Forgot your password?
typodupeerror
United States

Defense Dept. Memo Explains Open Source Policy 387

Posted by timothy
from the bureaucracy-miring-in-itself dept.
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
This discussion has been archived. No new comments can be posted.

Defense Dept. Memo Explains Open Source Policy

Comments Filter:
  • by sould (301844) on Tuesday June 03, 2003 @12:30AM (#6103006) Homepage
    ....make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    Except it's not really like that is it?

    OSS is not a toddler - it's tends to be just as mature as proprietry equivilants.

    So it should be covered by similar guidlines.

    Which is all memo says really.
    • Also known as the 'trainspotting' child policy.

      iopha
    • by zurab (188064) on Tuesday June 03, 2003 @02:06AM (#6103396)
      OSS is not a toddler - it's tends to be just as mature as proprietry equivilants.
      So it should be covered by similar guidlines.
      Which is all memo says really.


      Mostly. But I found couple of things that bothered me a little:

      "OSS refers to software that is copyrighted and distributed under a license that provides everyone the right to use, modify and redistribute the source code of software. Open source licenses impose certain obligations on users who exercise these rights." [Emphasis mine]

      This is not entirely true. Most open source licenses that I know of do not impose any obligations on *use* of the software (unless you consider warranty disclaimer as an obligation). These types of obligations usually come with proprietary software and licenses.

      "Certain restrictive open source licenses allow users to copy, modify and distribute software..." [Emphasis mine]

      "Restrictive" is a relative term. That's why I say, make all Open Source apps double-license - one Open Source license of choice, the other - binary only regular EULA with all its conditions. Let users choose which one they want. They will not call this software "restrictive", "cancerous" or any other names anymore.
    • Erm... (Score:3, Insightful)

      by KrispyKringle (672903)
      In defense of timothy, I may as well point out that his statement was clearly not a comparison of OSS and toddlers. I don't think there was any opinion, either expressed or implied, metaphorically comparing Open Source Software with young, as-yet undeveloped children.

      It was a joke about how strict the regulations were. Didn't you see the part about sticking to the ceiling like a spider? That's not normal human child behavior, hence, the stated regulations that would require such would be unreasonably str

    • by Anonymous Coward on Tuesday June 03, 2003 @04:48AM (#6103917)
      Yes and no... Yes, OSS should be just as mature and reliable as accepted propreitary equivalents, and that is partially what the guidelines are saying. No, OSS doesn't get to be used just because it is widely considered to be mature and reliable, and here's where the difficulty comes in.

      The referenced guidelines require that all Information Assurance applications MUST have gone through the NIAP certification process. This includes security scanners like nmap or nessus, lockdown tools like bastille, intrusion detection systems like Snort, and also (I think) any security-enabled applications like OpenSSH, or really anything OpenSSL-enabled like Apache, and even the operating systems that run them. With the current certification requirements, it is incumbent upon the vendor to pay to have a certified 3rd party testing group send the product through the testing. It is a lengthy, expensive, beauracracy-driven process. It is highly unlikely that any opensource project will have the time, money, or patience for dealing with it. Someone like RedHat or IBM would have to feel that it is in their best interests to throw away millions of dollars to prove that a given installation of a particular opensource application is acceptably, provably secure. Given the intense lobbying by Microsoft that happened when the NSA undertook the SE Linux project, and more importantly given that most managers have serious missions to accomplish that have nothing to do with software evaluations, it is highly unlikely that any government manager is going to put their budgets and careers on the line by having an opensource product put through evaluation.

      This situation does not just affect opensource projects, but also small businesses and vendors. It's unlikely that such organizations would have the resources to get this certification process completed. This game is clearly closed to only big and/or well-heeled vendors.

      For this reason, it is highly unlikely that officially blessed opensource products will ever enter an environment with even marginal security requirements. Until the beaucractic process for evaluation changes significantly, the current situation is decidedly biased against opensource, as well as small businesses and vendors.

      All this being said, while DoD has fairness as a goal in its procurement processes, safeguarding the lives of its servicemen and servicewomen is the top priority, even if that means a bias for or against certain classes of organizations. Whether there is an effective way of making this process more fair while keeping things secure, whether the benefits of the system outweigh the detriments, or whether the process as it exists now is doing an effective job in passing products that are secure in the real world and not just on paper, is a question that I cannot answer.
      --
      • by TFloore (27278) on Tuesday June 03, 2003 @10:21AM (#6105293)
        I'll reply on some general topics here, because it's useful to understand what the regulations say and mean, as well as how they are interpretted.

        The regulations always say words to the effect of "a specific installation of a specific version of a specific software product (on a specific hardware configuration)". The parenthetical there is for some other security ratings.

        A good example of this is the C2 security rating. Microsoft spent some money getting Windows NT C2 rated. Specifically, they got a specific patch level of a specific service pack of Windows NT v3.51 approved as C2 certified, on a specific set of hardware (with no floppy, I think) in a non-networked configuration.

        No one paid any attention to those little details. They just saw "Windows NT is C2 rated" and used that for purchase decision approval for every Windows NT/2000 system the DoD has bought since then. Because the "bureaucratic process" doesn't know enough about computers to know what the ratings mean, or what they apply to, or where they don't apply.

        The same will be done with this. "The NSA certified Linux for secure operation" will be enough, with supporting documentation to state that. Doesn't matter that it is for a different version of linux than your current procurement, it will still get it through the acceptance process.

        Government regulations are only meant to be an overwhelming burden for those people silly enough to think you are actually supposed to comply with them fully. No one that has worked with government procurements for more than 3 months still believes that.
  • Justification.... (Score:5, Informative)

    by mao che minh (611166) * on Tuesday June 03, 2003 @12:31AM (#6103010) Journal
    Well, the possible use of any commodity that may be used by the government (especially by the military) is always pitched in a structured and lengthy write-up that examines all aspects of the commodity and it's probable uses.

    Oh wait, everything but the use of Microsoft products that is. It seems like that gets instant approval without the need for any justification. "Microsoft released Windows XP? OK, upgrade, forget about the costs and everything else that such an upgrade demands - just do it - across the board. Office XP you say? OK, allocate $10,000,000 for the software, we'll worry about paying for the licenses later."

    Everyone knows that the benefits of using open source products far exceeds any benefits that can be reaped by paying a whole bunch of money for closed source products and their associated licenses (which are arguably always more extensive and restrictive then open source license schemes). Sure, paying $50,000,000 to upgrade your old NT servers to 2000 and your 98 desktops to either Windows 2000 or XP has it's benefits over spending $30,000,000 on Redhat and Star Office and the training. A bunch of sales people always say that such a move (upgrading Windows servers and clients and Office) has it's benefits. I just don't seem to see them. Maybe I'm too progressive, I don't know.

    PS: didn't get it...this time

    • What's the value of having assurance that there will be bugfixes and updates? With Microsoft, and under contract, you know that's going to happen. It may not happen as quickly as with open source software, but under a service agreement, the government has someone to sue should "service" not be provided.

      OSS? Linus and software maintainers could stop development at any moment, and a contract with Redhat isn't going to change that. The government would have no contract with Linus to continue development,
      • Re:Contracs (Score:5, Insightful)

        by mao che minh (611166) * on Tuesday June 03, 2003 @01:12AM (#6103206) Journal
        A service contract with Microsoft doesn't usually include accountability. That is a stance that Microsft usually takes very strongly: "we are not accountable" - it's "as is". "Prove that it is our fault". Besides, major Linux vendors offer the same exact type of contract that you are talking about, because that is one of their core areas of specialization: support and services, not licenses and upgrades. It's a moot point for a number of reasons, really, but a good one to bring up in this topic nonetheless.

        True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system. For example, my company used a CRM called Vantive that was vastly superior in terms of ease of use and custimozation compared to PeopleSoft 8. We have in-house programmers that are very adept at coding for it. But PeopleSoft bought Vantive and dis-continued it. A few bugs sprang up that required access to certain source code that we didn't have. The answer? Pay 2 million (absolutely no exagueration) for People Soft 8 and go through the process of buying better servers and changing the structure of your Oracle databases "if you need future support for a PeopleSoft CRM". And yes, we had a service contract.

        But the beauty of open source insures that others will pick up where they left off. It happens with alomst every popular and useful open source project whose lead developers quit. In the case of Linux, you would have people from companies like Redhat, Suse, and IBM ready to take the lead. The costs of such a change of "power" is rarely passed on to the consumer. Also, the really good analysts do,/i> factor in the cost of hiring contractors to specialize your code.

        • Re:Contracs (Score:3, Insightful)

          by Sancho (17056)
          A service contract with Microsoft doesn't usually include accountability.

          And that doesn't necessarily preclude a successful lawsuit, should the government choose to persue it. If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.

          True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system.

          But no
          • by mao che minh (611166) * on Tuesday June 03, 2003 @01:36AM (#6103284) Journal
            Our service contract was with Vantive, not PeopleSoft. Our lawyers dropped the ball because they didn't plan ahead and leave room in the contract for a scenario of another company buying them out. This is an issue with closed source.

            If the software was GPL, it wouldn't matter how the contract was structured, because our programmers could have fixed the code. Instead, 2 million bucks was spent.

            And PeopleSoft is not liable or accountable, because all they did was gain ownership of the closed code. The agreement of assurance was specifically with Vantive. We didnt' buy the patented works itself (which wasn't an option, and People Soft refused to sell Vantive after-the-fact).

            As a side note, PeopleSoft 8 is laughable. I could design a better tool using PHP-Nuke (I actually hacked up a solution that was based on PHP-nuke for real simple CRM fucntions to show that it could be done - it was ignored, of course).

          • Re:Contracs (Score:5, Insightful)

            by 73939133 (676561) on Tuesday June 03, 2003 @02:05AM (#6103392)
            If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.

            You are kidding, right? Windows is full of holes, and many of have been around for years by the time people get around to using them for break-ins, including into government computers. I don't know whether the US government could, in theory, win, but in practice, they don't seem to be sueing.

            If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.

            Microsoft drops products constantly. And when Microsoft does that, you are completely stuck because nobody can pick up the software.

            Perhaps what's confusing you is that Microsoft refers to many different, incompatible products using the same trademark. But that doesn't do you any good when your programs stop running.

            The reality of it all is that if you buy Microsoft, not only do you have to put up with buggy software, but you get no guarantees, you have to expect security holes and accept the risk for them yourself, you can't fix anything, and the software likely has a much shorter usable life than comparable open source software.
          • Re:Contracs (Score:5, Insightful)

            by Tony (765) on Tuesday June 03, 2003 @03:46AM (#6103755) Journal
            Without something in writing, there's no real security in your purchase/training.

            As mentioned in the parent, companies like Red Hat and Suse make their money from support contracts. Since their bread and butter is in these contracts, and not in selling upgrades, they are more likely to take an active role in fixing problems, instead of having a vested interest in propogating problems (leading to more upgrades).

            Microsoft has, in the past, refused to fix bugs in "older" software. In many circumstances, the solution is to "upgrade." In several cases, bugs deemed non-critical by MS have been left unfixed for months. In several other cases, the fixes to these bugs have caused even worse problems.

            I have yet to see a contract stipulating Microsoft promises to fix any problems discovered, let alone take resonsibility for any defects. Doesn't mean they don't exist; but, like invisible ephemeral unicorns, until I see one (or the effects of one), I don't believe in them.

            The concept of manufacturer liability in the software market is laughable. Schools can get sued for millions for choosing co-valedictorians, but Microsoft sure as hell isn't going to pay for the privacy-raping holes in Passport.

            Something is fucked up here.
      • Re:Contracs (Score:5, Insightful)

        by E_elven (600520) on Tuesday June 03, 2003 @01:21AM (#6103230) Journal
        OSS? Linus and software maintainers could stop development at any moment, and a contract with Redhat isn't going to change that.


        I don't think you understand how OSS works. See, if Linus&Co decide to stop whatever they're doing and go live fat and happy in Silicon Valley or somewhere, 'we' still have the code. Anyone can take it and continue the development -worst case scenario, they can't call it 'Linux' anymore. However, if Microsoft says 'well, that's all, folks! We'll start selling beach balls from now on!', there's not a single thing anyone can do about it. And no one can continue the development of those systems.

        E
        • Re:Contracs (Score:5, Insightful)

          by sleeper0 (319432) on Tuesday June 03, 2003 @01:48AM (#6103328)
          yeah, this is the point. There is the same amount of risk or greater with closed source projects. Do you think the DOD has never used a piece of software the creator discontinued? Or went out of business? To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)... In either case if something bad happens the dod can maintain their own systems, open source would just take a step out of the contract negotiations that allow that.
          • Re:Contracs (Score:3, Interesting)


            Do you think the DOD has never used a piece of software the creator discontinued?

            Yup. Personal experience in that area. A suprisingly large amount of DOD software was written for Clipper Summer '87.


            To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)

            BWAAAAHAAHAHAHAHAHAHA!!!!! (thunk!)

            (/me gets back on chair.)

            (sniffle!)

            Oh, that's RICH!

            You almost had me fooled for a minute there.

      • Re:Contracs (Score:5, Insightful)

        by Jason Earl (1894) on Tuesday June 03, 2003 @01:25AM (#6103245) Homepage Journal

        Oh please, no one has ever sued Microsoft for lack of "service," and it is not because Microsoft products are perfect either.

        Not only that, but Microsoft has done just about every other unfriendly thing that a software vendor can do. They have stopped development of projects, created spurious incompatibilities, and sold bugs as "features." If the government paid IBM (or RedHat or whomever) half of what they currently spend on Microsoft software they could almost certainly get a real service contract for a huge pile of Free Software, and if they didn't like the service they got, they could take that money next year and hire someone else without having to switch software.

        I agree that there are costs to switching to Free Software, and I definitely agree that Free Software can't currently fill everyone's computer needs, but your arguments against Linux amount to nothing more than FUD. There are plenty of valid reasons for not choosing Linux. However, service, support, and longterm viability are all parameters that favor Linux.

        • Whoa now, I'm not arguing against Linux, I'm pointing out a part of the cost that people sometimes leave out. Personally, I suspect that hiring a small development team to maintain/develop alongside the OSS developers would be more cost effective--in the long run. But in the immediate-term, it may look more cost effective to go with Microsoft.

          • Re:Contracs (Score:3, Interesting)

            by Jason Earl (1894)

            I agree with you 100%. Heck, I will even go so far as to say that in many cases replacing proprietary software with Free Software is a loser over the long term. There are plenty of commercial software systems that are good deals, and there are Free Software systems that do not measure up.

            However, the second the commercial software folks start talking about accountability (especially with regards to Microsoft) I can't help but cry foul. Microsoft sells their software "as is" they are not remotely liable

      • Re:Contracs (Score:5, Insightful)

        by ssimpson (133662) <`slashdot' `at' `samsimpson.com'> on Tuesday June 03, 2003 @05:52AM (#6104091) Homepage

        With Microsoft, and under contract, you know that's going to happen.

        Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here [microsoft.com]) but then failed to fix a serious RPC based DoS attack [microsoft.com].

        I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".

        At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).

        But there are hidden costs that you just don't always see.

        Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?

    • ... and it didn't crash often, it'll get approved. Or if it has "Microsoft, SGI, or IBM" in the name (almost forgot).

      Typical, eh?

    • by Anonymous Coward on Tuesday June 03, 2003 @12:58AM (#6103146)
      Oh wait, everything but the use of Microsoft products that is. It seems like that gets instant approval without the need for any justification.

      Whatever ... 9 times out of 10, the least upgraded systems you will find will be in the government or DOD. There are thousands of little fiefdoms, all run by different little chiefs, and their IT structure is a mess.

      Sure, the nice high tech stuff is out in the field, but Joe Government is working off a 95 box hooked up to an NT network most likely, with 3270's into some ancient mainframe or some Sun system.

      This is where OSS can make a big impact. Shit, half the IT guys in the government are UNIX guys, where do you think they've been hiding? Right next to the Novell Guys. All of a sudden, thousands of "out of date" UNIX guys are competitive with linux, and they're bringing in new blood to supplement them, because many are close to retirement. All the while their outdated Win and proprietary UNIX systems are nearing EOL, with nary a vendor in sight.

      You couldn't get a better situation for FOSS in the government right now. Someone's gotta replace those big nasty mainframe's and NT 3.51 boxen. Some of us make a decent living doing it. :)
  • It's a start (Score:5, Interesting)

    by BWJones (18351) on Tuesday June 03, 2003 @12:32AM (#6103017) Homepage Journal
    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider.

    Well, hey. At least its a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.

  • by KU_Fletch (678324) <bthomas1@@@ku...edu> on Tuesday June 03, 2003 @12:33AM (#6103025)
    You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." Thanks for that, now everytime the AC comes out at work I'm going to expect an army of spider-babies to pop out and steal my printer.
  • by Nom du Keyboard (633989) on Tuesday June 03, 2003 @12:34AM (#6103026)
    Explains Open Source Policy

    Isn't that putting it a bit strongly?

  • by craenor (623901) on Tuesday June 03, 2003 @12:35AM (#6103031) Homepage
    What is bureaucracy?

    This guy wants to clean out a room in the Pentagon, stacked to the ceiling with boxes labeled, "non-essential documents". So he starts a study showing how much space they can save by ridding themselves of all of these useless documents.

    A few months later they complete this study, and send it up for a review. A board determines that this is a great idea and they can in fact save tons of space by ridding themselves of all of these documents, with one stipulation. They must make copies of all the documents for their records...

    Craenor
    • by mao che minh (611166) * on Tuesday June 03, 2003 @12:52AM (#6103115) Journal
      I live in a military town [hamptonroads.com], and hence know a lot of folks that work in the local military bases (from actual military personel to contractors to just plain non-affiliated civilians). I have heard many such stories.

      My favorate involves moving a set of offices (used by Naval training personel, my friend is an officer and IT worker in said office) from Windows 98 and 2000 to Redhat. Yes, it is happening in a few places withing the military. Anyways, the IT staff there has been utilizing Linux and BSD for years, and decided to write up a report to outline it's effectiveness and security so that they could obtain approval to use it for all of the desktops under their control. Needless to say, they got approval with the usual stipulations (such as: some workstations demand Windows for certain software that only runs on Win32, and emulation is not an option). But, the military wanted them to also keep on hand a collection of spare Windows 2000 workstations "just in case", because "Linux is not yet proven" - that was their honest answer (why they needed entire workstations and not just a collection of "ready to go" Ghost images was a point of laughter in itself). The total: 50 workstations for a network of 200 systems. The cost of paying for those workstations and then keeping them on hand, and then paying for the Win2k clients and licenses for the next year was nearly triple the cost of moving the existing workstations over to Redhat 7.x (which was the newest RH release at the time) and hiring outside training for whatever training they might need (which didn't involve a move to Open or Star Office, because they were planning on running Microsoft Office anyways).

      One of the people that "approved" the move was father-in-law for a local Microsoft sales person. Sure the plan got "approval" due to it's merits, but the contigency plan effectively killed the move.

    • No problem (Score:3, Insightful)

      by unsinged int (561600)
      Provided they're electronic copies.
    • by _Sprocket_ (42527) on Tuesday June 03, 2003 @02:42AM (#6103518)
      Military culture has a lot of its own urban legends and stories. One of my favorites is The Bird Report (mainly because I've run in to this kind of situation several times in various gov't and private bureaucracies):

      A Sgt. had developed a habit of blowing off a few hours each day by checking out a GOV and driving a circuit around the outside of the flightline and along some of the base's back roads. To justify his routine (and provide additional entertainment), the Sgt. made an informal count of the base bird population as observed during his drive. On returning to the office, he would burn off some additional time typing out a Base Bird Population Report and sending it on to HQ.

      The routine continued for the better part of a year. The Sgt. did his rounds and made his submissions to whatever HQ blackhole the bogus report would end up. But eventually the whole scam lost its charm, the Sgt. lost his interest, and the Base Bird Population Report ended.

      Three months passed. The Sgt. had all but forgotten about the Bird Report until he received a memo from HQ. The memo informed him, rather tersely, that he was 3 months late on the Base Bird Population Report.

      It seems someone at HQ had created a job of filing the Bird Reports. What had started as a bogus exercise with no real reason had become a requirement.
  • Hum.. (Score:5, Funny)

    by JFMulder (59706) on Tuesday June 03, 2003 @12:41AM (#6103059)
    and stick effortlessly to the ceiling like a spider
    Better start here [slashdot.org] then.
  • by bethanie (675210) on Tuesday June 03, 2003 @12:42AM (#6103064) Journal
    My toddler can do all that. Can't yours?

    ....Bethanie....
  • Spider-baby (Score:2, Redundant)

    by dhovis (303725) *
    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    Well, with the advent of gecko tape [slashdot.org] that last part may now be possible!

  • It's not that bad (Score:5, Interesting)

    by Mahrin Skel (543633) on Tuesday June 03, 2003 @12:44AM (#6103072)
    The regulations cited are basically a bunch of qualification hoops that have to be jumped through before software is considered "Mil-Spec". The first outfit inside DoD to qualify a OSS package is going to have to *really* want it to fill out all that paperwork, but once it is done it should get a lot easier. Keep in mind, that doesn't mean it will get used for Top Secret or above work right away, some of those hoops are *not* pro forma. But once DoD starts using it, even for trivial things, there will be outfits that just need to satisfy *one* more requirement than has already been filled, and will find it worthwhile to take it the next step.

    Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.

    --Dave

  • by bstadil (7110) on Tuesday June 03, 2003 @12:44AM (#6103074) Homepage
    Perfectly legitimate memo as far as I can see. I fact it makes a very good point that FOOS is a previledge not a right. Priviledges comes with attachments and can be revoked. This memo only states that DoD will play by the rules.

    I think the FOOS community notably the ones (like me) that do not write code but tries to get FOOS into the corporations, increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings is being honored.

    • by Anonymous Coward
      increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings is being honored.

      I'd say that's so important as to be essential. That can lessen the "buyer's remorse" if a company discovers it can't do something it wants to down the road and, more importantly, focuses the consumers' minds on the idea that there are different kinds of licenses. That seemingly simple concept can be a huge revelation to someone who has only dealt with p

  • So Basically... (Score:2, Interesting)

    by snipingkills (250057)
    So basically this policy says that if you use OSS then you have to follow the licensing that went with it. What happens if it was sensitive code and it could be detrimental(sp?) if you released the source? Do you still have to do it or is that an exception in the GPL?
    • Re:So Basically... (Score:2, Informative)

      by cyt0plas (629631)
      The GPL basically says (oversimplicification, oh well) that if you distribute a binary copy to someone, you have to include the source. First off, if it's so "top secret" that it cannot have the source given out, they probably won't give the binary out either. Secondly, if they keep it internally, it's not "dissemminated", and as such, they are not bound by it either.

      The GPL is a copyright license, and as such covers only _distribution_ and posession, not use or output. They don't distribute it - they
  • Waivers (Score:3, Interesting)

    by MonkeyBoyo (630427) on Tuesday June 03, 2003 @12:56AM (#6103133)
    How much do you want to bet that most acceptible software in the DoD is there because of waivers? In the NSTISSP link [nist.gov] it says:
    (14) Waivers to this policy may be granted by the NSTISSC on a case-by-case basis. Requests for waivers, including a justification and explanatory details, shall be forwarded through the Director, National Security Agency (DIRNSA), ATTN: V1, who shall provide appropriate recommendations for NSTISSC consideration. Where time and circumstances may not allow for the full review and approval of the NSTISSC membership, the Chairman of the NSTISSC is authorized to approve waivers to this policy which may be necessary to support U.S. Government operations which are time-sensitive, or where U.S. lives may be at risk.
  • by Camel Pilot (78781) on Tuesday June 03, 2003 @01:06AM (#6103180) Homepage Journal
    The Navy/Marine corp are launching a large scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.

    This contract locks down the network to only NMCI managed systems (MS only). If there are existing systems that cannot run under windows than you have to apply for a "legacy system" exception and pay extra for no service.

    This one size fits all approach is short sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever increasing plethora of monitoring systems, data acquisition and control systems, collabration and communication mechanisms, etc.

    As more and more devices become Web enabled the Navy has effectively locked itself out in the cold and crawled in bed with built in obsolesce - not to mentioned left itself vulnerable to an attack or virus that would spead like wild fire in a homogeneous network.

