I want YOU to open source

No readers like this yet.
Open source in the military

Opensource.com

I recently went to the MIL-OSS ("military open source software") 2011 Working Group (WG) / Conference in Atlanta, Georgia. Topics included the open prosthetics project, releasing government-funded software as OSS, replacing MATLAB with Python, the "Open Technology Dossier Protocol" (OTDP), confining users using SELinux, an explanation of DoD policies on OSS, Charlie Schweik's study on what makes a success OSS project, and more. Some people started developing a walkie-talkie Android app at the conference. Here's a summary of the conference, if you're curious.

MIL-OSS 2011

First, a few general comments. If this conference is any guide, it is slowly getting easier to get OSS into government (including military) systems. OSS is already used in many places, but it's often "don't ask, don't tell", and there are still lots of silly bureaucratic barriers that prevent the use of OSS where it should be used or at least considered. But there were many success stories, with slide titles like "how we succeeded."

I want YOU to open sourceAlthough the conference had serious purposes, it was all done in good humor. All participants got the MIL-OSS poster of Uncle Sam (saying "I want YOU to Open Source!"). The theme of the conference was the WarGames movie; the first finder for each of the WarGames Easter eggs would get a silly 80s-style prize (such as an Atari T-shirt).

As the MIL-OSS 2011 presentations list shows, I gave three talks:

  • Publicly Releasing Open Source Software (OSS) Developed for the U.S. Government. This presentation explained when the government or contractors can publicly release software, as open source software, if it was developed using U.S. government funds. This presentation summarized my paper Publicly Releasing Open Source Software Developed for the U.S. Government (also see Kane McLean's one-page summary of this paper, the "OSS Releasability Quick Reference", which was given to every conference participant). I think this is an important topic. Billions of dollars go into developing software, yet most of the time, the taxpayers (who paid for it) don't get the benefits. It turns out that this software often can be released; this is the decoder ring for these Byzantine rules. This can have incredible benefits. For example, the DoD funded the work that created the Internet, and then released as OSS an implementation of its key TCP/IP protocols. The Internet has mightily benefitted the DoD, in fact, it's benefitted the whole world. (And yes, it had the required WarGames Easter egg. Slide 15 says "Talk to others who have experience with OSS" — the egg is in the supporting bullet, "Q: What is it doing? A: It's learning!")
  • Why the GPL Might not Destroy the Universe. This tongue-in-cheek talk tries to counter some of the silly, over-the-top fears about the GNU General Public License (GPL). I figure any presentation can't be bad if it includes photos of Godzilla, flying saucers, zombies, and a poster saying "If you program open source, you're programming COMMUNISM!"
  • HOST Lessons Learned (with Tom Dunn). This summarized interviews of various people on the roadblocks to using or developing open technology (including open source software) in the government.

The conference was complicated by the recent passing of Hurricane Irene. The area itself was fine, but some people had trouble flying in. The first day's whole schedule was delayed so speakers could arrive (using rescheduled flights). That was probably the best thing to do in the circumstance — it was basically like a temporary time zone change — but it meant that one of my talks that day (Why the GPL Might not Destroy the Universe) was at 9:10pm. And I wasn't even the last speaker. Eeeek. Around 15 speakers had still not arrived when the conference arrived, but all but one managed to get there before they had to speak.

Here are few notes on the talks:

  • Andy Henshaw (GTRI) spoke on "Replacing MATLAB: Python Tools for Scientists and Engineers." His basic point is that "Python is a good replacement for MATLAB in a lot of cases." Although Python isn't fast by itself, it's often useful as a glue, with the intensive data-handling being done by hand-crafted libraries. He focused on (and discussed) the libraries NumPy, SciPy, matplotlib, and ipython. He also discussed differences between MATLAB and Python for MATLAB users. In Matlab, the basic type is a matrix, it uses 1-based indexing, ‘*' means matrix multiplication, and function calls use pass-by-value with lazy copy-on-write. In contrast, in Python with libraries like these, the basic type is a multidimensional array, it uses 0-based indexing, ‘*' means element-wise multiplication (use dot() for matrix multiplication or use the matrix class), and function calls use pass-by-reference.
  • I learned interesting things about AdaCore (who make GNAT pro, SPARK Pro, and Code Peer). They don't have a separate support organization — their engineers provide support directly, since support is really what they sell.
  • Maj Wilson/Kane McLean discussed changing culture. They argued that the mind has two independent decision-making functions that work simultaneously: the emotional mind and the rational mind. The emotional mind is like an elephant; it's illogical and determined, emphasizes getting stuff done, and has mental "muscle memory." The rational mind is like a jockey; it's logical and reasoned, emphasizes organization but often can't "get off the saddle," and does long-term / strategic planning. You need to convince both, so you should try to shrink the change, shape a clear path forward, and repeat what works. They believe that culture change in a big bureaucracy happens from both the top (the "clouds") and the bottom (the "grass roots"); resistance often comes from the middle. The solution for change, then, is to "seed clouds" and "grow the grass."
  • The "Open Technology Dossier Protocol" (OTDP) was pitched by Winston Messer and Nick Bollweg. Basically, they'd like every OSS project to put, on their web site, a small XML file that would let various search systems learn more about their project. That way, each project can update their own information.
  • David Egts (Red Hat) explained "SELinux user confinement" - a new capability in RHEL 6 to easily confine users using SELinux. Just install the "policycoreutils-python" package, which includes the semanage tool that lets you control much more precisely what specific users may do.
  • Alex S. Voultepsis explained how the intelligence community (IC) has built up an internal infrastructure with the tools that people want to use; in a vast number of cases, they use OSS to do this. For example, Intellipedia is implemented using MediaWiki, the same software that runs Wikipedia.
  • Dan Risacher discussed the DoD Oct 16, 2009 memo on open source software. He noted that we have a "Government IP knot:" "Government rules are designed to enable a program manager to control their program, not to enable sharing it." A way to cut this knot is to make it clear that the software will be released as OSS; then everyone knows what the rules are. He wants to be a "developer advocate" - the DoD needs to be able to innovate faster than its opponents.
  • John Kuniholm presented on the "Open Prosthetics Project." He is missing part of an arm, and explained some of the complications of making prosthetics. A key need is really good open source CAD tools. That is a general problem, not unique to the military or government — currently the tools are hideously expensive, and until that changes, the promise of cheap 3D printers will be harder to realize.
  • Charlie Schweik has been doing a lot of quantitative studies of OSS projects, to determine what separates successful projects from abandoned projects. He expects to have a book on soon on this topic! In the initiation stage, the key factors were: Leadership by doing, clear vision, and well-articulated goals. Other factors were Project marketing; project financing; knowledge continuity; being a multideveloper project. A really key factor, once a project is initiated, is gaining a developer (and then gaining more later). There are many conflicting claims, e.g., some say that smaller groups are better (Brooks), that larger groups are better (Linus' law), or that size doesn't matter; his data shows that Linus' law is the correct one. Face-to-face communication doesn't seem to be as important as it used to be, due to better communication technology. He's gathered lots more info; I'm looking forward to seeing the whole thing.
  • One great thing was that everyone was motivated to actually solve problems, immediately. There is already an official DoD Open Source Software (OSS) Frequently-Asked Questions (FAQ), but there's a need for a less-official FAQ, so during the conference a new MIL-OSS OSS FAQ was created. On the last day there was a discussion between various software developers and military folks, particularly about military needs. A real problem in military situations — and disasters like hurricanes — is that centralized communications systems fail. Within a short time, people were suddenly developing an OSS walkie-talkie application for Android and hosting it on github.

Many discussions revolved around the problems of getting authentication/authorization working without passwords, in particular using the ID cards now widely used by nearly all western governments (such as DoD CAC cards). Although things can work sometimes, it's incredibly painful to get them to work on any system (OSS or not), and they are fragile. Dmitri Pal (Red Hat)'s talk "CAC and Kerberos From Vision to Reality" discussed some of the problems and ways to possibly make it better. The OpenSSH developers are actively hostile to the X.509 standard that everyone uses for identity certificates; I agree with the OpenSSH folks that X.509 is clunky, but that is what everyone uses, and not supporting X.509 means that openssh is useless for them. Every card reader is incompatible with the others, so every time a new model comes out, drivers have to be written and it often doesn't work anyway (compare that to USB keyboards, which "just work" every time even through KVM switches). I think some group needs to be formed, maybe a "Simple Authorization without passwords" group, with the goal of setting standards and building OSS components so that systems by default (maybe by installing one package) can trivially use PKI and other systems and have it "just work" every time. No matter that client, server (relying party), or third-party authenticator/authorization server is in use.

If you're interested in more of my personal thoughts about OSS and the U.S. Department of Defense (DoD), also see FLOSS Weekly #160, the interview of David A. Wheeler by Randal Schwartz and Simon Phipps. Good general sites for more info are the MIL-OSS website and the DoD CIO Free Open Source Software (FOSS) site.

There's more to be done, but a lot is already happening.

User profile image.
My professional interests are in improving software development practices for higher-risk software systems (i.e., ones which must be secure, large, and/or safety-critical). My specialties include writing secure programs, vulnerability assessment, open standards, open source software / free software (OSS/FS), Internet/web standards and technologies, and POSIX. Read more about me.

2 Comments

Good job, Wheeler!

Excellent review, Dr. Wheeler. And a special thanks to Josh Davis, John Scott and Kane McLean for pulling all this together...and to GTRI for providing space and southern hospitality. Look forward to next year!

This article was originally published at dwheeler.com/blog and is reposted with permission.