Ask HN: How can I get involved with Linux/OpenSSL/GnuPG/etc
What would it take to be involved in $bigScaryOpenSourceProject? I'm passionate about cryptography, security, and privacy so projects like Linux, Firefox, OpenSSL, etc... might be perfect for me to get more involved with. Outside learning C or possibly Rust (for Firefox development in future) I have no idea how I'd start with any of these projects, partly as my day job is all web based so it's what I've been focused on for years.
Are there valuable contributions I can make outside writing code? For example, SSL can be tricky to setup but tools like SSL Test and the Mozilla Server Side TLS wiki page are invaluable in making us all safer. What's something in security that's too difficult or time consuming that I could work to automate or make easier?
29 comments
[ 0.23 ms ] story [ 82.6 ms ] threadFor the other projects you listed I’m not aware of such documentation, but I’d recommend you just go ahead and ask them directly :).
As you work on the little things you will slowly gain a better understanding of how the code base is organised and how you could contribute more significant changes.
Valuable contributions outside of writing code differ across projects, but most lack current or understandable documentation. As you learn about the project and read whatever documentation might already be there you will certainly find things that can be clarified.
I don't think it's unfriendly to newbies at all, other than the size of the codebase being so large that it takes considerable time/effort to understand well enough to make a patch you're willing to work through getting integrated.
Newbies can and do meet the standards for contributing, and it's not painful IME.
Look for something you care about, and are willing to put the work into improving. Software you use is a good start.
Less popular software is more likely to be happy for help.
https://youtu.be/-TdrFjDJn5E
* Pick a project you use and like. This way you will already be familiar with some aspects of the projects and you will have an idea for what works and what doesn't. You will be able to use your improvements for yourself.
* It's easier to contribute to a small project than a larger one. Larger projects are usually more complex and require understanding more code. If a smaller project has less people involved with it, it will be easier for you to get to know everyone and for everyone to get to know you.
* It's also easier to contribute to newer projects. Older projects usually have strict guidelines that can take a while to get used to. They often have internal politics that come into play. Finally newer projects have a lot of "low hanging fruits", simple things that anybody can fix.
You can start with commits that fix docs or clarify the code with additional comments. Contribute some unit tests, etc. As you familiarize yourself with the code and the process, you will be able to fix larger bugs and even implement new features.
The reason you should consider it is twofold:
- Code is only good if it's used, and ideally, usable. - This gives you a great opportunity to learn a lot about OpenSSL in an environment that has more (resources for) mentorship and unit tests.
https://www.github.com/pyca
Disclaimer: While I was around when it was founded and am still officially its resident cryptographer, I don't really do much of the work. I just occasionally show up and say "Frobenius" a lot.
What I've seen going wrong in the past is where people decide that they want to contribute to a project and don't tell anyone else about it until they've written hundreds or thousands of lines of code that are never going to be accepted, because the maintainers don't like their overall design (or the maintainers don't agree with the direction of the patch, or something else that could have been caught early but is way too late now).
Communicate early, communicate often. And if a community doesn't like that, leave and find a different one. Your time is more valuable than that.
P.S. and be sure you're contributing to a project that you are passionate about, not just one that sounds cool. Having your own intrinsic motivation will make a huge difference.
You can find bugs in bugzilla (firefox) or github (servo) that are labelled as suitable for newbies, my advice is to try and build it first then pick one up and go for it!
Go to their bug trackers and start working on the smallest bugs. Or write extensions for the most popular new languages to use their libraries or apps, so new programmers can take advantage of the existing crypto. Or write or update documentation. Or write user-friendly guides on what people need to use and how. Or fill the holes in their test routines to find new bugs faster, and build new test platforms for wider platform coverage. Or track down performance bugs.
Second, I would say start reading the manual, or at least skimming it. Get a better understanding of what the software actually intends to do, not what you think it intends to do. Remember that documentation is a part of software, so improvements are always welcome here!
Then, after, you can learn how to build the software. Make an easy modification (like changing a title, or changing something that gets printed out), and recompile and observe the change. From here you can look at a high level what gets built in what order, and what's important in the project.
Finally, you can start thinking about bugs that have been recorded in a bug tracker, or attempting to implement a neat improvement or feature. Look/ask for guidance, so you don't spend time doing something that ultimately no one will want or care about (which isn't to say it wasn't appreciated, but many projects have specific guidelines/goals/etc. and it's important your changes fit with those).
OpenSSL and GPG — subscribe to relevant mailing lists, find something wrong with them and discuss with upstream / fix it. This could be missing tests/docs or a bug.
Adding new functionality is harder to do as an outsider, but these other areas are somewhat easier to contribute to (in general).
https://www.youtube.com/watch?v=LLBrBBImJt4
I gave some hints here: http://dcid.me/notes/2013-may-12
That I hope can be useful for you.
thanks,
Are there valuable contributions I can make outside writing code?
Traditionally, documentation has always been rather lacking for the bulk of projects.
Secondly, you can fuzz FLOSS software, using something like afl-fuzz, American Fuzzy Lop. The following tutorial has some pointers to get started, and obviously software written in C is easier to get started with. If you need help with something, feel free to ask on the afl-users mailing list. You can fuzz on a CPU-heavy VM somewhere, like DigitalOcean, an Amazon spot instance, or a Google preemptible instance.
https://fuzzing-project.org/tutorials.html
In fuzzing, once you get the hang of it, you'll find that your keyboard time is the limiting factor. You'll set up a test case in 15-20 minutes, leave it fuzzing for a day, and come back to spend at least 1-2 hours working through crashes and reporting the bugs through their channels.
You may be saying "Wait I don't know anything about C," but honestly, I don't know anything about C either, and I've found hundreds of bugs with fuzzing. There are some crash dump investigation tools that give you an idea of the nature of the crash (gdb's exploitable.py) and that's usually enough to report to the maintainer. When the maintainer has a fix released, you can send an email to the oss-security mailing list detailing what you know about it. MITRE can assign a CVE on the mailing list if you describe the bug appropriately when you ask for one.
Also, check out Kernelnewbies:
http://kernelnewbies.org/