  • by pb (1020) on Tuesday June 03, 2003 @01:08AM (#6103188)
    Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense [216.239.51.100] -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).
  • by wfrp01 (82831) on Tuesday June 03, 2003 @01:08AM (#6103190) Journal
    What I'd like to know is why does an organization that sets United States federal technology policy guidelines post their policies on the web by scanning a paper document [egovos.org] into PDF format! So we can all see a facsimile of John P. Stenbit's signature?!
    • Unfortunately, it probably has more to do with what the courts will accept as a signature than what the DoD requires. Court systems in the US are still horribly paper-dependent, even though private lawyers have been driving the development of paper-replacement technology for at least two decades.

      No matter how much electronic preparation they do to a document, in the end lawyers still have to print out their filings, carry them to the courthouse, and watch as a clerk studies their signature and stamps the

  • by ryanvm (247662) on Tuesday June 03, 2003 @01:10AM (#6103196)
    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    Hi Timothy, we'd like to make you an honorary member of our organization - PIFCA (People Incapable of Forming Cogent Analogies).

    You belong with us like a marmot is comfortable with peanut butter.
    • I bet Timothy was responsible for the "Barrel of Attack Elephants" code at the top of the homepage.

      I mean "Team of Stealth Rabbits".

      Er, I mean "Barrel of Orange Midgets"

      Or wait, maybe I mean "Group of Albino Chickens"... ...

      Shit, I'm lost.
  • hmmm... (Score:5, Insightful)

    by brkello (642429) on Tuesday June 03, 2003 @01:11AM (#6103203)
    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    I work for the government, so maybe I am more used to seeing security requirements for everything, but I didn't get that impression at all. We expect everything to talk, feed itself, and stick effortlessly to the ceiling all the while being secure. The government (DoD, DoE, etc) is probably one of the biggest users and innovaters of open source so I wouldn't get too feisty. The only reason people (managers) get a little hesitant about Open Source is blame. When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it reducing personal liability. Enter Microsoft with contracts in hand.
    • Re:hmmm... (Score:5, Insightful)

      by Malcontent (40834) on Tuesday June 03, 2003 @03:06AM (#6103594)
      "Enter Microsoft with contracts in hand."

      I am very serious in asking this.

      1) Does microsoft offer guarantees to the military. for example do they guarantee uptimes or security. Do their contracts stipulate that Microsoft is liable for defects in their software.

      2) Do the contracts that MS sign specify that MS will always fix the problem if things go wrong. Do they guarantee it?

      It would be interesting if MS offered such contracts to the military because in the commercial world their contracts disavow any kind of liability.
      • Re:hmmm... (Score:5, Informative)

        by gbjbaanb (229885) on Tuesday June 03, 2003 @05:19AM (#6103993)
        I don't know about 1) but my last company, we had a bug, and a nice support contract with MS, this bug turned into something pretty major for us, and MS stepped in and had developers working 9-5 to find and fix it.

        Apparently if the bug hadn't been fixed in a week, it'd have been escalted into a 'class A' bug and Ballmer or Gates would have been informed, and the developers would have started working round the clock.

        (it turns out our CTOs code was at fault, the duffer).

        I was surprised at the response from MS though. I think we had paid a fair bit to MS for the support, though knowing the guys in charge they persuaded MS that it was a strategic relationship and subject to a special discount.

        Oh, we also had a MS employee assigned to us as a support contact - not just a secretary-type either, someone who knew his stuff and could actually do things for us, including helping us with the MS performance lab we got to use.
      • Re:hmmm... (Score:3, Informative)

        by Quila (201335)
        I've never been in on any extremely large-scale MS buys but:

        1) I've never seen any guarantees of uptime.
        2) I've never seen anything other than standard corporate-style support, but I've never even seen that being used. All problems are handled by the in-house help desk people (who may be non-Microsoft contractors), who may go to TechNet for answers.
      • Re:hmmm... (Score:3, Interesting)

        by PhxBlue (562201)

        To the best of my knowledge as a US Military employee: No, and no. If Microsoft software breaks, it's up to the people in our Network Operations Centers to fix it. I'd imagine the government gets a good discount in support costs, though. . . and probably has more than a couple Microsoft employees on contract to boot.

