Secure Coding mailing list archives
Re: Fwd: I don't beleive open source is always the answer
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Fri, 12 Dec 2003 15:20:56 +0000
> Although I'm an avid fan of open source, I have a huge problem with that model when it comes to enterprise solutions.
I might too, if I knew what you meant by "enterprise solutions", though based on the arguments you present, I'm inclined to doubt it. There are circumstances where open source is not a right answer. But I can't see any of the arguments you marshal as being convincing, largely (I think) because you've not found any of those circumstances.
> The argument that bugs are researched and fixed quicker for open source is not completely true.
Not completely, no. "The battle is not always to the strong, nor the race to the swift - but that's the way to bet". The open-source model does not always get bugs fixed faster, either - but that's the way to bet. And with open source, you're no worse off than you were with closed-source, where you'd have to pay someone else to fix them; indeed, you're better off, because you can shop around for someone to pay to fix them.
> However, there is nothing compelling anyone to fix a specific issue.
True enough. But try to get a big vendor (Microsoft, Sun, etc) to fix a bug that isn't producing loads of negative PR - especially for free, which is implicit in the open-source model - and then explain exactly how the closed-source model differs from the open-source model in this respect.
> If it is fixed, the fix occurs in one of the builds. There is no back patching of supported versions.
This simply isn't true. In general, that is (it's doubtless true in some cases). For example, fixing of old versions is exactly what NetBSD three-number (x.y.z) releases are: post-release fixes applied to the x.y release.
> In order to get a fix as soon as possible, you also have to take many other changes that may or may not be complete, safe or tested.
Even if your statement is true, it does not differentiate open-source from closed-source. Consider Microsoft "That's fixed in service pack 18" - but when you install SP18 you promptly discover that it breaks something else. And I don't think your statement is true to begin with. You can always do it yourself. Or pay someone to do it, which you would have to do in the closed-source model, one way or another.
> The idea of taking the source and making your own change is also unrealistic. Since this list is all about security, I know everyone here would agree that any such change would require a great deal of testing.
You can do it yourself or you can pay someone to do it for you. With closed source, you don't have the first option, and you can't shop around for the second option. How does that make open source worse? I also disagree that it's unrealistic:

Point 1: in most service industries, it's "first priority, restore service; second priority, fix the problem".

Point 2: who can better test a fix in your environment, you or some vendor to whom you're just a name in a customer database?

Point 3: you have to pay one way or another, and if you're paying your own people to do it, you're paying just for the work, not for another company's profit markup as well.
> You've then just made the solution your own product to support.
And what's wrong with that? Especially since with open source your fix will often be taken back into the main tree, at which point it's no longer solely your headache?

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B