“Open Source”. Introductions – Mark Lachniet MSU Graduate Open Source user since 1997 Security...


Transcript of “Open Source”. Introductions – Mark Lachniet MSU Graduate Open Source user since 1997 Security...

“Open Source”

Introductions – Mark Lachniet

• MSU Graduate

• Open Source user since 1997

• Security specialist for Sequoia Services

• Linux Professional Institute LPIC-1

• Novell CNE / Master CNE

• Microsoft MCSE 4.0

• Checkpoint Certified Security Engineer

Tentative Agenda

• Introductions

• Quick survey

• Open Source History

• Open Source Defined

• The Cathedral and the Bazaar

• Current Status

• Open Source security

• Training and Support

• Cultural and global issues

Quick Survey

• How many of you consider yourself technical?

• How many of you are already familiar w/ Open Source?

• How many are already using O.S. software? (this is a trick question)

Being ChEaP

• In order to understand OS, you have to understand its advocates and developers

• Cheap refers more to the desire to learn, experiment, and develop in new and clever ways

• Cheap means pretty much the same thing as the term Hacker used to, or the term Geek currently does

• For many people, OSS is a powerful statement about lifestyle and personal choice

• The question is… WHY?

Open Source History

• Richard Stallman could conceivably be called the founder of the Open Source Movement

• Worked at the MIT Artificial Intelligence Lab as part of a community of programmers who designed a free compiler for the PDP-10

• The AI group promoted the sharing and use of computer time and code - the early roots of OSS

• This eventually came to an end when the university decided to use a non-free system and Stallman was forced into the world of commercial software

Endings and Beginnings

• Stallman left MIT shortly thereafter, citing a “stark moral choice” not to capitulate to a commercial software company

• Thus began his mission

• The first step towards creating the “utopian” software society of his dreams was the creation of the first free operating system

• He then began work on the GNU System and the Free Software Foundation

• This started with the GNU C compiler and associated tools

Meanwhile, back in Finland

• GNU was a great work in process, but the kernel (the real brains of the OS - like command.com) was non-existent.

• A Finnish programmer named Linus Torvalds had been working on creating a UNIX-compatible kernel for the 386 platform

• His kernel was actually an adaptation of the earlier MINIX operating system for the 386

• Linus worked long and hard on coding the kernel, according to the legend, sometimes releasing two or more versions in a single day

• Around 1992, GNU and the LINUX kernel were combined to create what we now think of as Linux

Open Source Defined

• Depends upon the OS license – there are many!

• The GNU Public License has these aspects:

1. Free Redistribution – may not restrict or require a fee

2. Source Code – must distribute unobfuscated source code

3. Derived Works – must allow modifications by others

4. Integrity of the Author’s Code – may require “patches”

5. No Discrimination Against Persons or Groups

6. No Discrimination Against Fields of Endeavor

7. Distribution of License – cannot add restrictions (NDA)

8. License Must Not Be Specific to a Product – bundling

9. License Must Not Contaminate Other Software

The Cathedral

• Think of the way that a cathedral is built - it is overseen by the church and takes lifetimes to build

• The end result is usually quite beautiful, and a testament to the work, but it is slow in the making

• Commercial software is built in exactly this way - they take their time, release a few versions only now and then, and try very hard to make sure that the final product is beautiful (hopefully!)

• In software, this means insulating end users from the process, and working very hard to make sure that every possible bug is found and fixed before it is released - just like making sure that the cathedral is perfect before it is opened to the public

The Bazaar

• The bazaar, on the other hand, is a chaotic free-for-all

• Anyone can come to the bazaar if they bring the right currency (skills) to the table

• The bazaar method makes all of the information available to all of the people so that anyone with a knack or an interest can tinker with whatever they want

• In the bazaar method, software is released frequently - with or without bugs

• This invites the whole world to participate in the process - bugs are found, people modify the code to suit them and contribute it back to the project

• While this frequently means that a revision of software may have a problem, it also means that it can be fixed very quickly

Current Status

• Linux now runs on some 20% of the world's servers in volume

• Apache runs on over 60% of the world's web servers

• Perl, which is the engine behind most of the `live content' on the World Wide Web

• BIND, the software that provides the DNS (domain name service) for the entire Internet

• Sendmail, the most important and widely used email transport software on the Internet.

OSS F.U.D.

• [F]ear, [U]ncertainty and [D]oubt

• Because of the highly polarized debate on OSS, it is often difficult to get to the true heart of the issue

• Both sides of the debate are guilty of making overly one-sided arguments

• The truth is that OSS is *not* the best solution for all situations

• Let’s refer again to the European Commission’s findings

FUD Fighting - misconceptions

• OSS is just a new gadget

• OSS belongs to nobody

• People cannot be motivated to produce OSS, because it is free

• OSS is just for hackers and students, not for business

• OSS provides no support

• There is no stability, because so many people can change the software.

• Divisions or “forking” will split OSS projects into many incompatible variants.

True OSS Risks

• Lack of accountability

• Reduced set of supported hardware

• Reduced set of business applications

• Lack of guidelines

• No guarantee that development will happen

• Some limitations regarding high-end installations (but IBM is changing this problem)

• MJL: Difficulty – the Geek Factor!

