The Open Road

I loved this post over at OpenLogic about the risks of proprietary software. All those risks some persist in seeing in open-source software? They're twice as bad when you can't access the code.

Here are my two favorites that OpenLogic lists:

• Proprietary software we use could be really buggy and break down, making it impossible for anyone in the company to get any work done.

... Read more

In reading through a larger article on open-source adoption in the US Department of Defense, I came across this interesting perspective on why shared-source software (which Microsoft and an increasing number of software vendors use to mimic open source without fully embracing its benefits and obligations) is bad for security:

Several large companies whose software is in heavy use in DOD advocate a shared source code model in which people can view the source code but not change it. This shared source code approach has some problems, though. By sharing source code with organizations, the users have the ability to find flaws in the software. However, because they are not able to fix code security flaws, unscrupulous organizations may use access to source code to develop software that exploits the bugs. This shared source code approach potentially contributes to the rise in zero-day exploits in a number of commercial products. The best approach for truly secure systems is transparency--release the software as open source because security by obscurity rarely works well.

In other words, letting people in without providing a way for them to get themselves out (of a security exploit or whatever) is a recipe for frustration and potentially disaster. It's like tying the customer's hands so that they can see how they'll be hit but not allowing them to raise their hands to defend themselves.

Shared source may be comfortable for vendors, but it's bad for customers.

Via John Scott.

If you believe some of the headlines, Microsoft just open sourced a bunch of software related to its .Net libraries. Don't be fooled. The definition of open source is very clear. This is not open source. Not even a little bit. In fact, this may actually be an insidious trap (more on that below).

Will Hurley captures the move accurately:

Is .NET open source now?...The license indicates that developers can "see" the source code, but Microsoft's not providing any means of copying it. If a developer finds a bug in the code, rather than fixing it themselves and submitting a patch to the community they'll be encouraged to submit feedback via the product feedback center. They're showing us the man behind the curtain, but we're not allowed to speak to him in person just yet. We're still stuck with the giant, disembodied green head. And since community involvement is essential to most open source efforts, well....

In other words, it's not open source. But is it good for developers, anyway?

There is an ugly feeling growing against Microsoft in its attempts to have a few of its shared-source licenses certified as OSI (Open Source Initiative)-approved. The general sentiment is that OSI approval is for everyone except Microsoft.

I compete with Microsoft. My livelihood depends on beating Microsoft. I have worked for two companies that have been run over by Microsoft and its leveraging of monopoly power. I'm at least as familiar with Microsoft's legal and business tactics as most people, and probably more so than most. I've been on the losing end of Microsoft's monopoly power more than once.

But I don't believe in discrimination. Not even of the "bad guys."

Tim notes that Microsoft will be submitting its shared-source licenses to the OSI for approval. He calls this "huge, long-awaited,...and earthshaking." It's actually none of the above, but it is welcome.

It will do little to blur the "bright line between Microsoft and the open-source community," as Tim suggests it will. That bright line is increasingly drawn by Microsoft, and not by the community. This will not erase patent FUD, for example, from the collective consciousness. But I suppose it does help Microsoft to start acting like a full participant, rather than an outsider.

But this isn't the real news.

It was just a matter of time. But eventually, it was bound to happen. Some in the industry have been playing fast and loose with the term "open source," and yesterday Michael Tiemann, president of the OSI, cried 'Foul!' on his blog. As Michael writes:

Starting around 2006, the term open source came under attack from two new and unanticipated directions: the first was from vendors who claimed that they have every bit as much right to define the term as does the OSI, and the second was from vendors who claimed that their license was actually faithful to the Open Source Definition (OSD), and that the OSI board was merely being obtuse (or worse) in not recognizing that fact. (At least one vendor has pursued both lines of attack.) This was certainly not the first attack we ever had to repel, but it is the first time we have had to confront agents who fly our flag as their actions serve to corrupt our movement. The time has come to bring the matter into the open, and to let the democratic light of the open source community illuminate for all of us the proper answer.