Software bugs and the OpenSource community: Who keeps our computers running?

21 October 2014

Sarah Wishart

Former Consultant

There has been a lot of buzz around the recently uncovered ‘Shellshock’ bug found in bash software. It got me thinking a lot about OpenSource software and just how integral it is to a large majority of the technology we have available today.

‘Shellshock’ (CVE-2014-6271) is a flaw in the way the Bourne Again Shell (bash) imports function definitions from its environment. Bash lets a parent shell pass functions to a child shell by storing the function body in an environment variable; a vulnerable bash kept parsing past the end of such a definition and executed whatever commands followed it. Anyone who could set the value of an environment variable that bash would later read could therefore run arbitrary commands with the privileges of the process that started bash, including reading or altering the data it handled and downloading and launching further programs.

Bash is the default shell on most Linux distributions and, at the time of writing, on Apple’s OS X, and it is widely present on Apache web servers that run CGI scripts (the programs behind many form-filling web pages). CGI is the dangerous case: the web server copies request headers such as User-Agent into environment variables before running the script, so a remote attacker controls exactly the input the flaw needs. A CGI script written in bash, or one that shells out to a /bin/sh that is really bash, could be compromised by a single crafted HTTP request. Bash is one of many pieces of open-source software relied upon every day by people who never give it a thought.
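
The mechanism is easier to see than to describe. The following shell script is an added example written for this page, not code from the original post or from the bash project. It shows the legitimate function-export feature that Shellshock abused, runs the widely circulated probe for the bug against whatever bash is on the PATH, and simulates the CGI vector with a constructed User-Agent value (not captured traffic). It assumes a bash binary is installed; on a patched bash both probes report "patched".

```shell
# Added example for this page (not code from the original post or the bash project).
# Assumes a `bash` binary on the PATH; the header value below is constructed, not captured.

# 1. The legitimate feature Shellshock abused: a parent bash can export a shell
#    function to child shells by placing its definition in the environment.
#    Current bash only imports variables named BASH_FUNC_<name>%% (the exact
#    encoding varies by version), which is why an arbitrary variable can no
#    longer smuggle a function in. Delegated to bash explicitly so this outer
#    script can itself run under plain /bin/sh.
show_function_export() {
    command -v bash >/dev/null 2>&1 || return 0
    bash -c '
        greet() { echo "hello from an exported function"; }
        export -f greet
        bash -c greet                      # the child bash imports and runs greet
        env | grep "^BASH_FUNC_" || true   # how the export appears in the environment
    '
}

# 2. The widely circulated probe from September 2014. A vulnerable bash,
#    importing its environment at startup, parsed the value of x as a function
#    definition and then kept going, executing "echo vulnerable"; a patched bash
#    treats x as an ordinary string. Prints "vulnerable", "patched" or "unknown".
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 3. The CGI vector. The web server copies request headers into environment
#    variables (User-Agent becomes HTTP_USER_AGENT) before running the script,
#    so the attacker chooses the variable's value. If the script is bash, or
#    shells out to a /bin/sh that is bash, a vulnerable shell runs the payload
#    with the web server's privileges. The header value here is constructed.
cgi_probe() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(HTTP_USER_AGENT='() { :;}; echo exploited' \
          bash -c 'echo "handling request"' 2>/dev/null)
    case "$out" in
        *exploited*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

show_function_export
echo "CVE-2014-6271 probe: $(shellshock_probe)"
echo "CGI header probe:    $(cgi_probe)"
```

The probes only exercise the original CVE-2014-6271 parsing bug; the follow-up bugs found in the same code in the days after had their own identifiers and their own test strings, so a "patched" result here is necessary but not sufficient on its own. The fix that mattered in practice was updating bash, not filtering headers.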

What is open source and who is behind it?

Open-source software is the collective term for software developed in a public, collaborative manner, with its source code available for anyone to read, modify and redistribute. Much of it is written by people contributing in their free time, outside their day jobs, and once released it is often maintained by those same individuals or by small groups of volunteers. I find this worrying.

I am concerned that software we have grown heavily reliant on is written and maintained by small groups of volunteers. Don’t get me wrong, I think the open-source community is a wonderful thing, and I am one of the great many people who depend on its software for so many things. However, much as we would all like to believe otherwise, no one person can do everything. I think the vital and innovative open-source community needs to put in place (or improve, where it exists) a formal system to ensure that heavily used open-source products undergo rigorous testing after every update and are maintained by larger networks of people.

For example, from its creation in the late eighties to the present day the Bourne Again Shell has been maintained by two people: Brian Fox, who wrote it for the GNU Project and maintained it until the early nineties, and Chet Ramey, who took over in 1992 and maintains it to this day. Chet has said that he may have inadvertently introduced Shellshock himself in a patch back in 1992, before he was keeping comprehensive logs. He must have impressively broad shoulders to carry the responsibility of single-handedly maintaining software that underpins so many Unix-based machines.

How do we address software maintenance going forward?

One thing that makes the open-source community brilliant is the pooling of ideas and work-arounds for current problems. It is a community rife with free software created by talented programmers. I am unsure how the community can address the maintenance issue; employing full-time, paid staff may not be the way, for fear of altering its atmosphere. I for one am grateful that there are talented professionals donating their free time to creating open-source software, software which is now intricately woven into the fabric of the technology we use daily.

I think that without the open-source community we would struggle to progress as quickly as we have. Pressing for change in the way open-source software is maintained could encourage ideas that turn the community into a profit-based business. That would change the culture and very core of the community, and might even unintentionally stifle creativity: software would begin to be developed to keep the business profitable, and maintenance staff would need to be paid. The community would find itself competing against the major players in the software business, placing constraints on which ideas are followed through to development. I don’t think anyone desperately wants a change in the culture of the open-source community, but if something doesn’t change, how will we know who is actually keeping our computers running?
