Weblog:   The Growing Politicization of Open Source
Subject:   What about the quality of the software purchased by the government
Date:   2002-08-16 14:16:09
From:   korwin
Response to: What about the quality of the open source

I changed the title, because it is a fairer representation of the things that I argue about and is not related to open source programs only.


Here's what I think of the FSF, open source and this proposal:


Can you say that you know the company that made Linux? Hmm, who would be responsible if a bug in OpenOffice changes the measurement units in my document from inches to centimeters and my subsidiary delivers to me 100000 wrong details? I don't say that you would be able to sue the proprietary software companies. But if the government is forced to impose quality standards first, before source openness, I would expect to see the proprietary software companies react first and in fact deliver software that is compliant with those standards. Can you imagine a company accepting the responsibility for OpenOffice? Yes, I know Sun has the StarOffice alternative, so there is a big company that can do this, but who else? And as far as I know Sun would not submit all of its code back to the open source community.


Requiring the government to purchase only open source programs, so that people have the opportunity to examine how their data is being processed, with the argument that transparency would make the programs more secure and reliable - this is ridiculous. It's like asking the government to force Ford and the other car companies to publish their blueprints and not impose any standards. I mean - why require a crash test, if the blueprints are available and any decent auto mechanic would be able to fix it for you if it was not safe? And then shouldn't we as taxpayers be able to have fair access to the blueprints of the public transportation system? Even if we don't know what to do with them, we could hire experts to audit them. To make sure, of course, that those cars are safe?


Would I be interested in the actual algorithm used to sort all the government records about people? No, because "it wouldn't do me any good". Would I be interested whether the software that sorts those records is safe and secure enough so that they are not lost or stolen? Yes, but I don't need the software sources to make sure this is indeed a fact. The good of the people would be ensured if (as you and other people here briefly mentioned) the government requires open data formats _and_ if the government establishes standard procedures and tests to ensure a minimum level of software quality. Anybody who wants to sell to the government should pass these tests and procedures and should conform to these standards. Period. It shouldn't matter if it is open source or closed source, as long as it complies with these requirements. You don't require Ford to publish their blueprints because "it wouldn't do most people any good whatsoever". You do require though that Ford cars are acceptably safe. And everybody is happy with this situation.


Will the FSF assume the responsibility that Emacs will not lose your data because of some bug or that gcc will in fact produce the proper code for your hardware and will not fry your CPU? Will the FSF allow itself to be sued if this happens? How will they guarantee those programs indeed work (besides "You are free to examine those programs and fix them if there is any bug in there. Oh, and btw - you have to give your work to us. But we guarantee they work properly - they have been reviewed by a lot of other people and all the bugs were fixed. Err, what do you mean by 'who are those people'?")?


To summarize my rant: Why do the open source advocates and the FSF not advocate wide adoption of IT industry standards for quality assurance and the testing process? Why do they not work toward establishing government-level software acceptance for things like security, reliability and performance? Are these things less important than the availability of the source? IMHO, the movement to require the government to purchase only open source software has nothing to do with the good of the people. It is a political move by the FSF to establish another kind of monopoly - one that favors them.


Showing messages 1 through 7 of 7.

  • What about the quality of the software purchased by the government
    2002-08-16 14:54:24  zwack

    Ummm... Thanks for your rant... I think...

    You did not answer ANY of my questions though...

    So hopefully we can get a clear understanding of what I suggested, and then you can explain why I am wrong...

    "Can you say that you know the company that made Linux? Hmm, who would be responsible if a bug in OpenOffice..."

    Well, I still had a vendor in there, one who was willing to provide support. The government is going to buy a solution from somewhere. If it's Linux and they buy it from RedHat then RedHat would be responsible for supporting that software. If it's StarOffice and they buy it from Sun then Sun would provide the support... If it's OpenOffice and they buy it from "OpenSource 'R' Us" then OpenSource 'R' Us would provide support.

    They don't have to accept responsibility for the bugs, just provide support. They should try and fix the bugs or get someone else to, but they need to provide some form of support. If you think I am being easy on them with the "don't have to accept responsibility for" bit then I would suggest you go read some EULAs from Microsoft... or indeed anyone else.

