Shell's TechBlabber

…ShelLuser blogs about stuff ;)

5 cases where Open Source Software went wrong

Open Source Software (“OSS”) has drastically changed the way we work within the world of IT, or ICT as is the ‘modern’ phrase. And don’t get my article in the wrong way: OSS is a very important phenomenon and one which opens up possibilities which would otherwise have been fully out of reach. Take this blog: WordPress is basically an open source product, I’m convinced that the website itself is hosted using Apache; an open source webserver, the product is written in PHP which is an open source scripting language and I wrote most of this post offline using Open Live Writer. An, you guessed it, open source Windows application (based on Microsoft’s now abandoned Live Writer).

But unfortunately, as with all good things, there are plenty of people who claim that Open Source is totally flawless and something we desperately need all the time. Yet that is not always the case. So here are 5 cases where OSS went wrong…

5 – Sun Microsystems > double standards.

The Open Source movement has always been driven by freedom, but sometimes that freedom is a very one sided story which can even lead up to displays of sheer arrogance. Which is exactly what happened with Sun. Sun Microsystems was a company which really believed in the importance of open source software and freedom within the field of IT. In case you don’t remember them: Sun was the developer and owner of Solaris Unix / SunOS, the original founder of the Java programming language and they were also the mastermind behind the massively popular ZFS filesystem.

Instead of merely sharing propaganda Sun truly believed in their products and vision, and backed it up in every way they could. For example: the Sun JavaONE webserver was one their de-facto commercial webserver, also used by Sun themselves. Yet if you were an individual, or merely into open source software, then you were allowed to use this free of charge. I myself ran SunONE for several years and it was quite ahead of its time.

Unfortunately Sun also experienced the severe stubborness (and in my opinion also sheer arrogance) of the open source movement. Because Java was Sun’s key product they were determined to provide its source code and allow the community to extend on it. And they did… During the period of Java SE4 and Java SE5 the source code for the JDK could be freely downloaded. The only caveat: you were requested not to use it for commercial purposes, research and study only. However, you were allowed to build on it and create (and publish!) things of your own. That didn’t work too well with the open source community and for years Java got denied. According to them Open Source needed to be fully free, so also provide the users with the freedom to use the source code as they wanted, without limitation. Let me pull up a quote:

The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.

Yet the widely accepted GPL open source license also doesn’t allow you to take code, then use it in any way you want. You can’t use that in a project of your own which is using another license. Even if that license is an officially accepted open source license. So where’s the freedom in that? It plain out restricts me from using the source as I want to, but that’s all ok because this limitation is applied by an open source license. But the moment a company applies such restrictions then they’re limiting your freedom all of a sudden.

This even went so far that several Linux distributions pulled the original Java JDK (sun-jdk) from their repositories and replaced it with a crude open source variant (which wasn’t even fully compatible let alone useful). But this was all for the greater purpose. Of course, when Microsoft released C# as one of the languages within their .NET framework things became immediately different again: that was obviously Microsoft providing a Java rip-off.

Being determined Sun gave it their everything and in my opinion a little bit too much. Because we probably all know the end of this story: in 2010 they were taken over by Oracle, and that was basically the last we’ve seen of them.

Now, I’m not saying that their failure was fully because of open source, that’s nonsense, but the reason I explicitly mention them is because it shows that the open source movement can be just as stubborn and hypocrite as your average company. Sun were driven and passioned for open source, they even used several company resources (paid programmers) to help the FreeBSD project with porting the ZFS engine into the FreeBSD kernel. In case you didn’t know: FreeBSD is an open source Unix-like operating system, and one which – in my educated opinion – much closer follows the original Unix philosophy than any Linux distribution does.

4 – Blender > Programmers != End users

Blender is an awesome open source 3D modeler. It allows you to create 3D environments, render them and thus create some astonishing CGI graphics. And the best part: it’s totally free of charge. Unfortunately Blender’s learning curve is quite a steep one. For example: where everyone is used to using their left mouse button to click on an option Blender insist on using the right mouse button. And that’s but one example…

Now, one could argue that in order to learn a new program you need to be open to new ideas and developments. Although that is most certainly true Blender is one of many examples where open source developers chose to fully ignore existing and widely accepted standards and instead create a new one of their own. Sure, in Rome do as the Romans do. But even the Romans realized the importance and advantages of not re-inventing the wheel all the time.

Over the years “open source” has somewhat degraded in a huge collection of fractured standards where almost every bit of software is doing things “their way”. For example: there are several different Linux distributions and all of them are considered to be ‘Linux’, sometimes even using the same package manager (= a utility to install/remove software). But despite that fact there is often a huge difference in the way the same software package gets installed and configured. Configuring Apache on Ubuntu or Debian is a totally different thing, even though Ubuntu is actually based on Debian.

Another example good example of this is the Berkeley Database (“Berkeley DB”). They applied heavy changes between minor versions, often resulting in several versions being installed on your average Linux distribution. Not very efficient if you ask me…

More than often a programmer has totally different ideas about user friendliness and efficiency than an end user does. It’s a given: a programmer develops their own software, so obviously they’re familiar with the way it works. Yet that familiarity is also the main problem. Its easy to overlook inconsistencies if you don’t know any better. I’ve read this blog post so many times that it’s really not unthinkable that I overlook some typos. That’s because I’ve worked hard on it, I know several paragraphs from mind and what they should read. So when reading them I more or less have a certain expectation up front which can easily result in me overlooking the obvious.

