Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Government Open Source Communications Software United States

Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 98

"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.

Pentagon To Make a Big Push Toward Open-Source Software Next Year

Comments Filter:
  • by Dorianny ( 1847922 ) on Tuesday November 14, 2017 @05:50PM (#55550755) Journal
    Expect Billions to flow from the deep pockets of the likes of Boeing and Lockheed Martin to the K street lobbying machine
    • This is about DoD software tools, not the guidance system for the F-35! lol

      Where contractors are writing it, the exact same contractors would be writing it. This doesn't change the procurement system at all.

      • The guidance system for the F-35 is open source: the DoD receives from their contractors complete rights to modify and distribute the code. Open source doesn't mean publicly distributed or community developed.
        • You're wrong. Go check the license. Go look up what "open source" means.

          Receiving rights from your contractors is something that everybody always gets. All closed source software written by contractors comes with an implicit license; furthermore, software that is Classified can be controlled by the government and they can share it with their other contractors. You can get a license fee, but you don't get to control who they give access to.

          So yeah, if you don't know what the words mean, they might mean anyth

          • You're wrong. Go check the license. Go look up what "open source" means.

            Okay, here's the definition [opensource.org]. Please point to anything in that definition that contradicts what I've said.

            Receiving rights from your contractors is something that everybody always gets.

            If only that were true. A huge amount of code is written on contract but then received with a proprietary license that locks the customer into the vendor for any support.

            All closed source software written by contractors comes with an implicit license

            It comes with a license to use (typically within an organisation), it usually doesn't permit modification or redistribution.

            • Try wikipedia, so that you're not accidentally just being propagandized by one of the various factions.

              That's true in general; start from encyclopedia articles, not people with vested interests.

              You'll find that "open source" is a very broad idea, and doesn't mean very much until you specify a license.

              • So, what you're saying, is that you have a different definition of open source to the rest of the world (if you don't agree with the definition from the OSI, which is the consensus agreed on by a large number of open source contributors and distributors, look at the FSF's Four Freedoms or the Debian Open Source Guidelines, which are all roughly equivalent). That's fine, and you're free to make up your own definitions of words, but you don't then get to call out other people for using the consensus definit
                • No, I'm saying that the term "Open Source" wasn't coined by the OSI and when people use the words "open source" they are not declaring allegiance to OSI! In fact, there are numerous "camps" with different opinions; some people actually hate the OSI, and yet are proponents of things that other people would describe as "Open Source."

                  In short, the meaning of a loose term that isn't a proper noun is not determined by what one person (you) says, it is determined instead by how people actually use the word. On Pl

    • I've worked for two very big contractors in the past, and they enthusiastically embraced open source. In fact, there was a consensus among management that open source is preferable whenever FOSS can get the job done at an acceptable level. Every dollar not spent on commercial licenses is another dollar that could be spent on billing labor.

  • by Tailhook ( 98486 ) on Tuesday November 14, 2017 @05:52PM (#55550775)

    No one is perpetually scrutinizing anything. That's an old fallacy wrongly attributed to ESR and/or Torvalds. "Linus's Law" merely states all bugs are shallow given enough eyeballs, not the some vast benevolent army of free labor is auditing everything all the time. That's fiction, as as been proven many times with the discovery of ancient zero days in software that's been open source for decades.

    • by Desler ( 1608317 )

      The presence of Heartbleed being an excellent example that belies this claim.

      • by Aighearach ( 97333 ) on Tuesday November 14, 2017 @10:13PM (#55551943) Homepage

        The presence of Heartbleed being an excellent example that belies this claim.

        No, you clearly didn't understand him. Heartbleed exemplifies his claim.

        As soon as people knew about Heartbleed, there were fixes available. The bug was proven shallow almost instantly upon discovery, and numerous were the workarounds. People even re-implemented the whole software package to make sure it was fixed! And their fixes worked, the bug was indeed gone. You can't get a shallower bug.

        Every example you can even find of a deep bug, a bug that is known to exist but that people don't know how to fix, it is a bug where either there are nearly zero users of the code, or the code is closed source and there are few people with access. Any bug that has even a moderate number of eyes will be very very shallow.

        • Re: (Score:1, Informative)

          by Desler ( 1608317 )

          No it doesn’t. The claim of the quotation is that people are constantly scruntinizing open source code but this is false. Heartbleed existed for years without being found.

          • The claim of the quotation is that people are constantly scruntinizing open source code

            Right, that's what you're not comprehending. You're getting the claim wrong, and people are trying to explain it to you, but you can't fucking understand because you don't know the meaning of words.

            Yeah, if that was the claim it would be fucking stupid and wrong. But it isn't.

    • by plopez ( 54068 )

      You might want to look at Open BSD. Much of what they have done has been adopted by lesser OSS projects.

      • by donaldm ( 919619 )

        You might want to look at Open BSD. Much of what they have done has been adopted by lesser OSS projects.

        Have you looked at the OpenBSD [openbsd.org] license?

        From the URL "OpenBSD strives to provide code that can be freely used, copied, modified, and distributed by anyone and for any purpose. This maintains the spirit of the original Berkeley Software Distribution."

        Very altruistic but does not have much control over what can be done with said software and do you honestly think some users are going to play fair?

    • by Kjella ( 173770 )

      Equally fallacious is that every weakness is reported immediately, not sure what fantasy writer made this article. There's plenty of black hats that'll sell backdoors to any system, open or closed. Regarding Linus's law, I think it's valid but with limitations. Like if you have a square mile of land, the more people use it the more likely they'll stumble upon something but nearly all will take the natural paths. It's vastly different from a search party where you comb the bushes and look in all the places t

      • No, you're not understanding it.

        In your example, it means that if you send out a search party, and you have a lot of people, you can easily cover the whole area. It doesn't even speak to what is happening when you're not searching; when you don't know you have a bug.

        The whole premise of Linus' Law is that you have a bug; it has been reported. And you're trying to fix it. If you have enough people involved in the search, it becomes almost guaranteed that you'll find it. If you only have a few people searchin

    • No matter the project, the Pentagon and DOD rely so heavily on Windows, so any open source project that wants to play with the DOD should run on Windows.
    • This also leads to another overlooked point. Which is easier for a hostile programmer to infiltrate, contributors to a FOSS project or a commercial development team like Powerpoint's, Word's, etc? A hostile programmer being someone intentionally introducing an exploit. A designed "zero day".
    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Tuesday November 14, 2017 @11:50PM (#55552345) Homepage

      That's fiction, as as been proven many times with the discovery of ancient zero days in software that's been open source for decades.

      Not only does that not follow (you have no idea who scrutinizes their copy of FLOSS precisely because of the privacy FLOSS affords users) but you're missing a much more important point: FLOSS respects a user's ability to do things computer owners want their software to do but inherently can't trust proprietary software to carry out. Proprietary software can't be trusted because the users can't be sure it is doing what the users want and not doing what the users don't want (typically this means leaking information, opening backdoors, and implementing malware). It's not about guarantees, it's about the permission to exert as much control over one's own computers as one wishes. Proprietary software inherently doesn't grant that permission and FLOSS does. Couple that with a monied organization as big as the American federal government, and you have the ability for significantly increasing control over their own computers.

    • Thanks for posting that. You're absolutely right that when ESR wrote that Linus thought "with enough eyeballs, all bugs are shallow ... the fix will be obvious to someone" , he did NOT mean "all bugs are non-existent". He said "the fix will be obvious to someone" because that's what he meant - with "a large enough co-developer base" looking at a bug, one of them will come up with an elegant fix.

      Separately, another, different statement is also true.
      I maintain a database of all the CVEs ever issued, with th

      • The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.

        Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on (i.e. the 2,000 or so open source packages that, combined, provide roughly equivalent functionality to the base Windows install)?

        Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.

        And I can point to 40 in the Linux kernel's USB stack alone from this month (and we're only half way through the month). How many Windows kernel CVEs have there been?

        • > And I can point to 40 in the Linux kernel's USB stack alone from this month

          Okay, go!
          No? How about 4? Still no? Maybe 3? How about ANY at all?

          Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.

          > Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on

          Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is

          • And I can point to 40 in the Linux kernel's USB stack alone from this month

            Okay, go!

            Okay, here you go [github.com].

            No? How about 4? Still no? Maybe 3? How about ANY at all?

            Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.

            Doing a great job, if you miss ones that even The Registers notices [theregister.co.uk]

            Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is roughly ten times higher for Windows 8.

            You'll forgive me if I don't trust your number when you seem to be unaware of recent kernel vulnerabilities and haven't published your methodology.

            Oh, and it's worth noting that a number of the CVEs related to the USB stack are impossible for any certified drivers on Windows because they're required to pass a static analysis check that would catch them (Microsoft had a few hundred CVEs for similar bugs some years back w

  • by Zorro ( 15797 ) on Tuesday November 14, 2017 @05:56PM (#55550803)

    There will be a LOT of yapping and some apps will be created then in about 9 months they will toss it all and sign a Billion dollar check to Microsoft.

    What happened to NSA Linux.

    The other fallout from that was tossing out all our Apple and Sun systems too.

