2002-08-07
The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.
Is it really so immature?
2002-08-08
Javier Fernandez-Sanguino (1 reply)

The Open Source community has matured, greatly, and further than anyone ever predicted it would. Open Source is a recognized and welcomed community in many "common users'" lives these days, with more and more young people grasping the reins, learning the ropes, and driving the herd. Much like when computers were new, now Open Source has reached its day.
However, it is not immaturity that is holding Open Source back, it is more childish behavior by the "adults" of open source. More and more I read comments by the old hands, the recognized names, the one hit wonders of the Open Source community giving their expert advice on where it is going. Then I look at where they are, where they came from, and how long it has been since they entered the corporate political world, where words make the person, not actions. Where perception rules supreme and once you have proven yourself, the ignorant heads worship you as the expert on everything, not just what you know. How ironic this is, because it was the very thing we, as a community, spoke out against as youngsters, or newbies to the world.
Some of the Open Source community has, in fact, sold out. That was the reason to enter in the first place. They knew the corporate rules, played the game, and now have their seat in the light and look down on everyone else, and feel free to comment and snub their noses at. It is not your basic hacker mentality. No no, it is more of an "I made it, you are still working for it" mentality. That is childish.
A perfect example of this is the recent xforce/apache scuffle that took very respected members of the community, and made them look like school kids pointing fingers at a kickball game. I lost a lot of respect, as did many, for xforce in the whole issue. Comments made were childish, wrong, and based on personal like or dislike, instead of facts. This was amongst the "mature" of the bunch.
I agree, we need standards, but who is to set them? We have all been shouting this for years; however, no one steps up to give viable solutions. They are more than happy to give their opinions, with no accountability for them. Maturity comes from learning. Who are we to learn from? Who are our mentors? Who are we to emulate? Microsoft? Mandrake? Red Hat? Throw me a bone here, people.
Fact is, you cannot achieve the standards you are looking for when money is involved. The whole Open Source issue bases itself on completion through teamwork. We don't have to like it, but if you are going to be a member of the open source community, you have to accept that someone is going to improve on what you have created. And others are going to offer criticism on any and all products. If you have thin skin, better to not release your ideas or product to the public. Where I have created some pretty lame stuff, others grab it, see my concept, and improve and clean it. I don't get any credit. I don't care. At least someone took the time to help develop an idea I had, but didn't really have the means to make it complete. THAT is why I got into open source. Many have even been mature enough to show me where I screwed up, improving my skills and allowing me to add my ideas to others' ideas. Yes, I have come a long way, yet am not so into myself to think I can just ride the coattails of others with words.
Unfortunately for all, the actions of a few outweigh the work of many. The Trojan that Jon spoke of is a good example; however, it is not the end of the road. Continuing to draw attention to these issues in this type of arena is the reason they continue. Not only that, but the bellowing of certain companies as "the most secure" or "the best solution" invites Open Source trolls. Don't blame the community for that. Blame the ego of a few.
I do agree that more maturity is needed in identity certification; however, the more we cry about it, the more childishness is invited. Self-discipline is also a factor here.
I do NOT agree, almost violently (a jab at you, Jon), with a standard for identity certificates. Can you say Microsoft? When a standard is created in security, security fails. Period. If you have not learned that by now, then forget it. Please read on...
Security is one of the ONLY places where diversity works. Throw wrenches into what is supposed to be there, and you confuse those who thought they knew what they are doing. The best security practice is not telling anyone what your security practices are. Make them guess. Every time I go into a briefing or presentation about security, I get how I am supposed to be doing things explained to me. However, when I show them how I have my placements, physical and operational, they scratch their heads, say, "that is not a standard policy" and write me off.
I applaud the lack of a standard in identity certificates; it enables more personal operational security as well as keeping your mind from becoming stagnant. Trust me, when a standard has arrived, it will do so at a price, a high price. People profit off of standards, and more and more, that does not even hold true. People profit off of anything.
There is no easy solution to the problem, but if we continue to work together without looking for the brass ring and green pockets, we will succeed.
I do like your whole technical writing, Jon. Outstanding. Please don't take this as a jab at you; it is not intended as such. Just remember, the community as a whole does not enjoy the status or paychecks of the few. Remember that when representing. You do a great job. Keep it up, Jon.
Axe
Link to this comment: http://www.securityfocus.com/comments/columns/101/16104#16104