The vulnerability in OpenSSL has shocked the Internet community and has reverberated up and down society layers worldwide.
UPDATE 25-Apr-2014: After our original campaign ended oversubscribed we got featured in the New York Times. Now, by popular demand we are relaunching the campaign for 200 more t-shirts.
Is Open Source Safe?
Can the free and open source be trusted? How come the bug could stay hidden for over two years? Was it introduced intentionally? Those are some of the questions many are asking, but are those fair questions?
Because the code for OpenSSL is publicly available along with its change history, anyone can track down the change to date and time it was introduced and to the individual who committed the code. Only those who do nothing do not make mistakes. It is easier to point fingers and assign the blame than it is to effect positive change.
On the other hand, the open source promise of achieving higher quality and security by having multiple pairs of eyeballs reviewing and scrutinizing the code has to be questioned.
In reality most of the open source users are takers. A very small percentage contribute anything and only a fraction of those will care to thoroughly review their (or others’) contributions in context of the overall code base. In OpenSSL’s case that’s over 450,000 lines of code. Corporate-sponsored open source projects tend to do a better job of providing direction for the project and vetting the contributions because their brand name is often on the line. Purely community-driven projects often lack any formal organization and see a lot of arguments over features, endless flame wars on mailing lists and unavoidable attrition of talent as they get frustrated and/or busy with their paid careers.
Get a T-Shirt, Help the Cause
Did you know that the OpenSSL Foundation is not even organized as a non-profit? No wonder they are said to only attract $2,000 a year in donations. They are also the stewards of largely invisible product, unlike say Mozilla, who makes a popular Firefox web browser, so most people simply never even heard of their mission.
Let’s help them out. We are hoping to send the foundation at least a $1,000 and we need your help. We have launched a T-shirt campaign at http://teespring.com/iheartbleedopenssl (or click the image above). Please participate and share the message.