
U.S. Department of Defense officially adopts open source

The DoD has officially adopted open source. Jack Wallen thinks this heralds a new era for the open source community. Read on to find out just how this affects the open source software movement.

It's been no secret that the DoD has considered open source for a long time. Consideration has finally reached adoption. The proof? A new site, Forge.mil, based on SourceForge.net, will serve as a repository for open source, defense-related software. Anyone can join the site, so long as they have a DoD, CAC, or ECA certificate. The site currently contains only information and no code. The site itself is nothing more than the SourceForge code updated to meet DoD standards.

According to a writer on Slashdot, anyone will have access to the code on the site. I have yet to find any validation of this claim. There are currently only three projects on the site. One of those projects, Bastille, aims to aid in the automation of server configuration. Another project manages requests for proposals. The final project currently on the site automates the secure configuration of Solaris systems. DoD administrators predict there will be 20 projects on the site in the next six months.

Of course, this is fantastic news for open source. What this does is validate, without question, the legitimacy of the open source model. But there is one issue I would like to bring up with regards to this project. I understand this is the DoD we're talking about, so keeping this software out of the hands of the general public seems understandable. But if, in fact, the general public does not have access to the code, is this really open source? Or is this the DoD taking advantage of the nature of open source?

This all comes, of course, on the heels of newly inaugurated U.S. President Obama, who has promised an open U.S. government. So under an Obama presidency we could enjoy open source software used government-wide and the DoD embracing open source for defense software. How does this scenario play out in your imagination? In mine it plays out with open source software gaining serious traction in a country where it has had problems finding acceptance. When the government and the DoD see that open source is a viable solution, more and more corporate HQs will have less and less reason not to accept open source.

Although I find the obfuscation of the code for the DoD open source applications (and I do understand the necessity of this) at odds with the fundamental ideal of open source software, I am thrilled this is happening. This is Linux reaching the peak of a mountain it has been climbing since the mid 90s. Well, it seems open source has reached that peak and should enjoy the rewards for this long, hard, uphill battle.

Congratulations, open source community. This is a big win for you.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

36 comments
zclayton2

My simplistic take: I see the forge.mil domain as a repository for user modified (security checked) software. My understanding of the various FOSS licenses is that you do not sell such modifications. Depending on the license, you do not necessarily have to make them available for others to use, you just can't charge for them if you do.

rob.vietmeyer

As the project lead for Forge.mil let me attempt to set the record straight. Right now we're just in beta, and I'm working through all the hoops to make the content more publicly accessible. We do want to have public access to OSS developed on the site. In terms of licensing, the individual project teams can pick the OSS license that's most applicable for their effort. We're not mandating a single OSS license. So far, we're seeing GPL, LGPL and Apache. Also, we are worried about the inappropriate forking of existing OSS software. Part of our project approval process is to steer proposed projects to existing OSS communities where that makes more sense than creating a new project on forge.mil. We're still learning, but I think Forge.mil has tremendous potential.

lewinskys

Quote: [But if, in fact, the general public does not have access to the code, is this really open source? Or is this the DoD taking advantage of the nature of open source?] I think with OPEN SOURCE, anyone has access to the original code, and is free to modify it for their own purpose. This doesn't mean THEY have to make it available to the public. If they were to sell it, THEN they also must make it available openly also.

alzie

Awesome for open source! Even though the DOD apps would be seriously proprietary, the OS doesn't need to be. All that the DOD cares about is the security of the OS. So far, it's been doing well.

maureyed

Great! If there is one thing that the DoD doesn't believe in, it is openness. Period. Also, it's wonderful to know that the next generation of hydrogen bombs may have been facilitated by the open source community's work. Makes me proud! Ed Maurey

djohnson

For purists, there is always the belief that the ideal has been reached. But consider:

1. Security to military and government code cannot be shared. By necessity it must be closed.
2. If the code is open, which licensing (GPL?) are the military and government adhering to/supporting?
3. Is the code shared with reservation with option to at-will close it at a later date regardless of what source it came from?

shryko

When you're guaranteed that this stuff will be running some of the more sensitive/secure servers the government has out there, a vulnerability being exposed for even a day could mean a tactical problem for troops in the field, as most people who would be trying to find flaws would be foreign programmers, most likely for espionage purposes, if not out-right damaging malicious purposes (I say this because there's a LOT of governments out there that would like to keep an eye on the US DoD's systems... and what better "eye" to keep than a trojan?)... As such, I expect that they would require you to be certified by the DoD before you get any kind of access, as a matter of security! (not saying this will result in better code, or safer systems... just saying it's probably why they're taking the path they have apparently chosen)

mta0907

I hope that people in the open source community are not thinking that the DOD should make their source code available to everyone, because this would be a security risk of the highest level. I am confident that the original source used is publicly available but is later modified for DOD specific use. This DOD modified version should never be made available to the public.

etkinsd

The approval for using open-source software is good. However, the implementation is all wrong! When I want to use open-source, I want to use an unadulterated version and not some version that some DoD contractor hacked up to make it "approved for DoD use".

Jaqui

Just how accurate is this source? After all, the comments on the Slashdot article point out a couple of glaring faults with the claims in the article: http://news.slashdot.org/comments.pl?sid=1111605&cid=26684093

Edit to add: sent this to the U.S. D.o.D.

Reading the "article" on Slashdot about the "new" DoD site forgemil.com, then the comments on said article. http://news.slashdot.org/article.pl?sid=09/02/01/1259203

Comment that raises a question: http://news.slashdot.org/comments.pl?sid=1111605&cid=26684093

My question: How long before the U.S. D.o.D. refutes this hoax or verifies the article by including forgemil.com in the list of D.o.D. websites?

Jaqui

Jaqui

...as a viable solution for enterprise use? No. It validates that it is a viable option, but that is as far as it goes. If the ENTIRE US Government went to ONLY open source, that would have the "solidify" effect. The US Army has long supported open source, in their own way; the US Army game is available for Linux, Windows and Mac. ["Call of Duty" is the game company response to the FREE game the US Army produces, very similar products.]

d.thiedeke

I think it is a definite step in the right direction. I wish the Australian government would take this step also. The development of these applications can only help Open Source as a whole.

hramsdell

The company I work for, TSRI, does a lot of work with the DoD, mainly in the areas of legacy system transformations. And a lot of times we have to worry about finding flaws in the systems. Are these non mission critical systems that are using OSS? I would hope so. Also, how do your developers maintain up to date detailed documentation? You may want to take a look at our site; we've recently started offering free OSS documentation for developers/engineers. It may help in your efforts to demonstrate/understand the systems. If you don't see a system you need on that site let me know and I'll get it added to our queue. http://rhs.softwarerevolution.com/portals/ For full access to the entire documentation set use: username: guest password: guest

Good Luck!
- Howard Ramsdell, Software Engineer, The Software Revolution Inc.

Neon Samurai

The US gov's computer spooks hit their own networks as hard as they hit foreign government networks. The Chinese computer spooks also test their own systems as hard as they test foreign governments. Really, any government with tech savvy is doing this, as are businesses and organizations. I believe it's corporate law that a third party penetration test and security audit be conducted quarterly in the US and Canada. Breaking into one's own network is an ongoing process of actively keeping security as tight as applicable. I don't think anyone goes; "ok, our servers are rock solid, you guys ignore our own networks and see if you can get into that country over there."

Neon Samurai

I think the Military is using mechanisms a little more robust than source code obscurity to secure information. For those that are researching vulnerabilities to exploit, the lack of source code is already a non-issue since fuzzing tools work against the compiled binary and hardware as it is. They're not interested in fixing the found flaws so they don't need the source code to provide a patch against along with a bug report. Similarly, the NSA offers a free service to audit anyone's programming. You send them the compiled program and they give you a report of how long it took to find and exploit vulnerabilities in it; not "if" but "how long". The NSA being the people who originally developed the SELinux system and kernel modules. SELinux is available to the public without reducing the safety of systems protected by it. Keeping the source code hidden would only serve to limit potential bug fixes by researchers focused on improving security rather than exploiting it. Since the DoD is probably not distributing the customized programs, they also would not be bound by the software license. MIT and BSD don't require changes to be passed back and the GPL only requires changes and source to be made available if you distribute your version of the software.

jck

DoD and their contractors modify a lot of things. Unless it is SBU, DoD-S, TS, etc., you really don't have to worry about it. Sometimes the DoD builds their own search engines for public use. It would be no biggie to share that sort of thing.

jdclyde

...is the same thing they currently do to Windows. They have a long list of services that MUST NOT be running, and run an audit CD to make sure. It ensures going back to the "off by default" rule, and then only enabling what is deemed to be required and safe. I know someone that goes around with a crew world wide to anyone that wants to do business with the DOD. His crew certifies the computers, network, servers, and physical site or you don't get the contract.

Neon Samurai

Some are of the opinion that, while making it more accessible, Canonical has made some poor choices repeating the errors of other platforms. For those people there is Debian and many other distributions to choose from. If the military's in-house distribution is considered broken for one's needs, there are other distributions to choose from.

jlwallen

I too questioned the validity of this. But then I think I finally realized that a DoD .mil address most likely wouldn't be accessible to the public in the first place, so most likely this was a "public" address just to show the greater population what was going on. If you wouldn't mind, report back here what the DoD says.

william.purcell

For many years, the DoD has classed software as Commercially Owned Software (COS) or Government Owned Software (GOS). GOS is typically software developed by government staffs or by commercial developers under government contract for a specific application, utility, etc. A lot, but not necessarily all, of the GOS is freely shared among agencies of the DoD. In fact, it is sometimes shared with other Federal Agencies outside of DoD. But this has always worked more in theory than practice since there was never an easy way to know what GOS is really available. Perhaps this new site is a formalized way to advertise the availability of certain GOS to other agencies that might have a need for it. Hopefully, one requirement for this site would be that the software is based on Open Source standards with no proprietary extensions embedded. If so, the site will definitely open a lot of opportunities within the government, but will probably not trickle out to the rest of the Open Source world. Just a guess....