Sure: this problem is not something limited to open source software. But this is a field where commercial software has an advantage: open source software is provided as-is, but companies actually try to earn some money. So they are per definition more inclined to ensure that their product(s) meets popular expectations.

3 – Bugzilla > Blind to reality.

Ever since e-mail became main stream we’ve seen a drastic increase in spam. In fact, I think it’s safe to say that people who don’t get any spam at all are a rarity or behind a very good spamfilter. So obviously you’d think that we all want the same thing here: making sure that the risks of people getting spammed are as low as possible. Yet that’s not always the case.

Bugzilla is, or was, one of the de-facto (open source) standards when it came to bug tracking. In case you’re not familiar with the term: it involves giving the users of a software product an easy way to report bugs, which can then be processed by the developers (or the development team) in their own way. This ensures that dozens of users can file bug reports without the risk of the developers to become overwhelmed. It’s a very good way to keep a good overview, which is essential when it comes to duplicate bug reports.

Unfortunately there’s one major caveat with Bugzilla: it insists of using an e-mail address as an account name. Not just that, originally the account name was shown in public by default, for everyone to see. That problem has been fixed overtime, right now you need to be logged in in order to actually view someone’s e-mail address, but yeah.

The reason I mention this is because it has taken the Bugzilla team 13 whole years before they finally acknowledged and addressed this problem. And even now, at the time of writing, this hasn’t been officially released yet. Something which I think anyone in their right mind would have understood and fixed right away.

So why didn’t they? Well, in my opinion for the same reasons as most software companies: why would they? As mentioned above Bugzilla has been the de-facto standard for years. Surely they knew what’s best for us, right?

Of course the real issue I’m addressing here is different: it’s often stated that one of the main advantages of open source is that anyone is free to use a product the way they want. Don’t like a project? Then simply fork it (make a copy project of your own) and apply the changes which you think are needed.

Now, that’s all fine and well with smaller projects such as (for example) a Minecraft plugin. But a project where dozens of different programmers have been working on is a completely different issue.

2 – Munich & Freiburg city council > OSS isn’t cheaper per definition.

A much heard argument in favor of open source software is that its freely available and because of that its use is per definition much cheaper than other, commercial, alternatives. Reality shows a much different example though.

What many people overlook is that for a company or organization time = money. Simply because the people working within those organizations usually don’t do this for free. And that means that efficiency is a very important subject. Well, I’ve already shown some examples above where certain – in my opinion very obvious – things don’t really go too well. And that also has its affects on acceptance and adaptation.

In Germany several city councils have really pushed the envelope and decided to fully replace all their commercial (often Microsoft based) software with open source variants. It made several headlines in the media. Now, several years later, many of them have reverted back to their old ways, but this time it more than often didn’t make the news at all anymore.

Now, in all fairness, there are (much) more factors to be taken into consideration than merely open source alone. For example: a friend of mine works within an IT team of a government division and their team was also persuaded to adopt open source software. How? Simple: the board of directors decided, without any team input, that open source was needed. And so they purchased (once again: without any warning or feedback) an x amount of RedHat Enterprise Linux environments and gave them to the team: “Please put this to good use.”.

People like to think in absolutes, but it doesn’t always work this way. Most of all I think one should not blindly focus on the type of software (open source vs. commercial) but instead concentrate on functionality. That should be your main goal.

Now, to use examples which I used myself: getting started with Blender to create a nice 3D Render is bound to take up a lot more time than using a commercial (“freemium”) alternative such as Daz Studio.

Of course that’s not saying that such a setup couldn’t work at all. But in many cases people don’t stop to think further than “it’s freely available”.

1 – Debian OpenSSL > Many eyes don’t always create more security.

Open source software is, according to some, per definition safer than commercial (‘closed source’) software because everyone can look at the source code and find flaws or inconsistencies. Many eyes provide for much better security.

And then we had the story of a Debian package maintainer who deemed it necessary to change certain aspects of the OpenSSL encryption software. Not just that: he applied changes to the very encryption engine itself. And as a result he actually created a severly exploitable backdoor. The problem was that he accidentally removed the randomizer function which resulted in every created key to become predictable.

Just for context: Debian is a very widely used Linux distribution, it’s even used as a basis for several other distributions. For example the popular Ubuntu distribution is a full decedent of Debian. We’re talking about tens of thousands of users (if not hundreds).

So why did it take 3 whole years before someone actually spotted this severe bug?

Simple really: because even many eyes can easily overlook the obvious. And just because a product is open source software doesn’t automatically mean that every user will also study its code, let alone understanding how all of that works in the first place.

But there’s more. Lets assume you found a major bug within a project, lets say the Linux kernel. Being right is also something completely different from having this recognized by others. And if you’re not very good with explaining your case then good luck convincing a bunch of die hards!

Open source software isn’t per definition safer than closed source. Quite frankly I can even argue the other way around: if a company gets hit by a severe back door in their software (or one which actually got exploited, think about Sony with their PSN hack) then this will hurt their reputation. And a bad reputation can result in less revenue.

Now, some will argue that because of that situation it’s often more beneficial for a company to keep quiet about it whereas an open source project will be more anxious to spill the beans. Although that might be true, fact of the matter is that in both cases there are no guarantees. Which is exactly what most open source advocates want you to believe: it’s safer, per definition.

But even open source has their monetary values to protect these days.

And that’s it!

Now, to counter my criticism I’ll also write a top 5 of specific advantages of open source software next time.

Advertisements

November 30, 2016 - Posted by | Editorial, TechBlabber | , , , , , , , , , , , , , ,

Sorry, the comment form is closed at this time.

%d bloggers like this: