Hello all. I'm doing a school research project on open source software, and I wanted to get you all's opinion of it. Where do you guys think open source software is going in the business world? Is it secure enough, or could piracy easily take place as a result of the open code sharing? Thoughts?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
macOS Thoughts on Open Source
- Thread starter AppleDev879
- Start date
- Sort by reaction score
This question doesn't make sense.
Open source means the source code can be freely reused. That's the exact opposite of piracy. So at a basic level, it's impossible for open source code to be pirated. You can't steal something that's free for the taking. [1]
It's also unclear what you mean by "is it secure enough". Do you mean "Is it free of bugs that can be exploited by malicious software to cause unexpected harm?" Or do you mean "secure" in the sense of being unable to be pirated?
If you mean the latter, then that doesn't make sense. If you mean the former, then there's a certain amount of evidence that having more people look at the code means more likelihood of finding bugs. Reality is more complex than that: not every line of code receives the same scrutiny, not every person viewing the code has the skill or insight to see subtle bugs, and not every bugfix is flawless.
[1] Although not falling under the general definition of software piracy, there are cases of software license violations that have been committed against open source software. Such as: the GPL or LGPL not being followed, credit/copyright info not being given, etc. To my knowledge, these have all been resolved in the end by the violating party eventually adhering to the stated license terms, without actually going to court or paying extor..., er, uh, monetary damages.
It will be roughly the same as it is now. Some businesses will find it useful for some products. Others not so much. Still others not at all.
In other words, if you were to do a general survey of open source software today, then the future (say over the next 5 years) will be roughly the same. Longer than 5 years out is just wild-assed guessing. To get a sense of that, go look at predictions from 5 years ago. Example:
http://www.pbs.org/cringely/predictions/bob/2006/index.html
There's usually a flurry of predictions made in late December or early January in most tech-oriented columns. Heck, a little over 11 years ago, we were all doomed, DOOOOOMMed I say, by the yawning chasm of the stupendous Y2K disaster. And it only a few years ago that Zune was going to crush iPods, Windows was soon to be in every phone, and Google wasn't being evil (well, only being evil in small but portentous ways).
There are a number of books on the subject, three of which I've read:
Free Software, Free People (Richard Stallman)
Just For Fun (Linus Torvalds)
Wealth of Networks (Yochai Benkler) - you probably need to cherry pick chapters/sections from this book
There are several kinds of uses, each with its own path:
- Internal system/tools/applications implementation - e.g., development systems/tools, CMS, OMS, Issue Management Systems, etc. - this is an example of a business using binaries of an open source project to conduct their business
- Commercial software implementation - i.e. leverage open source library / components in products which will be sold / made available to the public.
- Other uses....
The area which is messy is "Commercial software implementation" which requires careful identification of associated licenses and understanding of how it impacts the commercial aspects for the product. Finally, these licenses, even if compatible at a commercial level, do not do anything from a patent protection standpoint... so the company stills has the same risk, perhaps even a greater risk...
As previously stated, there is little "piracy" of open source code. I guess someone could co-opt the open source code, pretend it is theirs and release it with a different license, which seems like a form of piracy. I don't think that is very worrisome though.
Eric Raymond's Cathedral and the Bazaar http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar is another one.
B
Others have recommended books on the subject, and surely there are many other sources of information that would be appropriate. Are you also wanting opinions of "lay people" on the subject for your paper (lay insofar as many of us haven't published scholarly work on the subject, I'm guessing)?
As for where open source software is going in the business world, do you mean adoption of open-source software in business or the actual business of open-source software?
For the latter:
http://investors.redhat.com/releasedetail.cfm?ReleaseID=559647
For the former I can speak to specific experience of linux being used very heavily on the server-side, and to a lesser extent on the desktop. I also have experience with PostgreSQL being used as a backend for large applications. I'm sure others can provide anecdotal evidence of this sort of thing as well, though I don't know how worthwhile anecdotal evidence is for a paper.
As others have pointed out "secure enough" or "piracy..." isn't really an either/or question. The way you posed it doesn't make sense. You may want to rephrase it, otherwise people will just be guessing (as I'll do) at your meaning. If the question of security is: "Is open-source software more prone to attack because potential attackers can review the code themselves for vulnerabilities? Is closed-source software more secure because the code is hidden (security by obscurity)?" this has certainly been explored at length. You can search for discussions of open-source having the potential security benefits of "a thousand eyes" poring over it for problems, etc. I think the most interesting comparison would be a security review of a piece of software that is closed-source which is then made open-source. If testing/review of security problems is performed before the source is widely available then after the source has been publicly available for some time (allowing problems to be found/fixed) this would give you some interesting information. I don't know if such a study has been performed, but if i were writing a paper on this subject i would look for something like this.
As for the piracy issue, i'm not sure what angle you're taking on this. Are you trying to explore if the permissiveness of open-source software has a negative impact on the perceived value of software by users, leading to a decreased willingness to pay for non-free software? Hence their willingness to pirate said software will increase? If not, what do you mean by piracy? In general open-source software can't be stolen because it is already free. Generally it isn't considered piracy if open-source software is repackaged under a new license that violates the original license or some other license-related tomfoolery takes place.
You may want to narrow your scope, as the subject of open-source software is very broad. You probably wouldn't try to write a paper on the history of North Africa, unless you intended to write very broadly.
-Lee
Thanks for the responses. I'm sorry if I was unclear about piracy. I meant to ask: if source code was distributed freely between groups, could the software become less secure since hackers could see the code?
That's possible, but the opposite also holds true: a hacker might be able to see the code and say "Oooh, look, here's a vulnerability" -- but then, so can thousands of other developers who can then immediately fix it. The vulnerability would either be patched before the hacker could even exploit it, or as soon as the hacker makes his first move, people would begin analyzing the code and immediately discover the area of code that was exploited.
Generally open-source is probably more secure, exactly because hackers can see the code. For a comparison, look up the number of 'drive by' vulnerabilities (those that can infect a user's computer by just viewing a malicious webpage) in IE (closed-source) vs. Firefox (open source), and also Safari/Chrome (both open source, based on webkit). I'm sure you'll find the total number of security issues is higher for Firefox, but that there are more 'serious'/high-threat-level security issues on IE, and that they are not fixed as quickly. Also, nobody outside of Microsoft has audited the IE code and Microsoft may not disclose all vulnerabilities that are reported.
You should also remember that much of the code that under-pins OS X is open-source (pretty much everything except the GUI, really). Nearly all of the world's fastest super-computers run on Linux, which is open-source.
Software can't "become" less secure by being viewed; it already is less secure, whether someone currently knows this or not. And by "less secure" I mean "insecure" or "contains a vulnerability".
Your real question seems to revolve around the ease of finding vulnerabilities, not whether some particular code actually contains vulnerabilities or not. In that regard, I don't think lack of source code plays a big part in finding vulnerabilities.
These days, hackers (or security researchers, or QA and testing facilities) don't necessarily look at source code, even if they have access to it, in order to find vulnerabilities. Fuzzing and other attacks can be automated, and if a crash or other misbehavior happens as a result, the triggering pattern can also be captured automatically. In other words, hackers can find vulnerabilities simply by programming a computer to perform an attack, and waiting for the target to fail. Yes, skill and knowledge are needed to write the attack, to decide what data to send, how to change it, etc. That's where specialized knowledge and experience play a big role.
After a vulnerability is found, the hacker might look at the relevant source (if it's available), and work out what the bug is. Or if they don't have source, they'll just disassemble or decompile the failing code site. Disassembling the executable isn't really a big obstacle once a vulnerability has been found. Finding the vulnerability and then crafting an exploit for it are the harder parts.
One reason for not relying on available source is that the bug might not be present in the source code. It might be a bug in the compiler, in the optimizer, in the linker, in a shared library, or in some other component of the build process. It's also possible that the real bug isn't in the failing code at all. There could be a bug in unrelated code that overwrites data it shouldn't, leading indirectly to a vulnerability somewhere else, perhaps sometime much later.
http://en.wikipedia.org/wiki/Fuzz_testing
RE: piracy, it might not be possible to pirate OSS in the traditional way, but someone could still violate its license, e.g. selling GPL'ed software without including the source.
I'm pretty sure there was a recent case of Microsoft or a similarly large company using some open source component in their software but not distributing the source as required by its license. Unfortunately I can't quite remember the exact details.
I'm pretty sure there was a recent case of Microsoft or a similarly large company using some open source component in their software but not distributing the source as required by its license. Unfortunately I can't quite remember the exact details.
I'm sure you know, but to clarify - Safari is not open source, only the Webkit engine is.
I think a great case study of this is Angry Birds, which is built upon Erin Catto's Box3d libraries without attribution. While what they did may not be illegal, it certainly seems unethical to profit from someone else's work without following their license requests.
If you look around you will find that they do credit him now... especially after this event.
http://www.mobilecrunch.com/2011/02...ne-calls-out-rovio-for-not-giving-him-credit/
Last edited: