Domain: egovos.org
Stories and comments across the archive that link to egovos.org.
Comments · 26
-
Here's some info that may help...
Take a look at http://www.dwheeler.com - in particular, Open Source Software and Software Assurance (Security) and Why OSS/FS? Look at the Numbers!.
As you already know, this claim that "anyone can edit the open source software" is nonsense. They're conflating editing a file with getting that file into the supply chain. Anyone can edit a proprietary program, too; just open up a hex editor and start modifying. The issue is, can a malicious attacker modify the program AND get their changes into the binary you end up with? This isn't easy at all in the major OSS projects (the kind your company is likely to consider). Any OSS project has some kind of "trusted repository", the "official" version that people pull from. For a change to get into your system, the trusted repository has to be subverted AND not detected later. We already know of an attempt to subvert Linux that failed, so it's not as easy as they think it is. If they are REALLY concerned that they "don't know what the binary is", then get the source and recompile it.
Don't expect proprietariness to save you. Indeed, because the source code isn't being widely examined, any malicious code that gets in will be more difficult to find later.
The U.S. Department of Defense's policy is to consider OSS equally with proprietary software, as does the entire U.S. government. In fact, the U.S. Department of Defense heavily depends on open source software, and they almost certainly have more stringent security requirements than your company.
If a company can't handle technological shifts in information technology, they risk their own long-term survival. OSS is now mainstream and widely used. -
The Mitre corp told them this in 2002!
In fact, Mitre told them that they were already using FOSS so much that "...banning FOSS would have immediate, broad, and strongly negative impacts on many sensitive and security-focused DoD groups to defend against cyberattacks." (Quoting from the executive summary)
You can read the whole thing here. So, it's taken four years for the DoD to finally put in place an official policy encouraging the use of FOSS when the guys in the trenches have apparently been doing so routinely for about a decade. Typical. :) -
Re:it never ceases to amaze me...
How many government officials here in America could you actually convince to launch a campaign promoting free software? Not many, if any.
Such a campaign has already been launched, take a look at eGovOS.
I don't have any hard numbers on this, but I would not be surprised if the American government money has sponsored more open source code and standards than any other country if not all of them combined.
-
What is FLOSS ?
What the heck is FLOSS ?
There was a 2002 paper published by the Mitre Corporation that used the term "FOSS", meaning "free and open-source software". As far as I know, this was the first use of the term, but it may go back a bit farther than this.
I don't, however, have any idea what "FLOSS" is supposed to mean. Assuming that it isn't related to dental hygiene, what is it supposed to stand for ? "Free {Linux, liberty, low-cost} open-source software" ? Just a nonsense corruption of "FOSS" ?
The closest explanation I can find is this blog entry by David Wheeler: "Free-Libre / Open Source Software". Is this really what people are trying to say ?
-
Re:You're missing the point of gov't adoptions
Steve Ballmer spoke at a recent Air Force conference that I attended. He let us know that the U.S. Air Force is the single largest customer of Microsoft.
You do know that the US Government is the largest customer for just about EVERY vendor. Right?
If you want to see how the government is looking at non-MS solutions you should attend eGovOS next year. www.egovos.org
-
OSS Reference: add your gov-relevant project
For submitting a new listing (free) for the next edition of the book, go here.
-
Irony
If you view the html source on their web page you'll see they used javascript.
Isn't javascript proprietary? -
Runs on Zope
The egovos.org site is powered by Zope. Let's see how she stands up to a Slashdotting. Any bets?
-
It's not just U.S., from the look of it...
From http://www.egovos.org/about...
The Center of Open Source & Government works with governments around the world on Open Source policy and strategy. -
OSS Policies - here are some useful links
I think you'll find these useful:
- Why OSS/FS? Look at the Numbers! has lots of quantitative data showing that you should consider using OSS/FS. The whole thing is long; Why OSS/FS? Look at the Numbers (presentation) is useful as a short presentation of the info.
- The MITRE report on OSS use in the DoD shows that OSS is already being widely used there.
- On May 28, 2003, the DoD issued a formal memo placing OSS/FS on a level playing field with proprietary software, without imposing any additional barriers.
- If you want to reference guidance on how to evaluate OSS/FS, see How to Evaluate Open Source Software / Free Software (OSS/FS) Programs.
- Although it's from a government view, you might find this presentation helpful: What Should Governments Examine in Acquiring COTS Open Source Software (OSS)?
Hope those references help.
-
OS/FS in gov eGovOs.org
Hi Cliff,
One of the better groups of people on this issue can be reached starting at http://www.eGovOs.org.
egovos for eGov Open Source, naturally.
The people there are also responsive, like, if you ask them a question they answer this century.
Have a good talk.
-
Interesting
Looks like the Department of Defense has actually given the nod to open source - or at least recognized its existence.
-
Two sites...
Two sites to check out are egovos.org and this one at netaction.org. There's also the other side.
-
Re:Be careful about Tony Stanco.
Um... no.
bzzzttt
Thanks for playing, here's a lovely parting gift.
Tony Stanco is heavily involved in government & computing issues, most notably the push of Free and Open Source software. And, he's been pretty successful at it. I'm guessing that since you are posting this as an AC, you may be affiliated with one of the opponents (e.g., Microsoft, BSA) of his efforts.
Here's his official bio snippet from freedevelopers.net, a group he also founded:
"Tony Stanco is the founder of FreeDevelopers.net, an international `CommunityCompany' for the development of GPL Software with members from over 50 countries. Before starting FreeDevelopers, he was a senior attorney with the Securities and Exchange Commission, Internet and software group, in Washington, DC. He has a LL.M. in securities regulation from Georgetown University Law Center.
Recently Tony was appointed as a Senior Policy Analyst at the Cyberspace Policy Institute, George Washington University."
I don't know Tony aside from what I've read by and about him, but I definitely like him based on that. I believe he brings much needed non-geek perspective to the community when it comes to policy issues and FOSS.
You FUD monkeys will have to do better than this. Who watches the watchers? We do.
:-) -
Re:Not the same memo
The dipshit that posted the article linked the wrong doc. Here is the right one: http://www.egovos.org/pdf/OSSinDoD.pdf
-
useful link
link to ACTUAL pdf that we're discussing, not the second one referenced by the headline...
http://www.egovos.org/pdf/OSSinDoD.pdf -
What I'd like to know...
What I'd like to know is why does an organization that sets United States federal technology policy guidelines post their policies on the web by scanning a paper document into PDF format! So we can all see a facsimile of John P. Stenbit's signature?!
-
strangely quiet
On the theme of strangely quiet...
I notice that the Infoworld article is 3 days old, but has not once been linked to from the start page. However, reviews of Microsoft products are, minus any critique of DRM- or Software-as-subscription- issues. Likewise for ZDNet and other sites. BYTE, perhaps, was getting a little too independent in its columns and is no longer available online.
Even with primo product placement and censored product reviews, we're still heading towards a tipping effect where Microsoft will disappear as a relevant player in the world's IT sectors.
F/OSS has been responsible for most of the Internet and Web. The bursting of the dot-com bubble coincides with the short rise of the new-comer Microsoft, which has focused on growth through acquisition rather than innovation and on marketing rather than technology. Perhaps with the disappearance of this last dot-com pyramid scheme, we'll see new growth or even a small boom as businesses go back to what works.
-
Slashdot effect protection
Is The 'Soft Going Soft on Open Source?
By Mary Jo Foley
Microsoft's newest shared source license seems to be inching closer -- at least in spirit -- to the GNU GPL.
The open-source faithful have been harsh critics of Microsoft's shared source licensing plan and justifiably so. They have claimed that Microsoft has attempted to ride the coattails of the GNU General Public License (GPL), while simultaneously slamming the GPL as contaminating everything in its path.
Even some of Microsoft's own employees, such as David Stutz, the former Microsoft manager in charge of Microsoft's Common Language Infrastructure (CLI) Shared Source program, have expressed frustration with Microsoft's licensing rhetoric.
