October 2004 issue > Feature: Open Source
Reality Check in Open Source
Venkat Ramana
Tuesday, July 8, 2008
Paul Gustafson and William Koff, Senior Executives at CSC’s Leading Edge Forum, write: Something disruptive is happening when:
  • organizations operate on the premise of paying $0 for new software infrastructure, demanding justification for any purchase costs above that
  • a global software development community over 800,000 strong challenges the leading software vendors like no competitor can
  • organizations achieve time-to-market, innovation and product quality like never before
  • commodity computing platforms bring significant price-performance benefits to more and more organizations, defying proprietary approaches
  • organizations eye the methodology of the global development community to improve their own way of developing software
  • governments around the world issue directives steering away from proprietary software, and
  • software vendors are forced to prove their case.

    That disruption is open source, the software development model made popular by the Linux operating system. With Linux as the star, there is a rich cast of open source software available today for Web servers, application servers, databases, content management, office systems, browsers, development tools, security and more. Open source brings about the reorganization of millions of software developers into global collaborative communities, amassing a strength an order of magnitude greater than what is possible in the proprietary software realm.

    The lure of open source software is that it is “free” in the sense that anyone can use it, modify it, create derived works from it, and redistribute it—and there are no license fees.

    Jay Michaelson, a co-founder of Wasabi Systems and a reputed legal counsel, has this to offer in his article There is no such thing as a free (software) lunch (ACMQueue): “The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users.” So begins the GNU General Public License, or GPL, which has become the most widely used of open source software licenses. Freedom is the watchword—it's no coincidence that the organization that wrote the GPL is called the Free Software Foundation—and that open source developers everywhere proclaim, “Information wants to be free.”

    As the GPL indicates two paragraphs later, however, “To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.” As most open source software developers know, this means that, in practice, the GPL is actually one of the less “free” software licenses out there because it requires anyone who modifies a GPL’d program to make the program’s code freely available, if the program is “distributed” to others.

    Is the Sky Falling?
    Microsoft and other big players in the proprietary software business are almost continuously accused of spreading enormous amounts of FUD (fear, uncertainty, and doubt) with regard to this particular requirement. They and their allies have even argued that the GPL threatens national security. In addition, some have also claimed that the contents of a Linux server may be unprotected, and they have warned of everything short of the sky falling—and once someone gets a patent on clouds, they'll probably warn about that, too.

    The Linux community has responded in kind and, to be completely fair to companies such as Microsoft, has capitalized on equally paranoid fears on the part of some of its larger users. The Chinese government, for example, has an official policy of using Linux because it believes that Microsoft software is part of a U.S. plot for world domination.

    Call For Reforms
    Red Hat CEO Matthew Szulik opened the recent Open Source show with a call for the reform of U.S. patent and copyright law, saying that U.S. IP policy represented a “growing threat” to Linux. “The current process of not requiring full disclosure of software and source code allows copyright registration to create an unnecessary threat, … causing potential unconstitutionality in how U.S. copyright is awarded,” Szulik said. His warning was underscored by news recently that the City of Munich, Germany, was delaying its highly publicized Linux migration because of IP concerns. Munich Mayor Christian Ude said his city was still backing the Linux initiative but was delaying the client portion of the rollout due to concerns about proposed European Union patent legislation, according to a statement posted on the City of Munich Web site.

    An analysis of the Linux kernel, sponsored by insurance company Open Source Risk Management (OSRM), found that 283 software patents—27 of which were owned by Microsoft—could potentially be used as the basis of a patent lawsuit against Linux users or distributors. Patent lawsuits on average cost about $3 million to defend, according to Dan Ravicher, the author of the OSRM study.

    Nick Donofrio, IBM’s senior vice president of technology and marketing, took up the patent issue in his keynote address, calling on the IT community to rally together and establish procedures that can help avoid patent infringement claims and to work to resolve issues as they arise. Donofrio vowed that IBM, which owns 60 of the patents discovered in the OSRM study, would not use its patents to harm Linux. “We have no intention of asserting our patents against the Linux kernel, unless, of course, we are forced to defend ourselves,” he said.

    Although SCO may have achieved widespread notoriety by questioning the integrity of Linux’s IP, the company has not made much money from its claims. In its most recent quarter, revenue for the company’s SCOsource initiative, which pursues such claims, dropped to a mere $11,000—a tiny fraction of the $3 million to $5 million in legal bills the company is spending each quarter.

    Security Lapses
    John Viega, co-author of Secure Programming Cookbook for C and C++, warns the open source community about the myth that open source is secure. In a recent column he writes that the original argument for open source security is Eric Raymond’s “many eyeballs” maxim: with many eyeballs, all bugs are shallow. The gist of Raymond’s argument is that the number of bugs found in a piece of software correlates to the number of people looking at the code. The hope is that more people looking at the code will unearth more of the lingering issues.

    “Additionally, I commonly hear people insist that open source developers tend to be better at security because they have a better, more supportive community. Part of this may be a reinforcement of the ‘many eyeballs’ argument, but part of it is a cultural elitism, in which the open source community believes it is better at writing code in general, and secure code in particular.”

    The people you want looking at your free software are for the most part doing other things with their time, such as auditing commercial software. Still, those in the open source community never seem too worried about security in their own software. It seems like every open source developer under the sun thinks he understands security well enough to avoid security issues, even if he isn’t too surprised when other developers are not quite as competent; plenty of security advisories for open source applications come out every week.

    Of course, the customer won’t pay for software security. Customer demand will force the software suppliers to address the issue. Even the Navy’s prototype requires that vendors pay for their assessments. Who will pay for open source software assessments? Ultimately the highest-profile open source software may go through the wringer if behemoths like IBM think it's worth the cost. Smaller projects are unlikely to receive that kind of treatment.

    Security assurance isn’t just about assessments, either, and the security-aware customer knows it. It's a worn but true cliché that security can’t be bolted onto an application after the fact. It needs to be considered from the beginning. A positive, cost-effective change in security requires a change in process.

    Whither, Desktop Dominance?
    Few firms are planning to move to Linux on the desktop; most will stick with Windows as their desktop PC operating system, according to research. A report from Forrester Research, The State of the Corporate PC, said that Linux does not pose a serious threat to Microsoft’s dominance of the desktop. Half of the small firms interviewed for the report, and 47 per cent of enterprises, told the analyst that they will not replace any of their Windows-based corporate desktops with systems running Linux.

    In contrast, Windows XP migrations are in full swing. Some 77 per cent of enterprise users are upgrading, 37 per cent on new PCs and existing hardware and 40 per cent on new PCs only. Forrester also noted “aggressive plans” to deploy Longhorn, Microsoft’s next-generation operating system, when it is released. The analyst explained that firms are committed to the Microsoft platform and have built their application environments around Windows. Survey respondents also expressed concern that the cost savings would not be significant enough to warrant a major shift in platform strategy.

    “Linux adopters expect significant cost savings for hardware and software,” the report says. “For those firms that do plan to deploy Linux to some extent, the primary motivators are lower total cost of PC ownership, easier and cheaper licensing, and lower cost of applications.”

    The open source movement is powering forward, and will change the landscape. How significantly is to be seen.