Software Itself Is A Process, Not A Product

...or, “there is no such thing as LTS.”

Bruce Schneier used to say that “security is a process, not a product,” meaning that it is an engineering discipline that you must continually practice, rather than a magic box you can buy. It is becoming increasingly clear that this is true for software in general: software is not a fixed thing that you acquire once, but a service or distribution that is continually updated.

Software is a living cultural artifact, a constant dialog between developers and users.

It might seem attractive (cheaper, or easier) to treat software as a finished product. However, old software — that is, any version of a program other than the latest stable version — is latent technical debt. It tends to be unsafe, unstable, and to lack features that you might find you need. Worse — much worse — you will come to rely on old APIs and interfaces, and then when you are absolutely forced to upgrade in a year or 5 from now, all that latent technical debt will hit you in the face. The giant migration to a new set of interfaces/features/bugs will be much more painful than all the small migrations combined. What seemed easy or cheap at first becomes catastrophically and unnecessarily expensive. Some of the absolute worst software I ever saw as a security engineering consultant was creepy, freaky old mainframe goatware from 1964. The organizations that paid IBM through the nose to keep it on life support insisted it was “really stable, man”, but in fact its prehistoric limitations contributed magnificently to grave and absurd unnecessary risk.

One of the most famous examples of treating software as a finishable, finished product is the qmail mail server by Dan Bernstein. You couldn’t hope for a better test case of the concept: ground-breaking design, wonderful performance, and nearly superhuman security quality. Bernstein achieved all this, and considered his work done. The trouble is, the needs of the email-using community changed. We wanted SPF and Domain Keys, IPv6, and a whole pile more stuff. There is no guarantee that all the third party add-ons that make qmail viable in the modern world rise to the same level of quality as the original core, since it lost its technical leadership. It’s abandonware on life support, just like the mainframe dinosaur sadness.

Another example is Donald Knuth’s TeX mathematical typesetting system, like qmail the product of a computing science super-genius. Knuth admits the eternal imperfection of TeX by using the digits of pi for version numbers — the current version is 3.1415926 — but in fact the core TeX has not been updated in many years. It’s still implemented in a language that generates Pascal, itself an obsolete language that must first be translated into C for use on modern machines. All new functionality comes from ever more crufty, slow, hard to use, and weirdly-designed layers upon layers of third-party add-ons and wrappers.

These are undeniable works of genius, laid low by the belief that they could be finished products, rather than created with recognition that they must evolve with their users. Software is simply not like other art forms.

This is not to say that a program’s original developer must be chained to the task of maintaining it forever; only to illustrate the point that developers and users must plan for software to change continually to meet changing needs. The further behind people’s needs the software is, the greater the technical debt and the deeper the melancholy of imperfection.