“But surely Open Source software is less secure, because everybody can see it, and they can just recompile it and replace it with bad stuff they’ve written?”
Hands up who’s heard this?* I’ve been talking to customers – yes, they let me talk to customers sometimes – and to folks in the Field**, and this is one that comes up, it turns out, quite frequently. I talked in a previous post (“Disbelieving the many eyes hypothesis“) about how Open Source software – particularly security software – doesn’t get to be magically more secure than proprietary software, and talked a little bit there about how I’d still go with Open Source over proprietary every time, but the way that I’ve heard the particular question – about OSS being less secure – suggests to me that we there are times when we don’t just need to a be able to explain why Open Source needs work, but also to be able to engage actively in Apologetics***. So here goes. I don’t expect it to be up to Newton’s or Wittgenstein’s levels of logic, but I’ll do what I can, and I’ll summarise at the bottom so that you’ve got a quick list of the points if you want it.
The arguments
First of all, we should accept that no software is perfect******. Not proprietary software, not Open Source software. Second, we should accept that there absolutely is good proprietary software out there. Third, on the other hand, there is some very bad Open Source software. Fourth, there are some extremely intelligent, gifted and dedicated architects, designers and software engineers who create proprietary software.
But here’s the rub. Fifth – the pool of people who will work on or otherwise look at that proprietary software is limited. And you can never hire all the best people. Even in government and public sector organisations – who often have a larger talent pool available to them, particularly for *cough* security-related *cough* applications – the pool is limited.
Sixth – the pool of people available to look at, test, improve, break, re-improve, and roll out Open Source software is almost unlimited, and does include the best people. Seventh – and I love this one: the pool also includes many of the people writing the proprietary software. Eighth – many of the applications being written by public sector and government organisations are open sourced anyway these days.
Ninth – if you’re worried about running Open Source software which is unsupported, or comes from dodgy, un-provenanced sources, then good news: there are a bunch of organisations******* who will check the provenance of that code, support, maintain and patch it. They’ll do it along the same type of business lines that you’d expect from a proprietary software provider. You can also ensure that the software you get from them is the right software: the standard technique is for them to sign bundles of software so that you can check that what you’re installing isn’t just from some random bad person who’s taken that code and done Bad Things[tm] with it.
Tenth – and here’s the point of this post – when you run Open Source software, when you test it, when you provide feedback on issues, when you discover errors and report them, you are tapping into, and adding to, the commonwealth of knowledge and expertise and experience that is Open Source. And which is only made greater by your doing so. If you do this yourself, or through one of the businesses who will support that Open Source software********, you are part of this commonwealth. Things get better with Open Source software, and you can see them getting better. Nothing is hidden – it’s, well, “open”. Can things get worse? Yes, they can, but we can see when that happens, and fix it.
This commonwealth does not apply to proprietary software: what stays hidden does not enlighten or enrich the world.
I know that I need to be careful about the use of the “commonwealth” as a Briton: it has connotations of (faded…) empire which I don’t intend it to hold in this case. It’s probably not what Cromwell*********, had in mind when he talked about the “Commonwealth”, either, and anyway, he’s a somewhat … controversial historical figure. What I’m talking about is a concept in which I think the words deserve concatenation – “common” and “wealth” – to show that we’re talking about something more than just money, but shared wealth available to all of humanity.
I really believe in this. If you want to take away a religious message from this blog, it should be this**********: the commonwealth is our heritage, our experience, our knowledge, our responsibility. The commonwealth is available to all of humanity. We have it in common, and it is an almost inestimable wealth.
A handy crib sheet
- (Almost) no software is perfect.
- There is good proprietary software.
- There is bad Open Source software.
- There are some very clever, talented and devoted people who create proprietary software.
- The pool of people available to write and improve proprietary software is limited, even within the public sector and government realm.
- The corresponding pool of people for Open Source is virtually unlimited…
- …and includes a goodly number of the talent pool of people writing proprietary software.
- Public sector and government organisations often open source their software anyway.
- There are businesses who will support Open Source software for you.
- Contribution – even usage – adds to the commonwealth.
*OK – you can put your hands down now.
**should this be capitalised? Is there a particular field, or how does it work? I’m not sure.
***I have a degree in English Literature and Theology – this probably won’t surprise some of the regular readers of this blog****.
****not, I hope, because I spout too much theology*****, but because it’s often full of long-winded, irrelevant Humanities (US Eng: “liberal arts”) references.
*****Emacs. Every time.
******not even Emacs. And yes, I know that there are techniques to prove the correctness of some software. (I suspect that Emacs doesn’t pass many of them…)
*******hand up here: I’m employed by one of them, Red Hat, Inc.. Go have a look – fun place to work, and we’re usually hiring.
********assuming that they fully abide by the rules of the Open Source licence(s) they’re using, that is.
*********erstwhile “Lord Protector of England, Scotland and Ireland” – that Cromwell.
**********oh, and choose Emacs over vi variants, obviously.
Alice, Eve and Bob - a security blog 
6 thoughts on “The commonwealth of Open Source”