Open Source: Is It Really Open?

Rob Enderle

I am fascinated with behavior. You learn a lot by observing and reading about it and you often learn that what you thought was true isn't.

Previously, I've argued that open source wasn't open because the people behind it were generally not honest about who they were. A very public example came to light recently with Wikipedia. An anonymous contributor represented that he had credentials he did not have. Only after an investigative reporter looked into it was he found out.

People lie all the time about their background and credentials, and Wikipedia has since put in place a policy to ensure that people editing have the background they claim, but given that they don't have to actually use their own names, I wonder how well that will work. I've used Wikipedia myself, and it surprises me how often, when I cite it to prove a point in a reply, people say something to the effect of, "you can't trust anything on Wikipedia." Hardly a scientific sample, but we've certainly seen it used for character assassination. If you look up my own page, you can probably see that is how a couple of folks tried to do that to me.

Wikipedia to Open Source

With Wikipedia, the layman can often determine that something isn't right. In my own profile, an unbiased reader should quickly be able to see that the information is limited to a couple of folks who didn't like what I said about Linux and Apple over a small portion of my life and that there was no effort to ensure accuracy or integrity. It doesn't even try to be balanced. Of course, Nicholas Carr seems to argue (also worth reading) that because Wikipedia is "open" the quality sucks. I wonder, then, if that is true here, why isn't it true with code?

More to the point would be the accusations that Wikipedia is being used to spread malware, which would seem to connect to code quality and trust. Open sure doesn't seem to be working that well in this case.

In the case of the fake PhD, a reporter, after substantial work, was able to determine that what was being said was untrue. But, the guy had been hired by Wikia Inc. because even they didn't do a background check. He has since been fired. People simply don't check and, when they do, few go through the trouble to vet the false information they see. If that is true with something as easy to check as Wikipedia, why would it not be true of open source software?

In short, what I'm saying is, how do we know that "open source" code is, in fact, being reviewed effectively by anyone? There are actually, compared to Wiki, very few people qualified to do such a review.

If it is open, but everyone assumes someone else is doing the review (but no one does), isn't it the same as being closed? If you have an open window but no one looks through it, is it actually any different from a wall? (Now, you have to admit, that at least sounds deep.)

Open Source and Human Behavior

A few months ago, I read about a study (this is worth the effort to click on and read, by the way) in Time that resulted after a young woman was stalked and killed in the middle of the street in an affluent neighborhood, in front of lots of folks who could have helped but didn't. The study indicated that groups of people, even when faced with a clear reason to do something like help a woman in obvious distress, didn't, because of group pressure that worked against taking action.

With open source, everyone seems to say that someone is looking at the code. But, in my experience, most who say this are not qualified to look at the code themselves and can't name the person they know that actually did the review. Granted, it is assumed that Red Hat and Novell look at their code, but then Microsoft looks at their code as well and this would simply be parity.

Now certainly, if someone is going in to modify the code, you can do that in open source but you can often do that, with proper approval, with a proprietary product as well. Microsoft's Shared Source initiative is an example, and in both cases you'll have to pick up any related extra service load yourself.

The Truth About Open Source

It seems to me that open source is really only open if you, or someone you actually know, makes use of the capability. Otherwise, it really isn't that much different in use from a proprietary product. Yes, it can make you feel better for using it but you have the same risks of someone doing something you might not like, and never knowing about it, that hangs over a proprietary offering -- unless you actually check to make sure that isn't true.

And given what is clearly an increased risk of folks sending out bad things that look like something else, maybe a little diligence would be wise with open source regardless. Of course, it's not as if malware were on the rise with Linux, right? Oh wait...

And, if you can't read source code, then what real advantage is open source for you? Now there could clearly be other advantages. It could certainly be more reliable or do the job better, but then that is how you are, and should be, analyzing it, not whether it is "open" or not. In short, "open" is only an advantage if you make use of it and, by doing so, obtain a result that provides an advantage to you.

Everything has its advantages and disadvantages. Where we run into problems is when we ignore one side and simply focus on the other when making a decision. I'm not saying don't use open source. I'm simply saying that if "open" is a condition, then make sure it really is an advantage.