One More Time: Stutz's 'Sanitized' Goodbye Note
But is there a case to be made that Redmond is slowly but surely learning from its past mistakes?
Exhibit No. 1: Instead of trying to blur the lines between open source and shared source, this week, Microsoft is presenting (against a back drop of open-source protest) its shared source program as an "alternative" to the GPL at the Washington, D.C. e-Government pow-wow on open standards and open source.
Check Out the e-Government Agenda Here
Exhibit No. 2: With no fanfare, the company recently has added a new shared source licensing option to its stable that removes some (but definitely not all) of the more onerous licensing clauses from Microsoft's contracts.
The new license -- called simply, the "ASP .Net Starter Kit License" -- is much streamlined and simplified, weighing in at a single page in length. Under the licensing terms, developers and users are permitted to download the ASP .Net Starter Kit source code for free, to develop on and around the code and redistribute it, commercially or internally, without paying Microsoft any royalties.
ASP .Net Starter Kit licensees do not need to return to Microsoft any changes they make to the code, Microsoft execs say. Under the GPL license, developers are obligated to submit back to the community any changes they make to the code base.
But don't start thinking that The 'Soft has gone soft on open source. There is wording in the ASP .Net Starter Kit license that prevents developers or customers from GPLing the Microsoft code, according to Microsoft execs.
"You are not allowed to combine or distribute the (ASP .Net Starter Kit) Software with other software that is licensed under terms that seek to require that the Software (or any intellectual property in it) be provided in source code form, licensed to others to allow the creation or distribution of derivative works, or distributed without charge," reads Microsoft's new license.
For the Whole Text of the New License, Click Here
What's your take? Do you think Microsoft is genuinely interested in adopting some of the positives from the open source model? Or is the company hiding behind seemingly more liberal terms and conditions? Write me at mswatch@ziffdavis.com and give me your two cents.
-
Re:Microsoft?
I don't know about the exact text per se, but the Microsoft speaker today at the Open Source in eGovernment conference in Washington DC did refer to the ASP license, that it was less than one page, and did allow users more freedom with the code, specifically the ability to use the ASP licensed code in their own projects.
-
Short-cut to the policy papers...
For anyone that missed it, the original MITRE report is here (this basically started things going) and the rebuttal paper from the Initiative for Software Choice is here.
Again, for those that missed it, the Initiative for Software Choice, though at an 'org' is funded by MS and others of the big software makers.
The response paper goes through quite a bit of trouble to label the GPL as a viral license and the resulting dangers as well as going into how giving 'preferential' treatment to open source will hurt the software industry (monetarily) and the government (by cutting off choice).
They definitely try to do a nice 'turn around'. Open source is hit as not being any more secure than commercial software, that the GPL (specifically) can/will pollute developed works and that the policy change is not only not needed but will deprive the government of choice and the ability to select the best software for a given job.
For completeness, the cnet article is also here. -
Openchallenge
We strongly encourage Open Source companies to submit proposals, since government officials at the last conference were particularly interested in the Open Source companies, Zope and DevIS, because they provided examples of Open Source solutions that the government could buy
I have been in direct contact with eGovOS too, but mentioning Openchallenge here as well cannot harm. We are trying to make this work for public authorities as well - the more the merrier :). We have already got some positive feedback:
"I congratulate you with the practical and inspiring approach taken by Openchallenge. It is interesting that this scheme both stimulates the release of open source software and is also operated by people within the open source community itself. Perhaps such a "challenge posting" scheme is also of interest for public authorities to promote open source development." -- Erkki Liikanen, European Commissioner for Enterprise and Information Society
...just contact us to discuss more and get things going :) -
Workstation != Server/infrastructure
One of the issues spun these days is Workstation versus server. People have been using and relying on Free Software and Open Source Software for decades (long before either of those names). They're still doing it, especially for mission critical services.
However, the enormous ocean of novice users created in the late 1990's is not producing more than a trickle of learned users. These novices are easy marks for sales teams because of their inability to tell the difference between workstations and infrastructure.
-
A few comments
You can find the original MITRE 2002 report here.