Security Basics mailing list archives

Re: Why open source software is more secure


From: Chad Perrin <perrin () apotheon com>
Date: Thu, 8 May 2008 11:40:12 -0600

On Thu, May 08, 2008 at 04:36:19PM +0100, David Harley wrote:
> > The main goal of a software vendor is not to bring you a
> > _good_ product, but to sell it to you. That is the only truth
> > about that.
>
> And I thought I was cynical... I'm not saying that there aren't poor
> products, but there are companies who see making a quality product as a
> sales asset, and making a living out of selling a product doesn't mean you
> can't believe in and be passionate about improving that product.

True -- but the trend is for people making a living out of selling a
product (and having no other specific use for the product) to be
passionate only about gaining and holding market share.  Any interest in
the product is usually a mere consequence of that, rather than a primary
concern.  There are, of course, exceptions (and I think the guys at PGP
Corporation are a prime example of that, speaking of security).

> > That's why the product might be fully featured,
> > nicely decorated and published on time: the vendor is
> > economically motivated to make it this way. But there's no
> > sense to make it secure and stable because the only motive
> > for this is liability, which does not exist in the software industry.
>
> This is exactly the wrong way round. Selling a product usually establishes a
> contractual liability. Open source software is unsuitable in many contexts
> precisely because of the difficulty of establishing liability in the event
> of a problem.

To be more accurate -- there are those contexts where open source
software is deemed unsuitable because, without the implied liability of a
commercial software vendor, there's nobody to blame if something goes
wrong.  This potential for blame doesn't make the software any better,
doesn't improve the circumstances if something does go wrong, et cetera,
but it does provide a way for the decision-maker who chose the software
to deflect responsibility for the results to some third party, thus
allowing him or her to keep his or her job.

Of course, that's assuming there isn't a commercial vendor for open
source software.  A lot of the time, there is.  OS vendors like Red Hat
and SuSE, database vendors like EnterpriseDB and MySQL AB, and others of
their ilk are excellent examples.  Furthermore, even in cases where there
isn't a vendor to whom one can shift blame to keep one's job, the
potential for playing the "blame game" with a given vendor must be
weighed against the likelihood that something will go awry.  Even if a
vendor is chosen to whom one can theoretically shift blame for a
catastrophic error in judgment, that may not be enough to save one's
bacon in the boardroom.  There are times when the need for assurance in a
secure and/or stable software selection is greater than that for "someone
to blame" -- and for such circumstances, you may be better off choosing
something like OpenBSD over MS Windows, or EnterpriseDB's PostgreSQL
offering over Oracle (as shown in the FTD fiasco of last year).

> I'm not saying that good (excellent, even) open source software doesn't
> exist: I use some myself. But there is also stuff around that couldn't
> survive commercially because of its limitations and/or lack of support.

There's also closed source commercial software that couldn't survive in
the open source world because of its poor quality and the inability to
fix it oneself when something blows up.  These streets run both ways.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when
it becomes necessary to shoot the engineers and begin production."
