TANSTAAFL! The tragedy of the commons meets open source software

Fred Bals

Sep 10, 2020 / 4 min read

One of the reasons behind the popularity of open source is the volunteer communities improving and updating code. It's what software developer and author Eric Raymond called Linus's Law in action: "given enough eyeballs, all bugs are shallow."

A Purdue University study showed that Linus's Law does work: open source communities regularly issue patches faster than their proprietary software counterparts. But Linus's Law only works when there are enough eyes on the code, and there's no guarantee that the community behind any given open source project will continue maintaining it. Of the 1,500+ codebases examined for the 2021 Open Source Security and Risk Analysis (OSSRA) report, 91% contained open source dependencies that had had no development activity in the last two years.

OpenSSL, Heartbleed, and developer burnout


OpenSSL, an open source cryptographic library that implements the TLS/SSL protocols, secures a substantial portion of the web: as much as two-thirds of all active websites, plus hundreds of thousands of email servers, chat servers, and VPNs, as well as the network infrastructure of various military, government, and financial institutions.

At the end of 2011, a programming bug was introduced into OpenSSL's implementation of the TLS heartbeat extension: the code trusted the payload length declared in an incoming heartbeat request without checking it against the length of the record actually received, so a peer could read up to 64 KB of the other side's process memory (private keys, session cookies, passwords) with each response. The bug shipped in OpenSSL 1.0.1 in 2012 and remained undiscovered for more than two years before being reported by a Google developer in April 2014. Within 24 hours of its disclosure, the vulnerability, dubbed "Heartbleed" (CVE-2014-0160), was used to break into a major corporation and steal taxpayer data from the Canada Revenue Agency, according to a report in The New York Times. Although a patch was quickly issued, Heartbleed still lives on in tens of thousands of unpatched devices, with Shodan (an Internet of Things search engine) reporting over 91,000 exposed instances of the vulnerability as of late 2019.
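To make the bug concrete, here is an added example in C that is not OpenSSL's code (the real handler is longer and lives inside the TLS record layer). It models the heartbeat handler in its vulnerable shape beside the hardened one, then runs both against a constructed request that declares 512 payload bytes while actually carrying five. The simulated heap `sim_mem`, the planted secret string, the `hello` payload and all function names are assumptions made for this demonstration; the padding is zero rather than random to keep the output deterministic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16      /* RFC 6520: at least 16 bytes of padding */
#define SIM_MEM           4096    /* size of the simulated process heap (assumption) */
#define MAX_RESPONSE      (3 + 65535 + HB_PADDING)

/* Simulated process memory, constructed for this example. The incoming
 * heartbeat record sits at offset 0; a planted "secret" follows it, standing
 * in for whatever the allocator left next to the record buffer. Keeping the
 * over-read inside this array keeps the demo itself free of undefined behaviour. */
static unsigned char sim_mem[SIM_MEM];

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *out);

/* Shared tail: build the response once the payload pointer/length are trusted. */
static int hb_respond(const unsigned char *payload, uint16_t payload_len, unsigned char *out)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload_len >> 8);     /* s2n: big-endian length */
    *bp++ = (unsigned char)(payload_len & 0xff);
    memcpy(bp, payload, payload_len);              /* echo the payload back */
    bp += payload_len;
    memset(bp, 0, HB_PADDING);                     /* OpenSSL used random bytes here */
    return (int)(bp - out) + HB_PADDING;
}

/* Vulnerable shape: the declared length comes from the peer's bytes and is
 * never compared with rec_len, so memcpy walks past the end of the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                 /* never consulted */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);   /* n2s */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return hb_respond(p, payload_len, out);
}

/* Fixed shape: reject the record unless header, declared payload and the
 * minimum padding all fit inside the bytes actually received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec_len)              /* too short to be valid at all */
        return -1;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)  /* the missing check */
        return -1;
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return hb_respond(p, payload_len, out);
}

/* Lay out a request in sim_mem: type, declared length, the 5-byte payload
 * "hello", 16 zero bytes of padding, then the planted secret just past the
 * record. Returns the true record length. `declared` must stay below
 * SIM_MEM - 3 so the vulnerable copy stays inside the simulated heap. */
static size_t plant_request(uint16_t declared, const char *secret)
{
    memset(sim_mem, 0, sizeof sim_mem);
    size_t n = 0;
    sim_mem[n++] = TLS1_HB_REQUEST;
    sim_mem[n++] = (unsigned char)(declared >> 8);
    sim_mem[n++] = (unsigned char)(declared & 0xff);
    memcpy(sim_mem + n, "hello", 5);
    n += 5;
    n += HB_PADDING;                               /* zero padding already in place */
    memcpy(sim_mem + n, secret, strlen(secret));
    return n;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Run a handler against a request claiming `declared` payload bytes.
 * Returns 1 if the planted secret shows up in the response, else 0. */
int leaks_secret(hb_handler handler, uint16_t declared)
{
    static unsigned char out[MAX_RESPONSE];
    const char *secret = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */
    size_t rec_len = plant_request(declared, secret);
    int n = handler(sim_mem, rec_len, out);
    return n > 0 && contains(out, (size_t)n, secret);
}

/* Response length for a well-formed request (declared length 5 == actual). */
int well_formed_response_len(hb_handler handler)
{
    static unsigned char out[MAX_RESPONSE];
    size_t rec_len = plant_request(5, "");
    return handler(sim_mem, rec_len, out);
}

int main(void)
{
    printf("declared 512: vulnerable leaks=%d, fixed leaks=%d\n",
           leaks_secret(heartbeat_vulnerable, 512), leaks_secret(heartbeat_fixed, 512));
    printf("well-formed: vulnerable=%d bytes, fixed=%d bytes\n",
           well_formed_response_len(heartbeat_vulnerable),
           well_formed_response_len(heartbeat_fixed));
    return 0;
}
```

The fixed handler behaves identically to the vulnerable one on a well-formed request (both return a 24-byte response for the 5-byte payload) and differs only in rejecting a record whose declared length cannot fit in what was received; that single comparison is the whole patch. Note also the order of checks in the fixed version: the minimum-length test comes before the header is even parsed, so a one- or two-byte record cannot cause an over-read of the length field itself.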

Steve Marquess, the former CEO of the OpenSSL Foundation, noted in a blog post that the coding error leading to Heartbleed was partially attributable to developer burnout. In 2011 there was only one overworked, full-time developer on the OpenSSL project. "There should be at least a half dozen full-time OpenSSL team members, not just one," Marquess wrote. And that developer should be "able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work." Things have improved somewhat in 2020. There are now 18 contributors listed on the OpenSSL site and their work is funded through at least 2021, thanks to a grant from the Linux Foundation Core Infrastructure Initiative, a project dedicated to distributing resources to open source projects that are critical to the security of the internet. But the Heartbleed bug is what happens when people ignore the TANSTAAFL price.

The TANSTAAFL price


In the 19th century, "free lunches" were a popular saloon promotion. Patrons still had to buy a beer or other drink to wash down whatever food the barkeep offered, and that was the catch: profits on whiskey and beer sales more than compensated the saloon for putting out the free lunch spread, which often was little more than soup, crackers, and problematic pickled eggs. Popularized by science fiction author Robert Heinlein in The Moon Is a Harsh Mistress, TANSTAAFL ("There ain't no such thing as a free lunch") reminds us that everything has to be paid for, whether the price is evident or not.

With popular open source code, the TANSTAAFL price has been the increased pressure on its maintainers, the people who handle bug reports, feature requests, code reviews, and code commits for their "free" software. Increasingly, as open source use grows, the TANSTAAFL price has been developer burnout and abandoned projects.

It's the tragedy of the commons in action: a resource growing so much in popularity that it can't remain viable unless the community shifts from exploiting it to sustaining it. Witness the Twitter thread started by James M. South, creator of several popular open source libraries, who bemoaned the fact that "#ImageSharp passed 6 million downloads this weekend and I'm a lot less happy about it than I probably should be."

Why? South goes on in several follow-up tweets: "Over 5 years of development there have only been 98 collaborators, 23 of which have made more than 10 commits…. it's not about money, it never was and never will be, it's about sustainability."

Several other developers chimed in with their experiences: "…a similar story for #FluentValidation. Over 41 million downloads … 140 contributors, but only 1 has made more than 10 commits." "Same with ReportGenerator… 15 million downloads but not a single sponsor."

Too few of the people and organizations who rely on open source software contribute to the projects they use. If you're a developer with a favorite open source component, you can contribute by writing code, sharing your modifications, reporting bugs, crowdfunding, letting the maintainers know how you are using it, and helping others get started. That last may be the most important thing you can do for any open source project: helping build a user community large enough to sustain it.

While development support is important, it's not necessarily just about the code. Whether you're a writer, translator, designer, or information security or legal specialist, the chances are good that you too can help support the community in some fashion.