    Then came the ship with NT 4.0 that never worked correctly and the brief Idea to launch nukes from NT 4 computers.

  • lolwut? (Score:2, Interesting)

    by Desler ( 1608317 )

    Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.

    This is total bullshit. No one noticed, for example, the Debian OpenSSL vulnerability for nearly 2 years. There are also plenty of other examples that were around many times longer without being spotted despite all this claimed “perpetual scrutiny.”

    • Just imagine how much less secure it was when it was closed source.

    • If nobody noticed it, nobody exploited it, either. If it wasn't open source, it would have never been noticed by anyone.
      • That's not how it worked, for two reasons. First, the Debian vulnerability meant that SSH private keys were generated with only about 16 bits of entropy, so became trivially guessable by brute force attacks. There was a long tail of people finding that they had vulnerable keys and replacing them for months after it was discovered. Some were in embedded devices where replacing the keys was very painful. Second, the people noticing a bug to exploit the vulnerability and the people noticing a bug to fix it
      • by Desler ( 1608317 )

        Goal post shifting at its finest. Also, people find bugs in closed-source software all the time so your second claim is also patently false. You think Project Zero has source code to all the programs they find bugs in?

  • More secure??? (Score:4, Insightful)

    by DidgetMaster ( 2739009 ) on Tuesday November 14, 2017 @05:59PM (#55550837) Homepage
    Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look for bugs and plug security leaks if they want to, but bad guys can also look for vulnerabilities to exploit. Nobody has to look at the code and/or fix anything. In fact, most people have ZERO interest in doing so. Plenty of security flaws have gone either unnoticed or unfixed for an awful long time in open source projects.
    • > Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look

      It's not *necessarily* so, in the sense that nothing *requires* that open-source code is automatically better. On the other hand, I curate a database of over 90,000 software vulnerabilities, and spend my work days examining security issues. Every CVE that is issued goes into our system. The fact is, Windows and Flash alone make up a very large percentage of the vulnerabilities, and hav

    • Why do you assume that it's visible? Open source just means that you have the rights to make changes. This should be the requirement for all government procurement, because if the vendor goes out or business or EOLs the product then you're screwed if it isn't.
  • More secure? (Score:5, Interesting)

    by Computershack ( 1143409 ) on Tuesday November 14, 2017 @06:03PM (#55550871)

    Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.

    Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....

    • by Desler ( 1608317 )

      It’s also not that long ago that OpenSSL had that massive Heartbleed bug and that Debian was generating predictable random numbers in their OpenSSL version.

    • by Tesen ( 858022 )

      Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.

      Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....

      Exactly! Open Source is only as good as the company that wants to keep up with patching and devote resources for regression testing. These days that is very few (unfortunately).

    • Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....

      No, I don't remember that at all. What I do remember is that on some systems, before the OS was loaded, you could drop into a GRUB bootloader rescue shell by connecting a keyboard emulator that could spam the keyboard buffer with backspaces during boot. If you're actually pressing a backspace key as you describe then no, that isn't actually likely.

      Generally speaking, if you have keyboard access during boot you can get to that sort of rescue screen on a computer, unless it has been locked down. Note that unl

  • You might want to talk to the Munich city council about that.

    You'll be receiving my bill for $3,500,000 by the end of the week.
  • by dwheeler ( 321049 ) on Tuesday November 14, 2017 @06:05PM (#55550881) Homepage Journal
    Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”
  • A friend of mine is working on one of those government projects you can't talk about. What he can say is that they are in a 'bake off' with other projects where his project is using OSS, quasi-Agile (*cough* SAFe *cough*) , automated testing (apparently an unknown concept to the beltway bandits, perhaps because there are huge billable hours to be made fixing bugs), CI, etc.

    We'll see if they win the bake off.

  • The DoD is a MASSIVE client for corporations like Microsoft and Dell. If they are going fully open source then either Microsoft will release an open source version of Windows+Office+SQL Server or the open source toolset will get similarly advanced (which it simply isn't, at least not when you factor in the responsiveness at the user level for Windows, the overwhelming Office+Outlook+Exchange integration compared to all the competition, and the Analysis Server aspect of SQL Server) tools.
    • The last thing anyone wants is a free OS. They will be targeting open source platform for which Microsoft is already a leader.

    • This has nothing to do with the software they buy.

      This has to do with the software they write or have written.

      Microsoft doesn't mind writing open source software if you're paying them the same for it; this isn't the type of contract where they would get residuals, this is the type where they get paid for their time doing the work. Stuff with residuals where they're licensing the software to DoD, that would all be unchanged.

