Clearly the Heartbleed bug has put open source software in the spotlight.
Worth noting is the use of open source components in commercial products from vendors like Cisco, Juniper, HP, Dell and IBM. Many of these products were apparently shipping the “buggy” version of the OpenSSL code.
In other words, these companies were leveraging the free OpenSSL software and selling products that helped them make considerable amounts of money. That does bring up a few questions. If you are a product developer and you use a third-party component in the product you are marketing to your end customers, isn’t it your responsibility to thoroughly test each component you use?
Imagine the same thing happening in a different industry, say automotive or other consumer products. What if they integrated components without thorough testing? Unthinkable, you might say. It reminds one of the problems GM has been facing with its ignition switch.
It turns out the OpenSSL software was not adequately tested. Why? Because everyone assumed it was someone else’s job to do so. The episode also exposed a paucity of resources and funds.
Perhaps the time has come to considerably strengthen the governance of open source development and usage, by an organization like the OSI.
Commercial vendors that use open source would have to become members of this governing body. They would also have to contribute annual fees determined by a number of variables, including their volume of open source usage and, more importantly, the resulting revenue generated. These funds would in turn be distributed to the developers worldwide who work on open source initiatives. Consequently, open source software would no longer be free for the makers of commercial products that use it in their end offerings.
Of course there are lots of questions about what the fees should be and how the money should be redistributed. However, I am sure all that can be figured out.
The New York Times has reported that major vendors have each pledged to contribute $100,000 a year over the next three years to the Core Infrastructure Initiative. But isn’t 100K a drop in the bucket for these companies? Evidently they can do better, much better.
This also demonstrates that the open source model cannot always be counted on to deliver defect-free software. A stronger governance process needs to be instituted. Furthermore, it should become the responsibility of the product developer to test add-on software before integrating it.
Open source and its collaborative model certainly have a lot going for them. But no longer can we blithely assume that everything is hunky-dory. There are significant imperfections that need to be taken into account and remediated.
Time for greater oversight of the open source system. And for those who ride the train to step up and pay their fair share for the ride.