by sanguy 1635 days ago
You would be shocked at how much "military critical" software is built on OSS tools, libraries, and code bases. More shocking is that the primary contractors charge top rates, contribute little to OSS, and try to hide the OSS usage from the end client.

You'd in turn perhaps be shocked at how much OSS software originates in militaries.

Especially in the software security / cryptography space — if a crypto algorithm isn't literally designed by some military, it's often designed by some mathematicians who were contracted by a military to come up with an algorithm with some particular nice set of properties, who then (probably much later) reused their paid learning to create another algorithm with similar nice properties for public use, but different enough that it doesn't "give anything away" cryptanalytically about its confidential progenitor algorithm.

"Opened" projects like Tor or Ghidra aren't at all uncommon, either. The unusual part with those projects is that we know where they came from; usually such things are thoroughly scrubbed of their origins and handed over to a maintainer with a public identity, who is to claim that they created it themselves.

Can you name some projects that have been scrubbed and handed over?
That would rather put to waste the effort of scrubbing them, no?

A lot of the reason for the scrubbing isn't confidentiality of authorship per se (though obviously that's important), but rather optics. If people see a FOSS project described as being e.g. "created by the NSA", they'll get skeeved out of using it or contributing to it, even if the NSA is no longer involved (or is only involved in the sense that people who happen to work at the NSA contribute to the project as civilians, in their time off, without the goals of the NSA driving the contributions).

Most of these opened projects are just a result of people in the organizations seeing a genuinely-good project that was created as a byproduct of some project — probably by some contractors that were actually decent for a change — that nobody internally can get the resourcing to maintain any more, and so is going to be canned and replaced — and thinking they can advocate to give it a new life as a civilian asset. People thinking of the public good, basically. If revealing the origins of the work would void that benefit to the public good, they'll fastidiously avoid doing so.

NSA opening up Ghidra didn't seem to stop it from becoming a very popular reverse engineering tool though.
Not always. ATAK[1] was released open source on purpose so emergency services and civilians can use it too.

[1] https://github.com/deptofdefense/AndroidTacticalAssaultKit-C...

SELinux was contributed by the NSA. Doesn't really stop people from using it.
Apache NiFi and Accumulo do come to mind, both out of NSA.
And SELinux, still from the NSA.