Author
| What's the matter with Open Source?
|
DarQ msx professional Posts: 836 | Posted: 29 December 2002, 23:26   |
open source has 1 big problem..and it has been PROVED!
opensource is very cheap to purchase but it costs more in the long term for maintenance costs.
|
|
sander
 msx addict Posts: 335 | Posted: 30 December 2002, 00:02   |
Yeah, proved by a group financed by Microsoft.
|
|
DarQ msx professional Posts: 836 | Posted: 30 December 2002, 00:27   |
bullshit. open source is usually less maintainable than pricey software is.
|
|
GuyveR800 msx guru Posts: 3048 | Posted: 30 December 2002, 01:30   |
Mozilla is better maintainable than Netscape was.
Linux is better maintainable than Windows (just check how many security flaws there are in Microsoft products).
And the best example: my own closed-source software is the least maintainable of all!
(And no, I'm not joining this discussion even though it looks like it ^^) |
|
mth msx freak Posts: 189 | Posted: 30 December 2002, 04:42   |
I think the essence of open source is freedom for the user. If you want a new feature, you can get anyone to implement it; you're not tied to whoever made the software. You decide when you want to upgrade, not the software company. You don't have to trust the programmers blindly, instead you can have anyone check the source for backdoors.
Basically, having exclusive rights to the source is power. And power is often abused.
Quote:
| open source has 1 big problem..and it has been PROVED!
opensource is very cheap to purchase but it costs more in the long term for maintenance costs.
|
I don't think you can make such a statement about open source in general. Only about a specific open source package compared to a specific closed source package. Even in the latter case, look carefully at the details: often switching from closed source to open source is examined, which includes training for people to learn a new software package. If you have to choose between an open source package and a closed source package in a situation where you are running neither, the costs are different.
By the way, for anything except mathematics, I have some reservations about things that are "proven". Statistical evidence always has a margin of error (typically around 5%) and is easy to misinterpret, especially if the researcher is biased (which is not uncommon, they're only human after all). Finally there is of course the media, where statements are simplified, often by people that are not experts on the subject they write about. In the case of research such a simplification can lead to too-general or even wrong conclusions.
There are huge differences between open source packages. I've seen code that is very well written and I've seen code that is so bad, I'm amazed it works at all. I think the same is true for closed source, but you only get to see parts of it if you happen to work for the company that wrote it.
Quote:
|
In my opinion.. I don't understand how open source software can offer decent security. If everyone, even hackers, can look into the source code. It seems to me that it's a lot easier to find the weak spots. On the other hand, more people are solving security issues... hmz...
|
With open source, anyone can find weak spots easier: both trustworthy people and people that are up to no good. Usually the former find it first, because their number is larger. What is important, is that after a weak spot is found, it is often fixed quickly. Too many closed source companies wait a long time fixing problems after they are found, but not exploited in the wild.
When I'm looking for services where security matters, I prefer modular approaches to do-it-all programs. Everything you don't run, is one security risk less. Also, you can greatly reduce the damage of a security flaw by running services with the minimal set of privileges they need. For example, I prefer Postfix and TinyDNS to the better-known alternatives Sendmail and Bind.
If you want to see open source in action, look at openMSX. We have been able to do quite a bit in only 1.5 years of development. That was possible because of code donations from people who are/were working on other emulators (including Marcel de Kogel, Alex Wulms, Sean Young and Frits Hilderink), code that was already open sourced (including the OPLL emulation and libraries such as SDL) and because unlike most MSX emulators it is developed by a team instead of a single person.
By the way, if you're a Java programmer, check out the open source software produced by Apache's Jakarta Project jakarta.apache.org. They've got anything from an XML parser to a Java bytecode manipulation library, from a project builder to a servlet engine. |
|
snout
 msx legend Posts: 4991 | Posted: 31 December 2002, 02:12   |
Still, a lot of open source software shows nasty fixes by underexperienced developers. Most open source projects could use a little more management. And maybe the source should only be open to a limited amount of people. This to ensure the quality of the final product and to prevent security issues.
|
|
mth msx freak Posts: 189 | Posted: 31 December 2002, 17:18   |
Quote:
| Still, a lot of open source software shows nasty fixes by underexperienced developers.
|
I don't see that happening, do you have any examples?
Usually changes to open source packages are made by experienced developers; not just anyone gets write access to the source archive. New developers often begin with sending in patches, which are reviewed by developers working on the project for a long time.
Quote:
| Most open source projects could use a little more management.
|
Much open source code is written by volunteers. They probably don't like it if someone starts managing their free time.
Quote:
| And maybe the source should only be open to a limited amount of people. This to ensure the quality of the final product and to prevent security issues.
|
It's not really open then, is it? Who will decide whether I am trustworthy enough to see the source? And based on what knowledge?
To ensure the quality, it is enough to limit write access, no need to limit read access. About the security issues: hiding issues by keeping the source secret may work in the short term, but in the long term I have more faith in fixing the issues, which is done faster if many people see the source.
|
|
snout
 msx legend Posts: 4991 | Posted: 31 December 2002, 18:54   |
Quote:
| >>Still, a lot of open source software shows nasty fixes by underexperienced developers.<<
I don't see that happening, do you have any examples?
|
Well.. ehm.. for instance.. the CMS this very website is based on. I really underestimated the amount of tweaking that had to be done. (On the other hand, it's a good thing the CMS is opensource, otherwise we would have had to do everything by ourselves...)
Quote:
| Much open source code is written by volunteers. They probably don't like it if someone starts managing their free time.
|
I wasn't talking about managing the spare time, but about managing 'who fixes what'. (without the 'when')
Quote:
| It's not really open then, is it? Who will decide whether I am trustworthy enough to see the source? And based on what knowledge?
|
The project manager. Like I said, I would like some hybrid version of open/closed source. Without the restrictions of 'closed source' and avoiding many downsides of opensource.
|
|
mth msx freak Posts: 189 | Posted: 01 January 2003, 08:50   |
Quote:
| >>>>Still, a lot of open source software shows nasty fixes by underexperienced developers.<<<<
>>I don't see that happening, do you have any examples?<<
Well.. ehm.. for instance.. the CMS this very website is based on. I really underestimated the amount of tweaking that had to be done. (On the other hand, it's a good thing the CMS is opensource, otherwise we would have had to do everything by ourselves...)
|
But would the same core developers have produced something better if it were closed source? Of course having better developers will benefit any project, no matter whether it is open or closed. And even good developers usually don't get things right on the first try, so it could simply be the immaturity of the project.
Quote:
|
>>Much open source code is written by volunteers. They probably don't like it if someone starts managing their free time.<<
I wasn't talking about managing the spare time, but about managing 'who fixes what'. (without the 'when')
|
Bug tracking systems are used for that. Most moderately and large sized projects use one. For example SourceForge offers one, many other projects use Bugzilla. In small projects such things are usually managed on a mailing list.
Quote:
|
>>It's not really open then, is it? Who will decide whether I am trustworthy enough to see the source? And based on what knowledge?<<
The project manager.
|
The last question still remains: based on what knowledge?
Also, does making it harder to exploit the code outweigh the opportunity to get more developers? Remember that closed source is no hard protection against exploits at all, for example plenty of Windows exploits are documented. It only makes finding exploits slightly harder.
We could also examine the results: are today's open source programs more often exploited than their closed source equivalents? As far as I can see:
- Exploits for both open and closed source projects are regularly posted on security mailing lists. While it is hard to directly compare the numbers (for example multiple Linux distributions will each report the same issue), I think it is safe to say that both are in the same order of magnitude.
- Web servers are by definition accessible to the public and therefore an easy target to exploit. Many of them run open source software, such as Apache on Linux or BSD. If those servers were broken into too often, the people running them would be changing to different software, yet there is no decline in the percentage of open source powered web servers.
- The number of exploits per individual project varies a lot per project, when compared to other projects in the same class (open/closed). So other factors such as project priorities (security vs new features, performance, flexibility etc), maturity and developer talent seem to make a bigger impact than the availability of the source.
So while I cannot prove open source is equally or more secure than closed source, I think it's reasonable to conclude that the number of security issues it has is not that far apart from closed source.
Quote:
|
Like I said, I would like some hybrid version of open/closed source. Without the restrictions of 'closed source' and avoiding many downsides of opensource.
|
Personally, I only see one downside of open source: getting resources. Developers, servers, hardware to run the software on etc. For example, getting developers for interesting tasks usually succeeds, but getting people to do boring but essential tasks can be difficult. In a commercial environment the payment compensates for part of the work being boring, but not all open source projects are lucky enough to have companies supporting them with paid developers.
The way I see the future, there will be a place for both open and closed source. Open source will mainly be used for infrastructure software, such as operating systems, server frameworks etc and closed source will mainly be used for specific applications. I do think that in ten years from now, the majority of software on an average PC will be open source. However, since open source will mainly be used for infrastructure software, what is most visible to the user might well be the closed source minority. (Remind me in ten years to check how far off my prediction was. I just know we'll still be MSX-ing then...)
Mac OS X is an example of this: the basic OS is an open source BSD port called Darwin, the GUI is Apple's own closed source work. The rationale behind this separation is that a company wants to concentrate their resources on what makes their product special. The basic OS layer is well-understood (Unix dates back to the 70's and the same concepts still work well today) and does not offer any features that desktop users will care about. Apple was forced to upgrade their outdated OS layer; if they would have written one from scratch it would have taken a lot of time and money, without any benefits to the end user over existing OSes. The GUI however, is what makes Mac OS X different from Windows and Unix desktops like KDE. So this is where they want to keep their efforts to themselves.
IBM does something similar for the Eclipse IDE: the IDE framework is open source, together with several key plugins such as a syntax-highlighting editor, build tool integration, configuration management integration etc. But some of the more advanced plugins are sold by IBM as part of Websphere Studio. By open sourcing the core, IBM gets free development on the framework and a lot of useful plugins they may not even have thought of themselves. And by selling additional modules they still have the ability to make money.
|
|
snout
 msx legend Posts: 4991 | Posted: 05 January 2003, 22:19   |
Wow, what a post, mth. I do agree with you on a lot of things, but...
Quote:
|
So while I cannot prove open source is equally or more secure than closed source, I think it's reasonable to conclude that the number of security issues it has is not that far apart from closed source.
|
...however, still a small percentage of computers are running Linux compared to Windows. This means that
1) Hackers probably aim more at the most-used OS: Windows. Especially since it's cool to be anti-MS.
2) Relatively more security issues should come to light as more people are likely to find a security issue just by using the software alone
It's very hard - if not impossible - to say if Linux is really better (or not) when it comes to security. |
|
GuyveR800 msx guru Posts: 3048 | Posted: 06 January 2003, 03:03   |
Quote:
| It's very hard - if not impossible - to say if Linux is really better (or not) when it comes to security.
|
I think it's impossible to say any OS is better than another, because it all depends on your needs and experiences. |
|
Bart msx professional Posts: 646 | Posted: 07 January 2003, 00:34   |
Quote:
| >>It's very hard - if not impossible - to say if Linux is really better (or not) when it comes to security.<<
I think it's impossible to say any OS is better than another, because it all depends on your needs and experiences.
|
Where did you gather all this wisdom Guyver? You've got a fresh look on things. I cannot say else than that I really must agree with you.
I use linux and windows at home and at work. I really don't get people who have an attitude against one of them.
My linux machine is my server. My windows machines are my work stations. Each OS does what it's good for. |
|
Leo msx freak Posts: 212 | Posted: 16 February 2003, 22:05   |
In open source you can customize the levels of security without giving the keys to the rest of the community, so you don't have to trust any opaque tool it is only upon yourself.
I think open source brings top technology to lots of people (costs and save dev. time), so much more people can then enter this business. And with lots of more players the inter-emulation entail to better software.
So open source is good even for customers of commercial software!
|
|
Bart msx professional Posts: 646 | Posted: 18 February 2003, 01:18   |
Nice copy 'n paste work Leo.. Or did you learn all that by heart?
|
|
Grauw msx professional Posts: 1002 | Posted: 18 February 2003, 16:01   |
Quote:
| bullshit. open source is usually less maintainable than pricey software is.
|
I highly doubt that. Closed source software is often developed within 1 company, with all employees on the same floor. There is much less need for coordination and good documentation than in the case of opensourced software, because if there is a problem somewhere it is easy to just ask the person who created that part.
However in the case of opensource software, it usually is developed by a team of people all over the world (I say usually here because just the fact that I release my source to the public doesn't necessarily mean I accept contributions to the project from outsiders). Such a wide distribution of programmers and such a potentially high number of them requires very strict rules for project management and documentation.
Aside from that you can also benefit from the experience of much more people than your own team. That alone is a huge advantage and if they can give you tips or even restructure/reprogram vital parts of the code it does a great deal of good to the 'maintainability' of the software. And the chance of all the developers quitting the project is much smaller as well; if the software company goes bankrupt, the product development will stop, or if the code is sold to another company they have to pick up with it again. In the case of opensourced code it is usually not 1 company involved and so the chances for everyone quitting at once is low. So there will always be some people in the team left which already have experience with the project, hence improving the transition and the continuation of it.
~Grauw |
|
|
|
|