Tuesday, October 19, 2004

Open Source vs Closed Source

Been ages since I wrote something here - been extremely busy with bug fixing : the experiences of which I will share at a later point of time (learned some lessons there :( )

This blog is motivated by what Kousik wrote "security of open source".
Closed source vs Open source is a sensitive topic - which is better/preferable/more practical.
The views that I express here are subject to change and are my current thoughts about this topic right now - which might change when I wake up tomorrow ;)
hmm a bit late to think about it after 12+ hours of travel and another 10 hours of work without a break in between !

Jokes apart , I planned to post this in Kousik's blog and then thought the better of it.
I have ended up posting comments longer than the blog I was commenting on in the past too :D

So here goes my pov (leaning a bit towards security aspects that Kousik discusses) :
--

This is an age old debate - and usually I don't take sides in this : it can turn into a nasty flame war in no time.

But more seriously , I dislike two main things :

a) Companies believing that their products are more secure 'cos it is closed source.
b) Companies open sourcing their products to get others (read open source developers) to clean up their mess, implement missing features , etc.

(a) is obviously false - just 'cos you have not shared the code does not mean exploits are impractical to find/are not found !
This has been disproved time and again - as a very bad example for this , we have the huge number of M$ exploits : without the source being out.
And I must say some pretty good exploits too - like that worm which targeted lsass.exe recently , the TSRs and polymorphic virii of old ! , etc
Also , knowledge of the exploits happens late in a closed source system - when a customer notices a break-in sufficiently to raise alarm bells.
Also , as soon as an exploit gets found , the cracker tends to attack multiple targets before the exploit is noted (hmm isn't this also true for open source - but maybe to a lesser degree)
So closed source helps only if the relevant people (dev and testing) are very very competent (top notch ?!) and the company can hire some rigorous testing teams who nitpick on everything.
This is under the assumption that the relevant company can hire closed source developers more competent than the best from open source who might get motivated to work on this product.
The so-called "security expert consultants" might also help ;)

(b) I particularly dislike the huge amount of junk that companies nowadays open source just 'cos they are finding that maintaining and managing the code is too expensive for them - hence we have a whole load of crap getting unloaded as open source.
By itself this is harmless - but it does not stop there.
Any further support for customers , is in some way , expected to be rendered by the open source community - the same way they support linux , debian and the rest.
And when this does not happen , these executives , customers and journalists blame this on the failure of the open source movement !
Assuming that open sourcing some project xyz will immediately raise interest and get a huge bunch of people to work on it is pure fiction - only a few projects manage to raise a faithful dev/test/user fan following and others which are successful usually have a few mentor companies behind them to foresee the direction of the product.

From my perspective , closed source and open source are just two ways of developing software - I am not particularly fanatic about either.
I would prefer source to be open quite strongly - but it is not a religious thing.
Given a choice where there is not much of a performance hit , I prefer the open source version.

Examples where I would prefer open source effort would be
i) critical pieces of the system - so that people would always have a choice.
OS , your primary compile/linking/loading sub-system , critical applications (productivity suites ) , etc. (what about games ?! ;) )
Basically anything that has a mass necessity so that there are no lock-ins and the user always has a choice.
Another field , which I have started noticing recently , is scientific apps.
I have interacted with a few researchers - esp from biochem , genetics , microbiology.
And they were like asking me how tough it is to develop open source tools.
Sad thing is , the only tools that are available are very expensive.
IMO , scientific progress should not be stopped due to lack of proper tools - if the relevant scientists are unable to develop the required open source tools , then the open source developers should be ready to help them out.

ii) Algorithms - especially security and crypto algos.
Not really very confident about this one - but my gut feeling is , the more people who attack and try to find loopholes , the better - since if the algo survives a higher cross-section , the possibility of it being stronger is higher !
(Note: assuming relevant people attempt it - not any tom dick and harry with a bunch of brute force passwd/key gens - still useful , but to a much lower degree )

iii) This place for sale - I am sure there are more categories that are relevant and are smack in the domain of open source.

I tend to dislike open source in quite a few cases.
Topping this list are clone software , projects which rip the useful parts of commercial projects , shoddy pieces of work - and yet claim to be commercial replacements (it is ok to say we are attacking the same problem domain - but to say that you can replace a 500+ man hour product with a weekend hack is quite preposterous !).
As an example , how seriously can you respect a project which aims to be a windows replacement for linux ?!!!

What I see is , for an open source proj to succeed , you require :

I) A dedicated dev team who will stick with the proj for an extended amount of time.
II) A user community - preferably large - who actually use the product.
III) Fresh requirements , frequent updates , good testers.
IV) Preferably some closed source software whom the open source guys want to beat - preferably the closed source guy being a monopoly ;) - just kidding , but some competition does no harm !
V) And something I tend to forget - a preferably liberal source code license.

------

Above , when I say open source , I mean not only that the source is open , but so is the license.
One without the other tends towards closed source.
All views will be preferably reviewed tomorrow - though don't count on it !
This entry has taken on semi-rambling proportions .....
All comments welcome - though please pleaseeeeeeeee - no flames :)
I will try to research on sol10 again - was so much awed by zfs , that I kept at it for an extended amount of time reading up on fs design ... now that I am done with it , onwards towards dtrace and the rest !