As Promised: My Response to Dr. Edgar

Dr. Edgar points out that the three foundations of the Bill are:

1. Free access to public information by the citizen.

2. Permanence of public data.

3. Security of the State and citizens.

As we all know, #1 has nothing to do with whether the software is open source or not, or whether you must pay for the software (in the end, the government has to build the apps in which its data is stored, regardless of whether the underlying software is open source or not... and that will cost significantly more than the software packages they are using). However, as Edgar correctly points out:

"To guarantee the free access of citizens to public information, it is indispensable that the encoding of data is not tied to a single provider. The use of standard and open formats gives a guarantee of this free access, if necessary through the creation of compatible free software."

That is an interesting point, though I would suggest that it isn't a valid one. The file formats themselves in most of these cases have little to do with anything. For one, the Office apps can just about all save in XML now (documented and standardized... even if it is a proprietary standard). However, let's talk databases now. Who the hell is going to reverse engineer the format of a SQL Server database to get their data out when T-SQL is already a standardized way to get that data in and out? Even if the information on the file format were available, it would be a ridiculous suggestion that someone should write their own raw data reader. Yes, you are going to face migration costs if you move to another platform, but using open source tools doesn't solve this. If you want to move from MySQL to PostgreSQL, you face the same issues as moving from MySQL to MS SQL.

The suggestion that the government might one day create its own "compatible" word processors and SQL servers is really astonishing. Maybe the Dr. isn't that familiar with the software development process... or maybe he takes for granted the fact that the copy of Word he used to type his response took hundreds of developers thousands of man-years to develop.

"To guarantee the permanence of public data, it is necessary that the usability and maintenance of the software does not depend on the goodwill of the suppliers, or on the monopoly conditions imposed by them. For this reason the State needs systems the development of which can be guaranteed due to the availability of the source code."

Fortunately, the usability of the software is determined by the market, not the suppliers. However, the maintenance issue is another interesting point. I guess that there is a very small possibility that Microsoft will all of a sudden decide it doesn't want to make any more copies of Word or SQL Server and will just drop the product line altogether. I don't see this happening any time soon, though, and it is hardly something to waste much time worrying about.

"To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*."

The first part of this statement has nothing to do with OpenSource vs. Non-OpenSource, but the line about the state itself having to inspect the source code is pretty lame. Like any group of fewer than 10,000 people is going to be able to look over the millions of lines of code in an operating system like Windows to make sure it meets their code requirements. Ahh... you might say, but this is why OpenSource is good: anyone can look at the source. Yah, but who actually does? If anything, giving your code out to the world does nothing to increase your security, unless you trust that the good guys are smarter and better funded than the bad guys. This usually isn't the case. This is like posting your network map up on your web site for all the hackers to take a look at and drool over. It is like the army broadcasting the current position of all their troops to the enemy and saying, "just don't bomb these red dots, because that would cripple our ground forces." Not very rational to me, but some people think with different metaphors... A solution like Microsoft's Shared Source is much preferable, because it is like sharing your network map with a group of your network consultants, or sharing your information about troop locations and movements with your allies, rather than the world.

"Furthermore, the Bill *stimulates* competition, since it tends to generate a supply of software with better conditions of usability, and to better existing work, in a model of continuous improvement."

Yah, right. So, this "continuous improvement model" (a la "OpenSource") has generated a lot of more usable software... like... umm? what? Yah, it betters existing work, but making a pile of crap smell nicer doesn't change the fact that it is still a pile of crap. Look at GIMP. Look at OpenOffice. Look at KDE. Then come back and tell me with a straight face that they are easier to use than the proprietary equivalents (Photoshop, Word, Windows). Some pundits might argue, "but those projects are still a lot younger." Yah, your point? If they aren't ready for prime time, then neither is a bill which supposes they are.

