
posted by takyon on Sunday December 30 2018, @07:14PM
from the euro-signs-for-eyes dept.

The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.

The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.

EU authorities first approved FOSSA in 2015, after security researchers discovered a year earlier severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.

Announcement.

  • (Score: 1, Informative) by Anonymous Coward on Sunday December 30 2018, @09:16PM (10 children)

    by Anonymous Coward on Sunday December 30 2018, @09:16PM (#780063)

    Nobody loves open source more than billion dollar corporations, because open source means billion dollar corporations do not have to spend a penny on software. Billion dollar corporations do not need to pay software developers, do not need to outsource, and do not even need interns to work for free.

    Open source means all software gets developed by outsiders to whom billion dollar corporations owe nothing. Billion dollar corporations take everything and give nothing at all in return.

    Open source means all software gets developed by foolish students who are too young and naive to understand that they will never ever get paid to develop software. Billion dollar corporations do not hire and it does not matter how many disillusioned software developers quit in disgust. There is an infinite number of young naive fools who will be ready and willing to continue open source development in the future.

    Open source means billion dollar corporations always win.

    If your goal is to make every software developer be dirt poor, you champion open source.

    Open source means software developers always lose.

  • (Score: 2, Insightful) by MostCynical on Sunday December 30 2018, @10:30PM (5 children)

    by MostCynical (2589) on Sunday December 30 2018, @10:30PM (#780084) Journal

    Can't find the -1 you're a moron mod.

    Very few "billion dollar companies" have managed to get themselves away from proprietary software.

    Open source means more secure, means anyone can fork, means anyone can use, means lots of things that aren't bad.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 2) by fyngyrz on Sunday December 30 2018, @10:45PM (4 children)

      by fyngyrz (6567) on Sunday December 30 2018, @10:45PM (#780087) Journal

      Open source means more secure

      No, it means more open; it does not mean "more secure." It just means someone outside the corp can look as opposed to only someone inside, and it still doesn't mean they will look, or having looked, will find, or, having found, will fix what they found or report it. Further, the source being open means that the black hats can look — and act — if they want to as well. So it's just not a clear "more secure."

      means anyone can fork

      Depends on the license. There are quite a few levels of this, including "your changes must be open", which is anathema to many businesses, as it means that effort they pay for does not only accrue to them. Business 101 teaches "don't enable your competitors", and for very good reason.

      means lots of things that aren't bad.

      Agreed (and in fact, I've done a fair bit of open source, plus some non-open, but free.) But it also has two sides, like everything, I suppose. It's just not a clear cut case of "open source is always better." It comes down to what the goals are.

      And frankly, if you want to make a living at writing software and doing it well, open source is a blind alley. If you write reliable, secure code that is well documented and solidly addresses the problem you're trying to solve, there's no percentage in the "support" vector, either. If, OTOH, you write lousy code, and/or lousy documentation, and/or software that is still missing significant functionality, yeah, you can charge people to "fix" that if you can get them to use your stuff in the first place... but that's not really how to create good software, is it?

      --
      They said: "You weren't listening, were you?"
      I thought: "Isn't that a weird way to start a conversation?"

      • (Score: 3, Insightful) by maxwell demon on Monday December 31 2018, @09:01AM (3 children)

        by maxwell demon (1608) on Monday December 31 2018, @09:01AM (#780195) Journal

        No, it means more open; it does not mean "more secure."

        With closed source software you have to trust the sole provider to not put anything in that you don't want. With open source software, you have the option to either look for yourself, or to pay someone whom you trust to do it for you.

        It just means someone outside the corp can look as opposed to only someone inside,

        Which is a big deal, because someone outside the company providing the software likely has different goals than the company, while someone inside that company is bound to act in the interest of that company.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by fyngyrz on Monday December 31 2018, @04:44PM (2 children)

          by fyngyrz (6567) on Monday December 31 2018, @04:44PM (#780300) Journal

          With closed source software you have to trust the sole provider to not put anything in that you don't want.

          Same with open source. Have you read every line of every bit of open source you've ever used? Even if you have, do you think everyone has? Do you think they all understood what they read? The argument that "it's open, so it's safer" depends on underlying assumptions that are very rarely true.

          With open source software, you have the option to either look for yourself

          The option isn't the fact.

          pay someone whom you trust to do it for you.

          Again, extremely rare. Particularly in a community that is biased so strongly against paying for any aspect of software. OTOH, the business who writes closed source software is already paying someone to look into the issues that concern it; and security issues are becoming more important as liabilities stack up against these operations.

          Which is a big deal, because someone outside the company providing the software likely has different goals than the company, while someone inside that company is bound to act in the interest of that company.

          Step back for a moment and think about what those interests are:

          • Sell the product initially
          • Sell upgrades
          • Get and maintain a market position to continue doing this

          It appears — to me — that accomplishing the above requires attention to problems.

          Now consider the open source authors. Suppose the thing doesn't work right. They're not making any money. They are, presumably, doing something else to make money. So where do their priorities lie?

          For instance, take the Rocketchat developer install. [rocket.chat] It straight-up doesn't work. I've had problem reports in to them for months now. No response. I mean no response. Zero. Zip. Nada.

          Or, take the Qt [www.qt.io] project, which is interesting because it's both open source and commercial. You'd think that'd give them the best of both worlds, right? Motivation to fix, because they are making some money, and all those eyes helping out.

          But no. That project is as buggy as a New York slum apartment. Crashes, serious memory leaks, APIs with holes in them you could drive a big truck [youtube.com] through. It has been since version four. Report bugs, they often don't get fixed. The project is either too large for them to address the problems with the people they have available, or they simply don't care, you decide. But the bottom line is, the thing is broken all over the place. Believe me, I know; I've been using Qt since version 4.6.

          Now magnify that times no financial motivation. Ouch.

          Still, overall, they fix more than, for instance, the rocketchat people do.

          Look. I'm not saying all open source is buggy and non-fixable. It's not. I'm also not saying corporations are the only way to make good software. I'm just saying that on the one hand, there are accountable motivations; and on the other, there aren't. The evidence shows that corporations are not entirely bad at software. It also shows that open source folks are not entirely good at software.

          My conclusion is that neither way is optimum, and a fan of either way is really not in a position to cast any stones.

          --
          Calculus... the agony and dx/dc.

          • (Score: 1) by khallow on Monday December 31 2018, @06:40PM

            by khallow (3766) Subscriber Badge on Monday December 31 2018, @06:40PM (#780342) Journal

            It appears — to me — that accomplishing the above requires attention to problems.

            Or burying problems so the customer doesn't hear about them. Conflict of interest is a thing.

          • (Score: 2) by Pav on Tuesday January 01 2019, @12:33AM

            by Pav (114) on Tuesday January 01 2019, @12:33AM (#780450)

            Do you work in I.T.?

            Commercial providers (unless they have a ready fix) ALWAYS DENY a problem is known, or that anyone else is having the same problem... it's INDUSTRY PRACTICE! I've even been gaslighted in this way EVEN WHEN I'd spoken to other customers who had confirmed the problem (and also said they'd been given the same runaround by technical support). Free Software people are easy to deal with in comparison, and if there are no resources to quickly deal with a simple problem one can deal with it oneself.

  • (Score: 5, Informative) by Thexalon on Sunday December 30 2018, @11:41PM (1 child)

    by Thexalon (636) on Sunday December 30 2018, @11:41PM (#780102)

    This is complete nonsense:
    - The megacorps do in fact put money into open source software. Quite a lot of it. As in, a substantial percentage of the people working on it get paid to do so by IBM, Oracle, Facebook, Google, Apple, and sometimes even Microsoft. Another substantial portion are working for Red Hat and Canonical and other big FOSS organizations and businesses and are indirectly funded from megacorps and governments. The reason they do this is that as users of FOSS and sellers of related services, they have an interest in making FOSS work better. Of course, sometimes they're dumb about it, but it's not like they aren't involved.

    - A lot of the other development on open-source projects comes from businesses that are using it in some way and need either a feature or a bug fix that nobody else has currently provided. For instance, I was involved in a project to add a substantial new feature to the Asterisk phone software, because at the time it only worked with GSM phones and I was contracting to a company that had a network based on CDMA. We ended up paying a contractor with specific expertise to add in support for CDMA to Asterisk: He got paid for his work, the company I was working for got a tool that did what they needed for far less money and more flexibly than their proprietary alternatives, and the Asterisk project got a fairly substantial patch contributed upstream to handle those kinds of phones. Everybody won, except the makers of expensive proprietary alternatives.

    - Even if you have a stack of open-source software, every large business that I've ever interacted with has a ton of their own home-grown software that needs to be improved and maintained. For example, I know a significant number of people who currently or used to work for Progressive Insurance on their software, because they hire a lot of programmers in the area to work on the software that determines their risk assessments and pricing as well as their online sales software. They rely on some open source software as a platform to run that stuff, but they would never even think about replacing those programmers with open-source stuff because those risk assessments and pricing systems are extremely valuable trade secrets, and the online sales software is their branding and marketing all of which they would definitely not want to give away. Lots of smaller businesses have enough of this kind of custom software that companies that provide software development services can survive just fine.

    - You and any other random person or organization can use FOSS for basically free if you so choose, so you benefit from it. That means, among other things, that you don't have multiple programmers banging their heads against the wall solving the exact same problem over and over again, leaving those programmers free to focus on that home-grown software I just mentioned in the previous point, or add in new features somebody needs, or fix bugs that somebody needs addressed. That's a substantial economic efficiency.

    - Even if everything you had written was true, it's still wrong. For example, imagine if Apache Tomcat does not exist, and the only ways to host JSP-based web applications are IBM Websphere and Oracle iPlanet. Also assume for the sake of argument that nobody is choosing to switch from JSP to something else because we've also gotten rid of Apache, nginx, and so forth, so everyone who is currently using Tomcat is now buying either Websphere or iPlanet. Now, which of these two things do you expect to happen: (A) IBM and Oracle hire a ton of programmers to make a bunch of probably-unnecessary changes to their software, (B) IBM and Oracle get into a price war, driving the price of those packages from hundreds of dollars per server to $5 a server, or (C) IBM and Oracle just keep the money from all this newfound business and report a nice boost in earnings-per-share in the next quarter, benefiting Larry Ellison, Ginni Rometty, and Wall Street but nobody else? I'd put my money on option C.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by Pav on Tuesday January 01 2019, @12:46AM

      by Pav (114) on Tuesday January 01 2019, @12:46AM (#780458)

      Both Free Software and Open Source Software failed...

      Free Software failed by being unable to find a way to make a buck in a way that didn't compromise their principles.

      Open Source failed by saying "f*** principles" and concentrating on becoming the next 800 pound gorilla IBMs and Microsofts (just with a different coding paradigm). Granted, some would say that isn't a failure. If Thomas Piketty is right though, it will turn into a societal failure in the medium term.

      Personally I think the Free Software movement should ally with the Cooperative Movement... I think the coop movement could give "democratic capitalism" to free software, and free software could give a much lower startup cost, and methods to collectively design business models to DRASTICALLY lower the cost and risk of average citizens starting businesses.

  • (Score: 1) by khallow on Monday December 31 2018, @07:23AM

    by khallow (3766) Subscriber Badge on Monday December 31 2018, @07:23AM (#780174) Journal

    Nobody loves open source more than billion dollar corporations, because open source means billion dollar corporations do not have to spend a penny on software. Billion dollar corporations do not need to pay software developers, do not need to outsource, and do not even need interns to work for free.

    Open source means all software gets developed by outsiders to whom billion dollar corporations owe nothing. Billion dollar corporations take everything and give nothing at all in return.

    What is supposed to be the problem here?

    Open source means all software gets developed by foolish students who are too young and naive to understand that they will never ever get paid to develop software. Billion dollar corporations do not hire and it does not matter how many disillusioned software developers quit in disgust. There is an infinite number of young naive fools who will be ready and willing to continue open source development in the future.

    Oh yea, you're Salty Spice, right? Even the PHB can figure out that there's a difference between software that he reads about in the papers and an icon on his desktop. Somebody has to put it there, and it's not going to be him.

  • (Score: 2) by MichaelDavidCrawford on Monday December 31 2018, @09:03AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday December 31 2018, @09:03AM (#780196) Homepage Journal

    It's not actually true that billion dollar companies don't employ coders; rather, they usually pay their own staff to contribute to Open Source projects, and they often release Open Source of their own, as Apple for example has done with numerous I/O Kit Kernel Extension Drivers, as well as paying to develop in-house proprietary code.

    BTW you forgot to conclude your post with "Fuck MDC", so I'll do so myself after pointing out that I listed each of the locations of a multinational when I set into work this evening.

    To Wit:

    Fuck MDC>

    --
    Yes I Have No Bananas. [gofundme.com]