March 01, 2006
Open source security and who cares about source code, anyway?
...does it make a sound? That's the question I'm pondering right now, in light of Jason's once-a-year posting to his blog. We miss you, Jason. Don't forget to write!
This time, perhaps to make up for the years of silence, Jason gives IBM a slap. He's responding to Bob Sutor's (perhaps self-congratulatory) blog entry on open source and its superiority, especially as it relates to security, standards, and all things pure and beautiful.
Call me jaded, but I'm with Jason on calling a spade a spade: IBM is one of the Good Guys in open source, sure. But I'm not yet willing to start calling its founding "The Immaculate Incorporation." Some of the things Bob (who, incidentally, is VP of Standards and Open Source at IBM) says deserve a little slap, given their source, as Jason points out:
Sutor: "Not knowing why governments would possibly decide to use proprietary or vendor-dictated specifications when they are clearly against the long-term best interests of the citizens, especially those who are now young and will have to deal with decisions made now once they reach adulthood."

Matusow: I hope the irony of this statement coming from IBM is not lost on my readers. This one is all about the ODF / Open XML File Format debate, but before I comment on that specific issue I think there is a higher-level concern. Governments should be evaluating all solutions (in-house, commercial-off-the-shelf, freeware, shareware, open source, public domain) based on the technical merits and value-for-money they receive from the solution. I wonder if IBM would suggest that governments should no longer consider purchasing proprietary IBM software (approx. $15B revenue stream resulting in more than 30% of IBM's profits) because it may be built upon vendor-dictated specifications and may result in their taxation data, military secrets, etc. being "locked-in" to DB2/Websphere/Notes solutions?

Touché! Matusow 1, Sutor 0. :-)
However, Jason overstates his case when it comes to security:
Sutor: "People are sick of not knowing. Not knowing if code contains security problems because they can't see it."

Matusow: There are two assertions here. The first is that transparency of source code increases trust. I completely agree with that, and that is why >13,000 organizations in >60 countries are eligible to look at Windows source code. Unfortunately, very few organizations care about source, nor have the expertise to understand what they are looking at even if they care to look. The second assertion is that source code licensed under an OSS license is more secure because of the openness. That has proven to be completely untrue and is damaging to all OSS-based businesses to continue to make. If there was ever an issue where the entire industry should get together and sing kumbayah together, it is security.

I can't follow Jason on this one, because I think he misconstrues Bob's argument (sophistry at its best ;-).
It's not a question of whether Company X or Company Y views the source code - they don't. The point is that the option of choice serves as a very useful surrogate for the exercise of that choice, as I've noted before. It really does matter that Windows is closed and Linux is open, for example, both because of the incoming code problem and because of the ongoing code maintenance problem. If a security bug is found (either through lots of eyeballs or in production when Company X's systems are breached), the communal, open approach to the fix will be faster where a strong community exists (with a strong core of developers). (Where no such community exists, companies shouldn't bother to use the product. Open source without community is...closed source.)
This is the way liberal (little "l") democracy works, too. It's not that everyone chooses to get involved in the process (electoral, community, etc.), actively writing the laws and what-not, but rather that they collectively can influence and direct the few that actually touch the "code" (laws, emergency response to disasters, etc.). In a closed government, it is that government's discretion that determines when/how it will act on a matter, with no real responsibility directly to the people.
So, Microsoft may be benevolent with its market power, but who would know? Yes, it has a fiduciary responsibility to its shareholders, and yes, it has a financial incentive to please customers, but I would argue that that responsibility and incentive may not always align. In an open company/process, the alignment may not be perfect, but I would argue it has a better chance of being tightly coupled.
Posted by Matt Asay on March 1, 2006 07:35 AM
COMMENTS
The idea that the community fix resulting in faster time to protection is a flawed argument, Matt. The vast majority of support agreements from vendors supplying OSS technologies prohibit modification of source code, and many mandate that you wait for the vendor-approved security patch to be applied to a system. I've been harping on this for a while, but the fact that a solution was developed under the OSS model does not mean that it is run in production as anything other than commercial binary code. If you have a support contract with Red Hat and SpikeSource, and SAP - and at each layer they specify what versions of what components with what patches you can run...you are not dealing with community fixes. The trade-off in speed of fix availability is balanced by testing of the fix solution so you don't end up breaking other elements when applying the security patch. Customers' expectations around stability and predictability make a difference.
I don't underestimate the value of community, but to position OSS solutions as somehow mystically better at security because of the development model is not supportable. The academic and industry studies I have seen support the fact that there is no superior mode of production when it comes to creating software with fewer security flaws (because devs are trained the same way and make the same types of mistakes no matter who they are coding for). The quality of a vendor's security response mechanisms and their engineering capacity to deal with incoming issues is hugely important.
Security is a universal problem and not limited to one vendor or one class of technology. All of us in the industry have a vested interest in seeing consumer confidence remain high in connected computing. Thus, I tend to find comparative arguments such as this to be less productive than other parts of the grander OSS debate.
Posted by: Jason Matusow at March 1, 2006 10:02 AM

You need to start reading what I write, rather than what you think I write, Jason. I didn't say that the community would fix a problem faster. I said community pressure on the core developers, and the transparency of the process, results in faster fixes to problems. I think that has been demonstrated near-conclusively. It's certainly the case at Alfresco that the community (even though we have final control over the code) exercises a huge amount of influence over us - the transparency of that influence matters.
In other words, transparency of people matters as much - probably more - as transparency of code. You've solved, to a limited extent, the transparency of code issue for your customers (though you've done little to make it permeable for would-be customers), but you're failing to provide transparency of people and process.
You say, "The quality of a vendor's security response mechanisms and their engineering capacity to deal with incoming issues is hugely important."
Agreed. That was my point. And I think a vendor's security response is either dramatically accentuated or pulverised by the community factor. Architecture should tend to be better in an open process (as in cryptography), if for no other reason than shortcuts aren't really permissible when the code is on display. I would expect that Microsoft has things in its code that it would be highly reluctant to publicly display, just as with any other closed-source vendor. For open source vendors, we don't have the luxury of hiding things behind copyrights and such.
Again, it's not a question of whether we do or don't allow modifications of our software - that's post-release of the code, and still doesn't touch my argument about community pressure. We have active, outside involvement in the code creation and beta/review process. That matters. It has an effect on our performance, stability, and security.
And no, it really wouldn't be that hard for Microsoft to do the same, and reap the same benefits. You just have a cultural hurdle to overcome first. I'd be happy to coach you on the process. :-)
Posted by: Matt Asay at March 1, 2006 11:21 AM

Ouch!
Jason -- as all others adhering to the Microsoft messaging mantra -- ignores the most fundamental question of "Value for Money" -- since they use the term so frequently that they have lost the sense of its meaning: that file formats need to be open to even qualify for evaluation.
That is, there is no VALUE to an organization of a non-standard file format.
This will be more apparent as OpenDocument subsumes whatever else is available that offers benefits in superficial areas.
Yes, it's a showdown. But you would have to trust the premise that organizations want to remain dumb in discerning what is and isn't 'open' to believe superficial values will trump fundamental values in the market in the next 2-4 years.
Posted by: Sam Hiser at March 2, 2006 04:41 AM