"In respect of the jobs generated by proprietary software in countries like ours, these mainly concern technical tasks of little aggregate value; at the local level, the technicians who provide support for proprietary software produced by transnational companies do not have the possibility of fixing bugs, not necessarily for lack of technical capability or of talent, but because they do not have access to the source code to fix it. With free software one creates more technically qualified employment and a framework of free competence where success is only tied to the ability to offer good technical support and quality of service, one stimulates the market, and one increases the shared fund of knowledge, opening up alternatives to generate services of greater total value and a higher quality level, to the benefit of all involved: producers, service organizations, and consumers."

Yes, and this is exactly the point. You create jobs in the service sector and never allow any decent-sized commercial software companies to grow up. As a result, companies in your country are faced with two options:

1) Buy the software from company X based in some other country.

or

2) Use some free software and pay for support from company X based in some other country.

Yah, the possibility exists that you might have some Linux-based consulting companies spring up, but as soon as the market becomes big enough, Red Hat sweeps in, provides better support, and takes the money back to home base, somewhere else. You probably don't even get many new jobs in your economy now, since the support is shipped off to some call center in another location anyway, and those little startups that did manage to stick around can no longer survive.

Of course, this isn't even to mention that the potential revenue per hour from a killer app (or even a decent-selling app) is much greater than that of providing services, since the revenue growth is exponential, not linear.

"But it is also well-known that the bugs in free software are fewer, and are fixed much more quickly, than in proprietary software"

Or commonly assumed. However, as we know, last year there were more Linux security advisories than MS advisories (http://www.wininformant.com/Articles/Index.cfm?ArticleID=27428). Maybe some day people will stop believing the Linux FUD?

"the inclusion of the intellectual property of others in works claimed as one's own is not a practice that has been noted in the free software community"

uhh.... ever heard of SCO? (http://www.linuxworld.com/2003/0310.barr.html). A congressperson resorting to implied ad hominem attacks? Can you imagine that :-).

"Now the use of free software contributes significantly to reduce the remaining life-cycle costs. This reduction in the costs of installation, support etc. can be noted in several areas: in the first place, the competitive service model of free software, support and maintenance for which can be freely contracted out to a range of suppliers competing on the grounds of quality and low cost. This is true for installation, enabling, and support, and in large part for maintenance. In the second place, due to the reproductive characteristics of the model, maintenance carried out for an application is easily replicable, without incurring large costs (that is, without paying more than once for the same thing) since modifications, if one wishes, can be incorporated in the common fund of knowledge. Thirdly, the huge costs caused by non-functioning software ("blue screens of death", malicious code such as viruses, worms, and trojans, exceptions, general protection faults and other well-known problems) are reduced considerably by using more stable software; and it is well-known that one of the most notable virtues of free software is its stability."

Yah right. Installation (not even to touch on uninstallation) is NOT easier for any open source product I have used. Yes, it is getting better, but it ain't Windows Installer. Support isn't going to be any cheaper either. And let's talk about maintenance for a while. You ever tried to change some of these "standardized", "open format" config files on a Linux system? Time to break out your text editor and search through a couple gigs of HOWTOs. Wouldn't be as bad if there were something like MSDN for Linux... but it is still a pain in the arse when all your config files use some random format that the 13-year-old who wrote that part of the operating system decided upon (ok, that is ad hominem, I admit... but it might be the truth). Just because Linux doesn't give you a blue screen when it goes down doesn't mean it doesn't go down. We recently had a hell of a time with a "non-Windows" box over here which randomly decided to overwrite a config file with HTML. The only solution support could give us was to reinstall the OS, because that was when the file was created and it wasn't easy to restore.

"Let us analyze your statement in two parts. Your first argument, that migration implies high costs, is in reality an argument in favour of the Bill. Because the more time goes by, the more difficult migration to another technology will become; and at the same time, the security risks associated with proprietary software will continue to increase. In this way, the use of proprietary systems and formats will make the State ever more dependent on specific suppliers. Once a policy of using free software has been established (which certainly does imply some cost) then on the contrary migration from one system to another becomes very simple, since all data is stored in open formats. On the other hand, migration to an open software context implies no more costs than migration between two different proprietary software contexts, which invalidates your argument completely."

