I am fascinated with behavior. You learn a lot by observing and reading about it and you often learn that what you thought was true isn't.
Previously, I've argued that open source wasn't open because the people behind it were generally not honest about who they were. A very public example came to light recently with Wikipedia. An anonymous contributor represented that he had credentials he did not have. Only after an investigative reporter looked into it was he found out.
People lie all the time about their background and credentials. Wikipedia has since put in place a policy to ensure that people editing have the background they claim, but given that they don't have to use their own names, I wonder how well that will work. I've used Wikipedia myself, and it surprises me how often, when I cite it to prove a point, people say something to the effect of, "you can't trust anything on Wikipedia." Hardly a scientific sample, but we've certainly seen it used for character assassination. If you look up my own page, you can probably see that a couple of folks tried to do exactly that to me.
Wikipedia to Open Source
With Wikipedia, the layman can often determine that something isn't right. In my own profile, an unbiased reader should quickly be able to see that the information is limited to a couple of folks who didn't like what I said about Linux and Apple over a small portion of my life and that there was no effort to ensure accuracy or integrity. It doesn't even try to be balanced. Of course, Nicholas Carr seems to argue (also worth reading) that because Wikipedia is "open" the quality sucks. I wonder, then, if that is true here, why isn't it true with code?
More to the point would be the accusations that it is being used to spread malware, which would seem to connect to code quality and trust. Open sure doesn't seem to be working that well in this case.
In the case of the fake PhD, a reporter, after substantial work, was able to determine that what was being said was untrue. But, the guy had been hired by Wikia Inc. because even they didn't do a background check. He has since been fired. People simply don't check and, when they do, few go through the trouble to vet the false information they see. If that is true with something as easy to check as Wikipedia, why would it not be true of open source software?
In short, what I'm saying is: how do we know that "open source" code is, in fact, being reviewed effectively by anyone? Compared to Wikipedia, there are actually very few people qualified to do such a review.
If it is open, but everyone assumes someone else is doing the review (but no one does), isn't it the same as being closed? If you have an open window but no one looks through it, is it actually any different from a wall? (Now, you have to admit, that at least sounds deep.)
Open Source and Human Behavior
A few months ago, I read about a study in Time (this is worth the effort to click on and read, by the way) that was prompted after a young woman was stalked and killed in the middle of the street in an affluent neighborhood, in front of lots of folks who could have helped but didn't. The study indicated that groups of people, even when faced with a clear reason to do something like help a woman in obvious distress, didn't because of group pressure that worked against taking action.
With open source, everyone seems to say that someone is looking at the code. But, in my experience, most who say this are not qualified to look at the code themselves and can't name the person they know that actually did the review. Granted, it is assumed that Red Hat and Novell look at their code, but then Microsoft looks at their code as well and this would simply be parity.
Now certainly, if someone is going in to modify the code, you can do that in open source but you can often do that, with proper approval, with a proprietary product as well. Microsoft's Shared Source initiative is an example, and in both cases you'll have to pick up any related extra service load yourself.
The Truth About Open Source
It seems to me that open source is really only open if you, or someone you actually know, makes use of the capability. Otherwise, it really isn't that much different in use from a proprietary product. Yes, it can make you feel better for using it, but you have the same risk of someone doing something you might not like, and never knowing about it, that hangs over a proprietary offering -- unless you actually check to make sure that isn't true.
And given what is clearly an increased risk of folks sending out bad things that look like something else, maybe a little diligence would be wise with open source regardless. Of course, it's not as if malware were on the rise with Linux, right? Oh wait...
And, if you can't read source code, then what real advantage is open source for you? Now there could clearly be other advantages. It could certainly be more reliable or do the job better, but then that is how you are, and should be, analyzing it, not whether it is "open" or not. In short, "open" is only an advantage if you make use of it and, by doing so, obtain a result that provides an advantage to you.
Everything has its advantages and disadvantages. Where we run into problems is when we ignore one side and simply focus on the other when making a decision. I'm not saying don't use open source. I'm simply saying that if "open" is a condition, then make sure it really is an advantage.
For most, I think, open is simply rhetoric and, if that's true, we either need to change that or stop talking about "open" as if it really means anything.