Network World - The sendmail and Snort security bugs exposed last week brought front and center the unique challenges inherent in producing and applying patches to open source software.
The bottom line, experts say, is that corporate users should be aware that open source patches can be produced quickly but won't necessarily come from a trusted source. Also, it is difficult to track software that might need a patch.
"With open source you really have a double-edged sword," says Dan Ingevaldson, the team leader of X-Force Research and Development at Internet Security Systems, which discovered the sendmail bug. "It's very open but there is no single point of contact where there is a list of enterprise customers using the code."
That could foster a disconnect between code developers and users not plugged into mailing lists.
In the sendmail case, code creator Eric Allman was notified of the bug and then informed companies such as HP, IBM and Sun, which he knew had the 15-year-old open source code in their commercial products. Those vendors then developed patches for their own customers.
But Allman says, "on the open source side, you don't always know who picked up the software. You can get the big companies, but for all the others you just announce the problem in the appropriate places."
On the closed source side, a central point of contact, say Microsoft, becomes the flash point for OEMs and other known licensees of products. But the criticism against closed source vendors is that often they don't respond quickly or at all until hackers release exploit code.