Let us analyze your statement in two parts. Your first argument is that migration will become more and more expensive. The goal here is not to migrate; that is what things like web services are for. But if the time comes when you need to migrate, proprietary products generally have great support for this, since they depend on it in order to generate revenue. Look at the document support in every major commercial word processor vs. that of every open source word processor and you will know what I mean. StarOffice is perhaps the only package that has somewhat decent support there... but the importer architecture is horrible and is currently being reworked, because it is too tightly bound to the rest of the StarOffice code. I thought the "everyone gets to see this" model was supposed to eliminate that type of thing...? Well, it doesn't, because everyone takes a look at how horrible it is (the German comments and variable names don't help much), and then walks away to work on something cooler, so it takes 4 years to rework the architecture and then another 4 to rebuild the plugins on top of it.

"The second argument refers to "problems in interoperability of the IT platforms within the State, and between the State and the private sector". This statement implies a certain lack of knowledge of the way in which free software is built, which does not maximize the dependence of the user on a particular platform, as normally happens in the realm of proprietary software. Even when there are multiple free software distributions, and numerous programs which can be used for the same function, interoperability is guaranteed as much by the use of standard formats, as required by the bill, as by the possibility of creating interoperable software given the availability of the source code."

Your response indicates a lack of knowledge of the way free software is built. It is notoriously difficult to interoperate with. The preferred method of using most widely used open source components (zlib, libjpeg, etc.) is to statically link them with your program (the standard GPL license reflects this to a wide degree). This ain't exactly interoperability. Moving on, where is the web service support in the Linux OS? Sun is working on some web service stuff, but MS was there first. The MS value proposition is built upon a component-based model, and this is something that, outside of the Java community, most of the Linux world misses (see Miguel de Icaza's "Let's Make Linux not Suck" paper for more on that).

The final statement goes something like this:

"Now, software deals with information and is itself information. Information in a special form, capable of being interpreted by a machine in order to execute actions, but crucial information all the same because the citizen has a legitimate right to know, for example, how his vote is computed or his taxes calculated. And for that he must have free access to the source code and be able to prove to his satisfaction the programs used for electoral computations or calculation of his taxes."

So, my final question would be, what the hell does that have to do with whether or not the government's tax program runs on top of Windows / .NET vs. Linux / php?

4 Comments

  • While I agree that many of the points are ill-founded, your comments about network security and the advantages of public source aren't quite right.

    Security through obscurity is a bad thing -- pretty much everyone agrees on that. You're confusing practice of security (hiding troop positions versus broadcasting them) with the means of security (moving under cover of darkness, using indirection to deceive enemy observers, etc. versus marching in a long line and hoping no one notices).

    Mmm. Not sure if that made any sense, but you seem to be advocating security through obscurity, and that's very thin ice.

    --j

  • No. Security through obscurity only is definitely bad. However, obscurity is a good thing, because if the hacker doesn't know how to get into the system, then he can't. So, if I could have two different systems with relatively the same level of security, one of them, however, being obscure to the attacker, I would definitely prefer the one obscure to the attacker.

  • so... 2 equally secure systems, the open version gets hacked (due to the obscurity of the closed system) and patched within 48 hours. Now which system do you prefer? The open system is now slightly more secure but the other is still obscured. Which is better?

    (not sure of the answer myself, just thinking out loud)

  • The one that didn't get hacked :-). Obviously, we are talking hypotheticals here, but if this is how things continue, the open version getting hacked and fixed, and the closed version not getting hacked, the closed is a better option. I would point out, though, that in the real world both are undergoing constant improvement; it isn't just one getting more secure.

    Still, the commercial (and generally closed source) model can allow for a much more rapid pace of improvement and innovation if it is required. For example, when the market decided that it was not going to buy Microsoft products if Microsoft did not focus on security, Microsoft was able to halt production, send its developers to paid training with security experts, and then pay those same programmers to spend months painstakingly conducting security audits of existing code. In a very short time span, the security focus was dramatically increased and thousands of developers were re-educated. This isn't something the current open source model accommodates very well (not that it can't be done, but it is a lot harder when you don't have complete control of your teams from 9 to 5).