Secure Coding mailing list archives
Re: Fwd: I don't beleive open source is always the answer
From: Martin Stricker <shugal () gmx de>
Date: Fri, 12 Dec 2003 02:14:35 +0000
Joe Teff wrote:
> Although I'm an avid fan of open source, I have a huge problem with that model when it comes to enterprise solutions. The argument that bugs are researched and fixed quicker for open source is not completely true. They definitely are if one of the contributors is interested in that specific area. However, there is nothing compelling anyone to fix a specific issue. If it is fixed, the fix occurs in one of the builds. There is no back patching of supported versions. In order to get a fix as soon as possible, you also have to take many other changes that may or may not be complete, safe or tested. Waiting for a milestone build that is fairly stable and has sufficient use to shake out most of the bugs does not occur any more often than commercial releases from a vendor.
That's where enterprise support companies come into the game. Look, for instance, at Red Hat. When you buy their Red Hat Enterprise Linux, you also buy a service contract, which guarantees you QA'd backports of security fixes for quite a long time (I think 4 or 5 years). Of course such service is not without cost. But then, since it is (mostly) Open Source, you can even grab the source for free and build it yourself. Or look at Debian - they don't sell their service, but they always have a Stable branch to which they backport important patches. Of course, because Debian is a volunteer effort, the lifetime of their products is not as long as Red Hat's. You can provide enterprise-level support for Open Source software. And for the enterprise Open Source is even better than closed source: if the maintainer decides to drop support for your software or your preferred version, you have the possibility to continue support yourself, or you can pay someone to do it, or you can start a business offering this support. All this is *impossible* with closed source. This is why companies must migrate away from WinNT server, but may be able to stay with Red Hat Linux 7.3 even though Red Hat will stop support for 7.3 at the end of 2003 - there is a volunteer project, and Progeny (owned by Novell) will also offer longer support; both will do this by backporting.
> The idea of taking the source and making your own change is also unrealistic. Since this list is all about security, I know everyone here would agree that any such change would require a great deal of testing. You've then just made the solution your own product to support.
Which sometimes does happen (see the GNU Emacs/XEmacs fork). With Open Source you have the possibility to get extended support after the maintainer drops it. Whether you'll get it is another question, of course... But with closed source there is *no way* you'll get support after the owner drops it! The way Open Source works is rather new to the enterprise world, so companies which offer support for this software are not yet common, but they do exist. And this might very well be a great business idea...

Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
Current thread:
- Fwd: I don't beleive open source is always the answer Joe Teff (Dec 11)
- Re: Fwd: I don't beleive open source is always the answer David M. Wilson (Dec 11)
- Re: Fwd: I don't beleive open source is always the answer Joe Teff (Dec 12)
- Re: Fwd: I don't beleive open source is always the answer George W. Capehart (Dec 11)
- Re: Fwd: I don't beleive open source is always the answer Martin Stricker (Dec 11)
- Re: Fwd: I don't beleive open source is always the answer der Mouse (Dec 12)
- Message not available
- Re: Fwd: I don't beleive open source is always the answer Joe Teff (Dec 12)
- Re: Fwd: I don't beleive open source is always the answer David M. Wilson (Dec 11)