O'Reilly Network    
 Published on O'Reilly Network (http://www.oreillynet.com/)


EuroOSCON - Remembering the End User

by Daniel H. Steinberg
10/19/2005

Editor's note: Daniel Steinberg reports on some of the sessions and keynotes that spanned the first two days of O'Reilly's first-ever European Open Source Convention, taking place in Amsterdam. In one way or another, these sessions--by Jeff Waugh, Alan Cox, and Simon Phipps--focused on the user. For more news items, press releases, blogs, and photos about the convention, check out our EuroOSCON Conference Coverage page.

There is both an upside and a downside to having a conference in Dam Square in Amsterdam. It's a great location: a beautiful city with a ton of things to do, all within walking distance of the Dam. But the first-ever EuroOSCON starts each morning at 8:45 a.m. That makes it a challenge for attendees to get the most out of the city while still attending the evening sessions and making it to those early-morning sessions.

During the Monday evening extravaganza, Larry Wall gave the 9.3th "State of the Onion" and Damian Conway reprised his "Fun with Dead Languages" talk from OSCON. He began with Lisp, which "may not be dead, but it's pining for the fjords" and ended with executable Latin. Control structures, variables, and brackets all translated into the presumably "very dead" language of Latin. The Tuesday morning addresses considered the relationship between non-technical end users and open source software.

Enabling Users

Open source developers often forget that one percent of their end users are geeks while 99 percent of the users are not technical. In fact, Jeff Waugh of Ubuntu and GNOME says that the percentage of technical users is probably closer to 0.01 percent: they write the software, and everybody else just wants to get their jobs done. In his response to Asa Dotzler's OSCON address on the "Search for the Linux Desktop," Waugh explains, "There's been a cultural change in the GNOME community. We realize that freedom is not just for geeks. Freedom is not just for the people who write the software, but also for the people who use it." This change of focus led to GNOME embracing usability, accessibility, and internationalization.

As a demonstration of how deeply they have embraced this change, Waugh showed the global settings panel menu from GNOME 1.4. Users could set everything from the speed of animations to making buttons flush with panels, to an option to indicate whether or not to display newly installed software in menus. In GNOME 2.0, none of these options exist. He reported on a study that concluded that if you try to trick your users by making your software look like other programs, your users will resent the fact that your software doesn't work like the software it resembles.

Waugh reported that a great deal of their increased usability in dialog boxes came from their decision to use verbs. Where traditional dialog boxes might have a great deal of text followed by the options Yes, No, or Cancel, they've added more descriptive text followed by Save, "Close without updating," or Cancel. Waugh demonstrated the benefit to users by taking out a special pair of glasses that enable developers to see a dialog box from the perspective of non-technical end users. The descriptive text was blurred out and all that the users could see were the final choices. By placing action phrases on the text buttons, the actual choices available to these users were instantly clear.

Defending Against Users

Alan Cox, Red Hat Fellow, said that the biggest risk to a company's computer security is the employee using the system. Employees operate inside your system and need access in order to do their jobs. They work for you and mean well. In short, the challenge ahead of us in computer security is to stop well-meaning people from doing things they shouldn't do.

One approach is to think about modularity. It helps to separate code that does different things. It is difficult to write a set of rules that says, for example, what Firefox does. But what if you could split the code into more easily definable pieces? One piece might load a JPEG but it has no business talking to the file system. An HTML file might talk to the network but it doesn't talk to password files. This enables you to build defenses against components that are trying to gain access to parts of the system that they shouldn't.
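As an added illustration of this split (not code from the talk or from any project named here), the C example below runs a JPEG header parser in a child process that sets `RLIMIT_NOFILE` to zero before parsing untrusted bytes, so the child can return a result over a pipe but cannot open files or sockets. The names `decode_isolated`, `parse_dims` and `SAMPLE_JPEG`, the constructed sample bytes, and the choice of a POSIX resource limit as the enforcement mechanism are assumptions of this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct result { int ok, open_denied; unsigned width, height; };
/* Constructed sample: SOI, APP0 stub, SOF0 declaring 640x480, EOI. */
static const uint8_t SAMPLE_JPEG[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x4A,0x46, 0xFF,0xC0,
    0x00,0x0B,0x08,0x01,0xE0,0x02,0x80,0x01,0x01,0x11,0x00, 0xFF,0xD9 };
/* Walk JPEG segments to SOF0 (FF C0) and read the frame size. */
static int parse_dims(const uint8_t *b, size_t n, struct result *r) {
    if (n < 4 || b[0] != 0xFF || b[1] != 0xD8) return 0;       /* no SOI marker */
    for (size_t i = 2; i + 4 <= n && b[i] == 0xFF; ) {
        size_t len = ((size_t)b[i + 2] << 8) | b[i + 3];
        if (b[i + 1] != 0xC0) { i += 2 + len; continue; }      /* skip other segments */
        if (len < 7 || i + 9 > n) return 0;                     /* truncated SOF0 */
        r->height = ((unsigned)b[i + 5] << 8) | b[i + 6];
        r->width  = ((unsigned)b[i + 7] << 8) | b[i + 8];
        return 1;
    }
    return 0;
}

/* Hypothetical helper: decode in a child that keeps only its two pipe ends. */
struct result decode_isolated(const uint8_t *img, size_t n) {
    struct result r = {0, 0, 0, 0};
    int in[2], out[2]; pid_t pid;
    if (pipe(in) != 0 || pipe(out) != 0 || (pid = fork()) < 0) return r;
    if (pid == 0) {                         /* child: the image-decoding piece */
        uint8_t buf[4096];
        close(in[1]); close(out[0]);
        ssize_t got = read(in[0], buf, sizeof buf);
        if (setrlimit(RLIMIT_NOFILE, &(struct rlimit){0, 0}) != 0) _exit(1); /* no new fds */
        if (got > 0) r.ok = parse_dims(buf, (size_t)got, &r);
        r.open_denied = open("/etc/passwd", O_RDONLY) < 0;   /* probe: must fail */
        _exit(write(out[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(in[0]); close(out[1]);
    ssize_t sent = write(in[1], img, n);
    close(in[1]);
    if (sent != (ssize_t)n || read(out[0], &r, sizeof r) != (ssize_t)sizeof r) r.ok = 0;
    close(out[0]); waitpid(pid, NULL, 0);
    return r;
}

int main(void) {   /* exit status 0: header decoded and the file probe was refused */
    struct result r = decode_isolated(SAMPLE_JPEG, sizeof SAMPLE_JPEG);
    return !(r.ok && r.open_denied);
}
```

A resource limit only blocks new descriptors; a production sandbox would also restrict system calls and drop the child's user ID.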

O'Reilly European Open Source Convention
October 17-20, 2005
Amsterdam, The Netherlands

Another possible approach is based on lessons learned from the virus world and the real world. If we randomize the way in which memory is laid out or the way in which a machine behaves, it will be harder to exploit. The reason is that every time you run a program, things will be subtly different. The downside of this, of course, is that it makes debugging more challenging. This can lead to the world of writing once, debugging everywhere.

Do we actually need to defend against users? Cox reminds us that human policy quickly gets forgotten and users don't understand the implications. You can tell someone not to open attachments, and for a while they will comply. But after a while they will get an email with some innocent-looking screensaver and they will open it and potentially infect your entire office. Cox suggests that it would work better to teach the computer to enforce the security policy. In this way, the virus or trojan becomes a call to the help desk. The user might call and say, "I've downloaded this screensaver and it doesn't work." After considering the pros and cons of trusted computing, Cox concluded that what we need is variations between systems, firewalls that operate by default, and "always on" default protection.

Explaining Open Source to Users

Sun's chief open source officer, Simon Phipps, quickly differentiated between the needs of developers and the needs of end users in his keynote address. His view of open source software was built around what he called "The overlooked corner, the forgotten freedom, and the hidden menace."

For Phipps, open source software is built on a source code commons. After an initial contribution, use of the source is controlled by the license. He thinks that much of the discussion of open source begins and ends with the license. He said that much of his current effort is spent reducing the number of licenses being used by Sun. Equally relevant, in his opinion, is the motivational model used to encourage a diverse developer community with a range of motivations to create work on top of the commons. According to Phipps, the "overlooked corner" is the governance of the community. The governance regulates contributions back into the commons and bad governance, he argues, is "the primary vector for disease."

To illustrate the issues surrounding freedom, Phipps separated open source development from open source deployment, saying that neither is the domain of hackers anymore, and he noted that "whatever sets one person free might enslave another." He showed a picture of scuba divers and said that they are free to swim wherever they want to. They are, however, restricted by the need to be near replacement oxygen tanks, and the tanks should have an interface compatible with their gear. He used this to argue that standards are important to end users because that enables substitutability. He said that freedom for developers is in the code; for end users, it's found in replaceable choices. He concluded that "freedom for all is a product of open formats and open source software."

One of the big challenges to freely available technology is software patents. Phipps contends that we cannot convince corporations not to pursue this "hidden menace," but that we can combine multiple strategies to defend against them. He recommended the mandatory application of both compulsory licensing, where there is a blanket grant of patents restricted to licensed code, together with non-assert covenants, where there is an agreement not to assert rights against a cooperating community.

Daniel H. Steinberg is the editor for the new series of Mac Developer titles for the Pragmatic Programmers. He writes feature articles for Apple's ADC web site and is a regular contributor to Mac Devcenter. He has presented at Apple's Worldwide Developer Conference, MacWorld, MacHack and other Mac developer conferences.


Copyright © 2009 O'Reilly Media, Inc.