TrueCrypt or false? Would-be open source project must clean up its act

Security isn't TrueCrypt's only controversial point -- its claim to be open source doesn't hold water, either

These days you can't be too careful about protecting your privacy. No wonder people are turning to such solutions as TrueCrypt, which describes itself as "free open source on-the-fly encryption." It's a cross-platform program that can encrypt your hard disk. In an age where our own governments are hacking into service providers to steal information about us, it's the sort of software we all need.

But all is not well with TrueCrypt. The sustained anonymity of the developers behind it, coupled with its release practices and licensing, have finally pushed open source developers to the edge. While it's not unreasonable for the developers to protect their identities, transparent development practices are needed for counterbalance.

[ InfoWorld presents the Bossies 2013, the best open source software for clouds, mobile, developers, and more. | Track trends in open source with InfoWorld's Technology: Open Source newsletter. ]

In light of recent revelations about the actions of the NSA and other security agencies to compromise encryption software, concern about the integrity of security software can scarcely be considered paranoid. Trust, but verify.

The headline concern about TrueCrypt is that there's no published audit of the source code by known security experts. Without this, there are no grounds beyond its authors' claims to trust its effectiveness or integrity -- in other words, who knows, it could have a "backdoor." This is a situation open source community members will no longer tolerate, especially given the consistent anonymity of the authors.

Fortunately, since the source code is publicly available, an audit is possible independent of the developers. This month a crowdfunded project to perform a professional audit of the code achieved full funding in a very short time. The project will also seek to devise release practices that give users confidence that the program they download has in fact been built from the audited source and not some modified version with secret backdoors.

OSI concerns

Beyond the integrity of the source code and the binary release, the copyright license used by TrueCrypt presents a serious issue. The consensus in the open source community is that licenses that want to describe themselves as open source must be approved by the Open Source Initiative (OSI, of which I am currently president) as conformant with the Open Source Definition (OSD). The license used by TrueCrypt is not OSI approved.

That's not just a matter of omission. Though submitted to OSI for approval in 2006, it was withdrawn from consideration by TrueCrypt just before OSI would have ruled on the OSD compliance of the license. That was probably done because experts examining the license considered it unlikely to gain approval and said as much to the OSI board. Despite some changes since then, the license remains confusing, and to some commentators, it seems to have requirements incompatible with the OSD. It has not been resubmitted to OSI for approval.

While it's accurate to describe the software as "free" because it is made available without charge (although the license is also not a free software license according to the FSF license list), it is not at all appropriate for it to describe itself as "open source." This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable.

At our meeting this week, members of OSI's board expressed deep concern that the project is behaving in this way. As OSI director and open source expert Karl Fogel said, "The ideal solution is not to have them remove the words 'open source' from their self-description, but rather for their software to be under an OSI-approved open source license."

Some might regard these concerns as ephemeral, but the experience of the open source community time and again is that projects that refuse to respond to concerns about licensing turn out to be problematic in other ways. For this reason, many Linux distributions have policies of avoiding mislicensed software. For example, these concerns have led the Fedora Project to disengage and seek alternatives.

Until the licensing is fixed, the code audited, and the build made trustworthy, it's probably better to use an alternative to TrueCrypt such as tc-play, packaged by Fedora. Calling something secure and open source doesn't make it so. The TrueCrypt project needs to address community concerns and clean up its act.

This article, "TrueCrypt or false? Would-be open source project must clean up its act," was originally published at InfoWorld.com. Read more of the Open Sources blog and follow the latest developments in open source at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies