Posts Tagged ‘effort’

Install certbot on Debian, Ubuntu, CentOS, Fedora Linux 10 / Generate and use Apache / Nginx SSL Letsencrypt certificates

Monday, December 21st, 2020

Reading Time: 9minutes

letsencrypt certbot install on any linux distribution with apache or nginx webserver howto</a><p> Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit <a data-cke-saved-href=
Internet Security Research Group (ISRG). ISRG group gave initiative with the goal to "encrypt the internet", i.e. offer free alternative to the overpriced domani registrer sold certificates with the goal to make more people offer SSL / TSL Free secured connection line on their websites. 
ISRG group supported Letsencrypt non-profit certificate authority actrively by Internet industry standard giants such as Mozilla, Cisco, EFF (Electronic Frontier Foundation),  Facebook, Google Chrome, Amazon AWS, OVH Cloud, Redhat, VMWare, Github and many many of the leading companies in IT.

Letsencrpyt is aimed at automating the process designed to overcome manual creation, validation, signing, installation, and renewal of certificates for secure websites. I.e. you don't have to manually write on console complicated openssl command lines with passing on Certificate CSR /  KEY / PEM files etc and generate Self-Signed Untrusted Authority Certificates (noted in my previous article How to generate Self-Signed SSL Certificates with openssl or use similar process to pay money generate secret key and submit the key to third party authority through a their website webadmin  interface in order to Generate SSL brought by Godaddy or Other Certificate Authority.

But of course as you can guess there are downsides as you submit your private key automatically via letsencrypt set of SSL certificate automation domain scripts to a third party Certificate Authority which is at Letsencrypt.org. A security intrusion in their private key store servers might mean a catastrophy for your data as malicious stealer might be able to decrypt your data with some additional effort and see in plain text what is talking to your Apache / Nginx or Mail Server nevertheless the cert. Hence for a high standards such as PCI environments Letsencrypt as well as for the paranoid security freak admins,  who don't trust the mainstream letsencrypt is definitely not a choice. Anyways for most small and midsized businesses who doesn't hold too much of a top secret data and want a moderate level of security Letsencrypt is a great opportunity to try. But enough talk, lets get down to business.

How to install and use certbot on Debian GNU / Linux 10 Buster?
Certbot is not available from the Debian software repositories by default, but it’s possible to configure the buster-backports repository in your /etc/apt/sources.list file to allow you to install a backport of the Certbot software with APT tool.
 

1. Install certbot on Debian / Ubuntu Linux

 

root@webserver:/etc/apt# tail -n 1 /etc/apt/sources.list
deb http://ftp.debian.org/debian buster-backports main


If not there append the repositories to file:

 

  • Install certbot-nginx certbot-apache deb packages

root@webserver:/ # echo 'deb http://ftp.debian.org/debian buster-backports main' >> /etc/apt/sources.list

 

  • Install certbot-nginx certbot-apache deb packages

root@webserver:/ # apt update
root@webserver:/ # apt install certbot python-certbot-nginx python3-certbot-apache python-certbot-nginx-doc


This will install the /usr/bin/certbot python executable script which is used to register / renew / revoke / delete your domains certificates.
 

2. Install letsencrypt certbot client on CentOS / RHEL / Fedora and other Linux Distributions

 


For RPM based distributions and other Linux distributions you will have to install snap package (if not already installed) and use snap command :

 

 

[root@centos ~ :] # yum install snapd
systemctl enable –now snapd.socket

To enable classic snap support, enter the following to create a symbolic link between

[root@centos ~ :] # ln -s /var/lib/snapd/snap /snap

snap command lets you install, configure, refresh and remove snaps.  Snaps are packages that work across many different Linux distributions, enabling secure delivery and operation of the latest apps and utilities.

[root@centos ~ :] # snap install core; sudo snap refresh core

Logout from console or Xsession to make the snap update its $PATH definitions.

Then use snap universal distro certbot classic package

 [root@centos ~ :] # snap install –classic certbot
[root@centos ~ :] # ln -s /snap/bin/certbot /usr/bin/certbot
 

 

If you're having an XOrg server access on the RHEL / CentOS via Xming or other type of Xemulator you might check out also the snap-store as it contains a multitude of packages installable which are not usually available in RPM distros.

 [root@centos ~ :] # snap install snap-store


how-to-install-snap-applications-on-centos-rhel-linux-snap-store

snap-store is a powerful and via it you can install many non easily installable stuff on Linux such as eclipse famous development IDE, notepad++ , Discord, the so favourite for the Quality Assurance guy Protocol tester Postman etc.

  • Installing certbot to any distribution via acme.sh script

Another often preferred solution to Universally deploy  and upgrade an existing LetsEncrypt program to any Linux distribution (e.g. RHEL / CentOS / Fedora etc.) is the acme.sh script. To install acme you have to clone the repository and run the script with –install

P.S. If you don't have git installed yet do

root@webserver:/ # apt-get install –yes git


and then the usual git clone to fetch it at your side

# cd /root
# git clone https://github.com/acmesh-official/acme.sh
Cloning into 'acme.sh'…
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (71/71), done.
remote: Compressing objects: 100% (53/53), done.
remote: Total 12475 (delta 39), reused 38 (delta 18), pack-reused 12404
Receiving objects: 100% (12475/12475), 4.79 MiB | 6.66 MiB/s, done.
Resolving deltas: 100% (7444/7444), done.

# sh acme.sh –install


To later upgrade acme.sh to latest you can do

# sh acme.sh –upgrade


In order to renew a concrete existing letsencrypt certificiate

# sh acme.sh –renew domainname.com


To renew all certificates using acme.sh script

# ./acme.sh –renew-all

 

3. Generate Apache or NGINX Free SSL / TLS Certificate with certbot tool

Now lets generate a certificate for a domain running on Apache Webserver with a Website WebRoot directory /home/phpdev/public/www

 

root@webserver:/ # certbot –apache –webroot -w /home/phpdev/public/www/ -d your-domain-name.com -d your-domain-name.com

root@webserver:/ # certbot certonly –webroot -w /home/phpdev/public/www/ -d your-domain-name.com -d other-domain-name.com


As you see all the domains for which you will need to generate are passed on with -d option.

Once certificates are properly generated you can test it in a browser and once you're sure they work as expected usually you can sleep safe for the next 3 months ( 90 days) which is the default for TSL / SSL Letsencrypt certificates the reason behind of course is security.

 

4. Enable freshly generated letsencrypt SSL certificate in Nginx VirtualHost config

Go to your nginx VirtualHost configuration (i.e. /etc/nginx/sites-enabled/phpmyadmin.adzone.pro ) and inside chunk of config add after location { … } – 443 TCP Port SSL listener (as in shown in bolded configuration)
 

server {

….
   location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
##      fastcgi_pass 127.0.0.1:9000;
      fastcgi_pass unix:/run/php/php7.3-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME /usr/share/phpmyadmin$fastcgi_script_name;
   }
 

 

 

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/phpmyadmin.adzone.pro/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/phpmyadmin.adzone.pro/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

 

5. Enable new generated letsencrypt SSL certificate in Apache VirtualHost


In /etc/apache2/{sites-available,sites-enabled}/your-domain.com-ssl.conf you should have as a minimum a configuration setup like below:
 

 

NameVirtualHost *:443<VirtualHost 123.123.123.12:443>
    ServerAdmin hipo@domain.com
    ServerName pc-freak.net
    ServerAlias www.your-domain.com wwww.your-domain.com your-domain.com
 
    HostnameLookups off
    DocumentRoot /var/www
    DirectoryIndex index.html index.htm index.php index.html.var

 

 

CheckSpelling on
SSLEngine on

    <Directory />
        Options FollowSymLinks
        AllowOverride All
        ##Order allow,deny
        ##allow from all
        Require all granted
    </Directory>
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
##      Order allow,deny
##      allow from all
Require all granted
    </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
</VirtualHost>

 

6. Simulate a certificate regenerate with –dry-run

Soon before the 90 days period expiry approaches, it is a good idea to test how all installed Nginx webserver certficiates will be renewed and whether any issues are expected this can be done with the –dry-run option.

root@webserver:/ # certbot renew –dry-run

 

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/adzone.pro/fullchain.pem (success)
  /etc/letsencrypt/live/cdn.natsr.pro/fullchain.pem (success)
  /etc/letsencrypt/live/mail.adzone.pro/fullchain.pem (success)
  /etc/letsencrypt/live/natsr.pro-0001/fullchain.pem (success)
  /etc/letsencrypt/live/natsr.pro/fullchain.pem (success)
  /etc/letsencrypt/live/phpmyadmin.adzone.pro/fullchain.pem (success)
  /etc/letsencrypt/live/www.adzone.pro/fullchain.pem (success)
  /etc/letsencrypt/live/www.natsr.pro/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

 

7. Renew a certificate from a multiple installed certificate list

In some time when you need to renew letsencrypt domain certificates you can list them and choose manually which one you want to renew.

root@webserver:/ #certbot –force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: adzone.pro
2: mail.adzone.pro
3: phpmyadmin.adzone.pro
4: www.adzone.pro
5: natsr.pro
6: cdn.natsr.pro
7: www.natsr.pro
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/phpmyadmin.adzone.pro

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/phpmyadmin.adzone.pro

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://phpmyadmin.adzone.pro

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=phpmyadmin.adzone.pro
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

IMPORTANT NOTES:
 – Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/phpmyadmin.adzone.pro/fullchain.pem

   Your key file has been saved at:
   /etc/letsencrypt/live/phpmyadmin.adzone.pro/privkey.pem
   Your cert will expire on 2021-03-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 – If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 

8. Renew all present SSL certificates

root@webserver:/ #certbot renew

Processing /etc/letsencrypt/renewal/www.natsr.pro.conf
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Cert not yet due for renewal

 

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/adzone.pro/fullchain.pem expires on 2021-03-01 (skipped)
  /etc/letsencrypt/live/cdn.natsr.pro/fullchain.pem expires on 2021-02-28 (skipped)
  /etc/letsencrypt/live/mail.adzone.pro/fullchain.pem expires on 2021-02-28 (skipped)
  /etc/letsencrypt/live/natsr.pro-0001/fullchain.pem expires on 2021-03-01 (skipped)
  /etc/letsencrypt/live/natsr.pro/fullchain.pem expires on 2021-02-25 (skipped)
  /etc/letsencrypt/live/phpmyadmin.adzone.pro/fullchain.pem expires on 2021-03-21 (skipped)
  /etc/letsencrypt/live/www.adzone.pro/fullchain.pem expires on 2021-02-28 (skipped)
  /etc/letsencrypt/live/www.natsr.pro/fullchain.pem expires on 2021-03-01 (skipped)
No renewals were attempted.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

 

 

9. Renew all existing server certificates from a cron job


The certbot package will install a script under /etc/cron.d/certbot to be run that will attempt every 12 hours however from my experience
often this script is not going to work, the script looks similar to below:

# Upgrade all existing SSL certbot machine certificates

 

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Another approach to renew all installed certificates if you want to have a specific options and keep log of what happened is using a tiny shell script like this:

 

10. Auto renew installed SSL / TSL Certbot certificates with a bash loop over all present certificates

#!/bin/sh
# update SSL certificates
# prints from 1 to 104 (according to each certbot generated certificate and triggers rewew and logs what happened to log file
# an ugly hack for certbot certificate renew
for i in $(seq 1 104); do echo "Updating $i SSL Cert" | tee -a /root/certificate-update.log; yes "$i" | certbot –force-renewal | tee -a /root/certificate-update.log 2>&1; sleep 5; done

Note: The seq 1 104 is the range depends on the count of installed SSL certificates you have installed on the machine, that can be seen and set the proper value according to your case when you run one time certbot –force-renewal.
 

How to be More Productive Infogram – 35 Essential Habits Most Productive People on Earth put in Practice

Wednesday, March 18th, 2015

Reading Time: < 1minute

As a person involved in IT, i've been always irritated by how much inproductive is our society. Almost nothing in a modern world (no matter the Government Regime be it democratic or communistic is pushing you to become productive) on the contrary the modern culture preached habits are putting you into habits which are both unhealthy and make you live a very boring and unsuccessfuly life. There are plenty of books already written on the subject on how to be productice, however people are so busy to produce more and more and be materially successful, that most of the people we do is unwise and lacks any efficiency.
Below Infogram definitely gives a clue what is wrong with most people's regime which tend to produce less and less day by day, even though they put more and more effort in what they do. 

how-to-be-productive-get-done-35-habits-most-productive-people-infographic

Though I always thought I'm among the productice population, after revealing the inforgram I understand a lot of my mistakes which causing me to have often unhealthy and unefficient life …

19th of August Ilindensko Preobrajenski Revolt – Bulgarian land liberation war Uprising on feast of Transfiguration

Monday, August 20th, 2012

Reading Time: 3minutes

Ilinden freedom or death flag Svoboda ili Smyrt slogan

On 19-th of August 1903 happened the Indensko Preobrajensko Vyzstanie – (Ilinden Transfiguration liberation revolt). This revolt is important moment for Bulgarian restoration modern history. At this time South Eastern part of Bulgaria was still under Ottoman Turkish Empire rule and there was huge internal tension between local population striving to liberate and unite with rest of bulgarian lands.

The revolt was planned to raise some publicity in western world and show that the lands of Strandzha mountain are belonging to the newly established Russian liberated restored Bulgaria. Ilindensko Preobrazhenski Uprising was preceded by another revolt which happened in nowdays Macedonian lands near the city of Ohrid. The revolt is named under Ilindensko Preobrajensko Vyzstanie name because actually, the 2 revolts were perceived as one common effort to liberate and unite ex-Bulgarian empire territories with mainly Bulgarian and Serbian population to the newly re-establed Bulgarian land. Ilinden is important day for Bulgarian culture in english it means (Saint Elijah’s day) as the people of the early 20th century had strong faith the 2 revolts received a common name after the two Church feasts Ilinden (st. Elijah’s day) and Preobrazhenie (The day of Christ transfiguration). The revolt was organized and planned by the even to this day existing Bulgarian organizatoin VMROVytreshno Makedonska Revolicionna Organizatia – (Internal Macedonian Revolutionary Organization).
VMRO asks on a few times the then Bulgarian army to join them in the uprising efforts, but the then Bulgarian king refuses foreseeing that this could cause another war between the newly re-established 5 centuries unexistent Bulgaria with the still large and powerful Ottoman empire.
Chetata na Yane Sandanski Ilindensko preobrazhensko revolt

Though uprising was quickly brutally extinguished by Turkish as planned the revolt was able to raise a huge dispute about the so called “Bulgarian problem” and in 1913 part of Strandzha mountain was united with Bulgarian country. The Bulgarian population of the parts of Strandja mountain which remained in territory of Turish empire was forcefully chased to central Bulgaria.

Chetata na Yane Sandanski Ilindensko Preobrazhensko revolt uprising

The total number of “guerillas” who participated in two revolts was 26 000. This 26 000 bravehearts faced enormous 350 000 people Turkish army! Of course the outcomes of this uniqeual powers were clear. Still some members of the uprising held hopes thta maybe Russia or some of the western countries would help them with provisions and people “reinforcements”. 994 “guerillas” died in the uprising.

Zname ohrid flag ohrid cheta Peter Chaulev

The turkish army demolished 201 peaceful people villages (12 440 houses!) and killed brutally 4 694 (peaceful inhabitants in this number kids and woman) by slaughtering and burning them alive. 30 000 of people from the ravaged villages escaped from their homelands and become refugees in Bulgaria. As one can guess whole Civillized Europe was in shock that in 20th century such a blood bath could happen in Europe ….

I work for money if you want loyalty hire a dog – thinking that can solve your internal workplace (dilemmas) issues :)

Wednesday, February 12th, 2014

Reading Time: 2minutes

I-work-for-money-if-you-want-loyalty-hire-a-dog

I WORK FOR MONEY IF YOU WANT LOYALTY – HIRE A DOG!

I was told about those picture few months ago by a friend (Ivan Pushkaroff – Pushi) while we were drinking beer together in  (Delfincheto – a pub more known among people under the name "Ribkata (The Fish)" – A Metal Music pub in Studentski Grad (Sofia's Student City). By the way if you're in Sofia and near "Studentski Grad" be sure to drop by there – they serve great and always fresh fish also for ex-metal heads for me it is always nice to get some memories about  "the good old metal years"

when I tried to complain how difficult it is for me on my job place. I'm a quite sensitive person and a perfectionist and always try to do a great job. Often however there are many obstacles to do your job in right way (as you depend on so many bureaucracy and external people that even if you do your best someone else can mix it up and screw all your effort by not doing his part of the job. The failure of project or Task due to inadeaquacy of someone else involved to do his job right can leave you with a feeling that you have failed even though it is completely not your fault. As these days I'm quite stressed on my job and I have to work on a lot of badly designed projects (and improperly) assigned tasks – yes in big companies it is like these "the right hand doesn't know what the left one is doing". I remembered my dear friend advice to not take it seriously or personally and decided to put these funny picture in hope that these will help me and others to deal with situation of hardships in job in a humorous way After all I'm just a mercenary and I'm doing my best right now in my job at HP … I work for money if they expect higher degree of loyalty let them hire a dog 🙂

Creator of Linux kernel Linus Torvalds with a biblical name, Pope Linus second Pope of Rome

Thursday, February 16th, 2012

Reading Time: 3minutes

Western Roman Catholic Pope Linus picture, Pope after Saint apostle Peter

Linus's name is encountered once in the Scriptures (The Holy Bible) in the second book part of the New Testament scriptures:

I really like King James English version of the bible, here is the text extracted from there, mentioning Linus's name:

2 Timothy 4:21
Doe thy diligence to come before winter. Eubulus greeteth thee,
and Pudens, and Linus, and Claudia, and all the brethren. (From KJV 1611 Translation)

Here is a modernized version of the same verse taken from the New American Standard Bible Version (1995):

2 Timothy 4:21
Make every effort to come before winter. Eubulus greets you,
also Pudens and Linus and Claudia and all the brethren.

- New American Standard Version (1995)

Other curious fact maybe, even uknown to Linus Torvalds himself is Saint Linus used to be the first bishop of Rome, after the Apostles bishopship.
This makes Saint Linus the second in place Roman Catholic Pope after Saint Peter in early Western Church. There are some early sources which says Pope Clement I was the second pope of Rome, however probably this sources are erroneous, since some very important early written sources like the Apostolic Constitutions states Linus was the first bishop of Rome and was ordained by St. Paul. The same documents says Pope Linus was succeeded by Pope Clement – ordained by saint Peter.

Below's paste is taken directly from BibleGateway.com cofirming about Pope Linus being the sacond Roman Catholic Pope:

Linus
(a net), a Christian at Rome, known to St. Paul and to
Timothy, (2 Timothy 4:21) who was the first bishop of Rome after the apostles. (A.D. 64.)

Something Pope Linus is known with is, to have issued a church decree that woman should cover their heads in church.This ancient church tradition is still observed more or less in the Orthodox Church. It is not known much about how Saint Pope ruled the early Western Church but since the western and eastern Church used to be in communion in these early days, this means the nowdays Roman Catholic saint Linus is probably a saint in the Eastern Orthodox Church as well.
According to some unprovable written sources Pope Linus later suffered martyrdom and was buried in Vatican Hill next to saint apostle Peter.

St. Linus according to Church tradition passed away in the 1st securury A.D.
Below's paste is taken directly from BibleGateway.com a multilingual website location for reading the bible

Linus
(a net), a Christian at Rome, known to St. Paul and to
Timothy, (2 Timothy 4:21) who was the first bishop of Rome after the apostles. (A.D. 64.)

I've merged a picture of how saint Linus used to look with one of the pictures of Linus Torvalds. It's rather funny they actually look alike 😉 🙂 🙂

Saint Linus and Linus Torvalds creator of GNU Linux kernel

The creator of GNU/Linux kernel Linus Torvalds might not be a saint in Christian sense, but his deed is definitely saintly as he initiated the creation of the Linux kernel and decided to share its source and publish it under GPL (General Public License).
The phenomenon of GNU / Linux Free Operating System existent today and specific type of development is definitely a miracle. The general philosophy of sharing with neighbor your software is also very close to the Christian philosophy of sharing. Actually too many of the ideas of the free software and "open source" movements resemble purely Christian ideas.

The software sharing philosophy has become a reality thanks to Richard Stallman and his GNU Project, however the existence of GNU / Linux as a complete operating system become reality thanks to the Linus torvalds kernel efforts which is known under the code name Linux. Talking about names, maybe not much will know, that Linux kernel used to have a different name in the early stage of its development, its first code name was FreaX

What is the real development costs of Debian GNU / Linux – How much costs the development of a Free Software projects

Friday, February 17th, 2012

Reading Time: 4minutes

Free Software (FS) is free as in freedom as well as free as in price. Free and Open Source Software (FOSS) is developed by geek hobbyist which voluntarily put their time and effort in writting, testing and sharing with anyone for free million of lines of programming code. This doesn't mean however the price of free software costs is 0 (zero). Though the "end product" –  Free Software developed is FREE, "real" software costs as with any other product costs huge money.

I've recently read on Jeb's blog an estimation on how much is the cost of one of the major Free Software project efforts – Debian GNU / Linux
According to James E. Brombergerthe whole Debian project was estimated to be at the shocking price of $19 billion – $19 000, 000, 000 !!!

Here is how JEB got the $19 billions, a quote taken from his blog:

"By using David A Wheeler’s sloccount tool and average wage of a developer of US$72,533 (using median estimates from Salary.com and PayScale.com for 2011) I summed the individual results to find a total of 419,776,604 source lines of code for the ‘pristine’ upstream sources, in 31 programming languages — including 429 lines of Cobol and 1933 lines of Modula3!

In my analysis the projected cost of producing Debian Wheezy in February 2012 is US$19,070,177,727 (AU$17.7B, EUR€14.4B, GBP£12.11B), making each package’s upstream source code worth an average of US$1,112,547.56 (AU$837K) to produce. Impressively, this is all free (of cost).

James has done incredible job with this great research and he deserves applause.
However I believe the numbers proposed by his research are slightly different if we speak about realistic cost of Debian GNU / Linux.
The real costs of the working software ready to install on a user PC are way higher, as according to Jeb's research only the software cost based on code line count is considered.

Hence James software estimation calculates only the programming costs and miss many, many factors that constitute the software end cost.
Some of the many, many REAL COST / expenses for developing a huge Free Software project like Debian GNU / Linux to be considered are:
 

a) bandwidth costs for hosting free software (on the server side)b) bandwidth cost for developers or FS users downloading the software

a) Time spend to spread the word of the great added value of Debian and bundled software (Mouth by Mouth Marketing)

b) Time spend to advertise Debian and its free software components on blogs, social networks (identi.ca, facebook, twitter) etc.(Voluntary online Marketing, SEO etc.)

c) Time spend on generating ideas on future program versions and reporting them to Debian FS community

d) Time on evaluation and feedback on software

e) Time spend on managing free software repository (download) servers voluntarily (by system administrators)

f) Time spend by users on Bug Tracking & Bug Reporting

g) Time spend on research and self-actualization by software developer)

h) Time spend on software Quality Assurance

This are most of the multiple factors which should probably influence the cost of any non-free (proprietary software) project. No matter this costs apply for non-free software, it perfectly applies for free software as well.With all said if if we assume the non-programming costs are equal to the programming costs of $ 19 000 000 000 (suggested by Jeb). This means the real cost of Debian will presumably be at least $32 000 000 000. Putting $ 19 billion for all this long list of "additional" costs (besides pure source) factors is probably still very under-scored number.
 

  • the developers use of their own computers (hardware depreciation)
  • electricity bill of the volunteer (developer) working on the program or project
  • electricity bills for servers where free software is stored and available for download
  • volunteer developer IT skills and tech knowledge (KNOW HOW)
  • Internet, network, dial up bandwidth cost
  • personal time put in FS development (programming, design, creativity etc.)! here the sub costs are long:
  • Costs for Project Management Leaders / Project Coordination
  • The complexity of each of the projects constituting Debian

Very interesting figure from Jeb's research is the Programming Languages break down by source code figure.
Jamesresearch reveals on the 4 major programming languages used in the 17000+ software projects (part of Debian GNU / Linux):

 

  • ANSI C with 168,536,758 – (40% of all projects source code)
  • C++ at 83,187,329 – (20% of all projects source)
  • Java 34,698,990 – (lines of code 8% of sources)
  • Lisp – (7% of all projects source code)

  His research also provides a general idea on how much the source code of some of the major FOSS projects costs. Here is a copy of his figures
 

Individual Projects

Other highlights by project included:

ProjectVersionThousands
of SLOC
Projected cost
at US$72,533/developer/year
Samba3.6.12,000US$101 (AU$93M)
Apache2.2.9693US$33.5M (AU$31M)
MySQL5.5.171,200US$64.2M (AU$59.7M)
Perl5.14.2669US$32.3M (AU$30M)
PHP5.3.9693US$33.5M (AU$31.1M)
Bind9.7.3319US$14.8M (AU$13.8M)
Moodle1.9.9396US$18.6M (AU$17.3M)
Dasher4.11109US$4.8M (AU$4.4M)
DVSwitch0.8.3.66US$250K (AU$232K)

 

As you can imagine all the source evaluation results, are highly biased and are open for discussion, since evaluating a free software project/s is a hard not to say impossible task. The "open" model of development makes a project very hard to track, open source model implies too many unexpected variables missing from the equation for clear calculation on costs. What is sure however if turned in money it is very expensive to produce.  At present moment Debian Project is sponsored only through donations. The usual yearly budget 5 years ago for Debian  was only $80 000 dollars a year!! You can check Debian Project annual reports throughout the years here , for year 2012 Debian Project budget is as low as $ 222, 677 (US Dollars)! The output price of the software the project provides is enormous high if compared to the low project expenses!

For us the free software users, price is not a concern, Debian is absolutely free both  as in freedom and free as in beer 😉