Uproar Over Open Source Security Story Continues

The headline “Open Source Code Contains Security Holes” on an InformationWeek article has grabbed a lot of attention. Two more blog posts on the topic:

And today there’s a followup blog post by “Security Holes” author Charles Babcock and a response from Paul Beach, a developer and administrator for one of the open source projects mentioned in Babcock’s original article:

Still missing is an answer to the key question: do open source applications have more security flaws than closed source? The Department of Homeland Security, sponsor of the open source testing, states the estimated error rate at one security flaw for every 1000 lines of code among tested open source software. How does this compare to closed source? Coverity’s announcement makes no mention of closed source error rates. Can someone cite some statistics showing a difference between the two types? Post your stats, sources and comments below.

Open Source Uproar Over Security Testing

The tech press and open source blogosphere shifted into overdrive today on the news that software security firm Coverity — at the behest of the U.S. Department of Homeland Security — had released the results of security tests on a number of popular open source applications. You can see some of the news and comment here:

In the last item, I give Dana Blankenhorn credit for pointing out the obvious — identifying security flaws is a good thing — and open source projects may be more likely to get fixed quickly than their closed source counterparts. For an in-depth look at the whole issue of government-sponsored software security testing (it’s not just about open source), check out these articles from SDTimes:

So here’s a point to ponder and comment upon: do you worry more about security issues with open source software than you do with proprietary/closed source code? Post your thoughts below.

Open Source Forecasts for 2008: CEO Predictions 10-Pack

Everyone says you get more with open source. So here you go — ten CEOs of open source companies offering their views on the enterprise open source outlook for the New Year. Sponsored by the Open Solutions Alliance (OSA), the CEOs of member companies responded to four questions about open source issues for 2008. Some sample prognostications:

1. What will trigger increasing adoption of open source in the enterprise in 2008?

“There will be an increasing confluence between the open source and software as a service models. These are the two most powerful trends in software today, and while they’ve traditionally been seen as separate, parallel developments, they are rapidly combining to create the new business model for enterprise software. The combination is not just at the development level – BaaS companies adopting open source technologies to lower the cost of operations and R&D – but more importantly, on the distribution side.” — William A. Soward, CEO, Adaptive Planning

2. What is the biggest challenge for the open source software industry in 2008?

“More lawsuits will be brought against large corporations and technology companies in 2008 as open source advocates step up enforcement of the APL v2, v and other open source licenses.” — Doug Levin, CEO, Black Duck

“Figuring out business models that will produce viable, long term software companies rather than ‘flash in the pan’ ubiquity plays. Merely racing to see who can give the most away to a buyer who will take as much as they can get before paying money will not produce viable software companies.” — Javier Soltero, CEO, Hyperic

3. How big an effect will licensing have on open-source software in 2008?

“Open source licensing will continue to bother enterprise users but the dissemination of best implementation practices including license management will reduce this issue somewhat.” — Michael Grove, CEO, OpenIT Works

“We don’t see much impact here. Customers continue to get educated about the code they use and about open source licensing in general, so FUD will have less of a factor than in the past.” — Kim Polese, CEO, SpikeSource

4. What will be the biggest surprise in open source in 2008?

“During ’08, the pressures CIOs will face to drive greater business innovation with a fixed (or low growth) IT budget will conspire to challenge every possible traditional software license. The 80% of the IT budget used to maintain existing or legacy systems must become more productive in order to satisfy the business goal of improved innovation.” — Brian Gentile, CEO, JasperSoft

“The biggest surprise in 2008 will be to see Open Source players register three-digit growth rates!” — Bertrand Diard, CEO, Talend

Get the complete list of questions and responses from the Open Solutions Alliance (OSA) site. (PDF)

Open Source News Roundup – 07 Jan 08

Quick roundup of open source items making news over the last week or so:

What will the Open Source year 2008 bring?

Looking into the crystal ball to forecast the future is difficult in many domains, but specifically also in the fast-moving Open Source domain. We tried it anyway.

  • Continuous consolidation is going to happen in the commercial software vendor scene. This will create room for successful open source vendors.
  • Open Source adoption in the enterprise will continue. In the application infrastructure space the use of Open Source is already common sense, but more and more Open Source solutions will be viable candidates also for typical business solution domains. It has started with Business Intelligence and Enterprise Content Management; it will continue with Customer Relationship Management.
  • Web 2.0 and Enterprise 2.0 will continue to be Open Source plays mainly and accelerate adoption of Open Source in the Enterprise even more.
  • Open Source vendors will also consolidate; we will see the rise of new Open Source “Ueber” providers, similar to RedHat.
  • More commercially available products will be based on Open Source software; this will boost the usage of Open Source components but also the related “assembly methodology”, as applied by Optaros, Alfresco and others.
  • Commercial vendors will continue to increase the viability of their offerings by open-sourcing critical components and platforms.
  • Open Source companies will continue to look for the holy grail of “how to make money with Open Source” and invent new creative license and subscription models.
  • New open standards such as Open Social or Google Android will be the base of many new Open Source projects and initiatives.

So, to summarize, we don’t expect 2008 to be a year of revolutions but rather of numerous important evolutions.

… And a Happy (and Open) New Year

Welcome to 2008! But before we look ahead, let’s consider this item from last year:

Top 10 Websites in the U.S. — Monthly Averages

Rank  Brand                                   Unique Audience (thousands)
 1.   Google                                  110,002
 2.   Yahoo!                                  108,111
 3.   MSN/Windows Live                         95,501
 4.   Microsoft                                94,856
 5.   AOL Media Network                        91,653
 6.   Fox Interactive Network (aka MySpace)    64,648
 7.   eBay                                     59,586
 8.   YouTube                                  49,815
 9.   Wikipedia                                45,496
10.   Apple (includes iTunes)                  43,495

Source: Nielsen Online, NetView

What struck me about this list was how crucial open source software was to the success of many of these sites — maybe even those two in third and fourth place that begin with “M”. Certainly there will be more open source in use during 2008 at firms and sites large and small. It should be a banner year.

