Why enterprises must do more to support open source software they use

CNCF panellists discuss what if the maintainer of that vital component goes under a bus

Some important software libraries are ubiquitous, incorporated into hundreds of thousands of applications. If you want to secure traffic OpenSSL is a very popular way to do it. If your Java application needs to output logfiles, then you use Log4J. You certainly don't write your own.

Which is all well and good until something goes wrong and you find, as in the case of Heartbleed, that OpenSSL was maintained by only two people. Another example: critical flaws have been found in the venerable compression library zlib, a standard component of Unix and Linux that is also included in software from NetApp, among many others.

When a corporate customer caught wind of a zlib vulnerability in the company's software, they asked what Intel was going to do about it, said Arun Gupta, vice president and general manager for open ecosystem at Intel.

"So we tried to get hold of Mark Adler (the principal maintainer) but he didn't get back immediately. I get it, and he's retired and a rocket scientist. He wants to be building rockets. So we said 'please fix it' and he said 'soon'. Trouble is that doesn't cut it for enterprise. You can't rely on that."

Fortunately Adler patched zlib the following day, but for Gupta, who is also chair of CNCF GB, it was something of a wake-up call, and he offered a member of his team to be a joint maintainer of the library.

This issue is sometimes called the 'bus problem' - what if the maintainer of this software that everyone depends on goes under a bus?

Luckily it is not as serious as it might seem, said Gupta, speaking in an analyst session at KubeCon & CloudNativeCon in Detroit last week. There are probably only a handful of such widely used libraries with one or two maintainers, but nonetheless it is still vital to get a handle on it. Even libraries with numerous maintainers can become obsolete, and ensuring core components are supported is a live topic at the Linux Foundation's OpenSSF and other groups in CNCF, he said.

Regrettably, there's no easy answer to the problem, said Matt Klein, software engineer at Lyft and best known as the creator of the service proxy software Envoy. A large part of the issue is that people think of open source software as being 'free', but it's not. Klein said that tens of millions of dollars in wages alone have gone into Envoy, and that his team has spent a lot of time and money swapping out obsolete dependencies. Sometimes the reason they become obsolete is that funding has dried up.

The point of open source, he went on, is not that it's free, but that it accelerates innovation and reduces time to market. And part of the deal for enterprise use is giving something back.

"This is not hobby hacker software. These are highly paid people that are dealing with this and making it usable for all of us. And if companies want to use and rely on that software, they don't necessarily have to be maintainers, but they should be funding contractors or giving money to the CNCF that can be spent on these projects."

He continued: "We need to change the narrative. It's not just magically available for everyone to use. The money's got to come from somewhere."