Security Basics mailing list archives
Re: Why open source software is more secure
From: Chad Perrin <perrin () apotheon com>
Date: Thu, 8 May 2008 11:40:12 -0600
On Thu, May 08, 2008 at 04:36:19PM +0100, David Harley wrote:
> > The main goal of a software vendor is not to bring you a _good_ product, but to sell it to you. That is the only truth about that.
>
> And I thought I was cynical... I'm not saying that there aren't poor products, but there are companies who see making a quality product as a sales asset, and making a living out of selling a product doesn't mean you can't believe in and be passionate about improving that product.
True -- but the trend is for people making a living out of selling a product (and having no other specific use for the product) to be passionate only about gaining and holding market share. Any interest in the product is usually a mere consequence of that, rather than a primary concern. There are, of course, exceptions (and I think the guys at PGP Corporation are a prime example of that, speaking of security).
> > That's why the product might be fully featured, nicely decorated and published on time: the vendor is economically motivated to make it this way. But there's no sense to make it secure and stable because the only motive for this is liability, which does not exist in the software industry.
>
> This is exactly the wrong way round. Selling a product usually establishes a contractual liability. Open source software is unsuitable in many contexts precisely because of the difficulty of establishing liability in the event of a problem.
To be more accurate -- there are those contexts where open source software is deemed unsuitable because, without the implied liability of a commercial software vendor, there's nobody to blame if something goes wrong. This potential for blame doesn't make the software any better, doesn't improve the circumstances if something does go wrong, et cetera, but it does provide a way for the decision-maker who chose the software to deflect responsibility for the results to some third party, thus allowing him or her to keep his or her job. Of course, that's assuming there isn't a commercial vendor for open source software. A lot of the time, there is. OS vendors like Red Hat and SuSE, database vendors like EnterpriseDB and MySQL AB, and others of their ilk are excellent examples. Furthermore, even in cases where there isn't a vendor to whom one can shift blame to keep one's job, the potential for playing the "blame game" with a given vendor must be weighed against the likelihood that something will go awry. Even if a vendor is chosen to whom one can theoretically shift blame for a catastrophic error in judgment, that may not be enough to save one's bacon in the boardroom. There are times when the need for assurance in a secure and/or stable software selection is greater than that for "someone to blame" -- and for such circumstances, you may be better off choosing something like OpenBSD over MS Windows, or EnterpriseDB's PostgreSQL offering over Oracle (as shown in the FTD fiasco of last year).
> I'm not saying that good (excellent, even) open source software doesn't exist: I use some myself. But there is also stuff around that couldn't survive commercially because of its limitations and/or lack of support.
There's also closed source commercial software that couldn't survive in the open source world because of its poor quality and the inability to fix it oneself when something blows up. These streets run both ways.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when it becomes necessary to shoot the engineers and begin production."