Heartbleed postmortem: OpenSSL's license discouraged scrutiny

InfoWorld - An open source expert believes OpenSSL's custom license was partly responsible for the neglect behind Heartbleed.

Weeks after the OpenSSL debacle, the question still stands: why did so few people show up to work on such widely used and important code? Since the problem arose, funds have flowed in to fix it at the behest of corporate giants, but before the crisis, few volunteers participated. One leading open source expert has suggested a reason: licensing.

An interesting comment from David A. Wheeler, an expert in government use of open source, asks whether the OpenSSL project's use of a rarely seen open source license was partly responsible for a lack of community engagement and oversight. In the context of a longer paper highlighting technical facets of addressing Heartbleed, Wheeler says: