Open source is failing as expected. Not programming advice

These two things don’t seem related, but they are. It’s not the timeframe that makes them related; they are two sides of the same many-sided coin, I guess. So let’s look at them: the xz disaster and the redis debacle.

The xz disaster

So, someone had a five-year plan to hack every system on the planet. They started contributing (under the name Jia Tan) to xz, a widely used but under-maintained open source project. People used xz a lot, and its compression library, liblzma, even more. Nice. It was so widely used that even essential systems like systemd ended up linking this library through their transitive dependencies. Most modern systems use systemd (and I’m talking about Linux systems, because they are the only ones that matter in the wide world out there), so this library was guaranteed to be loaded and, had Jia Tan’s plan worked, to override a function from OpenSSL, the library used for encryption by almost everyone. That means your secure system would’ve opened up on Jia Tan’s “Open Sesame” in no time.

But the systemd guys tried to remove their dependency on liblzma, for an unrelated reason, and that made Mr. Tan very antsy. He had to rush and plug in his patches as fast as possible so he could keep taking advantage of the hack he had imagined years ago. His plan, years in the making, was crumbling. And he rushed, and a 400ms delay observed by a PostgreSQL developer was enough to trip everyone’s alarm. Now everyone was in danger.
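A check in the defender’s direction for the loading chain described above (liblzma pulled into unrelated processes through systemd’s dependencies): this added shell script is not from the post. It walks /proc/<pid>/maps and lists which running processes have liblzma mapped, and it ships a constructed maps excerpt so the core function can be exercised offline. The paths in the sample are made up; the /proc layout and the process name in /proc/<pid>/comm are standard Linux procfs.

```shell
#!/bin/sh
# Added example (not from the post): inventory which running processes have
# liblzma mapped. Read-only: it only parses /proc/<pid>/maps and /proc/<pid>/comm.

# Print the unique liblzma paths found in one maps-format file.
# Field 6 of a maps line is the backing file (empty for anonymous mappings).
find_liblzma_in_maps() {
    awk '$6 ~ /liblzma\.so/ { print $6 }' "$1" | sort -u
}

# Walk every process and print: pid, command name, liblzma path(s).
# Unreadable maps files (other users' processes without privileges) are skipped.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(find_liblzma_in_maps "$maps" 2>/dev/null)
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$libs"
    done
}

# Constructed maps excerpt (made-up addresses and inodes) for an offline run:
# two liblzma segments, one libcrypto segment, one anonymous [stack] mapping.
write_sample_maps() {
    cat > "$1" <<'EOF'
7f3a1c200000-7f3a1c20a000 r--p 00000000 fd:01 131199 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c20a000-7f3a1c222000 r-xp 0000a000 fd:01 131199 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c300000-7f3a1c400000 r--p 00000000 fd:01 9999 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd5b000000-7ffd5b021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage: `sh liblzma_scan.sh --scan` on a live host; without --scan, only the
# functions are defined so the file can be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
fi
```

Any process listed that has no business decompressing anything (a network daemon, for instance) is the kind of transitive dependency the post is complaining about.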

The most important lesson here is how smoothly the xz disaster could’ve gone. I will not discuss the sophistication of the attack - it’s exciting in the same way horror movies are exciting. I just want to note that Jia Tan’s plan could’ve worked and could’ve wrecked everyone’s secure system. That’s because the monoculture that is now Linux is replacing what used to be a polyculture of systems, even within Linux itself. Open source has become a monoculture built on top of rushed projects or single-person-maintained systems, run by people who were gracious enough to once produce good software for everyone’s use but may no longer be interested in that. And it’s their right not to be: they are just developers doing their thing for fun, and the software is provided as is, without guarantees.

The redis debacle

Redis is changing its licensing. A beloved and widely used piece of software was, basically, bought off by some investors who now want to see some money. That’s because the author of the original software needed to eat, enjoy life, write books, and basically do anything with his life other than maintain it. And because everyone keeps eagerly trying to stick more features onto the same 19-, 20-, 21-, 22-legged octopus. Because there’s never a final version of a product. Anyway, that being said, everyone wanted to use it, and a lot of people do. Now the new owners of Redis are saying “you know what, give us money”. And people are shocked.

I mean, one could say there’s no link between Redis Inc. and Jia Tan, but in fairness they are pushing in the same direction: owning everyone. Jia Tan’s bid was probably smarter and could’ve been more successful, but the Redis guys will probably make a lot of money short-term, because switching to something else out of the blue is very expensive. And it’s an expense you can alleviate by throwing money at some people who are basically taking your software hostage and asking for ransom.

Is it moral? Mnope. Is it legal? Yes, probably. Is it any different? It is, but somehow it doesn’t feel different. The promise we built up in our heads about open source is no longer there.

And here’s the point

Open source is growing more monocultural but, at the same time, it’s fragmented into millions of pieces that can each fail in ways you cannot really investigate in depth. And the problem is that nowadays everyone relies on open source software, because it’s cheaper and consistently better quality than whatever you can create inside your company. You can do better than open source, for sure, but it will be incredibly expensive. You can solve your problem in your own way, but relying on other people’s work will always be easier, especially since people will insist that those people’s work is the closest to flawless you can ever get.

Not using open source is suicide - it’ll make your costs explode. Open source is really deep within the fabric of all the software sold nowadays, and all the hardware sold nowadays. If it has microchips in it, it probably runs some open-source bits. It’s everywhere.

Not only is it everywhere, it’s also mandatory. There are complete technology stacks that rely on you pulling tons of open source code from the internet while building stuff. Things like npm or cargo, solutions that are shoved down our throats as saviors. Repositories of millions of packages. All with their Jia Tans ready to sabotage you, all with Redis Incs looming over them, ready to hold you at gunpoint for ransom.

How anxious are you about deploying your open-source based solution now?

This is not programming advice

Rewrite the world. From scratch. It’s not feasible, but someone has to do it. And if you do, stop relying on zero-terminated strings. And get rid of the tons of legacy in our systems. Write the world anew.

Hacker redhead (hackmau5/deviantArt)