For most, I think, open is simply rhetoric and, if that's true, we either need to change that or stop talking about "open" as if it really means anything.

Mar 9, 2007 3:25 AM David says:
As a close observer of one of the biggest OSS projects around (the KDE desktop environment), I can assure you that no attempt to insert any malware into KDE code (websvn.kde.org) would stand a chance, because the developers really do take a look at the code. And the term "the developers" applies to a big group of people that share the goal to produce clean, good code and a good user experience in the end. All those devs (no matter if paid by Trolltech, Suse or any other company or not) like what they do, and this has impact on quality. Also those developers change over time, and especially in OSS projects that are around for a long time and have a lot of users, there are a LOT of people looking at each other's code. Here we have the peer review practice that a lot of closed source companies also try to get established. Only that it's not one peer review but a review by many.
Mar 9, 2007 10:35 AM Tony McNamara says:
If the code is critical to your operation, you will look at it both professionally (as to your ability to interpret what it's doing) and critically (as to its ability to interface with your other code). If the code is critical to your career development, as in the learning of computing in your study program, you will look at it critically and as professionally as you can. Think millions of eyeballs. That is the advantage of open. You can legally and practically do it. That is an advantage which is unmatched. Legal and practical. Designed for your advantage. Clean and simple. I fail to understand how you can logically argue otherwise.
Mar 9, 2007 12:00 PM pinroot says:

Enderle: "...Hardly a scientific sample but we've certainly seen it used for character assassination. If you look up my own page, you can probably see that is how a couple of folks tried to do that to me."

Me: Poor Rob, always the victim. You're always pointing out how anyone who disagrees with you is personally attacking you, how you're always a victim of the linux/apple zealot (or anyone who gets so tired of your biased viewpoint that they eventually 'go off' on you while pointing out how biased and one-sided you are). Now you want to compare OpenSource to Wikipedia. Unfortunately, that's only because Wikipedia has recently come under fire for the validity of some of its articles.

Enderle: "More to the point would be the accusations that it [Wikipedia] is being used to spread malware, which would seem to connect to code quality and trust. Open sure doesn't seem to be working that well in this case."

Me: Apparently you're talking about accusations that Wikipedia, not OpenSource software, is being used to spread malware, but the way you state it is misleading (or to give you the benefit of the doubt, maybe just confusing; after reading several of your blog entries, I think it's just that you don't know how to write clearly). I think I heard something about this, and as I recall, the target was Microsoft users (typically not known as OpenSource proponents). But I can't understand how you can make the leap from an open forum, Wikipedia, to OpenSource code. Maybe I need to keep reading...

Enderle: "...how do we know that 'open source' code is, in fact, being reviewed effectively by anyone? There are actually, compared to Wiki, very few people qualified to do such a review."

Me: Well, I think that this is just your opinion. State some facts that say that OpenSource code isn't effectively reviewed, and that the reviewers are (or aren't) qualified. Until you do, it's just your opinion, so quit stating it as fact.

Enderle: "If it is open, but everyone assumes someone else is doing the review (but no one does), isn't it the same as being closed? If you have an open window but no one looks through it, is it actually any different from a wall? (Now, you have to admit, that at least sounds deep.)"

Me: Wow... Rob gets Zen-like. Hey Rob, what's the sound of one hand typing? I still need some facts showing that Tom thinks Dick is reviewing the code that Harry is running, but in actuality, no one is. Because, here's something to think about. I'm working in an environment where someone writes a database app in MS Access. No one has vetted the code (which is 'open' in so far as anyone who has access to the database can figure out a way into the backend of it). How do I (or any of us) know what is going on with the code? No one is doing a review. Is it really open? I'm expected to accept it as is, yet I have no idea what's really in there (the code). And this type of thing goes on in companies all across the world. And by your reasoning, it's ok, we should blindly accept it, because it's not OpenSource(TM).

Enderle: "With open source, everyone seems to say that someone is looking at the code. But, in my experience, most who say this are not qualified to look at the code themselves and can't name the person they know that actually did the review. Granted, it is assumed that Red Hat and Novell look at their code, but then Microsoft looks at their code as well and this would simply be parity."

Me: The point is, the code is open to examination, by ANYONE. Just because I say that it's open for examination and I'm not qualified to examine it doesn't change things (as you would try to have us believe).

Mar 9, 2007 12:01 PM pinroot says:
You say that "Red Hat" or "Novell" look at their code, but it's not just these companies who look at the code. If their code is released under the GPL, then ANYONE who wants to look at it can look at it. Whether or not people actually do look at it is something else entirely. But in the case of a proprietary codebase, only certain people are privy to the source, mostly those who wrote it and no others. To use your example, it would only be parity if Microsoft offered up their code for public review (as Red Hat and Novell already do). Whether or not it's actually reviewed would be irrelevant.

Enderle: "It seems to me that open source is really only open if you, or someone you actually know, makes use of the capability. Otherwise, it really isn't that much different in use from a proprietary product."

Me: Yeah, it seems to you. You really have no idea what the basic concept of OpenSource is all about, do you? Either that, or you choose to ignore what many others have tried to tell you, as well as completely refuse to do a little research on your own and see just what OpenSource is all about. You'd rather remain proudly ignorant.

Enderle: "And given what is clearly an increased risk of folks sending out bad things that look like something else, maybe a little diligence would be wise with open source regardless."

Me: I have no idea what you're saying here. The link actually takes you to a site which talks about people downloading an illegal key for Vista which actually turns out to be a trojan. What does a trojan aimed at people trying to pirate proprietary software have to do with OpenSource software?

Enderle: "Of course, it's not as if malware were on the rise with Linux, right? Oh wait..."

Me: This is what Rob is pointing to (but read it all to get the complete story): In a report titled "2005: *nix Malware Evolution," the Russian antivirus software developer pointed out that the number of Linux-based malicious programs -- viruses, Trojans, back-doors, exploits, and whatnot -- doubled from 422 to 863. Numerically, that pales compared to the 11,000 Kaspersky found for Windows in the second half of 2005 alone.

Enderle: "And, if you can't read source code, then what real advantage is open source for you?"

Me: OpenSource code is out there for anyone to read. If you can't "read it" or understand it, you can at least find someone else who can. Using your logic, Rob, I can't read proprietary code, so what real advantage does it have for me?

Enderle: "I'm not saying don't use open source. I'm simply saying that if 'open' is a condition, then make sure it really is an advantage."

Me: Amazing. This is the one point where I agree with you. Too bad that you buried it down in the end, where most people who might have agreed with this point (but none of the rest of what you have to say) would have completely missed it. Fortunately for you, it gives you the opportunity to say that no one listens to you, you're a victim and all sorts of other pitiful stuff (poor Rob, the victim of the OS 'zealots').

Enderle: "For most, I think, open is simply rhetoric and, if that's true, we either need to change that or stop talking about 'open' as if it really means anything."

Me: Ah, back to the BS. OpenSource is rhetoric (unlike the crap you spew) and basically if 'Open' doesn't mean what Rob (and his clients/supporters) wants it to mean, then we need to abandon it. Sorry Rob, I don't think it's going to go away just because it doesn't fit into your and your clients' narrow worldview. It's going to take more than your FUD to make it go away.

