Helmut Dersch: Panorama Tools – Open Source Software for Immersive Imaging – IVRPA Berkeley 2007 – Video


Panorama Tools - Open Source Software for Immersive Imaging Prof. Helmut Dersch - http://webuser.hs-furtwangen.de/~dersch/ IVRPA Berkeley 2007 Conference - h...

By: IVRPA - International VR Photography Association


Security Woes in Open Source: Don’t Believe the Hype

by John Linkous

It seems like such a short time ago: the massive and pervasive Heartbleed vulnerability, triggered by a flaw in the OpenSSL open source software product, left massive swaths of confidential information, including user names and passwords of public web services and private encryption keys, accessible to anyone with a browser and the knowledge of how to exploit the flaw. Of course, OpenSSL's Heartbleed vulnerability is not the only flaw that has recently been discovered in open source software. Right on the heels of Heartbleed, vulnerabilities within two popular packages for identity management, OAuth and OpenID, were discovered, potentially leading to compromise across a Who's Who of web properties: Facebook, Google, Yahoo, LinkedIn, PayPal, and many more.

All of these recently discovered flaws within open source software platforms have many people asking the question: Is open source software really safe? After all, these are products, packages and tools that are often developed in a highly decentralized manner, with contributors from around the globe who generally are tied together as volunteers. There is no HR process for open source projects' contributors (other than perhaps an evaluation of programming skills): what if an open source developer moonlights as a carder and inserts malicious code or a backdoor into an open source library? All the source code is available for anyone to see: what prevents a malicious attacker from scanning the code for vulnerabilities and writing tools to exploit them? Most open source packages are developed on a volunteer basis: what if the package maintainers simply decide not to patch their vulnerabilities, with no way to force them to do so?

All of these questions have been raised in recent weeks across industry media, blogs and tweets, in response to these discovered flaws. It's made for great FUD and commentary fodder, but how legitimate are these concerns?

Fortunately, to paraphrase Mark Twain, the reports of the insecurity of open source software are greatly exaggerated. First, a short bit of history. I'll be the first to admit: I was not always a fan of open source. My first experiences with open source software were in the mid-90s, with early distributions of Linux and its associated packages. Linux, of course, does not mean the same thing as open source. But the reality is that most people's first introduction to open source (including mine) was through that operating system or other open source BSD-based operating systems such as OpenBSD and NetBSD, which host thousands of open source projects through efficient package management systems. Back then, open source was trying to mark its territory, and its most vocal advocates were folks like Richard Stallman and Eric S. Raymond, who ranted seemingly endlessly about the evils of commercial software and how code should be free (as in freedom of speech, not necessarily as in free beer).

Failing to use the correct terminology to an open source acolyte, such as referring to the operating system as Linux rather than GNU/Linux, could get you neck-deep in a flame war on Usenet or IRC that might go on for days, and no amount of mea culpa would grant you quarter. In those heady days, it was a full-blown technology holy war, and you were either all-in with open source by contributing something to a package (code, QA and test, documentation, etc.) and, more importantly, eschewing commercial software, or you were the enemy. While those tactics ultimately helped open source in some ways, the libertarian philosophical bent and all-or-nothing approach alienated a lot of people who might have otherwise embraced open source a lot sooner. For me, it was a frustrating time and place for learning about open source.

Fortunately, along came some vendors who worked out the kinks, and I started to come around to appreciating the open source way. First was Red Hat, who established the first successful model for legitimizing open source with a real corporate face and a cohesive distribution of Linux. Other vendors followed suit, with distributions such as SuSE, Caldera and Debian improving on how open source packages worked with each other within the ecosystem of an operating system that was itself open source. Fast-forward to today, and open source is ubiquitous in the corporate world, standing equally alongside commercial software. Linux distributions such as Ubuntu provide a user experience that rivals any other OS.

Apple has adopted a variant of BSD, itself an open source operating system with thousands of open source packages, as the foundation of its OS X. Open source packages deliver countless foundation technology services to the enterprise, from name resolution (BIND and OpenDNS), to databases (MySQL, PostgreSQL, Hadoop, and others), reporting (Jasper), and business operations such as customer relationship management (SugarCRM). And of course, open source owns the lion's share of web application servers and HTTP platforms (Apache HTTP Server, Apache Tomcat, and JBoss). Even Microsoft, once vilified as the antithesis of the open source community by some of its more vocal members, is now recognizing that it needs to work with open source and is making efforts at improving open source package integration under new CEO Satya Nadella.

So, let's take a moment and talk about some of the concerns related to open source, and why they're generally illegitimate:

What about the people who write the code? While it's true that most open source packages are developed on a volunteer basis, it's also true that most open source project founders and managers are passionate about their projects and want to see them succeed. They actually control who can and cannot contribute to packages, and often will select people they personally know and trust as contributors. Many projects have very democratic approaches to development, and rely on extensive peer review to ensure that their fellow developers are developing quality code. This collegial model is something that commercial development firms often try to emulate, because they understand that it can result in better quality code. From a personality perspective, while it's true that the occasional nutter is discovered in the open source community (such as Hans Reiser), the quantity pales in comparison to bad behavior coming out of commercial Silicon Valley companies (RadiumOne and GitHub being only the two most recent examples).


Why open source software isn’t as secure as you think

Paul Rubens | June 13, 2014

The security of open source software relies on the community spotting errors -- but Heartbleed and other recent events suggest that that's not happening.

The OpenSSL Heartbleed fiasco proves beyond any doubt what many people have suspected for a long time: Just because open source code is available for inspection doesn't mean it's actually being inspected and is secure.

It's an important point, as the security of open source software relies on large numbers of sufficiently knowledgeable programmers scrutinizing the code to root out and fix bugs promptly. This is summed up in Linus's Law: "Given enough eyeballs, all bugs are shallow."

But look at what happened with OpenSSL. Robin Seggelmann, a German programmer from Munster University, updated the OpenSSL code by adding a new Heartbeat keep-alive function. Unfortunately, he missed a necessary validation in his code to check that one particular variable had a realistic value. The member of the OpenSSL development team who checked the code before the update was released also missed it. This caused the Heartbleed bug.

One reviewer, even a handful of reviewers, can easily miss a trivial error such as this if they don't know there's a bug to be found. What's worrying is that, for two years, the Heartbleed bug existed in OpenSSL, in browsers and in Web servers, yet no one in the open source community spotted it. Not enough eyeballs scrutinized the code.
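The missing validation described above is easier to see in code than in prose. The following is an added example written for this page, not OpenSSL's code: a constructed toy model of a heartbeat-style record (a type byte, a two-byte length claimed by the sender, then the payload) with two responders. The unchecked responder trusts the claimed length and copies that many bytes, so a request that claims more payload than it actually carried drags in whatever memory sits after the record; the checked responder refuses any request whose claimed length exceeds the bytes that really arrived. The arena layout, the 'S' marker bytes and the helper names are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model of a heartbeat-style record: one type byte, a
   two-byte big-endian length claimed by the peer, then the payload.
   Written for this page as an illustration; it is not OpenSSL's code. */
typedef struct {
    uint8_t        type;         /* 1 = request, 2 = response */
    uint16_t       declared_len; /* payload length the sender claims */
    const uint8_t *payload;      /* points just past the 3-byte header */
    size_t         record_len;   /* bytes that actually arrived, header included */
} heartbeat_t;

#define HB_HEADER_LEN 3

/* Vulnerable pattern: copies declared_len bytes from the payload without
   asking whether that many bytes were ever received. The only guard is on
   the destination buffer, so the source read runs past the record into
   whatever memory follows it. */
size_t respond_unchecked(const heartbeat_t *hb, uint8_t *out, size_t out_cap) {
    size_t n = hb->declared_len;
    if (n > out_cap) n = out_cap;
    memcpy(out, hb->payload, n);
    return n;
}

/* Hardened pattern: the claimed length must fit inside the bytes that
   actually arrived; otherwise the request is discarded without a reply. */
size_t respond_checked(const heartbeat_t *hb, uint8_t *out, size_t out_cap) {
    if (hb->record_len < HB_HEADER_LEN) return 0;
    if ((size_t)hb->declared_len > hb->record_len - HB_HEADER_LEN) return 0;
    if ((size_t)hb->declared_len > out_cap) return 0;
    memcpy(out, hb->payload, hb->declared_len);
    return hb->declared_len;
}

/* Constructed arena: a 5-byte record (header + the 2 payload bytes "hi")
   followed by bytes set to 'S', standing in for adjacent memory that must
   never be sent back. Returns the record length actually "received". */
static size_t build_arena(uint8_t *arena, size_t cap, uint16_t declared_len) {
    memset(arena, 'S', cap);
    arena[0] = 1;
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xffu);
    arena[3] = 'h';
    arena[4] = 'i';
    return HB_HEADER_LEN + 2;
}

static heartbeat_t parse_record(const uint8_t *arena, size_t record_len) {
    heartbeat_t hb;
    hb.type         = arena[0];
    hb.declared_len = (uint16_t)(((unsigned)arena[1] << 8) | arena[2]);
    hb.payload      = arena + HB_HEADER_LEN;
    hb.record_len   = record_len;
    return hb;
}

/* Number of 'S' bytes that ended up in the reply, i.e. bytes leaked. */
static size_t count_leaked(const uint8_t *out, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;
}

/* Malformed request claiming 60 payload bytes when only 2 arrived:
   the unchecked responder echoes 58 bytes of 'S' it was never sent. */
size_t leaked_bytes_unchecked(void) {
    uint8_t arena[128], out[128];
    size_t rec = build_arena(arena, sizeof arena, 60);
    heartbeat_t hb = parse_record(arena, rec);
    return count_leaked(out, respond_unchecked(&hb, out, sizeof out));
}

/* Same malformed request against the hardened responder: nothing leaks. */
size_t leaked_bytes_checked(void) {
    uint8_t arena[128], out[128];
    size_t rec = build_arena(arena, sizeof arena, 60);
    heartbeat_t hb = parse_record(arena, rec);
    return count_leaked(out, respond_checked(&hb, out, sizeof out));
}

/* Well-formed request: the claimed length matches what arrived, so the
   hardened responder still answers it with the 2 payload bytes. */
size_t echoed_bytes_checked_valid(void) {
    uint8_t arena[128], out[128];
    size_t rec = build_arena(arena, sizeof arena, 2);
    heartbeat_t hb = parse_record(arena, rec);
    return respond_checked(&hb, out, sizeof out);
}
```

The point a reviewer has to hold in mind is that `declared_len` is attacker-controlled input while `record_len` is what the transport actually delivered; a length check that compares the former only against the destination buffer, as `respond_unchecked` does, looks like bounds checking but guards the wrong side of the copy. Keeping the arena larger than any claimed length keeps this demonstration within defined behaviour; in a real process the over-read lands in whatever heap memory happens to be adjacent.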

Commercial Vendors Don't Review Open Source Code

Also alarming is that OpenSSL was used as a component in hardware products offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed Technology and Barracuda Networks - all of whom failed to scrutinize the code adequately before using it, according to Mamoon Yunus, CEO of Forum Systems, a secure cloud gateway vendor.

"You would think that it would be my responsibility as a vendor, if I commercialize OpenSSL, to put my eyeballs on it," he says. "You have to take a level of ownership of the code if you build a company based on an open source component."

Instead, Yunus believes vendors just regarded OpenSSL as a useful bolt-on to their hardware products - and, since it was open source, assumed other people were examining the code. "Everyone assumed other eyeballs were looking at it. They took the attitude that it was a million other people's responsibility to look at it, so it wasn't their responsibility," he says. "That's where the negligence comes in from an open source angle."


How to Start Contributing to Open Source

Contributing to open source can be a fun and rewarding experience, but it can also be difficult to know where to start. This article will guide you through making your first contribution to the world of open source; from deciding which project you want to get involved in, right through to raising your first issue and making your very first code contribution.

If you're not a programmer, or you just fancy a break from coding, this article also includes a list of ways that you can get involved in open source, without writing a single line of code.

What is Open Source & GitHub?

Open source is a method of software development that promotes transparency and collaboration. When a project is open source, not only can you download and use it, but you can view its source code too. This means that you can fix bugs, add new features, and generally make changes to the project. Being able to view the source code also gives you a greater understanding of how the software works.

If you've used open source software before, chances are you're already familiar with GitHub. GitHub is a website that provides repositories where developers can store and share their open source projects, but it's also a way for people from all over the world to collaborate on a single project. Once you've registered with GitHub, you can raise issues, suggest new features, and even contribute your own code to projects hosted on the website. Although GitHub is far from the only code hosting service out there, its popularity in the open source community means that it's a good place for newcomers to start.


Choosing a Project

After you've created your GitHub account, you need to decide which project you want to get involved in. This is where the sheer number of projects on GitHub can be overwhelming. In December 2013, GitHub announced that it had reached 10 million repositories, so you'll need a way of narrowing down your options if you're ever going to choose a project:

How GitHub Projects are Structured

Every GitHub project is stored in its own repository, which usually consists of multiple folders and files. Although project owners have the freedom to structure their GitHub projects however they like, there are some files that are common across most projects.


Oracle sees more SDN light, joins OpenDaylight


Oracle has announced it is joining open source software-defined networking (SDN) effort OpenDaylight as a silver member.

Big O will bake the software into Solaris 11.2 just as soon as it can and says doing so will mean its customers can use a common and open SDN platform with OpenStack to manage Oracle Solaris-based clouds.

Oracle joining OpenDaylight is both predictable and significant. It's predictable because, having thrown in its lot with OpenStack, it makes sense for the company to go all in by also joining OpenDaylight. It's significant because any time an organisation the size of Oracle joins an effort like OpenDaylight it's a positive endorsement of the standard.

It's also significant because it shows greater commitment to SDN from Oracle. As the company says in its spiel about the decision, including OpenDaylight will mean Solaris can control and use resources using the standard.

One more interesting nugget: Oracle says it will ... enable compatibility with OpenStack Neutron and OpenDaylight SDN to allow customers to deploy applications in highly available, secure and flexible Oracle Solaris virtual machine instances. That looks a nice little value-add to Solaris that, on top of Big O's other recent releases, makes Oracle look more and more like it is happy to cook up and run just about any kind of cloud.

It's worth noting, however, that Oracle hasn't gone all-in with OpenDaylight, as it has signed up for the lowest, Silver, level of membership.

