The obscurity of open source software projects.

With all the sturm und drang about the OpenSSL so-called Heartbleed vulnerability, I spent a good chunk of the previous week examining servers I own or maintain to determine whether I’ll need to upgrade, regenerate/revoke certificates, etc. It has not been pleasant, nor easy.

The challenge of maintaining infrastructure that seems to hum along without intervention can’t be overstated. In my personal and work life, turn-up of servers is not a day-to-day occurrence. Maintenance work gets slotted into the “do when there is slack time” column. And since those servers just keep chugging along without too much noise, they don’t rise up and get noticed. The unfortunate side effect of this is a slow, but steady, growth in open attack vectors on those critical infrastructure elements.

The obvious way to deal with this “low priority/high importance” work is to aggressively schedule it and get buy-in from management and one’s personal scheduler. It always takes more time than estimated to perform these maintenance tasks, because of changes in software features and operation — and sometimes obsolescence. The problem of obsolescence is the most dogged one, I believe.

I’ve used Cacti for many years to graph SNMP interface statistics, traffic, and memory usage collected from Linux, Cisco, and Zhone platforms. It’s a PHP application utilizing the LAMP stack and is lightweight and easy to use. In the chronology of web-based graphing of SNMP data, Cacti came after MRTG/RRDTool and allowed for easy creation and viewing of graphs from a web front end. Over the years, the pace of development and release cadence has slowed; the last released version was in August 2013. Since then, there seemingly has been a major restructuring of the code, but I can’t determine where the project is going.

There are tons of projects like this, powering important parts of the Internet’s infrastructure, each with communities that swell and wane as itches are scratched and new challenges found. Right now, ElasticSearch and the “ELK Stack” are hot and cool and fast — and quite useful — but in 5 years will there even be a way to download the code reliably or documentation that reflects the way the code actually works? I discovered OSSEC last year and was blown away by the completeness of the solution and the excitement of those who had been using it. But now the support of Trend Micro may be in doubt. Will the project sink into obscurity as attention wanes?

There are big challenges for those who must maintain infrastructure built on these tools. As the different software stacks “evolve” on different timelines, it falls to the users/administrators to step up and dig deeper into the code and discover, document, and attempt to correct problems. This is the lifecycle of FLOSS software and, upon writing this entry, I think that it’s a damn good thing (compared to the pay and pray model with commercial software).