Archive for October, 2007

New OSI licences from Microsoft

The Open Source Initiative have announced the approval of a pair of licences from Microsoft. The Microsoft Public License (Ms-PL) and the Microsoft Reciprocal License (Ms-RL) are:

…refreshingly short and clean, compared to, say, the GPLv3 and the Sun CDDL. They share a patent peace clause, a no-trademark-license clause, and they differ only in the essential clause of reciprocation. (slashdot)

This is another step on the road to open source for Microsoft, a road already marked out by projects like WiX, an open source licensed installer/packaging toolset for Microsoft Windows systems. Hopefully these new licences will mean that more projects native to Microsoft platforms (such as those at CodePlex) will use an open source licence.

Personally I’m a little worried about the Ms-RL’s use of the word “file,” a technical term used without definition, which a sufficiently well-paid lawyer could probably cause problems over: “What if it’s in an email, not a file?” “What about when it’s embedded in hardware?” and so on. But then I’m not a lawyer, so I may have the wrong end of the stick.

Closed Vs Open Source Security

A recent post on the How Software is Built blog (often a good read) seems to be very confused about open vs. closed source quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that reminds the reader that the blog is sponsored by Microsoft.

First we have the question:

In this day and age, isn’t it easy enough to quantify vulnerabilities?

A comment from “Swashbuckler” gets the answer exactly right. Quantifying known vulnerabilities is easy, but quantifying unknown vulnerabilities is impossible. No tool or QA process will allow you to quantify unknown vulnerabilities.

Software quality is not only about the bugs you know exist, it is also about the ones you don’t know exist.

OK, so that one may be an innocent mistake on the author’s part; after all, it was phrased as a question (albeit a rhetorical one). However, the post then goes on to say:

I simply don’t get the same feeling from the open-source people we’ve talked to. When we’ve brought the subject up, the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.

OK, I don’t know who the author has talked to, but it is certainly true that some projects, be they open or closed source, rely on haphazard QA processes. So this statement alone doesn’t bother me too much, but it is followed with:

Am I completely off base? Do things like the Linux kernel and Apache go through rigorous security reviews?

So the author has not talked to two of the communities where security is critical. If the author does not know the answer to this question then they have no basis for the assertion quoted above.

The answer, by the way, is yes. Both Linux and the Apache web server go through rigorous security reviews.

Many people (many eyes, in other words) run the cutting-edge development code and put it through their own internal security tests before rolling it out across their multi-million pound businesses or embedding it in their multi-million pound revenue generating software and hardware products. The many eyes principle is not just about people reading code contributions, although that is an important part of it. It is also about many eyes on development as it happens, rather than on a finished, QA’d release.

The author then asks:

Is there proof that “many eyeballs” in open source is at least as good as something like the Security Development Lifecycle in Microsoft?

Both Linux and Apache, the examples chosen by the author, see significant contributions from staff at companies like IBM, Sun, Oracle, Red Hat, HP, Google, Amazon, Yahoo!, Facebook (and so on). Does the author really think that these multi-million pound businesses just take the latest Linux or Apache web server release without testing it? Does the author really think that they don’t get involved with a new release during the QA stages of development? Does the author really think that they sink developer resources into these projects but ignore the QA process?

Of course, there are also all the smaller businesses who contribute to development; they are part of the QA process as well.

That’s what “many eyes” means. I can’t tell you if it is better or worse than any other QA process. However, I would bet that companies who use open source to drive their multi-million pound businesses feel that their own organisations’ QA processes are “at least as good as something like the Security Development Lifecycle in Microsoft”.

Free WiFi wherever you go

FON has been doing it for some time, and with some success (I use it myself). Now that BT have partnered with them, this could really tip the balance; maybe we really will get free WiFi wherever we go…

With your help we’re building the world’s largest Wi-Fi community. You allow other members to securely log onto your Wi-Fi and in return you can securely log onto the hundreds of thousands of other Wi-Fi connections in the network. Best of all, there is no cost. (from BT FON web site)

If you are ever in my neck of the woods you’ll be able to use my bandwidth. Why don’t you join up and return the favour (you don’t need to be a BT customer).

Why is Facebook labelled as a fad?

Brian Kelly wonders why some software products are considered to be fads and why some are not. He says:

The Apache server software saw steady growth in its use from its launch. But I never heard anyone criticise Web server administrators for being fashionable, or doom merchants predicting that the growth would come to an end and, therefore, there is little point in using the software.

And yet such arguments are being made when other software, such as Facebook, becomes popular. Why is this, I wonder?

Here’s my take:

Facebook has limitations that cannot be worked around. It forces me (as a user) to work the way they want me to, and their method of working is inefficient (at least for what I am trying to achieve). As a result I don’t see the value and I, possibly rashly, label it as a fad.

In contrast the Apache web server can be customised to work the way I want it to. I’m not forced to follow someone else’s way of working, although I can choose to do so if I agree with the fashion. In other words I can choose to set the trend or follow it. Having options means there is a greater chance of retaining your market.