    What I want is for the mandate to be for Open Standards for the file and data formats. This makes sense to me... And as you like your car analogy it's like me saying "Here are the specifications for a tyre for a '65 Mustang..." And then looking around to see who made tyres that fit that specification. I could get Firestone or Michelin or any number of other brands of tyres made to that specification. They're not all made by one company. Similarly if I was to say "Here is the file format for a word processed document..." Multiple vendors could produce software that could read and write the same document. Some of them might be closed source, some of them might be open source... Some of them might even involve people following procedures in a manual that caused them to produce a file using an ASCII text editor that met the standard. I don't care. But I can look at the specification, write my own tool to manipulate it and do what I want with the document. Multiple vendors providing software that can interact is true CHOICE. If I like the spell checker in tool 1 but the Mail merge in tool 2 there is nothing to stop me using 2 for a mail merge and 1 for the spell checker. If tool 3 has a mail merge that's almost as good as that in 2 and a spell checker that is almost as good as that in 1 then I might decide that 3 was good enough for my needs and only use that. If however each vendor only supports their own proprietary data formats then I have to choose one tool that will do... And if Tool 3 didn't exist I would have to decide if Mail Merge or Spell Checking was important to me. And if I choose tool 1 and the manufacturer goes out of business... What then? I have to either convert my data to work with tool 2 (and data conversion is not a fun process) or I have to keep using tool 1 and doing without any new features.

    I don't agree with RMS that all developers should have to use GPL. I think that that is your choice. (I do, but I made that decision, nobody forced me to). Equally I don't agree that I should be forced to use proprietary products because nobody knows what their data format is.

    If Governments mandated Open Standards for File and Data Formats that would encourage software that can interoperate. Interoperability is good for everyone except the dominant market leader. Vendor Lock-in is bad for everyone except the vendor that you are locked in to. Interoperability encourages TRUE innovation. If the market leader can retain their market share by providing new features that people want then everyone benefits. They might have to work a bit harder than with lock-in... But it gives everyone a fair chance.

    Z.
    • What about the quality of the software purchased by the government
      2002-08-16 15:38:23  korwin

      On the topic of what government should require from the software vendors:

      I disagree with the legislation proposal, not with you. Let's require open standards, not open source. But also, let's require security, reliability and performance acceptance levels even before the open standards. Ask the (proprietary or open source) software companies to deliver software that works.

      On the topic of the open source software model and more specifically the GPL one:

      Purchasing software should give you the right to sue the software vendor if this software fails to work as it is supposed to. (Government requirements, quality standards and conformance tests would be a base for this to happen. :-)) If I am hurt because a car malfunctions, I can sue the car manufacturer. The same should apply to software. The thing here is - I can see proprietary software companies such as Microsoft being able to actually comply with such requirements; however, I fail to see how an open source company would be able to do it. As you said - OpenSource 'R' Us might sell me the software and might be willing to provide support (well, that's their revenue model), but I doubt they would be willing to go to court to defend somebody else's code.

      Are you personally willing to guarantee the security and the reliability of a software solution you would sell to some of your clients? I assume you use gcc - would you be willing to stand by the binaries produced by it, to the degree of taking the responsibility and allowing yourself to be sued?
      • What about the quality of the software purchased by the government
        2002-08-16 16:04:18  pkobly

        >I disagree with the legislation proposal, not
        >with you. Let's require open
        >standards, not open source. But also, let's
        >require security, reliability and
        >performance acceptance level even before the
        >open standards. Ask the (proprietary or open
        >source) software companies to deliver software
        >that works.

        While this is a laudable goal, how do we assert that the software works or is secure? Black-box testing is simply *not* sufficient to assert quality with any credibility. Open source allows the purchaser or the user (in this case the government) to perform its own testing and audits, rather than simply relying on the bare assertions of a vendor.

        Remember, the Pinto went through testing before it was unleashed on the world.

        > Purchasing a softare should give you the right
        > to sue the software vendor if this software
        > fails to work as it is supposed.

        This requires a complete definition of how the software is supposed to work, and under what conditions. That definition often does not exist in general purpose computing.

        If you ever get the right to sue vendors, then you ought to consider the likelihood of vendors being able to pay out on lawsuits. That same problem exists with many consumer goods. But it's a moot point now. Small companies are just as able to pay out the $0 judgements that you can get now as are big companies.

        > Are you personally willing to guarantee the
        > security and the reliability of a software
        > solution you would sell to some of your client?

        Is Microsoft?

        > I assume you use gcc - would you be willing to
        > stand by the binaries, produced by it, to the
        > degree of taking the responsibility and
        > allowing to be sued?

        I would be more willing to do so while using gcc than while using a proprietary compiler. I don't have to rely exclusively on the assertions of a third party that the compiler works correctly.
        • What about the quality of the software purchased by the government
          2002-08-16 16:28:09  korwin

          >> Are you personally willing to guarantee the
          >> security and the reliability of a software
          >> solution you would sell to some of your client?

          >Is Microsoft?

