Why are people so yucky?
So, the deal is that I wrote a silly little Apache module
last week that does Kerberos authentication based upon
whatever comes through basic authentication. Not a big deal,
a little piece of glue code to make Stan's life a
little easier. A whole whopping 56 lines of code, and about
three hours of my life figuring out how Authen::Krb5 works,
writing and testing the module.
So after a week's worth of problems involving the service
that was under my authentication code (actually really weird
routing problems involving DHCP) I get an email from a guy
in the Security Office for IU...
A little background here: I work for the Messaging Team at
Indiana University. We do DNS, Email, DHCP, News, DCE,
various NT services, and Account generation for the campus.
Theoretically for all eight campuses, but right now mostly
just two. Most of my job is to be around and write code that
any of those services need to stay running in a smooth
manner. I also do big design work, so that the amount of
glue code necessary (and available to break) stays to a
minimum.
So this email from the Security Office basically says that I
should have consulted them before I wrote this code (not
that they had anything else available), consult them before
I write any code that might possibly be used for security
and that they should be the maintainers of the code. And I
should mail it to them.
So I am in the midst of trying not to freak out. It sounds
as though they have basically told me that I am not allowed
to write anything that might possibly have a little bit of
security involved. Does this involve anything I write that
is encrypted? I write code that does all sorts of
authentication and authorization. Does it need to be cleared
by committee now?
I am probably over-reacting. Hell, I know I am
over-reacting, but asking me not to write code that I (or my
friends and co-workers) need to do our jobs is a little
upsetting. This has been happening with increasing
frequency. The "Don't do that, this project will do that
later" vaporware thing is definitely going on.
Anyway, my response to this is to get off my ass and
register as a developer in CPAN so that I can get the stuff
published, then I'll inform them that they can download the
code, just like anyone else. It's not a great module, but it
works and hasn't shown a problem in tens of thousands of
authentications since it went production on Monday. And I
wrote it, dammit. I don't care if someone else wants to
contribute. That is what open source is all about. But I
also don't want it hidden away or co-opted because it falls
into someone else's kingdom.
Am I reacting in a
completely idiotic way?