A successful small open-source project
In this short article I would like to show how a small project developed by the ITS User Services could gain popularity and attract several developers, who are now improving it and keeping it alive.
In 2007 the ITS Hosting group used Nagios to proactively monitor our servers (memory, CPU usage, disk usage, network traffic and so on). In the same year it became clear that the SSL protocol was not perfect and that a careless server configuration could be a simple vector for several attacks (denial of service, information disclosure and even remote access).
After the publication of CVE-2007-1858, about the insecure cipher suites enabled by default in Apache Tomcat, we needed to check all our machines and to keep the check running regularly, since a later update could silently change the SSL/TLS settings.
Another important check was the validity of the certificate: we wanted to be warned early if a certificate was about to expire.
I then wrote a simple Nagios plugin to check the security settings and the certificate validity of an HTTPS server.
The API of Nagios is straightforward:
- the plugin returns an exit code: 0 for OK, 1 for WARNING, 2 for CRITICAL and 3 for UNKNOWN
- and prints a single line of status text in a predefined format
This simple API allows a quick implementation of a prototype.
As I did not want to reinvent the wheel, I chose to use the OpenSSL command line utilities to perform the checks and packed everything in a shell script (calling command line utilities from Perl or C seemed, at the time, overkill).
Looking at this choice now, it was probably the wrong one: the plugin has grown to around 3’000 lines of code, and shell scripting is not really the most comfortable language for large projects. At the time, however, I did not expect that so many checks and features would be added.
Since I develop on a Mac (a BSD system, which does not ship the GNU utilities by default) and deploy the plugin on GNU/Linux, I also chose to make the plugin POSIX compliant. This was a good choice for a successful open-source project, but one that cost many headaches and difficulties (people using bash on a GNU system usually do not realize how much of what they write is not standard). In the end I learned a lot about the different shells.
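As an added example (not the plugin's own code, which is far larger), here is what a minimal Nagios check of certificate expiry looks like when written to the contract above in POSIX sh with only the OpenSSL command line. The function name check_pem_expiry, the service label SSL_CERT and the default thresholds are assumptions made for the illustration. The date arithmetic is deliberately delegated to openssl x509 -checkend, because parsing the notAfter field with date(1) is exactly the kind of thing that works with GNU date and breaks on BSD.

```sh
#!/bin/sh
# Added example, not code from the check_ssl_cert plugin: a minimal
# Nagios-style check of a PEM certificate's expiry in POSIX sh, using
# only the OpenSSL command line tool.
#
# Nagios plugin contract: exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN,
# and print exactly one line of status text on stdout.
#
# Names (check_pem_expiry, valid_for_days, the SSL_CERT label and the
# 30/7 day defaults) are illustrative assumptions.

# valid_for_days FILE DAYS
# Returns 0 if the certificate in FILE is still valid DAYS days from now,
# 1 if it will have expired by then. 'openssl x509 -checkend' takes a
# number of seconds and does the comparison itself, so no date(1) parsing
# is needed; that keeps the script portable between GNU and BSD userlands.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# check_pem_expiry FILE WARN_DAYS CRIT_DAYS
# Prints the Nagios status line and returns the Nagios exit code.
check_pem_expiry() {
    file=$1 warn=$2 crit=$3

    # Anything that prevents the check from running is UNKNOWN (3),
    # not OK: a silently passing check is worse than a loud failure.
    if [ ! -r "$file" ]; then
        echo "SSL_CERT UNKNOWN - cannot read $file"
        return 3
    fi
    enddate=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null) || {
        echo "SSL_CERT UNKNOWN - $file is not a readable X.509 certificate"
        return 3
    }
    # "notAfter=Jun  1 12:00:00 2030 GMT" -> "Jun  1 12:00:00 2030 GMT"
    enddate=${enddate#notAfter=}

    # Check the tighter window first so an already expired certificate
    # (which fails even -checkend 0) is reported as CRITICAL.
    if ! valid_for_days "$file" "$crit"; then
        echo "SSL_CERT CRITICAL - certificate expires $enddate (within $crit days)"
        return 2
    elif ! valid_for_days "$file" "$warn"; then
        echo "SSL_CERT WARNING - certificate expires $enddate (within $warn days)"
        return 1
    fi
    echo "SSL_CERT OK - certificate valid until $enddate"
    return 0
}

# Plugin entry point: check_ssl_expiry.sh FILE [WARN_DAYS] [CRIT_DAYS]
# Defaults of 30 (warning) and 7 (critical) days are assumptions.
if [ $# -gt 0 ]; then
    check_pem_expiry "$1" "${2:-30}" "${3:-7}"
    exit $?
fi
```

To check a live server rather than a file, the certificate can be fetched with the same tool, e.g. openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -outform PEM > server.pem, and then passed to the script. A check of the cipher configuration follows the same pattern (attempt a handshake with openssl s_client -cipher restricted to the suites that must be rejected and treat a successful handshake as CRITICAL); it is left out here because it cannot run without a server to talk to.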
As the first versions of the plugin were doing a good job, I decided to release the code as open source. This step required a lot of work, but after 12 years the work that the community has put into this project confirms that the effort was worth the investment.
To attract people, you need to make your project easy to understand, easy to use and install, and easy to access. The project needs a web page, a bug tracking system and a lot of documentation. I also had to choose a license and, looking at other Nagios plugins, I decided to go for the GNU General Public License v3 (given its strong restrictions, especially for distribution on macOS systems, I would rather have chosen the Apache License).
Another good choice was to follow Eric Raymond’s advice in The Cathedral and the Bazaar: release early, release often. Since 2007 the tool has been released with new features and bug fixes more than 100 times, often several times in the same month.
It is also important to listen to the community, to their needs and wishes, and to acknowledge the work of co-authors: the list of authors now counts 72 people who helped with patches and corrections.
Legal aspects at ETH Zürich
The development of open-source software at ETH is possible but has to be coordinated with the school through a Software Disclosure agreement with ETH transfer. After I left the Software Services in 2013, ETH decided not to continue the project, which was left to the community.
It was moved to GitHub, and I now maintain it as a hobby. By then we had already released 31 versions, and the community was big enough to keep the project alive.
After more than ten years, the plugin has attracted a solid community and has been developed far beyond its original goals and my expectations. It has many advanced features and is widely used.
With this short article I want to advocate for open sourcing your projects: it requires some work at the beginning, but eventually you will get back more than you had to invest.
Contact & Text
Dr. Matteo Corti, Head of ITS User Services, IT Services