TNT

I'm a fan of open source, but I have mixed emotions regarding this move. Many countries use open source software and OSes so I'm not sure US adoption means that much more on a global scale, though it may lend credibility to corporate America. But personally, I kind of like the fact that the government uses home-grown software and buys from US companies. If government goes open source, what does that do to Microsoft and Apple? Schools are still a part of government (mostly) and are Apple's biggest clients. The other uncomfortable emotion regards security. I'm glad the DoD site is closed and not open because I don't want foreign nations knowing exactly what our government is using and learn how to exploit it. But moving to open source alone opens us up to being targeted by hostile nations and terror groups in a way that proprietary solutions do not. So like I said in the title: Mixed emotions.

Sagax-

Let me begin by saying that herein I refer to a medium to long term view. Tomorrow will look much the same as today.

1. DoD can examine ALL of the code for security and propriety.
2. All APIs are known.
3. No single source "lock-in".
4. A stable base for application development.

For the OSS community there will be a very large source of employment and training. There is also the possibility of the DoD requirement of Open Document Format for communication with and among them. All in all the downline prospect for a large growth (both numerically and personally) among those technically competent in OSS apps and Unix-like OS administration is tremendous.

maureyed

Granted. But, I find the US DOT utterly repulsive. As a fellow Canadian I would think you would, too. Alfred Nobel was horrified at the military use of his invention. The amorality of most of the techies' replies is disturbing but not surprising. All they foresee is, "Jobs, jobs, jobs."

Neon Samurai

Think how nice it would be for all us mortals to slap in a boot disk and have the Windows system hardened Bastille-style. Any BartPE geniuses out there want to give it a go?

Jaqui

The auto reply, nothing from the DoD, which is about par for the US Government... to a non US Citizen.

NickNielsen

Some pages are generally accessible by the public, others aren't. The public web pages at the various services and most military bases can be reached from any PC. (For example: http://www.af.mil or http://www.shaw.af.mil/) These are the public web pages and are usually run in front of the base firewall. More complete and in-depth pages run behind the base firewalls and are only accessible from other DOD PCs (the NIPRnet). The information on these pages is not classified, but is considered sensitive and not for release to the general public. I understand this network has been hacked. The secure network (SIPRnet) is completely isolated from the internet at the physical layer and can only be used by PCs with closely controlled IPs AND using appropriate encryption equipment and codes. All connections are physical, no wireless is allowed. To the best of my knowledge, this network has not been hacked. Disclaimer: My direct knowledge of this subject is 10 years old. YMMV.

Neon Samurai

DoD and organizations with that kind of resources can already sign a non-disclosure and examine all the source code. Granted, they'll then likely take the precompiled binary rather than compile the exact source they've reviewed. Places where security is that much of a concern aren't using Windows anyhow. APIs are the same; if you pay, MS will show you the API documentation but you have the NDAs and such there also. For a gov or organization like DoD that they are afraid of losing a contract with, they'll bend over backwards. Lock-in is a pretty good reason to consider other solutions though. For historical record keeping alone, but then you have constituents across many platforms that have to be able to read documents also. It would definitely benefit the gov, military and OSS development in general unless the DoD kept all the code changes to themselves. I'm only meaning to point out that things like access to code which is impossible for us mortals is well within the realm of possibility for DoD (heck, even the Chinese government got source code to review).

NickNielsen

Why do you find the US Department of Transportation so repulsive? What have they ever done to you?

RipVan

...to starry-eyed, impractical purists. It also keeps them from being forced to work for the Hitlers of the world. Oh, I forgot, to some people, just preparing a defense makes the purists look at those folks as the Hitlers. I guess we should all adhere to that mindset so that we don't get labeled. "Heil!"

Neon Samurai

Any military's reason for existence is to smack the other country harder than they can smack you, and any tool that makes the military more potent is going to be developed and used. In the case of free software though, one of the core tenets of the popular license is that the software is there for use as the hardware owner sees fit; even if that means Mr Stallman visiting Cuba.

Neon Samurai

Yeah... my scars from limited mil experience still linger, so I'm more open to that kind of policy than most civilians. I can see how it would quash a lot of the things people blindly love for convenience at the expense of safety.

jdclyde

...most services morals in the civilian world use. He showed me that, I showed him "ultimate boot disk". He liked it, very much. B-) Then we went to the pistol range, and I spanked my big brother's a$$.... ;\