OSS In the Enterprise

• Commercial support from a variety of “big player vendors” such as IBM, Compaq, and Dell

• Many companies now ship Linux pre-installed on select product lines

• Improved hardware support for enterprise solutions such as the Compaq Smart Array RAID adapter and others

• 24/7 Support contracts are available from multiple sources such as LinuxCare, IBM, and others

Popular uses for OSS

• Web server – Apache, PERL, PHP, and even ASP emulation

• File server – NFS, Novell Emulation, SaMBa Emulation

• Journaling File System (JFS)

• Mail / UNIX shell server

• Network appliance – dialup server, Linux Router, security devices

• Programming and application development platform

High-End OSS Computing

• One very real shortcoming in OSS / Linux software is in high-end systems

• In particular, SMP support > 4 CPUs

• This is being addressed in several ways

• One way is to use IBM’s “Linux for S/390” software

• Another way is to use “clusters” of parallel-tasking machines such as the Beowulf cluster system

Linux on the IBM S/390

• Runs on the “zSeries” server

• Can run in “native” mode as the main and only operating system

• Can also run in logical partitions so that you can run native OS/390 applications in one partition, and Linux in another

• IBM made a test server available and offered free computing time to anyone who wanted to play with it

• Will provide service and support

• Future plans for “memory speed” network communication between partitions

Beowulf Clusters

• Makes use of many cheap PCs

• Communicate over regular 100 Mb/s or Gigabit Ethernet

• Requires specialized client software but can be installed on free Linux distributions

• Very popular in universities and schools where cheap number crunching is required, such as physics and math

• E.g. National Oceanic & Atmospheric Administration

Security on OSS software

• Some people say that OSS is inherently insecure for a few reasons:

– Anyone can scan the source code for problems

– OSS developers are not “paid” to look for bugs

– People simply like to hack UNIX and Linux

– Lack of organized control over code

• Some people say that OSS is inherently secure for a few reasons:

– Anyone can scan the source code for problems

– OSS developers are not “paid” to look for bugs

– People simply like to hack UNIX and Linux

– Lack of organized control over code

Training

• One sign of a robust industry is standardization of skill-sets and certification

• Three major Linux certifications exist:

– The Linux Professional Institute

– GNU / Sair Linux

– Red Hat – Red Hat Certified Engineer

• These are challenging certifications

• The curriculum is publicly available – read it!

Support

• Contrary to the F.U.D., there are support mechanisms for Linux

• Look to your favorite hardware vendor

• Many national companies will sell support contracts – check your handout

• There are also many resources in Michigan, certainly many more than are listed in your handouts

Cultural Considerations

• Economic concerns aside, there is another important reason to contemplate how we deal with (and think about) technology

• Technology is integrally meshed with western culture - the Internet is now ubiquitous, especially for those of the middle class and above

• Technology is in many cases our portal to the world - a source of information, as well as a means of processing it

• Information is truly the commodity of the 21st century, and how we are able to manage and manipulate information and communicate with others will be the new frontier of our age.

Cultural Considerations

• This is why the whole question of Free Software is so important – people ask: “do we want to live in a world where the means to our most important resource - INFORMATION - is controlled by software companies?”

• Do we want to live in a world where we cannot peer “inside the box” to see the true workings of the technology we use on a daily basis?

• Do we want to be reliant upon a company to provide us with a limited number of ways to harness this most precious of resources?

Global Considerations

• It is not just the western world that will be affected by the decisions we make, because the path we take will set the environment for other countries and places making the transition to information societies

• Consider the “third world” countries in our southern hemisphere. They can barely afford the hardware to establish an information infrastructure, let alone purchase a copy of Windows NT workstation and Microsoft Office for every box

• The “Community Aid Abroad” organization points out that “Information and Communication Technologies are now fundamental to dealing with all development issues in developing countries.”

• In essence, technology is now the crux of improvement and aid efforts worldwide. The very difference in monetary price alone could theoretically be equated to human lives

Western-centric politics

• Besides money, the CAA also makes the point that commercial software creates an external dependence that is volatile and subject to political whims.

• What if, for example, the entire country of Colombia standardized on Windows NT? Then say, for example, that a major security bug was found in said operating system. To further complicate the matter, say that the CIA was angry with Colombia over some issue such as the drug trade and decided to impose a complete embargo. Colombia could potentially be in the unenviable position of having a completely insecure network infrastructure and no way to obtain patches. This is probably not a very good example - they could just illegally obtain the patches - but there are many other ways that this dependence could work against them

Technology and Culture

• In addition, it’s worth noting that modern software and the Internet itself are Anglo-centric. They are primarily written in English.

• Language itself plays some factor in cultural development, as the western history of Imperialism has shown - embedded in language are the values, mores, and assumptions of the dominant culture

• In this way, technology can serve to introduce external cultural influences on other cultures. What does this do to these other cultures? Americans may not think of this stuff!

• With free software, this risk is somewhat reduced

• Free software is written by a world-wide audience - although the language of discourse is English, the participants are diverse

• Free software, such as Linux, is more frequently adapted to other languages such as Kanji, Spanish, and Thai - because it is possible to do so. They do not have to rely on the altruism of a company to release a version - they can obtain the source code and do the work themselves

The Scientific Method

• There are strong parallels between computer software and scientific discovery

• Both are built upon the works of others - where one researcher or programmer is unable or unwilling to take the work further, someone else will

• In science, theories are not conclusive unless they are replicable - that is to say, the scientist must publish a paper laying out their ideas, methods, data and conclusions to the community. Other scientists then take this data and attempt to replicate and understand it. If the results can be replicated, the work is accepted and built upon

• In commercial software, this isn’t the case. Having a binary without the source code is like being presented with a summary and conclusion to a scientific paper without being given any data. One may be able to “reverse engineer” the project to discover the methods, but it is difficult and costly to do so.

The Scientific Method

• In this sense, commercial ownership of software may serve to hinder the progress of software (our vital national interest) in general

• With Open Source, all of the data is there for the taking - the methods can be improved, the assumptions corrected, and the conclusions modified

• All software serves as a building block for the next generation of software to follow. With open source, this provides a rapid development path towards better software (and hence better manipulation of our information commodity).

Fire… A Satire

Mark Lachniet

[email protected]