Weblog:   The Growing Politicization of Open Source
Subject:   Misunderstandings -- replying Korbin's objections
Date:   2002-08-16 17:04:18
From:   cinabrium
Response to: Misunderstandings

First:
The assumption of free software = open source was done for (over)simplification only. Anyways, the projects speak about "software libre" (free as in
freedom), but the definition is a subset of the open source definition (see http://www.opensource.org/docs/definition.php).


Second:
The price of the software is *NOT* a factor in any of the projects. Let me kindly remind you that Internet Exploder is free as in beer. In your scenario, the government could get the open-source software and thoroughly inspect it and/or hire a bunch of maintainers or a company able to keep it up and running OR believe the proprietary closed source software vendor's promises... What would you do? How does the vendor guarantee the security of its solution?


Third:
No software "per se" (free or proprietary) guarantees the principles. But you can't guarantee them without open formats and source availability, unless you are willing to assume the costs of reverse engineering (sometimes prohibited by licensing conditions) any time you want to migrate or any time the vendors decide that they are not going to support a certain piece of software anymore. What happened with your nice spreadsheets in Visicalc or with those beautiful essays you wrote in Wordstar?
And furthermore:
I prefer to be sure of how the tire was built instead of suing Firestone after my neck is broken. But I must concede that quality assurance of the software could be reached by more means than mandating the availability of the source code. However, no quality assurance procedure will be correct and complete unless the code can be openly inspected and tested. As a cryptographer, I follow the principle that no algorithm, protocol, or system is deemed secure before open and deep scrutiny by the entire scientific community[1]. The same holds for the software.
Regarding "ex-post" liability, I think that if the law mandates that software vendors are liable for *any* damages arising from software failure, I would feel more comfortable signing such guarantee for gcc than for any closed-source compiler. In any case, software vendors won't accept such liability (have you read any EULAs lately?) so the argument goes byzantine.


Many thanks for your well reasoned observations!


--
NOTES:


[1] Skipjack, an algorithm designed by the NSA (the best troupe of cryptographers around), was kept secret. When NSA finally decided to make it public, serious flaws appeared in less than three months (see e.g. http://www.cs.technion.ac.il/~biham/Reports/SkipJack/).