This post is to some extent a fall-out of the recent discovery of a serious flaw in Debian's openssl and openssh packages. However, as Raghavan will confirm, a weaker version of what is said below was part of our discussion two weeks ago. Moreover, there are earlier posts on this topic in this blog.
There are times when I wonder why I am so involved with computers ... this is clearly one of those times.
कर्मण्यैवाधिकरस्ते मा फलेशु कदाचन
karmaNyaivaadhikaraste maa faleshu kadaachana
This is a phrase from the भगवद गीत (bhagavad giit) which has been stuck in my head for the last 30 odd years. It roughly paraphrases into
Do something because you think it is worth doing, not because of what you hope to achieve by doing it. [1]
The above maxim is a good one but is sometimes a cop-out. Moreover, it provides no basis for actually making ethical choices.
Ethics comes from one's interactions with the communities one is a part of. There are (roughly) two communities that I am a part of in the context of computers:
- the FOSS community; specifically, the Debian community.
- the IMSc computer community
I take these in turn below.
Debian and FOSS communities
By its own standards, the Debian community has suffered a massive failure ... and by these same standards it has reacted extremely well to this failure.
I feel shame and blame. Why have I been ignoring RFH#332498 all these days when it shows up in the output of wnpp-alert? Here I am, a mathematician with some understanding of the issues, not helping out! Three years ago I even gave a short course of lectures on implementations of crypto; the source of openssl and openssh was used as an example. Excuses like, "I don't know anything about library packaging" and "I need more time!" (who doesn't) seem too weak now.
At the same time, I feel a sense of solidarity with the Debian (and more widely FOSS) community as it tries to pull out of the resulting mess. The resilience that allows us to laugh wryly at ourselves is IMHO admirable.
As Steve Kemp wrote: "[When we look back we will see that] we did good".
IMSc computer community
The IMSc computer setup was built by volunteers and was genuinely a community when I joined this institute in 1996. It has since then broken into users, system administrators and the computer committee. As Indira Gandhi would have said: "This is a world-wide phenomenon", and as was the case when she said it, my response is: "That doesn't make it a good thing!"
When I speak about this fractured IMSc community below it is in generalities. There are certainly individuals who rise above the shards.
I have been promoting the use of FOSS and more specifically Debian at IMSc ever since I got here. While explaining the pragmatic aspects like cost and security, I have also tried to emphasize the freedom and community aspects of FOSS use. When the latter are not understood or accepted, the former are easily blown away.
This year I made an attempt to get the Computer Committee to invite users to choose [2] their own computers and the software that ran on them, but it turned out that no one really wanted this. Users just wanted to buy "fancy toys", the administrators just wanted to make their lives simple and CC members just wanted the power to dictate what people bought. [3]
I also made an attempt to get our users to educate each other on the use of computers for their work --- first through the establishment of a wiki and then through the "No-Excuse" mailing list. [4]
Unfortunately, the fractured IMSc computer community sees computers and software as expensive commodities --- with some combination of fear, greed and irritation. In any case, there is no feeling of being part of a larger community that is trying to solve (certain types of) problems.
A wise man once said:
With great freedom comes even greater responsibility.
This may explain why we prefer being dictated to by proprietary vendors and computer committees that "buy stuff for us". We are afraid of the responsibility that comes with freedom.
Another much quoted quote is:
If you are not part of the solution then you are part of the problem.
The FOSS community (actively) invites people to join in solving problems. This participation (which can be at a level of one's own choosing) is the source of one's freedom in free software. The IMSc community just wants मा-बाप सर्कार (maa-baap sarkaar) to fix their toys.
The IMSc computer community was tied to Debian and FOSS after the break-ins into our system in the early 2000s. At that point, I was instrumental in installing a security infrastructure based mainly on Debian. This led to my greater involvement with FOSS and Debian and also to the greater "infiltration" of Debian and FOSS into IMSc computers.
From the "commodity" point of view at IMSc we have come a full circle since most users will have to "do a lot" so that the IMSc computer LAN emerges unscathed from the crisis created by the Debian openssl flaw.
From the "community" point of view at Debian we have spiralled out and even this major whirlpool will not drag us back in.
It is no longer possible (for me) to straddle the circle and the spiral in an attempt to widen the former; I'm taking the "outward radial vector"!
To this sentiment I have often added "do it because it's fun".
OK! I'm exaggerating a bit!
No-Excuse is an acronym for Novice and Expert Computer Users. The blurb says:
Now that this list exists there is "no-excuse" for novices to remain inexperienced or for experienced users to claim that something is "too hard to explain to a novice"!