
"Hope this email finds you well. Maintenance of pam_tacplus"

Few things annoy a FOSS developer more than a huge, multi-billion IT corporation that suddenly sends an email regarding an open-source project I've been running since the 1990s and recently shut down due to an absolute lack of interest from its users… which happened to be telcos and large IT companies. Here's what I replied:

Thank you for your email. As is often the case with open-source projects, their value to organisations is only noticed and appreciated when they go offline. I have maintained pam_tacplus for years, and it had the call for sponsorship prominently displayed for most of that time specifically because it's a legacy project that is difficult to maintain. None of the commercial companies that clearly do rely on it ever demonstrated any interest in even nominal donations, so it was archived. While it's notable that someone finally noticed it, I'm no longer the person to discuss its future development with.

I have worked in large companies and I do understand the sick logic that drives them, where it's easier to get approval for annual spending of $50k on office decorations than $100 for a mission-critical project which happens to be open-source and can be used for free for some time. But it's possible. If you're working in such a role, please make every effort to get this $100, because otherwise it will become your responsibility to develop and maintain code that you always got for free.

And if you're considering starting a new open-source project, you might want to consider publishing it under the Big Time Public License 2.0.0, which was kindly suggested by Fediverse readers, where this was originally posted and generated quite a lot of feedback.

Linux server with UEFI Secure Boot and LKRG

UEFI Secure Boot is a useful control to prevent trojanizing a server and is strongly recommended whenever you actually run a physical machine, either as a standalone server or as a host for virtual machines. On its own it's not particularly difficult to configure with mainstream Linux distributions, thanks to the fact that signing keys for distributions like Ubuntu are already distributed along with any modern BIOS. There's one particular scenario where some customisation is required — when you run a Linux kernel in Secure Boot mode and want to load additional kernel modules.


Trusted software supply chains with SigStore

Trojanised libraries are a growing problem in the software supply chain, because almost every Java, PHP, Python or Node project typically uses a dozen third-party libraries which then chain-load further libraries. Compiling a Java project or installing a Node or Python project is a continuous stream of third-party libraries loaded from repositories such as Maven, NPM or PyPI — and abuse is just a matter of statistics.


Current state of security scanners for C/C++

A lot has improved over the last few years in terms of the availability of C/C++ source code security scanners. Many scanners are now available for free to open-source projects, not only improving the security of common code, but also allowing developers to get some hands-on experience and learn how they operate. In this part I'm discussing Synopsys Coverity, clang-analyzer and AddressSanitizer.


State of web micropayments

As of 2021 there is little doubt that the world of web advertising is toxic and abusive for both the end users and content publishers, and negatively impacts web security. Are there any reasonable alternatives out there?
