<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
There are two reasons people use FOSS. We can debate why these
reasons are true till the cows come home (and likely will :) ), but in
no particular order, this is what it boils down to:<br>
1) free<br>
2) works better<br>
<br>
And point #2 isn't always a prerequisite.<br>
<br>
Linux on the server has been both #1 and #2 for quite a while. On the
desktop, I think in the last 2-5 years it's now become #2 as well -
better than alternatives. The folks building the desktop stuff have
made astonishing progress in that time. Boggles my mind that what I'm
running on my desktop has been built by people doing it for free after
work. It's been an almost exponential increase in features. <br>
<br>
Which brings up something I find really cool to speculate on. If 5
years ago linux on the desktop sucked (and it did) and 3 years ago it
was on par with other OS (worked great, had some issues) to its
current state (better than other OS, faster, looks better, works
better, more features) then what the heck is my desktop going to look
like in another 5 years? I can't wait!<br>
g.<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:john@netdirect.ca">john@netdirect.ca</a> wrote:
<blockquote
cite="mid:OFC8501F3B.7EE09134-ON852576A5.0064182D-852576A5.00664A2B@netdirect.ca"
type="cite">
<pre wrap=""><a class="moz-txt-link-abbreviated" href="mailto:kwlug-disc-bounces@kwlug.org">kwlug-disc-bounces@kwlug.org</a> wrote on 01/08/2010 01:00:12 PM:
</pre>
<blockquote type="cite">
<pre wrap="">From: Lori Paniak <a class="moz-txt-link-rfc2396E" href="mailto:ldpaniak@fourpisolutions.com"><ldpaniak@fourpisolutions.com></a>
I don't believe that the culture of FOSS makes the software more secure.
In fact, there are examples of how it makes software more insecure. For
example, the libssl fiasco in Debian/ubuntu of two years ago. There,
the community (Debian package maintainer) decided to add value to the
code by eliminating all the "unnecessary" files from the code. Of
course, along with them went the entropy to make decent keys. It took
more than a year for the community to notice that SSL keys produced by
the code were defective and do something about it.
</pre>
</blockquote>
<pre wrap=""><!---->
You cannot possibly mean that misusing a library is not possible in the closed
source world.
</pre>
<blockquote type="cite">
<pre wrap="">On the upside, this example showed how the community could quickly act
to remove the defective code from service and repair the damage.
</pre>
</blockquote>
<pre wrap=""><!---->
This is one of the key facets that I think makes FOSS more secure.
</pre>
<blockquote type="cite">
<pre wrap="">When presenting the advantages of open source, we ought to stick to
demonstrable facts and avoid the pseudo-science of software sociology.
FOSS is made by people, just like code from the other guys and gals.
</pre>
</blockquote>
<pre wrap=""><!---->
I find it useful to talk about motivations and capabilities. Demonstrable
facts tend to be statistics which are point-in-time measurements. The
former has more longevity.
</pre>
<blockquote type="cite">
<pre wrap="">Like all software, it is broken and/or will eventually need modification
if it is good enough to be used. The advantage of FOSS is that you are
guaranteed the permission and background code to make these
repairs/changes. Try getting critical security patches for XP in 5
years.
</pre>
</blockquote>
<pre wrap=""><!---->
I don't think we have to wait that long to see Microsoft software that is
in use that doesn't have patch support.
One might also contend that I can't find software patches for Red Hat 8.0.
Despite being able to patch the code myself, I'm just not tuned into the
security community well enough.
</pre>
<blockquote type="cite">
<pre wrap="">As for 'lots of eyes make for small bugs' chestnut, the counter-argument
would be that in desktop-land Linux has 1% of the eyeballs, OSX, 9% and
Microsoft 90%. Hence, the Apple desktop is 9x more secure than Linux
and Windows 90x. If you disagree, then you also disagree with the
original claim. The issue of software security is too complicated to
summarize in a single phrase.
</pre>
</blockquote>
<pre wrap=""><!---->
The counter-counter argument is that those OSX and MS eyeballs you refer
to don't have complete vision. They are essentially testers because they can't
see the code.
How many programmers, researchers, students and other concerned people are
reading FOSS code? How many are reading closed code?
I talked with Rob Day recently and realised that he fits one of my
theorized anecdotes about FOSS.
I used to use a theoretical case to explain this. Imagine a programmer
that has a pet peeve about something. It could be wasted memory space,
logic inefficiency, or some subtle or far-fetched vulnerability. He
decides to scour a FOSS package looking to find or eradicate the issue and
comes up with modest space savings. Would a corporate body have done this?
If the perceived cost-benefit was too small, or just smaller than other
options, then they would not do it. Would a community do this? Yes of
course because one individual took initiative.
Rob Day exemplified this because he had a peeve and knew how to deal with
it. He saw a problem with the kernel source code. The config variables
used in determining what features are compiled into the kernel had lots of
errors. This was a problem that bothered Rob, but didn't bother other
kernel programmers enough to do something about it. Rob did something
about it. He created a relatively simple program that scanned for typos,
uploaded the list to a web site and notified module maintainers of the
problem.
With all the kernel programmers out there, Rob was the first to come up
with that idea. Imagine tens of thousands of programmers contributing to
the kernel over the years and only one that created a solution to this
problem. How many people have worked on the Windows kernel? Probably
hundreds, maybe a thousand. How many good ideas are not implemented?
John Van Ostrand
Net Direct Inc.
CTO, co-CEO
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
<a class="moz-txt-link-abbreviated" href="mailto:john@netdirect.ca">john@netdirect.ca</a>
Ph: 866-883-1172
ext.5102
Linux Solutions / IBM Hardware
Fx: 519-883-8533
</pre>
</blockquote>
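The Debian/Ubuntu OpenSSL incident that the quoted exchange refers to, illustrated with added example code. This is not part of the thread and not OpenSSL's or Debian's code; it models the shape of the failure: a key generator that mixes several sources into its seed, beside a variant where everything except the process ID has been removed, so that the generator can only ever emit as many distinct keys as there are PIDs. The HMAC-SHA256 key derivation, the 16-byte key length and the PID range are assumptions chosen for clarity. The enumerate step is the same idea a blacklist-style checker uses: precompute every key the crippled generator can produce and look a suspect key up in that table.

```python
"""Toy model of an entropy source being stripped from a key generator.

Added example, not OpenSSL's or Debian's code. The derivation function,
key size and PID range are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PID_MAX = 32768  # assumption: classic Linux pid limit, PIDs fall in 1..32767


def derive_key(seed: bytes, nbytes: int = 16) -> bytes:
    """Deterministic key derivation from seed material (stand-in for a DRBG)."""
    return hmac.new(b"toy-key-derivation", seed, hashlib.sha256).digest()[:nbytes]


def seed_with_entropy(pid: int, noise: bytes) -> bytes:
    """'Before' variant: PID plus 32 bytes of fresh OS randomness."""
    return pid.to_bytes(4, "big") + noise


def seed_pid_only(pid: int) -> bytes:
    """'After' variant: the randomness was removed, only the PID remains."""
    return pid.to_bytes(4, "big")


def weak_key(pid: int) -> bytes:
    """Key as produced by the crippled generator for a given PID."""
    return derive_key(seed_pid_only(pid))


def strong_key(pid: int, noise: Optional[bytes] = None) -> bytes:
    """Key as produced by the intact generator; noise defaults to os.urandom."""
    if noise is None:
        noise = os.urandom(32)
    return derive_key(seed_with_entropy(pid, noise))


def enumerate_weak_keys() -> Dict[bytes, int]:
    """Every key the weak generator can ever emit, indexed by the PID that made it.

    A blacklist checker precomputes exactly this table once and then tests
    deployed keys against it.
    """
    return {weak_key(pid): pid for pid in range(1, PID_MAX)}


def is_blacklisted(key: bytes, table: Dict[bytes, int]) -> bool:
    """True if the key could only have come from the crippled generator."""
    return key in table


def recover_pid(key: bytes, table: Dict[bytes, int]) -> Optional[int]:
    """Return the PID that produced a weak key, or None for a non-weak key."""
    return table.get(key)


if __name__ == "__main__":
    table = enumerate_weak_keys()
    print(f"weak generator can produce only {len(table)} distinct keys")
    victim = weak_key(4242)  # constructed: a key generated under PID 4242
    print("victim key blacklisted:", is_blacklisted(victim, table),
          "recovered pid:", recover_pid(victim, table))
    print("strong key blacklisted:", is_blacklisted(strong_key(4242), table))
```

Building the full table takes a fraction of a second here, which is the point: once the only remaining input is a 15-bit PID, an attacker can enumerate every possible key and test each one against a captured public key or handshake, and a defender can use the same table to flag keys that need to be regenerated.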
<br>
</body>
</html>