Brian then goes on to hypothesise that:

I think this is because services such as Facebook don’t fit in with the ideology of the ‘chattering classes’ - it’s not open source, for example. And, unlike Apache, there is a lot of money associated with Facebook, with large companies (such as Microsoft and Google) looking to invest in the company.

This is a common mistake. Open source is not (or at least should not be) an ideology of the “chattering classes”. It is a development methodology that gets real work done, for real people, in real profitable organisations.

It’s interesting that Brian implies that there is no money being invested in the Apache web server. Who does he think pays for the people who develop it? The server is embedded in a huge range of high profile commercial products from a very large range of companies, much larger than those reported to be interested in Facebook. If the Apache web server were not owned by a non-profit I suspect its valuation would be far higher than Facebook’s.

Sure, there is money “associated” with Facebook, but nothing truly significant in terms of profit. On the other hand, there are huge profitable organisations that are fully dependent on the Apache web server and sink considerable amounts of money into its development.

I therefore cannot agree that the reason some users like Facebook and others do not has anything to do with money, at least not if we ignore the chattering classes and listen to those with opinions we value. Instead I think it is more to do with the ability to make the product do what you want. Of course, for every person claiming it is a fashion there is another claiming it will be here forever. We should listen to those voices too.

Brian says “as professionals we should base our judgments on evidence, rather than beliefs and, if the evidence shows that our beliefs aren’t working, then we may need to modify our beliefs, rather than ignore the evidence.” I fully agree.

Can anyone show me the evidence that Facebook is not a fad? I doubt it.

Can I show you the evidence that Facebook is a fad? No, I can’t.

Brian then goes on to cite the Netcraft survey as evidence about the changing fashions in the server market:

On the other hand, maybe Apache is starting to become unfashionable; after all, as a recent Netcraft survey reported, its market share [is] “declining closer to the 50% mark, as Microsoft … gained over 3 million hostnames”.

Sorry, I don’t see that as evidence. Look past the headline that Brian quotes and take a look at the historical figures in the survey (they are on the page Brian links to).

The Netcraft survey shows there has been no real change in market share since Dec 2001 for either Apache or Microsoft, and no significant change for Apache since Dec 1999. What we are seeing may be just another short term fluctuation, or it may be the start of a genuine change in market make-up. It is impossible to tell from the survey data alone.

Statistics can be used to prove anything; only time will tell us the truth. The same is true for Facebook: having a huge number of users today is not evidence that they will have users tomorrow. It is dangerous to ignore the evidence of the past failures of walled gardens in the Internet space (e.g. CompuServe, Telecom Gold, Minitel, Prestel and AOL) when compared to the flexibility of a truly open system. Only AOL survived, and it did so by tearing down its walls. The dot com boom and bust saw similar results: the only really significant players from those early e-commerce days that held out were Amazon and eBay, both early adopters of the open API approach to their data.

All this is hardly conclusive evidence, but it is why I tend more to the “fashion” side of the argument. Of course, my opinion is based on history, and we all know that history is not an accurate indicator of the future. Unfortunately, for me, history is all I have (apart from my gut instinct, that is).

Use the fork, Luke

Open source means (amongst other things) that you have access to the source code. But what if you have no intention of ever looking at the code? Is access to the source code still important to you?

It should be.

To illustrate why, let me paint a picture:

Your IT department has installed a new piece of software across all desktops in the organisation. Your users like it; in fact, it becomes a key part of their daily life. Everyone is happy.

Over time the software improves and bugs are fixed. It’s time to upgrade to a newer version.

It’s going to cost money, so you enter a new procurement phase: the decision is whether to upgrade to the latest and greatest version of the current solution or switch to another solution. The upgrade is cheaper in terms of technical, licence and training costs, and the competitors are not significantly better, so upgrade it is.

[Notice it makes no difference up to this point as to whether you have access to the source or not.]

More time passes, technology has moved on, and your users are demanding another upgrade so they can do all the latest cool stuff. Time for a new procurement phase.

Now, let’s imagine that the company behind your chosen product has decided to stop supporting it. It is at this point that access to the source becomes important.

A closed source product would have been left behind. There would have been no development from the point at which support was withdrawn. You have limited choices: stick with the old version or switch to another product.

On the other hand, an open source solution may have been picked up by any of its users, or more likely by a community of its users, and development could have continued. If nobody has picked it up, you now have that option: instead of spending money on a new product, data conversion and retraining, you could take the code and start a new project, either with internal resources or by paying a third party. Of course, you could still choose to switch to another product, but remember that your data conversion costs will almost certainly be lower, since you have access to the source code of your existing solution and can see exactly how it stores your data.

This is exactly what happened recently when Linspire chose to discontinue development of their web authoring tool Nvu. Users created a new community around the code and have just made a bug fix release.

We don’t like to fork open source projects, but sometimes, if the original community is broken, we need to. It is the potential to fork that makes open source sustainable.