The double-edged sword of open-source
I got involved in a discussion about open-source software. A maintainer of an open-source project handed over the reins to another person and the other person changed the software to include a coin/mining exploit. This got me thinking about the double-edged sword of open source.
Where did open-source originate from?
A little history lesson about open-source projects. Open-source came to be in 1998 when it was developed after Netscape’s announcement that the software for the Navigator software was going to be publicly released. The term got more momentum during the Freeware Summit organized by Tim O’Reilly in April 1998. The highlight was when the Open Source Summit which is known as the birth of open-source.
So what’s the problem with open-source?
At the same time, there is one and there isn’t one. Open source is a blessing in my opinion. It enables developers to help out with projects and collaborate. It gives companies the choice to either go buy proprietary software or to choose the option to go with open-source which is mostly free. The problem with open-source, which most people have forgotten, is that as soon as the software is released the maintainer has no responsibilities toward anyone. The software is provided “AS IS” which is mentioned very clearly in the license.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This also is both a good and a bad thing. It’s a good thing because it releases the maintainer of any duties that have to do with the software product. Other people can contribute and create their features which the maintainer is not reliable for. I certainly would not want to be responsible for a bug in one of my open-source projects and have to deal with large claims from companies because they lost revenue. On the other hand, because the maintainer has no responsibilities, you is the one responsible from the moment you download the software. The maintainer of the open-source project doesn’t even reply to any issues or give you support or any other interaction with the software user. Everything that a maintainer does outside of releasing the software is a big bonus and shows the character and passion of the maintainer.
What happened in the discussion?
The new maintainer changed the code of the project and included a bitcoin miner in it. So everyone who used that software and updated it would get a bitcoin miner installed which would cause a lot of problems. Immediately you would think that the original maintainer would be the person responsible because he didn’t check the person that wanted to take over the rains. It is very scary that open-source projects are vulnerable to these kinds of practices because at some point we trust the software and put it into our environments. That causes a threat to our production environments. In reality, maintainers of an open-source project, are in no way responsible for these kinds of issues. As soon as a piece of open-source software is released, the maintainer has done its work.
How can we avoid this?
I don’t think we can avoid these kinds of problems. If for some reason such a thing happens most of the time people will find out quickly. News like this will go quickly, especially with social media platforms like Facebook and Twitter, projects that are compromised will become flagged very soon. I think we need to be diligent when we start using open-source software. Make sure you use software that is used a lot or is developed by someone with a good reputation. It’s pretty easy to look into a GitHub repository and get basic information like who the maintainer is and do some research on the person. If you don’t trust it, don’t install it. Get more information, go ask on forums, and ask questions before you start to rely on these projects.
My two cents on the responsibilities
I’m a contributor to a couple of open-source projects and I rely heavily on them in my day-to-day work. I’ve contributed a bunch of commands to the dbatools projects. I feel responsible for these commands but I’m completely fine if someone else finds a bug and fixes it. When someone finds a bug in a command and notifies me, I will try to fix it. I feel responsible because I created them but it’s in no way only my responsibility. Maintainers and contributors have no obligation to help after a piece of software is released. Everything that’s done after the release is a big bonus. I do think that the way the projects are run reflects the types of people who are involved. Regularly I get questions from people all over the world about a command I created. I will always reply to these questions because I think that it’s important to give support in these projects and it helps the projects.
Open-source software is great and most of the time you get a reliable version for free or a small amount of money. You, as the user, have to make sure that the project can be trusted. Closed software is great too but it can be costly. The cost of the software gives a sense of security and a lot of companies prefer to pay for software instead of using open-source. Both have their pros and cons and you must decide what’s best for your use case. I use both open-source and closed-source and use them for my use cases.