  • The author of the article wrote:

    One big advantage is that, often, the agreements to run open-source software are much more relaxed than those behind proprietary code, and come without licensing fees. The license to run a copy of Adobe Photoshop for a year is $348; the similar open-source GNU Image Manipulation Program is free.

    I feel that, for a large corporation or institution, licensing cost should probably be the least concern. Functionality is not free. What counts is transparency (you can inspect the software), control (you can modify the software), relaxed legal constraints (no need to waste resources counting billable seats or hours), and benefiting the community (enhancements you make or sponsor are usable by all). All of which will likely contribute to lowering costs in the long run.

    So I a

  • by david.emery ( 127135 ) on Tuesday November 14, 2017 @06:44PM (#55551081)

    In 35 years in that business, I saw and used a lot of open source development tools, as well as in deployed software. Red Hat is a major provider of OS to DoD, including embedded in weapon systems. GNAT Ada is open source.

    And on my last project we kept 2 lawyers (one government, one prime contractor) busy nearly full-time evaluating various OSS licenses for our intended use. The GPL was a significant debate; most OSS licenses were deemed acceptable by both sides. In each case, we evaluated OSS and proprietary software for functionality, life-cycle costs, supportability, expected security/vulnerabilities, and made a decision that balanced these factors. Sometimes the OSS components won out, other times not. But there was a documented decision with rationale.

    In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.

    • Yeah....but someone just heard about open source software and thought the rest of the world should know too.

    • In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.

      To the exact same extent that it has become a contractor decision! That is the extent to which Government should re-impose controls over what the Government buys. Congress is the best our country has come up with to make those decisions.

    • Which OSS licenses did you find to be most DoD amenable, when all was said and done?

      • Most were OK, I think the Apache license was one we saw frequently. The GPL 'contamination' clauses were a concern, and there was a lot of disagreement over how they should be interpreted.

  • It's the year for the Linux Desktop for sure!

    Can you imagine how many desktops the DOD has and is paying Microsoft for?

  • "The Department of Defense is the world's largest single employer,"
    Not Gattaca Corp, not Tyrell, not Weyland-Utani or Tessier-Ashpool. This demonstrates why we won't get super-cool things in our lifetimes. Sure DARPA shmarpa, but if we instead had 3.2 million people working on nano-tech, biology, AI, lunar colonies and FTL, then maybe we could get somewhere as a civilization.
    The US has plenty of nukes, has demonstrated a willingness to use them. That is all we basically need for defense. All the res
  • Powerpoint slides make me want to load magazines.

  • by Registered Coward v2 ( 447531 ) on Tuesday November 14, 2017 @10:54PM (#55552115)

    As long as DoD does not distribute anything it develops beyond DoD (or the Federal government since it is all part of the same organization) it is all staying within the organization developing it and thus would not be obligated to share any improvements.

    Per gnu.org:

    The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

    and

    For instance, you can accept a contract to develop changes and agree not to release your changes until the client says ok. This is permitted because in this case no GPL-covered code is being distributed under an NDA. You can also release your changes to the client under the GPL, but agree not to release them to anyone else unless the client says ok. In this case, too, no GPL-covered code is being distributed under an NDA, or under any additional restrictions. The GPL would give the client the right to redistribute your version. In this scenario, the client will probably choose not to exercise that right, but does have the right.

    Thus, as long as they only use it internally they have no obligation to make the changed source code available. In addition, they could require contractors to develop code under and NDA that prohibits release until the authorize its release so even if they do not do the actual development internally they can still control its release. I would not bet on the DoD probably choosing not to exercise that right.

    So while it may be good PR for OSS in reality it may not actually advance OSS for the public. DoD could classify any OSS projects to prevent its release using the argument that its release would be detrimental to national security and require contractors to sign an NDA for any work they do for DoD.

    https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic

  • The Department of Defense is the world's largest single employer

    I thought the Chinese army was No 1, and the UK's NHS was No 2.

    Am I wrong? anyone have actual figures?

  • by fisted ( 2295862 )

    "Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose

    I'm torn between making a snarky remark about how I, thanks to slashdot, finally learned what open source software is, or whether I should point out that in no way "open source" implies the right to "distribute the software to anyone and for any purpose" because that is clear and utter bullshit that only applies to free software (as in e.g. BSD-licensed stuff).

  • Slashdot posted my question about auditing on Linux seventeen years ago in reference to the DoD using Red Hat. We are using all kinds of other OSS back then as well so The Verge, and these senators, is just a few years late. The amendment will not result in any changes in how DoD procures software/services or operates at any level from the foxhole to Earth orbit.

E Pluribus Unix

Working...