          Well, you should ask this question to Microsoft, not to me. I would gladly see Microsoft change the EULA for their products, but that has nothing to do with the discussion here. They are just one more software vendor that should abide by any level of acceptance the government imposes.

          Speaking of which, I still don't have the answer to my question. "They do not guarantee, so we will not as well, but you should believe us when we say ours is better" is not good enough. Shouting loudly "we are better because we are open" does not make you right. Nor does "We are better because we are free".
          Now, "We do a better job and have a superior product and those are not just marketing gimmicks - we are willing to stand by our words and allow you to sue us if we are proven wrong; meanwhile as a bonus over the competitors - here's the source for our code. Oh, btw you can have it for free as well" is a different story. If any open source software company or programmer tells me this, I would be the first to say that the open source model is better than anything else.

          >I would be more willing to do so while using gcc
          >than while using a proprietary compiler. I don't
          >have to rely exclusively on the assertions of a
          >third party that the compiler works correctly.

          And what do you rely on when using gcc? Have you gone through the gcc code and did you do extensive testing of it? Well, there might be people there that did it and there is a chance you are one of them :-), but most probably you did not. So, you do rely only on the assertions of the gcc folks.
  • What about the quality of the software purchased by the government
    2002-08-16 16:15:02  pkobly

    "But if the government is forced to impose a quality standards first, before source openness, i would expect to see the proprietary software companies to react first and in fact deliver software that is compliant with those standards."

    1) How do you propose that a determination of compliance with quality standards be made? A set of black-box tests by the government? A bare assertion from the vendor?

    2) Why do you "expect to see" something where you have actually consistently seen the opposite? How quickly did Microsoft respond to the recent major SSL certificate authentication problems in IE? How quickly did the KDE team respond to the same problems found in their code?

    Answer: After a week, Microsoft still hasn't fixed the problem. Within 90 minutes, the KDE team had fixed Konqueror.

    "You don't require Ford to publish their blueprints because "it wouldn't do most people any good whatsoever". You do require though that Ford cars are acceptable safe. And everybody is happy with this situation."

    Ford _is_, however, required to release some information about its cars. It is required to release specification and design information about its safety equipment so that said equipment can be evaluated and tested. It is required (recent FTC decision) to release specifications of the computer diagnostic ports, so that hobbyists and non-Ford-authorized mechanics are _able_ to maintain their Ford vehicles. Ford is not permitted to stop aftermarket parts cloners from producing replacement parts for Ford vehicles. Ford is not permitted to disallow Ford owners from reselling Ford vehicles. Ford is not permitted to disallow Ford owners from lending their vehicles to friends.
    • What about the quality of the software purchased by the government
      2002-08-16 16:41:11  korwin

      >2) Why do you "expect to see" something where
      >you have actually consistently seen the
      >opposite? How quickly did Microsoft respond to
      >the recent major SSL certificate authentication
      >problems in IE? How quickly did the KDE team
      >respond to the same problems found in their code?

      With all due respect to the KDE developers, I doubt that they tested this fix on 86 and 64, with every single Linux distro that can run KDE, with all the kernels and with all the major programs that actually use Konqueror's engine for accessing the internet. There is no way to do this in 90 minutes and btw there is no one to pay for this.
      Oh, and how many test scenarios did they run to ensure that not only did they fix this, but also that they have not broken any other functionality?
    • What about the quality of the software purchased by the government
      2002-08-16 17:05:19  korwin

      >1) How do you propose that a determination of
      >compliance with quality standards be made?
      >A set of black-box tests by the government?
      >A bare assertion from the vendor?

      A combination of these. A set of base tests that do not require knowledge of the internal workings of the product, a liability assertion from the vendor with penalties for non-compliance, and a requirement to disclose the design of sensitive parts, like encoding algorithms.

      >Ford is not permitted to disallow Ford
      >owners from lending their vehicles to friends.

      Lending your Ford to your friend is fair use. But can you lend a copy of your Ford to your friend?

      Red Hat Network Basic service level: $60/year per system subscription. Err, if the OS is free and open source, how exactly will they maintain "per system"? If I lend my RedHat copy to a friend, is he entitled to the support as well? Or is it tied to the first installation I did? How is this different from buying Windows XP for $200, besides being a little bit cheaper, which might not be true, because with XP there is no time limit for the support and the updates.
      The only difference is - if I want to tinker with my RedHat installation, I could do it. I could also (with the proper technological knowledge) even resolve my issue on my own. I couldn't do this with XP. And that is a big difference if I had the time to invest in this process and the desire to learn everything inside it. But if I don't and want to use my computer right out of the box and just enjoy it - well, I have to pay either Microsoft or RedHat. And honestly, for now Microsoft provides more value for the money.