Here are a few more end-of-the-year items of interest:

Open Source Census: Will enterprise usage get counted?

Open source solutions provider OpenLogic just announced the Open Source Census, “a new collaborative initiative to quantify the global use of open source in enterprises.”

“Enterprises will be able to scan any of their computers and contribute the scan results back into The Open Source Census database [and] the basic anonymous aggregate data collected through The Open Source Census will be provided for free on a web site. This aggregate data will list the number of times each project has been installed on computers across all participating enterprises.”

The plan starts with the release of the Open Source Discovery application under the new Affero GPLv3 license plus an effort to enlist developers, software firms and ISVs in support of the project.

About time, too. Everyone seems to think an initiative of this type is long overdue. Shane Schick’s Computerworld (Canada) blog notes the unreliability of both Canadian and US software piracy figures — which are statistical estimates — because the groups simply ignore open source applications. Remarking on the census, he adds:

“This would be a lot more accurate than the market forecasting that the Gartners, IDCs and Forresters of the world do. … For an industry that is focused on the management of information, it’s surprising how willingly IT professionals are to be left in the dark about the true state of the market.”

More posts on this topic include:

Are you in the dark about open source? Post a comment and tell us what you know — or don’t know — about the open source usage in your organization.

Will GAGPL (GNU Affero GPL) Choke Web Heavyweights?

The GNU Affero GPL (GAGPL) Version 3 and the companion Affero GPL version 2 licenses released last week provide for public access to source code (modified or not) running on a network server. The current GPLv3 license does not cover this specific scenario, hence the new license version.

To give an example, if you are browsing the latest hosted social media application and it displays the GAGPLv3 license, you should be able to locate and download the source code for the application you are using. You might have to pay a fee — remember the “free” in free software means freedom to copy, not the price — but you will have the source with the modifications to use as you see fit, subject to the other stipulations in the license. As developers adopt this license, will it cause web sites to rethink dependence on open source components?

Palle Pedersen’s blog post “Is AGPL (Affero GPL) the Doom of Google?” has a lengthy analysis of the issue. He notes:

A wide adoption of the AGPL would change a current standard practice for creating a web application, where the developers start with a few pieces of GPL software and then modify the software until it suits their needs. With AGPL software in the mix, a business decision would have to be made on whether to use AGPL software and make source code for modifications and additions available – or to avoid AGPL software and spend more time developing software which can be kept out of the hands of competitors and potential hackers.

Larger companies, e.g. Google and Yahoo, are actually among the best positioned to live in this new world. They can carefully evaluate the trade-offs on a case-by-case basis and can introduce processes to make sure that AGPL code does not sneak into places where it should not be.

It will be interesting to watch the rate at which this new license is adopted. One source for tracking open source license adoption rates is Black Duck Software’s Open Source License Resource Center. Read the Free Software Foundation’s announcement of the new license here.

Dojo goes 1.0!

Congratulations to the Dojo Toolkit for releasing 1.0 this week. As described in the SitePen Press Release:

Dojo provides easy-to-use, high-quality UI components and JavaScript infrastructure critical for building responsive web applications without the need for proprietary plugins or single-vendor solutions. Only 25K in size, the base of Dojo delivers key support for Ajax, progressive enhancement, animations, and opens the door to a wealth of high-quality widgets and extension modules. Dojo supports the Firefox, Safari, Internet Explorer, and Opera browsers.

Also shipping with Dojo core in 1.0 is the Dijit framework for widgets (including support for accessibility and internationalization of widgets, as well as programmatic widget creation), and the DojoX set of extensions (including CometD and Dojo Offline). Finally, the Dojo packaging system and D.O.H. unit testing harness demonstrate the maturity of the project from a development management / engineering perspective – it isn’t just about adding more features but making those features usable for development projects who adopt Dojo.

Open Source & the Alt.Net Community

They’re even talking about “participative communities” over in the .NET universe as the alt.net movement (insurgency?) gains momentum. Martin Fowler’s Bliki summarized the AltNetConf in Austin, TX a few weeks ago. He describes key participants as “a group of long-time users of Microsoft technologies who feel that their development philosophy has been getting out of sync with the perceived orthodoxy from Redmond.”

Highlighting their shared approach to software development methods (think agile), Fowler addresses a key topic — the relationship between software providers and software users:

“A participative community is different, they don’t just want the vendor to listen and provide suitable products – they want to participate in the development of new products. It’s just such a participative community that’s taken the initiative in the Java world. JUnit, IBatis, Spring, Hibernate et al didn’t come out of the vendors, but were developed by “customers”. One of the things about the nature of the software industry is that many customers are every bit as capable of producing vital products as vendor companies, especially when combined with the community and ethos of open source.

The great question ahead for Microsoft is how to engage with a participative and opinionated community like this. Treating such a group as an opponent will result in the loss of valuable products, and more importantly the capable people connected with them. Engaging with a community like this brings great opportunity. I would argue that the participative community around enterprise Java has saved the enterprise Java platform. A big challenge for Microsoft in all this is that this means finding a way to accommodate with open source development. …

One other issue in a community like this is that it’s a community that doesn’t equate criticism with animosity. Many vendors suffer from the belief that anyone who criticizes them is their enemy. In truth often your friends are at their most valuable when they are critical.”

It will be interesting to see if Microsoft can be “open” enough to accommodate the alt.net movement. Given the caliber of the people involved, Microsoft’s loss would be open source’s gain.