
Weblog:   The Growing Politicization of Open Source
Subject:   Misunderstandings
Date:   2002-08-16 16:13:33
From:   korwin
Response to: Misunderstandings

"According to all these projects, no official would be punished by licensing proprietary software [1,2] as far as he/she can convincingly prove that no free/open-source solution exists for his/her needs."


First, this assumes that open-source software and free software are the same thing. Shouldn't this be rewritten as "no official would be punished by licensing proprietary software [1,2], as far as he/she can convincingly prove that no free solution (whether open- or closed-source) exists for his/her needs."?


Second, this puts the price of the software solution as the most important factor. What about the scenario where there is open-source software that is free and will do the job, but nobody can guarantee that it is secure enough and would not pose risk for the IT infrastructure of the government? Should this software be preferred to a closed-source software whose vendor is willing to guarantee the security of its solution?


Open source does not intrinsically guarantee any of these principles:


* Free access to public information.
* Permanence of public data.
* Security of the State and citizens.


Furthermore, open source software has nothing to do with these principles. Will any open source program actually guarantee to me that the public data will be permanent or secure if maintained by it, to the degree that I could sue the software vendor (who would that be in the case of gcc, btw)? In fact, these bills in their current form put the second and the third principles at stake, since they mandate that the government officials make their choice based on whether the software is open source and free, and not whether it conforms to any levels of acceptance (as it should be).


Showing messages 1 through 1 of 1.

  • Misunderstandings -- replying to Korwin's objections
    2002-08-16 17:04:18  cinabrium

    First:
    The assumption of free software = open source was done for (over)simplification only. Anyways, the projects speak about "software libre" (free as in freedom), but the definition is a subset of the open source definition (see http://www.opensource.org/docs/definition.php ).

    Second:
    The price of the software is *NOT* a factor in any of the projects. Let me kindly remind you that Internet Exploder is free as in beer. In your scenario, the government could get the open-source software and thoroughly inspect it and/or hire a bunch of maintainers or a company able to keep it up and running OR believe the proprietary closed source software vendor's promises... What would you do? How does the vendor guarantee the security of its solution?

    Third:
    No software "per se" (free or proprietary) guarantees the principles. But you can't guarantee them without open formats and source availability, unless you are willing to assume the costs of reverse engineering (sometimes prohibited by licensing conditions) any time you want to migrate or any time the vendors decide that they are not going to support a certain piece of software anymore. What happened with your nice spreadsheets in Visicalc or with those beautiful essays you wrote in Wordstar?
    And furthermore:
    I prefer to be sure of how the tire was built instead of suing Firestone after my neck is broken. But I must concede that quality assurance of the software could be reached by more means than mandating the availability of the source code. However, no quality assurance procedure will be correct and complete unless the code can be openly inspected and tested. As a cryptographer, I follow the principle that no algorithm, protocol, or system is deemed secure before open and deep scrutiny by the entire scientific community[1]. The same holds for the software.
    Regarding "ex-post" liability, I think that if the law mandates that software vendors are liable for *any* damages arising from software failure, I would feel more comfortable signing such guarantee for gcc than for any closed-source compiler. In any case, software vendors won't accept such liability (have you read any EULAs lately?) so the argument goes byzantine.

    Many thanks for your well reasoned observations!

    --
    NOTES:

    [1] Skipjack, an algorithm designed by the NSA (the best troupe of cryptographers around), was kept secret. When NSA finally decided to make it public, serious flaws appeared in less than three months (see e.g. http://www.cs.technion.ac.il/~biham/Reports/SkipJack/ )
