One of the reasons the “Heartbleed” bug caused so much disruption is that OpenSSL is one of the most widely used software packages in existence. Companies like Cisco and Google, among many others, depend on it extensively. Yet despite being heavy users, neither company ever gave the OpenSSL developers any money.
One reason for that is the license OpenSSL uses, an Apache-style permissive license, which imposes very few restrictions on how the code may be used or redistributed. So while OpenSSL was able to build a large user base, it has been distinctly lacking in the ability to raise funds. Those funds might have paid for the additional eyes and review that could have found the bug before it had a chance to be deployed everywhere.
Every open source project has to decide which license to use. The so-called copyleft licenses, like the GPL, impose far greater restrictions on use: anyone who distributes a derived work must make its source code available under the same license. Projects under such a license can make money by selling an alternative commercial license that lets a customer keep their modifications private. A permissive license like OpenSSL’s already grants that freedom to everyone for nothing, so there is no such license to sell, and the project is dependent on voluntary donations to fund itself. And that just doesn’t work.
Now companies like Cisco and Google are establishing a fund for critical open source projects like OpenSSL to draw from. It’s a bit late in the game, of course, but perhaps better than nothing. Still, you have to wonder. If they had paid some token amount when they first started using OpenSSL, would it have come to more than the money they have since spent mitigating the “Heartbleed” issue? It’s hard to believe it would.