Die Flagge des Marasek




Further thoughts on the Debian SSL Issue

Assigned keywords: Computer, Weltsicht

There was another article about Debian today on Heise, titled the "OpenSSL debacle". Well, no, it was a Debian debacle, no more, no less. In general the topic seems to have been badly misrepresented so far - I can remember a time when German IT media brought one bulletin after another about security holes in a famous social networking platform and the alleged misbehaviour of its owner; probably the main difference between this case and that one is that back then the platform was about to be sold to a competing publisher, gaining him a huge new audience.

On Links, Ben Laurie has his own thoughts. Most notable was his complaint about people blaming OpenSSL for not properly helping Debian in this issue. He points out that OpenSSL is underfunded compared to other Open Source projects. Unlike other projects, they have nobody who is paid full time to develop OpenSSL.

This made me somewhat thoughtful. For some time already, it has seemed to me that the typical "featuritis" feared in Closed Source products has infected the Open Source world as well. Open Source apologists are quick to dispel such allegations, saying that they have no marketing guys as a driving force and no striving for market share that would fuel a race for new features. However, we have to accept that by now, many projects are as commercial as closed software, with people being funded to work full time on the project. It is clear that these projects have a motivation to stay ahead, as opposed to the stereotype of some nerd who does something solely for himself and then lets the world partake. And there are a lot of projects which are quite popular, but suffer from bad code quality and security issues. I once took a look at TYPO3 and decided that these guys were next to clueless about fundamental principles of relational database design - something hardly anyone who used it cared about. Instead people would tell me that it had to be good since it "was the only CMS that was able to succeed in the corporate environment". Yeah.

I fear that companies will jump to fund the "sexy" projects, those which grow fast and spawn many buzzwords, like a "SOA framework with AJAX frontend and strong Web 2.0 focus". Security and stability, on the other hand, do not sound sexy.

Recently I got praise from a user: I had used a small JavaScript window widget in one of my projects, which gives you a small box that can be moved around and minimized. It was not yet working, as I had forgotten to upload the responsible class, so my colleague called me because she got an exception. I decided to upload it immediately - she was quite astonished and said how nice it was. It is a little bit frustrating - I have pretty good concepts working there, with a strong focus on security, stability and a small resource footprint, but the first thing I hear is that it looks nice, or that someone does not like the color of the font on page X. Likewise, it must be equally frustrating if everyone talks about how cool RoR is, but simply expects SSL to work and lets hell break loose if it does not.