      • Re:hmmm... (Score:3, Interesting)

        by Eminence (225397)

        Do you seriously think they do provide any guarantees?

        In the corporate mentality (and government is the worst case of it) it is not important what is in the contract. What counts is the simple fact that there is an external entity (i.e. Microsoft) you can point finger on should something go wrong. As opposed to the situation, when there is no external entity, no contract and someone has to admit that it was they (or their subordinate) who screwed up something. Corporate mentality is about keeping safe wit

    • Re:hmmm... (Score:3, Insightful)

      by Alsee (515537)
      When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it reducing personal liability. Enter Microsoft with contracts in hand.

      Yep. And that contract says when something drops on the floor don't try pointing that finger at us or we'll bite it off.

      -
  • by zakezuke (229119) on Tuesday June 03, 2003 @01:25AM (#6103243)
    You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    In other news, Safeco has been reported to have replaced all their acustic cieling material with velco in order that their company wide pre-toddler policy can be implemented. In order to prevent possible liability, they had to replace their traditional furnature with what can only be described as a rubber room.

    When asked about the subject, representatives of Safeco were unavailable for comment, but issued the following statement, "we are cleaning baby vomit out of our clothing".

    According to one district manager, "I can't tell if productivity is up or down, i'm stuck. Help!".

  • obsfucation. I wonder if Lawyers and Government ppl have similar contests?
  • by cyt0plas (629631) on Tuesday June 03, 2003 @02:11AM (#6103411) Journal
    Having a policy that OSS must compare favorably with Non-OSS is reasonable, and a good sign. Any policy other than "No OSS" is a good sign, as it shows they are considering it. I would say that OSS's biggest worry is simply not being noticed, not just failing to measure up. After all, most Open Source projects simply don't have the advertising budget their Closed-Source, Commercial competitors do.
  • by Anonymous Coward on Tuesday June 03, 2003 @02:20AM (#6103449)
    Be careful about Tony Stanco, the person who wrote the Slashdot story. He seems to be using computer issues as a way of promoting himself.
  • by Timesprout (579035) on Tuesday June 03, 2003 @02:37AM (#6103503)
    The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    How you can make this out from that memo which basically says we have a set of procedures in place for software evaluation, if OSS passes those then fine, no problem and secondly be aware of the terms of the license that the OSS comes under.

    I know this is Slashdot but the fact that OSS may have to go through a regular selection process instead of being mandated as defacto standard, to the detriment of all others is proper procedure in most large organisations. You should be saying well done for leveling the playing and giving OSS a chance to compete on equal terms.
  • by dethl (626353) on Tuesday June 03, 2003 @03:02AM (#6103567)
    Working as an intern for a national laboratory, I noticed how getting new equipment worked. First, you find what you really want, like a computer for instance. Next, in your proposal, you go around and find different parts for that machine, and make sure the stuff you really want is the lowest price. Send it up to the people who double check this to see if they are getting a "good" deal, and bam, you get your computer.

    With this in mind, what Linux or Unix OS are they planning on using already? They must have one picked out if they are going to start making rules on the OSS situation.
  • You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider.

    Stewie?
  • DOD and OSS (Score:3, Insightful)

    by Advectium (677726) on Tuesday June 03, 2003 @08:57AM (#6104731)
    Look, The DoD uses Windows for shear monstrosity of the network users and their demographics. Average 18 year olds entering the military to Major Generals have used some form of windows. The same cannot be said of Linux or UNIX unless they were Technologically savvy /.ers. Colonel's would have a hell of a time learning Linux, trust me - they have a hard time with email. The tech savvy individuals will probably pursue some sort of computer related field in the military as well, where windows is most definitely not the answer as many pointed out. I.e. up time, security, etc. The military doesn't use windows, as an end all is all, especially for it's weapons systems. Case and point: I work as a USAF weather forecaster, our weather product dissemination uses a Silicon Graphics box dual booting Linux and WinNT via VMware. They sent me to school just to operate this stuff, as I had never used it in the past. One would find the majority of network *stuff* that matters to the DoD, not access to Yahoo, runs from something other than windows. Just my .02 cents

"If it ain't broke, don't fix it." - Bert Lantz

Working...