pinroot@gmail.com
Mar 10, 2007 1:48 AM Rob Enderle says:
I keep hearing these broad assertions of millions of eyeballs reviewing code. But most know there aren't millions of people qualified to do a review. And we also know that even when people are paid to do code review they as often as not don't do it, primarily because it is rather dull. Recall when SCO first came out and said there was UNIX code in Linux. A good number of these eyeballs said absolutely not, even though there were lots of lines of code that were commented that were pulled directly from UNIX. We later found out they were in the public domain and it was OK for them to be there, but the fact no one seemed to know they were there suggests no one was reading the code, right? If you ever read Japan Inc. you would know that the only way to assure quality is to have named people responsible for it. The problem before that was everyone owned quality, and when that happened no one actually owned it. I think that may often be the case here. People do assure the distros work properly, but there are nowhere near the number of eyes specifically looking for problems as there are looking at Windows. Look at all of the security firms working this. When they do look at Linux they seem to find problems, suggesting there are problems unfound. So, all I'm saying is, if Open Source is important you probably should assure that someone you trust has actually looked at the code. Otherwise there is no way of really knowing if anyone did. You just have faith, and religion and software don't seem to mix well.
Mar 10, 2007 3:45 AM Rob Enderle says:
You missed the point. The point was if people don't actually need or use the "Open" part then, to them, "Open" really doesn't matter and it implies a benefit that may not exist for them. It would be like buying a convertible car if you never intend to put the top down. What's the point, and wouldn't that change how you made your choice? What prompted this was the sense that way too many people on the Open bandwagon don't seem to have the skills needed to review code. And, even those that do don't actually review it. If that's the case, if you neither can nor will actually look at the code (nor check to see if anyone else did), then what real meaning is Open to you? That was the point, not whether you could but whether you would look at the code. If you never open or look out of a window, isn't it kind of a weak wall?
Mar 10, 2007 5:37 AM Mikeal says:
Every major open source project does peer code review, without exception. There aren't "Millions of eyeballs" but at least one person reviews every line of code, and code is usually revised a couple of times before commit on EVERY major open source project. It's just a fact. I actually work on open source projects and can attest to this. Even when you have commit access you don't commit before peer review on a major FOSS project. You obviously don't know what you're talking about and are making broad assertions. You are absolutely right about code review not happening when people are "being paid", and having worked in corporate environments I can attest to the fact that code review doesn't happen for every checkin in proprietary software. But FOSS projects are different, and rely on collective knowledge, so they all have stringent policies on code review. The "Open" part is for those that care and wish to contribute, and that openness is what produces better code, hands down, than what comes out of places like Microsoft. I can attest to this, I've worked in proprietary and FOSS and code quality is much much higher in FOSS. The quality of developers in FOSS is much higher than most proprietary projects, it's just a fact that anyone who's actually worked in both environments knows. Sure, not everyone USING the product has the ability to do code review or develop on the project, but the small percentage that do have that knowledge and decide to get involved have to write code up to the standards of that project. IF you're going to continue to talk about open source please stop making assumptions and do some actual research or interviews with anyone who works in the field you're discussing. This is getting absurd and you're continuing to discredit yourself.
Mar 10, 2007 9:11 AM Rob Enderle says:
But who audits this? If you've worked in a software company you know there are typically policies for management review and QC review. But, you know stuff gets through both even though both levels are compensated to do the review. In many cases now there are also peer reviews, and you also know they aren't always done. With FOSS there are likely instances where this works and where it doesn't. It can't always work, but we don't seem to know how often it doesn't. As far as I can tell no one actually knows and, if true, this means no one is looking, and if no one is looking.... One final question: if "at least one person" reviews the code, how do you find out who that person was? If I pulled a line of code at random, could I tell who reviewed it?
Mar 10, 2007 12:11 PM Solvalou says:
Open source is closed, HOW? After reading the article it still escapes me. You assert that open source may not be reviewed and those reviewing may not have the required credentials. Sure thing. But Open source doesn't mean "Software that gets millions of eyeballz over it written by 1337 gurus". It means the source is available. If you attack a fringe representation of it, and you think you've attacked the whole concept, you're deluding yourself and making readers lose their time over your posts.
Mar 11, 2007 6:28 AM Paul says:
Quoting from Mikeal: "The Open part is for those that care and wish to contribute, and that openness is what produces better code, hands down, than what comes out of places like Microsoft. I can attest to this, I've worked in proprietary and FOSS and code quality is much much higher in FOSS."

You see, this is what I find disturbing about Open Source zealots:

1. They are all cast-away super-heroes and only want the good for mankind
2. They fight the evil villain Microsoft
3. Their code will save the world
4. They have never even seen Windows being developed but somehow just know how unreliable all those Microsoft employees are, and just can't do their jobs properly (but somehow ended up with 90% of the market)
5. They conceal their identities to better protect mankind, but we should just trust what they're telling us
6. Their code is just perfect
7. Their arguments are based on all 6 reasons above, thus they are vastly superior in opinion

Open Source is just another way of making money, hence open to all ramifications of human behaviour and error, including negligence.