David A. Wheeler's Blog
Sun, 04 Sep 2011
I recently went to the MIL-OSS
(“military open source software”)
2011 Working Group (WG) /
Conference in Atlanta, Georgia.
Topics included the open prosthetics project,
releasing government-funded software as OSS,
replacing MATLAB with Python,
the “Open Technology Dossier Protocol” (OTDP),
confining users using SELinux,
an explanation of DoD policies on OSS,
Charlie Schweik’s study on what makes a successful OSS project.
Some people started developing a walkie-talkie Android app at the conference.
Here’s a summary of the conference, if you’re curious.
First, a few general comments.
If this conference is any guide, it is slowly getting easier
to get OSS into government (including military) systems.
OSS is already used in many places, but it’s often
“don’t ask, don’t tell”, and there are still
lots of silly bureaucratic barriers that prevent the use of OSS
where it should be used or at least considered.
But there were many success stories, with
slide titles like “how we succeeded”.
Although the conference had serious purposes, it was all done in good humor.
All participants got the MIL-OSS poster of Uncle Sam (saying
“I want YOU to Open Source!”).
The theme of the conference was the WarGames
movie; the first finder for each of the WarGames Easter eggs
would get a silly 80s-style prize (such as an Atari T-shirt).
As the MIL-OSS 2011 presentations list shows, I gave three talks:
- Publicly Releasing Open Source Software (OSS) Developed for the U.S. Government.
This presentation explained
when the government or contractors
can publicly release software, as open source software,
if it was developed using U.S. government funds.
This presentation summarized my paper
Publicly Releasing Open Source Software Developed for the U.S. Government
(also see Kane McLean’s one-page summary of this paper,
the “OSS Releasability Quick Reference”, which was given to every
I think this is an important topic.
Billions of dollars go into developing software, yet most of
the time, the taxpayers (who paid for it) don’t get the benefits.
It turns out that this software often can be released; this is
the decoder ring for these Byzantine rules.
This can have incredible benefits.
For example, the DoD funded the work that created the Internet,
and then released as OSS an implementation of its key TCP/IP protocols.
The Internet has mightily benefitted the DoD; in fact, it’s
benefitted the whole world.
(And yes, it had the required WarGames Easter egg.
Slide 15 says “Talk to others who have experience with OSS” — the egg
is in the supporting bullet, “Q: What is it doing? A: It’s learning!”)
- Why the GPL Might not Destroy the Universe.
This tongue-in-cheek talk tries to counter some of the silly,
over-the-top fears about the GNU General Public License (GPL).
I figure any presentation can’t be bad if it includes photos of Godzilla,
flying saucers, zombies, and a poster saying “If you program
open source, you’re programming COMMUNISM!”.
- HOST Lessons Learned (with Tom Dunn). This summarized interviews
of various people on the roadblocks to using or developing open technology
(including open source software) in the government.
The conference was complicated by the recent passing
of Hurricane Irene.
The area itself was fine, but some people had trouble flying in.
The first day’s whole schedule was delayed so speakers
could arrive (using rescheduled flights).
That was probably the best thing to do in the circumstance —
it was basically like a temporary time zone change —
but it meant that one of my talks that day
(Why the GPL Might not Destroy the Universe) was at 9:10pm.
And I wasn’t even the last speaker. Eeeek.
Around 15 speakers had still not arrived when the conference started, but
all but one managed to get there before they had to speak.
Here are a few notes on the talks:
- Andy Henshaw (GTRI) spoke on “Replacing MATLAB: Python Tools for Scientists and Engineers”. His basic point is that
“Python is a good replacement for MATLAB in a lot of cases”.
Although Python isn’t fast by itself, it’s often useful as a glue,
with the intensive data-handling being done by hand-crafted libraries.
He focused on (and discussed) the libraries
SciPy, matplotlib, and ipython.
He also discussed differences between MATLAB and Python for MATLAB users.
In Matlab, the basic type is a matrix, it uses 1-based indexing, ‘*’
means matrix multiplication, and function calls use pass-by-value with
In contrast, in Python with libraries like these,
the basic type is a multidimensional array, it uses 0-based indexing,
‘*’ means element-wise multiplication (use dot() for matrix multiplication
or use the matrix class), and function calls use pass-by-reference.
I learned interesting things about AdaCore
(who make GNAT Pro, SPARK Pro, and CodePeer).
They don’t have a separate support organization — their engineers
provide support directly, since support is really what they sell.
Maj Wilson/Kane McLean discussed changing culture.
They argued that the mind has two independent decision-making functions
that work simultaneously:
the emotional mind and the rational mind.
The emotional mind is like an elephant; it’s illogical and determined,
emphasizes getting stuff done, and has mental “muscle memory”.
The rational mind is like a jockey; it’s logical and reasoned,
emphasizes organization but often can’t “get off the saddle”, and does
long-term / strategic planning.
You need to convince both, so you should try to
shrink the change, shape a clear path forward, and repeat what works.
They believe that culture change in a big bureaucracy happens from both
the top (the “clouds”) and the bottom (the “grass roots”);
resistance often comes from the middle.
The solution for change, then, is to “seed clouds”
and “grow the grass”.
The “Open Technology Dossier Protocol” (OTDP)
was pitched by Winston Messer and Nick Bollweg.
Basically, they’d like every OSS project to put, on their web site,
a small XML file that would let various search systems learn more about
That way, each project can update their own information.
David Egts (Red Hat) explained “SELinux user confinement”,
a new capability in RHEL 6 to easily confine users using SELinux.
Just install the “policycoreutils-python” package, which includes the
semanage tool that lets you control much more precisely what specific
users may do.
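As an added example (not from the talk or the blog), here is the semanage workflow a RHEL 6 administrator would use to map one Linux account to the confined SELinux user user_u and then check the mapping; the account name “alice” is a placeholder, root privileges and policycoreutils-python are assumed, and when semanage is not installed the functions only print the commands.

```shell
#!/bin/sh
# Added example: confine a login with semanage (policycoreutils-python, RHEL 6).
# Assumptions: run as root on a box with semanage; "alice" is a placeholder
# account. user_u is the confined SELinux user that cannot use su or sudo.

SEUSER="${SEUSER:-user_u}"

# Build the exact semanage command so it can be reviewed before it is run.
confine_login_cmd() {
    printf 'semanage login -a -s %s %s' "$SEUSER" "$1"
}

# Apply the login mapping, or print it as a dry run when semanage is absent.
confine_login() {
    if command -v semanage >/dev/null 2>&1; then
        semanage login -a -s "$SEUSER" "$1"
    else
        printf 'dry-run: %s\n' "$(confine_login_cmd "$1")"
    fi
}

# Check the mapping in the login table. After the account logs in again,
# "id -Z" in that session should show user_u:user_r:user_t.
show_login_mapping() {
    if command -v semanage >/dev/null 2>&1; then
        semanage login -l | grep "^$1[[:space:]]"
    else
        printf 'dry-run: semanage login -l | grep "^%s "\n' "$1"
    fi
}
```

To make confinement the default for every account that has no explicit mapping, the same tool takes `semanage login -m -s user_u __default__`; existing sessions keep their old context until the user logs in again.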
Alex S. Voultepsis explained how the intelligence community (IC)
has built up an internal infrastructure with the tools that people want to
use; in a vast number of cases, they use OSS to do this.
For example, Intellipedia is implemented using MediaWiki, the same software
that runs Wikipedia.
Dan Risacher discussed the DoD Oct 16, 2009 memo on open source software.
He noted that we have a “Government IP knot”: “Government rules are
designed to enable a program manager to control their program, not to
enable sharing it”. A way to cut this knot is to make it clear that the
software will be released as OSS; then everyone knows what the rules are.
He wants to be a “developer advocate” - the DoD needs
to be able to innovate faster than its opponents.
John Kuniholm presented on the “Open Prosthetics Project”.
He is missing part of an arm, and explained some of the complications of
A key need is really good open source CAD tools.
That is a general problem, not unique to the military or government —
currently the tools are hideously expensive, and until that changes, the
promise of cheap 3D printers will be harder to realize.
Charlie Schweik has been doing a lot of quantitative studies of
OSS projects, to determine what separates successful projects
from abandoned projects.
He expects to have a book out soon on this topic!
In the initiation stage, the key factors were leadership by doing, a clear vision, and well-articulated goals.
Other factors were project marketing, project financing, knowledge continuity, and being a multi-developer project.
A really key factor, once a project is initiated, is gaining a developer
(and then gaining more later).
There are many conflicting claims, e.g., some say
that smaller groups are better (Brooks), that larger groups
are better (Linus’ law), or that size doesn’t
matter; his data shows that Linus’ law is the correct one.
Face-to-face communication doesn’t seem to be as important as it used to be,
due to better communication technology.
He’s gathered lots more info; I’m looking forward
to seeing the whole thing.
One great thing was that everyone was motivated to actually solve problems,
There is already an official
DoD Open Source Software (OSS) Frequently-Asked Questions (FAQ),
but there’s a need for a less-official FAQ, so during the conference
the MIL-OSS OSS FAQ was created.
On the last day there was a discussion between various software developers
and military folks, particularly about military needs.
A real problem in military situations —
and disasters like hurricanes —
is that centralized communications systems fail.
Within a short time, people were suddenly developing an
application for Android and hosting it on github.
Many discussions revolved around the problems of getting
authentication/authorization working without passwords, in particular
using the ID cards now widely used by nearly all western governments
(such as DoD CAC cards).
Although things can work sometimes,
it’s incredibly painful to get them to work
on any system (OSS or not), and they are fragile.
Dmitri Pal (Red Hat)’s talk “CAC and Kerberos From Vision to Reality”
discussed some of the problems and ways to possibly make it better.
The OpenSSH developers are actively hostile to the X.509 standard that
everyone uses for identity certificates; I agree with the OpenSSH folks
that X.509 is clunky, but that is what everyone uses, and not supporting
X.509 means that openssh is useless for them.
Every card reader is incompatible with the others, so every time a new
model comes out, drivers have to be written and it often doesn’t work anyway
(compare that to USB keyboards, which “just work” every time even
through KVM switches).
I think some group needs to be formed, maybe a
“Simple Authorization without passwords” group, with the goal of
setting standards and building OSS components so that systems by default
(maybe by installing one package) can trivially use PKI and other systems
and have it “just work” every time.
It should not matter what client, server (relying party), or third-party
authenticator/authorization server is in use.
If you’re interested in more of my personal thoughts about OSS and the
U.S. Department of Defense (DoD), also see
FLOSS Weekly #160, the
interview of David A. Wheeler by Randal Schwartz and Simon Phipps.
Good general sites for more info are the
MIL-OSS website and the
DoD CIO Free Open Source Software (FOSS) site.
There’s more to be done, but a lot is already happening.