
New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
39,459 (8.42/day)
Location
Hyderabad, India
Even if you don't have more than one operating system installed, your PC has a boot-loader, a software component first executed by the system BIOS, which decides which operating system to boot with. This also lets users toggle between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that uses a Unix-like operating system. Cybersecurity researchers with Oregon-based firm Eclypsium discovered a critical vulnerability with GRUB2 that can compromise a device's operating system. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. It affects any device that uses the GRUB2 boot-loader, including when combined with Secure Boot technology.

BootHole exploits a design flaw with two of the key components of GRUB2: bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that can lead to a buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administratively privileged users from tampering with boot processes; however, in the case of BootHole, the boot-loader parses a configuration file located in the EFI partition of the boot device, which can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing it for all versions of SUSE Linux. Expect practically every other *nix vendor and server manufacturer to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.
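The article's key defensive point is that the file GRUB2 parses lives on the EFI System Partition and is writable by anyone with admin rights, so an unexpected change to it (or to the boot binaries beside it) is the thing to watch for. The script below is an added example, not code from the article, from Eclypsium or from the GRUB project: it records a size/SHA-256 baseline for a small watchlist of ESP files and later reports what was added, removed or modified. The watchlist paths (EFI/ubuntu/grub.cfg, grubx64.efi, shimx64.efi) assume a Debian/Ubuntu-style layout under /boot/efi and are placeholders for your distribution's layout; the grub.cfg contents in demo() are constructed sample data.

```python
"""Baseline-and-compare integrity check for files on the EFI System Partition.

Added example (not code from the article, Eclypsium or the GRUB project).
Paths and file names are assumptions: adjust them to your distribution's layout.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Files typically worth baselining on a Linux ESP (assumption: Debian/Ubuntu-style layout).
DEFAULT_WATCHLIST = (
    "EFI/ubuntu/grub.cfg",
    "EFI/ubuntu/grubx64.efi",
    "EFI/ubuntu/shimx64.efi",
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a large boot binary is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(esp_root: Path, watchlist=DEFAULT_WATCHLIST) -> dict:
    """Record size and SHA-256 for each watched file; a missing file is recorded as None."""
    baseline = {}
    for rel in watchlist:
        p = esp_root / rel
        baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)} if p.is_file() else None
    return baseline


def compare_to_baseline(esp_root: Path, baseline: dict) -> dict:
    """Return {relative_path: 'modified' | 'added' | 'removed'} for every deviation from the baseline."""
    findings = {}
    current = build_baseline(esp_root, tuple(baseline))
    for rel, expected in baseline.items():
        actual = current[rel]
        if expected is None and actual is not None:
            findings[rel] = "added"
        elif expected is not None and actual is None:
            findings[rel] = "removed"
        elif expected != actual:
            findings[rel] = "modified"
    return findings


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep the copy somewhere the ESP cannot overwrite (ideally off-host)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed end-to-end run on a throwaway directory standing in for /boot/efi.

    Returns the findings dict so the behaviour can be checked without a real ESP.
    """
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        cfg = esp / "EFI/ubuntu/grub.cfg"
        cfg.parent.mkdir(parents=True)
        # Constructed sample grub.cfg, not taken from any real system.
        cfg.write_text("search.fs_uuid 0000-0000 root\nset prefix=($root)/boot/grub\nconfigfile $prefix/grub.cfg\n")
        (esp / "EFI/ubuntu/grubx64.efi").write_bytes(b"MZ" + b"\x00" * 64)

        baseline_path = esp / "esp-baseline.json"
        save_baseline(build_baseline(esp), baseline_path)

        # Simulate an admin-level edit of the parsed config and the removal of a boot binary.
        cfg.write_text(cfg.read_text() + "set timeout=0\n")
        (esp / "EFI/ubuntu/grubx64.efi").unlink()

        return compare_to_baseline(esp, load_baseline(baseline_path))


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:9s} {rel}")
```

Take the baseline right after the patched GRUB2 package has been installed, store it off the machine, and treat a hit as an investigation lead rather than proof of compromise, since legitimate package upgrades also rewrite these files. Because the check runs from inside the OS, an attacker who already holds root could tamper with it as well; that is why Secure Boot with the vendor's revocation update is the stronger control, and this kind of file monitoring is a complement to it.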



 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
Are windows users safe from this one?
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.
 
Joined
Jan 25, 2006
Messages
998 (0.19/day)
I think I need my coffee though it's only 6.20am here, I had to double take as I thought it said bootyhole vulnerability o_O
 
Joined
Nov 11, 2004
Messages
6,397 (1.11/day)
Location
Formosa

Corvid

New Member
Joined
Jun 24, 2020
Messages
2 (0.05/day)
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.
None of these problems are problems with open source. They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.

There's plenty of open source projects out there with tons of funding and dedicated developers, but companies tend to forget about "little" projects that run their entire goddamn infrastructure like OpenSSL and GRUB
 
Joined
Jul 5, 2013
Messages
10,035 (3.87/day)
After having read into it more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user need worry about.
 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.
If it's the choice between providing for yourself and your family, most good programmers will take a job at places like Microsoft, Google, Apple, IBM, or any other Fortune 500 company and rightfully so. Nobody likes starving.
There's plenty of open source projects out there with tons of funding and dedicated developers
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
 
Joined
Nov 1, 2008
Messages
4,152 (0.97/day)
Location
Vietnam
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.
People monetize open source all the time. Sure, you might be right about small, obscure open source programs, but when big companies use open source, they do scrutinize the code and they do get paid to do so.
 

sumolDeLaranja

New Member
Joined
Jul 14, 2020
Messages
5 (0.21/day)
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
You think said projects get funding out of kindness in big-name companies' hearts, or because not having to reinvent the wheel lets them save money and pay for programmers to do real innovation? ;)
Please no jokes about our best and brightest spending their time creating adtech algorithms to sell you a fidget spinner...
It seems like megacorps see a place for open source, and clearly they do want to employ bright people and have them create new products and services, and not have them rewrite rather essential stuff like cryptography stacks and bootloaders over and over again...
 
Joined
Aug 20, 2007
Messages
13,220 (2.79/day)
Yes. However, the theory behind open source's million eyes idea is a load of bunk.
It's not. This vulnerability, however, is. If you control the bootloader you can just pass some kernel parameters to attain root, how is this a vulnerability? This is more like a concept in computing, lol.

Apparently not. Technically no OS is safe from this.
They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.

After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user need worry about.
I mean if you have root, you can always rewrite the bootloader. But again, this is like crying about how I got compromised because I was already compromised. It's BS.
 

bug

Joined
May 22, 2015
Messages
7,861 (4.13/day)
After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user need worry about.
Yes, you need to craft a grub.cfg file. You can only do that if you gain root privileges first. If an attacker gains root access on your machine, grub/secure boot is the least of your worries.

Good thing it was discovered though, many attacks these days are built around chaining together several innocuous and/or hard to exploit flaws like this.
 
Joined
Jul 10, 2015
Messages
276 (0.15/day)
Location
Sokovia

bug

Joined
May 22, 2015
Messages
7,861 (4.13/day)
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
About 80% of all software projects are failures, open source has nothing to do with that.
 
Joined
Nov 11, 2004
Messages
6,397 (1.11/day)
Location
Formosa
They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.
The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.
So YES, Windows is affected too. Maybe not as badly, but still.
 

bug

Joined
May 22, 2015
Messages
7,861 (4.13/day)
So YES, Windows is affected too. Maybe not as badly, but still.
It's unclear to me how this will affect a pure Windows install, since those don't include grub. Also unclear why the certificate authority is mentioned.
But I can see how this will affect dual-boot installs: once you botch the UEFI, it stays botched.
 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
Sure, you might be right about small, obscure open source programs
What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed. Where was the funding before? Oh sure, they got some scraps thrown their way every once in a great while; but in the end it was just scraps. Oh here, we had some money in our end-of-the-year budgets, let's throw it their way.

And OpenSSL wasn't the only big-name project that damn near failed. Ever heard of OpenBSD? Yeah, back in January of 2014 they didn't even know if they were going to be able to keep the lights on and pay the electricity bill. It was only after a $100,000 bailout by none other than Microsoft that saved OpenBSD from oblivion. And I'm pretty damn sure that Microsoft didn't give the money over out of the goodness of their hearts. If you believe that, I've got some bottom land to sell you; just don't ask me what it's at the bottom of.

Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

Just look at the forum software that powers this very forum, XenForo. It's written in PHP however it's $160 a year for the base package. If you add some addons, it's $345 a year. And it's not open source. Sure, there's phpBB and Simple Machines Forum but yeah right.
 

bug

Joined
May 22, 2015
Messages
7,861 (4.13/day)
Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.
Gtk/Gnome, Qt/KDE, GIMP, Darktable, Blender, Apache Kafka (et comp), Elasticsearch, Mozilla, Chromium, OpenWRT, pfSense, PuTTY, Keepass, ffmpeg, VLC, git, gcc...
But you're right, aside from a few hundred projects, open source is totally a joke.
 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
Mozilla is funded by huge donations from Google. Chromium is obviously by Google. But that’s why I said, outside of the big-name projects open source is generally a joke. Most projects on GitHub die within a year due to lack of funding.
 
Joined
Aug 20, 2007
Messages
13,220 (2.79/day)
So YES, Windows is affected too. Maybe not as badly, but still.
Ah. The grub2 commentary confused me.

What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed.
It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.

Most projects on GitHub die within a year due to lack of funding.
A lack of a maintainer does not make them useless.
 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.
Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.
 
Joined
Aug 20, 2007
Messages
13,220 (2.79/day)
Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.
So you have one example, that isn't an open source specific problem, but a funding one?
 
Joined
Mar 6, 2017
Messages
2,083 (1.67/day)
Location
North East Ohio, USA
So you have one example, that isn't an open source specific problem, but a funding one?
OK, but I also mentioned OpenBSD that was saved only by Microsoft coming along with $100,000 in their pockets.

The problem that most open source projects have is that they have a lot of "takers" but not a lot of "givers". If you like an open source program/project, you need to do what is right and by that, I mean donate to the project be it direct donations or if they have a merch store, buy something there. Buy a coffee cup or a t-shirt for God's sake! Every little bit helps.

Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets). The unfortunate thing is that a majority of people are freakin' cheapskates. They don't donate, they don't pay, yet they're the first to start yelling when things go wrong.
 
Joined
Mar 10, 2015
Messages
3,250 (1.64/day)
Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.
WordPress is still a joke.
 