by crpatino
4439 days ago

This is yet another manifestation of the dark side of the open source movement: the expectation that the generosity of the few must always support the comfort of the many. More than once I have commented that the only missing feature of the GPL is that all free software must be distributed in source code, and compiled/built from scratch on every system it is to be deployed on. Binary distribution requires a parallel form of licensing with appropriate fees/royalties. Your case would easily be solved if you were willing to pay an expert provider for their know-how in implementing this type of solution. This solves reasonably well the problem of reliability (the customer is unable to tell a lemon from the real thing, but is at least able to demand a refund or sue in case of breach of contract on the part of the provider). This does not have to be expensive either. For a couple of hundred USD you could have access to standard configurations, designed to meet the common needs of most customers. Or you can pay premium (a.k.a. consulting) fees to have a tailor-made solution built for your particular needs.

But if I just find a configuration online and use it, am I 'cargo culting' as the OP warns me against? And if I pay someone for it instead of finding it online for free, am I still just 'cargo culting'? $200 or not, I'm still just taking what someone else gives me and plugging it in. I guess in either case it depends on who I get it from, and how I am deciding their reliability.
I don't think it's the 'dark side of open source' to suggest that Apache would be doing a service to its users by providing an out-of-the-box config that's actually secure. I realize they don't 'owe' it to me, as they 'owe' me nothing at all, including continuing to provide httpd at all. But let's say httpd was completely unstable out of the box, crashing all the time, unless you used expert knowledge to configure it to be stable, possibly by paying an expert $200. Would it be the 'dark side of open source' to suggest that made it less high-quality software than it could be, that to be quality software it needs to be stable for most common use cases out of the box?
In 2014, I think expecting software that supports SSL to be actually secure out of the box for, as you say, the 'common needs of most customers', is just the same as expecting it to be reasonably stable. Doesn't mean it will be, doesn't mean the open source developers 'owe' us anything, but users making their expectations and priorities clear is part of what influences developer priorities too.
But you know what, yeah, I'm going to go there: if in 2014 you are supplying software to users (whether open source or not, whether free-as-in-beer or not) that supports TLS/SSL, or any other crypto, then you _do_ have some responsibility to supply actually secure software, or you are doing a disservice to your users (whether or not they are paying you) and to the internet at large. I don't think this is actually a very controversial statement. Nobody has to supply crypto software, open source or proprietary, for free or for $. But if you are, then, yeah, you have some responsibilities to do it right. We can certainly disagree on what 'do it right' means, but few would disagree with the basic sentiment.
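To make the thread's point concrete rather than a matter of "cargo culting" a config found online, here is an added example (not part of the thread, and not Apache's shipped default) showing the kind of mod_ssl settings that were "works out of the box" in 2014 next to a hardened equivalent, with the reason for each directive as a comment. The hostname and certificate paths are placeholders; it assumes mod_ssl and mod_headers are loaded on an httpd recent enough to know `SSLCompression`.

```apache
# Added example, not Apache's own default config. Assumes mod_ssl and
# mod_headers are loaded; hostname and certificate paths are placeholders.

# --- Permissive, "just works" style settings (shown for contrast, do not use) ---
# SSLProtocol all            # leaves SSLv2/SSLv3 enabled
# SSLCipherSuite DEFAULT     # library default at the time could include RC4,
#                            # export-grade, anonymous and NULL ciphers
# (no SSLHonorCipherOrder)   # the client, not the server, picks the suite

# --- Hardened equivalent, each line with the reason it is there ---
<VirtualHost *:443>
    ServerName www.example.com                  # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem     # placeholder path
    SSLCertificateKeyFile /path/to/key.pem      # placeholder path

    # Drop the legacy protocol versions; keep everything TLS.
    SSLProtocol all -SSLv2 -SSLv3

    # Let the server's preference order win over the client's.
    SSLHonorCipherOrder on

    # Forward-secret (ECDHE/DHE) AES suites first; exclude anonymous, NULL,
    # export-grade, DES, RC4, MD5 and PSK suites entirely.
    SSLCipherSuite ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

    # TLS-level compression can leak information about encrypted content.
    SSLCompression off

    # Tell browsers that this host is HTTPS-only for a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

The point of the comments is the one the reply makes: a default you understand is not cargo culting, whether it came from the vendor, a consultant, or a forum post, and you can verify the result against the server with any TLS scanner rather than trusting the source.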