Today, Synaxis introduces a new monthly series of interviews, “OSS Thought Leaders.” The purpose is to give our readers and clients access to those thinkers who can describe the trends in OSS, help you better understand OSS’s value, and better deploy OSS in your organization. Today, we sit down with Brian Proffitt to discuss OSS security, licenses, costs, and the software’s surprising non-surprise.
Brian Proffitt (@TheTechScribe) is an adjunct professor at the University of Notre Dame’s Mendoza College of Business and the author of 24 books on mobile technology and personal computing. He writes regularly for ReadWriteWeb, Linux Pro Magazine, and IT World, among others.
Synaxis: Because open source is "community maintained," should organizations be concerned that it is less secure than proprietary software?
Proffitt: Let’s begin with an observation that is often overlooked: There is nothing magical about OSS, it’s just software that’s developed in a different way. Therefore, OSS is no more or no less secure than proprietary software.
Issues surrounding security boil down to one of two things. Either someone makes a mistake when coding, or someone slips something into the code that will cause problems down the line. I would argue that OSS has a slight edge over proprietary software, because there are so many eyes looking at the code. This increases the chance that someone will discover any mistake or malicious line that someone tries to slip into it. There are no studies on this, but it’s something that I have come to believe based on a dozen years’ experience.
Synaxis: Still, the concern exists, especially in nonprofits, associations, and government, that security is an issue.
Proffitt: Yes. That’s true, but things are beginning to turn. Private industry drove the adoption of OSS very early in 2000 because companies like IBM jumped on it and pushed Linux. Federal governments are now catching on, having seen which way the wind is blowing, and are coming around. They are finally recognizing that OSS is just software, like any other type of software. Likewise, nonprofits and associations.
Synaxis: Assuming consumers accept that it’s just software, are there then different "kinds" of OSS they should pay attention to?
Proffitt: There are two main branches of what is broadly known as OSS. One is open source software, the other is free software. From the layman’s point of view, they’re the same thing. The key differences exist in the types of licenses they operate under.
Free Software licenses are restrictive in the sense that if you use software and modify it, and then want to share it with someone else, you must share your changes with the original project. The perceived problem here is if you create something distinctive that gives your organization an edge, you must share it with the project, thereby telegraphing your creation.
OSS came later. At the end of the day there are no real sharing restrictions on OSS, hence we call them permissive. You can choose to share or not to share the changes you make.
Synaxis: So how does this affect people who are looking to move to OSS, narrowly defined?
Proffitt: If the client is just going to use the software, then the license question is rendered moot. The real question is how the vendor chooses to distribute the software, which is an issue for the vendor, not the client. I have used free and open source software now for going on 12 years, and I’ve never had to worry about licenses because I’m not changing the code in the software.
Synaxis: That seems pretty straightforward, so why does the licensing issue seem to be such a concern for consumers?
Proffitt: It’s because when you deal with OSS, the licensing question is dealt with upfront. But as noted, unless you’re altering the base code, the licensing issues are going to be moot for the vast majority of clients, even large organizations and governments.
With proprietary software, the license issues don’t emerge until after you’ve purchased the program and are trying to decide how to deploy it.
Synaxis: Because Drupal and other open source platforms require developers, some clients worry they are simply trading proprietary fees for open source development costs and not saving money. What is your reaction?
Proffitt: You may make an argument that you’re trading costs, but when you compare what you’re getting, and the time saved, OSS is going to save you a lot of time and headaches.
If a customer decides he or she needs a module, you acquire it, then pay a developer a modest amount to adjust it so that it works for you. That’s it. With proprietary software, you have to make a future request back to the producer and hope that it’s a high enough priority for them to fix it when they update the program.
In the OSS environment, you can get the change you made just the way you want it in short order. In a proprietary situation, simply by making the request, you are advertising to the world what kind of change you are making. In an OSS situation, if you make a change, you don’t have to telegraph anything to anybody. You hire the developers, they come in and make the change quickly, and those changes are exactly what you want.
Synaxis: What is the greatest obstacle organizations face when shifting to open source, and how best can they overcome it?
Proffitt: There are a number of potential issues. If your technology team is comfortable programming with .NET or Visual Basic, it’s not surprising that they will be threatened by software not written in that code.
Removing that angle, there is still a general sense that OSS is inherently not good enough. That’s being proven wrong on a daily basis. But if it’s your IT department, they’re not going to really care about that. If the City of Munich is using LibreOffice, people may reason, let them hang themselves. Not my company, and not my software.
But people are changing. Most of the technology you see coming out of Cloud Computing and Big Data is OSS. There are only a few proprietary software packages in the BD world. Big Data and the OSS developed for mining it, mean the whole “is OSS good enough” issue is becoming less interesting. We see OSS being deployed everywhere.
The final complaint I hear a lot is that OSS isn’t mature. This is something that you have to watch, though even that’s becoming less of an issue. Drupal, Joomla, and Wordpress are well-tested and tried solutions. Newer OSS may, but certainly not always, be less than optimally mature.
Once the decision is made to go with OSS, people find that working with a commercial developer is not that different from working with proprietary software developers, except that the prices are typically lower. If they’re not lower, the consumer needs to be asking why. You can always go down the road and find another vendor who does what yours does. If I want to get Linux changed, I have dozens of opportunities to fix it, and at my price point.
Synaxis: What would surprise people most about OSS?
Proffitt: At the end of the day, it’s just software. OSS wants to be appreciated on its own merits. It should be considered like any other piece of software. But now, customers have a choice. Instead of depending on a proprietary company, you can use any vendor you want to integrate, and support, your site.