Boston city Web site goes open source
By adamg on Thu, 10/27/2016 - 2:46pm
Boston has loaded the source code for boston.gov on GitHub, which means code writers can now rummage around and submit improvements to make the site work better.
City Hall says this makes Boston the first "major" US city to turn its Web site into an open-source project. Officials emphasize the code - based on open-source Drupal software - contains no sensitive data.
Intriguingly, GitHub stats show a code contribution from Marty Walsh. OK, granted, just for the "readme" file.
Comments
I wonder...
So, along with this, they should put out a bug bounty. Because if I sniff out a bug/failure point that would let me, say, gather people's names, license plate numbers, and credit card data when they go to pay a parking ticket, then I have to choose between white and black hats. They might want to sway the calculation in favor of more white hats than black hats.
Paid via one free parking
Paid via one free parking space for a month.
A month!?!
Sold. I've found 12 bugs. Give me a year or I'll send them in at a rate of one every 30 days at my determined order of priority.
>:)>
I contribute open source and I develop for a living
But there's no way I can justify volunteering my time for free, to cover any gaps in the work of a lowest-bidder or a municipal employee on this, nor to cover any gaps in funding. (Where's my contract? Where's my salary, benefits, and pension?)
What this looks like to me is making it easier for bad guys to find security vulnerabilities. Why guess and experiment to find vulnerabilities, when you can just skim the code? The typical open source means of improving code security by having many skilled people look at it only works when many skilled people care to look at the code and then fix it. Otherwise, and initially, your open source is just making life easier for bad guys.
Who do I see for negligence when my private data is leaked because of this?
And did DHS sign off on this?
Calling BS on this anon
Brah, do you even liftcode?
Anon claims to be progger that contributes to open source - but then asks how he can justify volunteering time for free - so please tell me what OSS you're already working on that pays you.
And the baloney that you follow up with is the typical sounds-informed-but-really-has-never-actually-researched bs one hears from anti-open source types. And for good measure you throw in the "security through obscurity" argument that was debunked...oh - about 20 years ago.
I call bullshit - you're not a programmer, unless it's your universal remote, and you certainly don't know jack all about web site security if you think what the city's making available somehow puts private info at risk. Show me where.
(and yeah, I have looked it over, although am not a big Drupal/php guy. I was dubious about the choice because in the past Drupal's caching was considered subpar and the (baked-in) lack of backward compatibility made it a tough choice on really big multi-lobed sites like cityofboston. But it looks like Drupal 8 has addressed many previous complaints. So...we'll see).
311
But will it make the city any quicker at fixing things I report via 311? While they are quick to fix potholes (not as quick as Cambridge, but Boston generally does the work within a week), I've been reporting a dead streetlight on Pinckney Street for at least the past two months. The city assigns an issue number, but never follows up. I checked just this morning, it's still dead!
EWW
Ewwww it's built in PHP, the red headed step child of the internet.
Security Problem #1
PHP
Really?
More so than other platforms?
No, they're just fronting
n/t