Secure Coding mailing list archives

Re: Fwd: I don't believe open source is always the answer


From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Fri, 12 Dec 2003 15:20:56 +0000

> Although I'm an avid fan of open source, I have a huge problem with
> that model when it comes to enterprise solutions.

I might too, if I knew what you meant by "enterprise solutions", though
based on the arguments you present, I'm inclined to doubt it.

There are circumstances where open source is not a right answer.  But I
can't see any of the arguments you marshal as being convincing, largely
(I think) because you've not found any of those circumstances.

> The argument that bugs are researched and fixed quicker for open
> source is not completely true.

Not completely, no.  "The battle is not always to the strong, nor the
race to the swift - but that's the way to bet".  The open-source model
does not always get bugs fixed faster, either - but that's the way to
bet.  And with open source, you're no worse off than you were with
closed-source, where you'd have to pay someone else to fix them;
indeed, you're better off, because you can shop around for someone to
pay to fix them.

> However, there is nothing compelling anyone to fix a specific issue.

True enough.  But try to get a big vendor (Microsoft, Sun, etc) to fix
a bug that isn't producing loads of negative PR - especially for free,
which is implicit in the open-source model - and then explain exactly
how the closed-source model differs from the open-source model in this
respect.

> If it is fixed, the fix occurs in one of the builds.  There is no
> back patching of supported versions.

This simply isn't true.  In general, that is (it's doubtless true in
some cases).  For example, fixing of old versions is exactly what
NetBSD three-number (x.y.z) releases are: post-release fixes applied to
the x.y release.

> In order to get a fix as soon as possible, you also have to take many
> other changes that may or may not be complete, safe or tested.

Even if your statement is true, it does not differentiate open-source
from closed-source.  Consider Microsoft "That's fixed in service pack
18" - but when you install SP18 you promptly discover that it breaks
something else.

And I don't think your statement is true to begin with.  You can always
do it yourself.  Or pay someone to do it, which you would have to do in
the closed-source model, one way or another.

> The idea of taking the source and making your own change is also
> unrealistic.  Since this list is all about security, I know everyone
> here would agree that any such change would require a great deal of
> testing.

You can do it yourself or you can pay someone to do it for you.  With
closed source, you don't have the first option, and you can't shop
around for the second option.  How does that make open source worse?

I also disagree that it's unrealistic:

Point 1: in most service industries, it's "first priority, restore
service; second priority, fix the problem".

Point 2: who can better test a fix in your environment, you or some
vendor to whom you're just a name in a customer database?

Point 3: you have to pay one way or another, and if you're paying your
own people to do it, you're paying just for the work, not for another
company's profit markup as well.

> You've then just made the solution your own product to support.

And what's wrong with that?  Especially since with open source your fix
will often be taken back into the main tree, at which point it's no
longer solely your headache?

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B