I got involved into a discussion about open-source software. Apparently a maintainer of an open-source project handed over the rains to another person and the other person changed the software to include a coin/mining exploit. This really got me thinking about the double-edged sword of open-source.
Where did open-source originate from?
A little history lesson about open-source projects. Open-source came to be in 1998 where it was developed after Netscape’s announcement that the software for the Navigator software was going to publicly released.
The term got more momentum during the Freeware Summit organized by Tim O’Reilly in April 1998.
The highlight was when the Open Source Summit which is known as the birth of open-source.
So what’s the problem with open-source?
At the same time there is one and there isn’t one.
Open-source is a blessing in my opinion. It enables developers to help out with projects and collaborate. It gives companies the choice to either go buy proprietary software or to choose the option to go with open-source which is mostly free.
The problem with open-source, and which most people have forgotten, is that as soon as the software is released the maintainer has no responsibilities towards anyone. The software is provided “AS IS” which is mentioned very clearly in the license.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
This also is both a good and a bad thing.
It’s a good thing because it releases the maintainer of any duties that have to do with the software product. Other people can contribute and create their own features which the maintainer is not reliable for. I certainly would not want to be responsible for a bug in one of my open-source projects and having to deal with large claims from companies because they lost revenue.
On the other hand, because the maintainer has no responsibilities, you are the one responsible from the moment you download the software.
The maintainer of the open-source project doesn’t even to reply to any issues, give you support or any other interaction with the software user. Everything that a maintainer does outside of releasing the software is big bonus and shows the character and passion of the maintainer.
What happened in the discussion?
Apparently the new maintainer changed the code of the project and included a bitcoin miner into it. So everyone who actually used that software and updated it, would get a bitcoin miner installed which would cause a lot of problems.
Immediately you would think that the original maintainer would be the person responsible because he didn’t check the person that wanted to take over the rains.
It is very scary that open-source projects are vulnerable to these kind of practices because at some point we trust the software and put it into our environments. That causes a threat to our production environments.
In reality, maintainers of an open-source project, are in no way responsible for these kind of issues. As soon as a piece of open-source software is released, the maintainer has done it’s work.
How can we avoid this?
I don’t think we can actually avoid these kind of problems. If for some reason such a thing happens mostly of the time people will find out quickly.
News like this will go quick especially with social media platforms like Facebook and Twitter, projects that are compromised will become flagged very soon.
I think we need to be diligent when we start using open-source software. Make sure you use software that is used a lot or is developed by someone with a good reputation.
It’s pretty easy to look into a Github repository and get basic information like who the maintainer is and do some research on the person. If you don’t trust it, don’t install it. Get more information, go ask on forums and ask questions before you start to rely on these projects.
My two cents on the responsibilities
I’m a contributor to a couple of open-source projects and I rely heavily on them in my day-to-day work.
I’ve contributed a bunch of commands to the dbatools projects. I feel responsible for these commands but I’m completely fine if someone else finds a bug and fixes it. When someone finds a bug in a command and notifies me, I will try to fix it. I feel responsible because I created them but it’s in no way only my responsibility.
Maintainers and contributors have no obligation to help after a piece of software is released. Everything that’s done after the release is a big bonus.
I do think that the way the projects are run reflects the types of people who are involved. Regularly I get questions from people all over the world about a command I created.
I will always reply to these questions because I think that it’s important to give support in these projects and it helps the projects being.
Open-source software is great and most of the time you get a reliable version for free or a small amount of money. You, as the user, have to make sure that the project can be trusted.
Closed software is great too but it can be costly. The cost for the software gives a sense a security and a lot of companies prefer to pay for software instead of using open-source.
Both have their pros and cons and you must decide what’s best for your use-case. I use both open-source and closed source and use them for my use-cases.