On Fri, Jan 8, 2010 at 11:01 PM, Paul Nijjar <span dir="ltr"><<a href="mailto:paul_nijjar@yahoo.ca">paul_nijjar@yahoo.ca</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Fri, Jan 08, 2010 at 05:35:28AM -0500, Robert P. J. Day wrote:<br>
><br>
> that's the sort of thing i'm interested in -- arguments that go<br>
> beyond the warm fuzzies and use precise and well-defined examples of<br>
> *how* OSS is more secure.<br>
<br>
</div>I am not sure that FLOSS is more secure. I am pretty sure I don't<br>
believe the eyeballs argument. Here are some reasons why:<br>
<br>
0. There are too many free riders. Companies can get away with<br>
releasing GPL "Community Versions" and closed-source "Enterprise<br>
editions" of their software because they know we are free-riders and<br>
won't fill in the missing bits in the community version software.<br></blockquote><div><br>It does not matter how many free riders are there. What matters is the<br>0.01% of the users who participate and contribute back to the project<br>
in meaningful ways.<br><br>If you have a critical mass of these, the project is healthy. How much <br>depends on the project size, scope, development model, ...etc.<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
1. Many bugs don't get reported, because you have to be an expert to<br>
report a bug, and you need to be running the latest bleeding-edge<br>
version of whatever software is in question. You also need to phrase<br>
your question in exactly the right way using exactly the right<br>
terminology, or people snark at you and point you to ESR's patronizing<br>
"Smart Questions" document.<br></blockquote><div><br>Yes, the bleeding edge version is a problem. We see that in Drupal a lot.<br>This causes a delay in reporting, but eventually things get fixed. It takes<br>two versions instead of one, but it does get fixed.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2. Many of the software projects we depend upon are subsidized by big<br>
companies for reasons I often cannot understand and do not see as<br>
sustainable. Then they are bought by Oracle and people freak out.<br></blockquote><div><br>Fair concern here (re: MySQL). But the GPL is what protects the project. <br>It remains to be seen if the code base for MySQL is too great for a community<br>
to sustain the project in an open development model or not. <br><br>In Drupal, companies sponsor features by employing core developers, but <br>in no way do they dictate what features go in. It is all by community concensus.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I know I am exaggerating and not providing numbers. I still despair<br>
for the future of free software. Many eyeballs only work if enough of<br>
those eyeballs are willing to contribute improvements.<br></blockquote><div><br>A healthy project is the one that has enough eyeballs AND hands. It depends<br>on the community building skills of the founders. If they alienate the community<br>
the project may die, or it may fork.<br><br>Remember MamboServer? It was forked to Joomla and that was healthy for <br>a long time. The name changed, but the code AND the community lived on.<br></div><div>-- </div></div>Khalid M. Baheyeldin<br>
<a href="http://2bits.com">2bits.com</a>, Inc.<br><a href="http://2bits.com">http://2bits.com</a><br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>