David A. Wheeler's Blog

Sun, 04 Sep 2011

MIL-OSS 2011

I recently went to the MIL-OSS (“military open source software”) 2011 Working Group (WG) / Conference in Atlanta, Georgia. Topics included the open prosthetics project, releasing government-funded software as OSS, replacing MATLAB with Python, the “Open Technology Dossier Protocol” (OTDP), confining users using SELinux, an explanation of DoD policies on OSS, Charlie Schweik’s study on what makes a successful OSS project, and more. Some people started developing a walkie-talkie Android app at the conference. Here’s a summary of the conference, if you’re curious.

First, a few general comments. If this conference is any guide, it is slowly getting easier to get OSS into government (including military) systems. OSS is already used in many places, but it’s often “don’t ask, don’t tell”, and there are still lots of silly bureaucratic barriers that prevent the use of OSS where it should be used or at least considered. But there were many success stories, with slide titles like “how we succeeded”.

Although the conference had serious purposes, it was all done in good humor. All participants got the MIL-OSS poster of Uncle Sam (saying “I want YOU to Open Source!”). The theme of the conference was the WarGames movie; the first finder for each of the WarGames Easter eggs would get a silly 80s-style prize (such as an Atari T-shirt).

As the MIL-OSS 2011 presentations list shows, I gave three talks:

The conference was complicated by the recent passing of Hurricane Irene. The area itself was fine, but some people had trouble flying in. The first day’s whole schedule was delayed so speakers could arrive (using rescheduled flights). That was probably the best thing to do under the circumstances — it was basically like a temporary time zone change — but it meant that one of my talks that day (Why the GPL Might not Destroy the Universe) was at 9:10pm. And I wasn’t even the last speaker. Eeeek. Around 15 speakers had still not arrived when the conference started, but all but one managed to get there before they had to speak.

Here are a few notes on the talks:

Many discussions revolved around the problems of getting authentication/authorization working without passwords, in particular using the ID cards now widely used by nearly all western governments (such as DoD CAC cards). Although things can work sometimes, it’s incredibly painful to get them to work on any system (OSS or not), and they are fragile. The talk “CAC and Kerberos From Vision to Reality” by Dmitri Pal (Red Hat) discussed some of the problems and ways to possibly make it better. The OpenSSH developers are actively hostile to the X.509 standard that everyone uses for identity certificates; I agree with the OpenSSH folks that X.509 is clunky, but that is what everyone uses, and not supporting X.509 means that OpenSSH is useless for them. Every card reader is incompatible with the others, so every time a new model comes out, drivers have to be written and it often doesn’t work anyway (compare that to USB keyboards, which “just work” every time even through KVM switches). I think some group needs to be formed, maybe a “Simple Authorization without passwords” group, with the goal of setting standards and building OSS components so that systems by default (maybe by installing one package) can trivially use PKI and other systems and have it “just work” every time, no matter what client, server (relying party), or third-party authenticator/authorization server is in use.

If you’re interested in more of my personal thoughts about OSS and the U.S. Department of Defense (DoD), also see FLOSS Weekly #160, the interview of David A. Wheeler by Randal Schwartz and Simon Phipps. Good general sites for more info are the MIL-OSS website and the DoD CIO Free Open Source Software (FOSS) site.

There’s more to be done, but a lot is already happening.
