Slashdot Mirror
Industrial Strength Open Source Code?
dnnrly asks: "I work for a company that writes software for the pharmaceutical industry. We have to work in quite a tight regulatory environment because some of our code ends up in the process of drug testing. Seeing as the FDA are quite picky about making sure that there can be no errors in testing new drugs, our clients have strict rules that we must follow for coding. We have to review all of the code that is written, making sure that everything is traceable to a design specification. Where we use 3rd party software/code we have to make sure that it comes from an ISO9000 source. This is a bit of a problem when we would like to use open source stuff in our code. Projects like log4net and NUnit would be tremendously useful in our code but we're not allowed to use them because they don't tick the right boxes. Now, *I* know that these projects (and others) are incredibly stable just because of the volume of use that they have seen but that isn't enough for some people. How can we certify such software?"
No offense intended, but an ISO 9000 source?
ISO 9000 just means the people that "certify" this have all their procedures documented.
I'd be much more interested in a company that delivered software that worked, and stood behind it, rather than a company that puts all it's time and effort into ISO 9000. Every time I hear someone asking for that, they're more interested in being buzzword compliant than anything else.
Man, oh man.... The next thing people will be saying is that the company mission statements actually make a difference.
"Seeing as the FDA are quite picky about making sure that there can be no errors in testing new drugs."
Simply import it into your own code base, and then review it as if it was written internally. Basically, learn it inside out, as if you wrote it yourself. If that is not legally sufficient, then the laws need to be rewritten since the lines they would be attempting to delineate would at this point be completely imaginary. It doesn't matter whose head it originates from, what matters is that it is fully reviewed and completely understood to the point where everyone on your team is prepared to stand behind the entire body of code. If that confidence comes from actual understand, it becomes irrelevant who wrote the code in the first place. How would it be any different if, instead, it was code written by somebody who no longer works at the company.
...
You need to get the kind of people involved who can statistically show that particilar software approaches lead to less problems. Otherwise, you're stuck with the expense NASA goes to in writing software.
Could you, for the purposes of certification, take ownership of the libraries you want to use? By "take ownership" I mean either a) acquire, or b) create the necessary design documents for the libraries, then code review them as you would your own code.
ISO9000 just means you have documented procedures and you track the steps you take when you follow those procedures.
You shouldn't even need to go to the lengths of merging the code bases.
Document the procedures for auditing and verifying external software to the standards of your internally written software, create an ISO9000 process for tracking those procedures, and follow them.
This brings to mind a conversation I had the other day.
;) These people cost money. And it's one thing to freely dedicate your time to devlopment, but it's quite another to freely donate large sums of personal money.
I think the main reason that (F)OSS is still having trouble competing (despite the widespread acceptance amoungst industry experts) is because of budget.
In this case, the budget to get a piece of software properly certified.
There are many aspects of creating software that require non-technical administrative personell to handle. I don't remember ever hearing about OSA (Open Source Accountants)
It is truly inpspiring that so many can work together so well towards a common goal, and it is truly stunning to take in the vast amount of software available which is written pretty much completely philanthropically.
But the problem is that few actually get paid to do this, it is done in spare time.
In my conversation I wondered how else software writers could make money, besides the tried and tested subscription and serial-activation systems in widespread use today. How else could programmers, who are doing some of the most mind-bending, skillful crafting of any career, get compensated for their work?
Wouldn't it be great if AMD, Intel, ASUS - or indeed any large electronics manufacturer - would offer up a pool to develop software?
The trick would of course be that the software should of course be standards compliant and thus run even on competitors hardware. But maybe AMD could have a certification that says, "written for and extensively tested on AMD hardware".
Software seems that it should be freely available - it just seems the nature of all information in general - but there is that problem that the programmer needs to make money.
It just seems to me that logically the consumer should buy the hardware - the physical, tangiable thing - and that it should be up to the hardware manufacturers to make hardware as a whole more useful.
Here's the irony in my eyes - right now hardware manufacturers pay Microsoft in order to get a little sticker that says "built for Windows XP".
This doesn't seem right. It seems totally backwards to me.
It reminds me of a quote from "V for Vendetta": "People shouldn't be afraid of their governments, governments should be afraid of their people."
In other words, "Harware manufacturers shouldn't be beholden to the software companies, software companies should be beholden to the hardware."
The fact of the matter is that I just wish that after I pay $2,000 for my nice new system that it would run right out of the box. Macintosh is close - but I would have the added stipulation that the software on any hardware system be standards based so that I don't have a Dell OS, IBM OS, HP OS, Alienware OS...etc.
These are just thoughts, and I understand that there are many counterpoints.
My Computer Music Tutorial Videos
I have a fair bit of experience on the medical device side, not pharma - but they should be somewhat similar.
The FDA has standards for validationg COTS (Commercial Off-The-Shelf Software). ISO9000 is useful, but not necessary for FDA "stuff". For example, I don't think that any OS (Windows, Linux, etc..) is ISO9000 compliant, but your software runs on it, no? How could that be if ISO9000 was mandatory?
It seems to me that, for the FDA to be happy, you'd need to run some sort of reasonable validation of the COTS software, based on how it's being used; write a set of requirements, write a set of tests that prove that those requirements are met, and go to town. It would be good to recognize in the FMEA (Failure Modes and Effecta Analysis) that the COTS software probably has somewhat of a chance of failure - but then, the FDA (at least on the device side) has already announced that you must assume that software will sometimes fail, no matter how it's been tested. Finally, be exacting about audit trail - versions used, how things were built and installed, and so forth.
If your customer insists on third-party code being ISO 9000, despite the FDA not requiring it, then you're SOL. However, that requirement just doesn't make sense, unless they are not using an OS to run their software on (as described earlier).
Good luck!
I'm not familiar with this software nor their licenses, but can't you just take a build of their software, fork it off as your own build and start treating it as internally made software? The greatest expense would be then certifying that first build.
"In my conversation I wondered how else software writers could make money, besides the tried and tested subscription and serial-activation systems in widespread use today. How else could programmers, who are doing some of the most mind-bending, skillful crafting of any career, get compensated for their work?"
If "Well, I never would have bought it anyway" is a valid answer towards those who expect monetary compensation. Then "I thought it was free" is a valid answer towards those expecting other forms of compensation.
1. We have to review all of the code that is written, making sure that everything is traceable to a design specification.
2. Where we use 3rd party software/code we have to make sure that it comes from an ISO9000 source.
Since it is "open source" wouldn't just #1 apply? I think #2 would only be if you can't review the source, or do you guys get that privledge at that level?
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
ISO9000 means one thing:
"but there is that problem that the programmer needs to make money"
OK
open yellow pages
notice businesses A to Z
notice computers and software used in most of those businesses
pick one, lotta choices, find some business you really could like
get job there
use software and your computer skills to make money in that business, for that business, whatever that is
you have now "made money with software" If you get to program some and you like it, cool. If you have to wrangle some machines around and do cabling, cool. Whatever. You are a computer guy, but maybe you might have to do other things as well-who cares?
there is no need at all to try and be a "pure" software company,or a "pure" programmer 100% of the time, in fact, it's becoming a dinosaur and there is right now 50 million people on the planet learning how to code, with another 100 million (whatever, some gigantic number that is rising fast) waiting in the wings. It is transforming from leet into ordinary. Ho hum stuff. It is not 1980, it is not the time when only a few thousand people knew how to code. And we have a ton of good code out there now to use. It has become diminishing returns really for most projects. How many different ways can you add up numbers, enter text in a paragraph form or arrange graphics on a page anyway? This should be a *clue*.
The real world has real work to be done, software is a part of it,but don't try to force it to become all of it, especially with the Free and free stuff. Take advantage of it to go do some real work, don't make the software the work. You can use a hammer and saw to work and build stuff, or sit there all day long and polish the hammer and file down the teeth on the saw, admire how pretty it is, tweak the set this way or that by one degree, etc,and wonder how to make money doing that, but it really is better to just go build something with the tools. Occasionaly you may need a little polishing and filing, but for the most part it just might de-evolve into a lot of non productive busywork if you fixate on that.
So, don't imagine that this is going to be an easy one. Open Source projects by IBM might be easier to get past the Great And All-Seeing (but definitely not all-knowing) Pointy Haired Bosses - at least some will be familiar with the phrase "nobody ever got sacked for buying IBM" and may even still believe that. Some of the Apache projects might be workable, provided you use the line of reasoning that since Apache is listed on IBM's website as a project they are working on, it is covered by the "nobody ever got sacked for buying IBM". You don't have to tell them that IBM is only one member of a large consortium, and it might be better not to.
Some projects were connected to IBM and other major corporations but are now independent. Postfix is an example of that. I believe evlog (Enterprise-grade event logging for Linux) is also such a project. Speaking of evlog, I would DEFINITELY suggest using it in any commercial or Government setting. It's not that good and Linux has plenty of other security, but "Enterprise-grade logging" is mandatory in many cases and this provides it. It ticks the right box, even if it doesn't do a whole lot more for you. It's a pure CYA and nothing more.
ISO 9000 (or later) compliance is probably the toughest requirement, as it stipulates documenting the process and activities, where the level of documentation depends on how critical the project is, and Open Source projects have neither that type of documentation or any real concept of criticalness as components are freely reusable. Your best bet is to work through vendors that are themselves ISO 900x certified AND supply either the Open Source OR the links to those projects, then argue that by documenting the use of a project that comes from an ISO 900x certified source, you inherit the certification indirectly. Some bosses will buy that easier than others and depending on the structure of the organization, you may have flexibility on who you present the case to. If so, shop.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Logging software is part of the product. Testing software isn't (though it likely is much more important.) I am damn near certain that there is no regulation that would affect the software you use to test your software. (Think about it. If that was the case the FDA would have to certify that Windows was built according to process blah, blah, blah, and that, mercifully, has not happened.)
But it's not the compliance budget, as you say.
It's the fact that the license cost is zero that works against open source.
Huh?! Yeah, I know, that's hard to understand, but stay with me.
Think about it from the POV of whatever the "head of IT" is called in your company.
What's going to work for him come new job time? What will most qualify him for a "step up" in his career?
In one sentence: the size of the projects he's run. How is that size measured? Budget.
So there is zero incentive for "heads of IT" to go open source. That just reduces the overall size of project budgets, and reduces their standing in the pecking order the next time a sweet job comes up.
"I managed the implementation of a $20million project to replace the finance system." The interviewer will probably be further impressed if that sentence is followed up by "I decided on Big Brand Name X" especially if the interviewer has seen expensive ads for that brand name on billboards in airports.
Be nice to think that people were making technical decisions on the grounds of techincal excellence, or suitability for purpose, but that's an idealistic dream. People make decisions based on "what's best for me", and your head of IT is no different.
All the code that goes into your program must be certified and follow the coding rules.
But must all the tools? Is your compiler? Is your IDE? I'm not sure that all the supporting infrastructure needs to be held to the same standard as code that goes into the final build. IF a tool finds a flaw, is that flaw somehow not a flaw if the tool is not certified?
My Karma: ran over your Dogma
StrawberryFrog
Philanthropically? Um. no. Free and Open Source software is written because the author needs it. They requre the use of it. By allowing others to use it, the author loses nothing, they are not losing their time because they needed the software in the first place and the effort to copy it is negligible.
Writing Free and Open Source software is just as selfish as any other act. Software which is written with high ideals, for the betterment of man will not succeed because it isn't fulfilling a need.
But the problem is that few actually get paid to do this, it is done in spare time.
Simply not true. A huge amount of free and open source development work is performed by staff developers who are writing software which their organisations need.
Software is called soft because it's maleable, it can be moulded to fit the needs of the users. It's highly unlikely that any piece of software would exactly fit the needs of all users so there is a market out there for the customisation of almost all software, with free and open source software it's particularly easy, there is a market for customisation, service, support.
If you are a developer thinking of creating software for the benefit of mankind or the open source movement... Think again, there's enough abandonware out there already. Do it because you need it.
p.s. Free and Open Source software isn't having any trouble at all competing, it's filling niches left right and centre, though you may not see it filling your niche right now.
Deleted
I think what he wants, is to import open source code directly, without extra testing and reviewing, under the premise that it's popularity is a good enough guarantee of quality.
For example, if I need a kernel in my ISO9000 application, it's obvious that the Linux kernel has infinitely better quality than anything I could develop in-house. In fact, it's better than anything all the "certified" software developers in the world, staked together, could produce. And that just goes to show you the real value of certification.
ISO 9000 mainly revolves around the procedures for developing the software being documented. Now, I may be oversimplifying things, but in the Open Source world, isn't *every* procedure documented, since the whole process is totally transparant?
I mean, you can *see* when the code was changed, you can *see* when bugs were fixed, you can see any QA that was done (if any)...
Shouldn't any Open Source product be able to get ISO 9000 certification, if they do the paperwork? I know that paperwork is *massive*, but if this guy's company wants to get NUnit certified, maybe his company could hire the consultant to do just that?
ISO9000 is just part of it, and ISO9000 audits are a joke. Right now I'm testing avionics code, tracability of requirements is of course big. To use a 3rd party tool in verification that tool must be verified to the same standard that the project is being verified against. So for Level C code, all 3rd party tools must be verified for DO-178B Level C, and for Level A projects, the tools have to be verified to Level A as well. There are various loopholes as well. To speed things up writing C unit tests for an embedded target, I wrote a test code generator. The reason my generator doesn't need to be certified, is the output still needs to be reviewed by a human. Since I'm only generating code templates, the tool generating that source does not need to be certified. If I were generating all the test code and not reviewing it, it would need to be a 'qualified tool' which means it needs to be verified. I hope that helps.
Do the necessary unit testing to make sure it fits your requirement.
I work as a software engineer for a company that manufactures an FDA approved medical device. We are ISO certified as well (for design and manufacturing). There are no restrictions on using open source software for FDA medically approved devices. We use Linux on our embedded single board computers, several of the boost libraries, and many more open source libraries. If you have restrictions using open source in your workplace it is most likely because your ISO certified design process limits open source use. The design process is defined by your company and certfied by TUV auditors for ISO compliance. The actual ISO 9001 documents that specify what is required for an ISO certified medical company is actually very light. Oftentimes companies make additional restrictions upon themselves for their ISO certified design process (usually some dipstick with an MBA and no engineering sense whatsoever, but doesn't realize it). For example, if someone (let's assume the dipstick MBA) at your company stated in your design process (prior to the initial ISO certification) that open source code cannot be used and the ISO auditors certified your design process with that exclusion, then your company is bound to that limitation (even though the FDA or ISO standards don't limit open source use). Bummer eh? Good luck. It's a shame you have to deal with those restrictions.
I fully agree with the parent comment.
o c517237928
And quoting from the document 'General Principles of Software Validation; Final Guidance for Industry and FDA Staff' at http://www.fda.gov/cdrh/comp/guidance/938.html#_T
The Scope section of the document refers to just this type of situation:-
'Where the software is developed by someone other than the device manufacturer (e.g., off-the-shelf software) the software developer may not be directly responsible for compliance with FDA regulations. In that case, the party with regulatory responsibility (i.e., the device manufacturer) needs to assess the adequacy of the off-the-shelf software developer's activities and determine what additional efforts are needed to establish that the software is validated for the device manufacturer's intended use.'
So - it is clear what the FDA wants - it clearly does NOT stop you from using Free/Open Source Software, it just requires you to use quality processes to ensure the software is verified / tested for your intended use - which you SHOULD anyway do, if want to develop INDUSTRIAL STRENGTH software.
--
venu
Nobody ever followed completely all the rules of ISO9000, everybody cheats to some degree even to the level where documents and actual development doesn't have anything in common. Do be ISO9000 compliant all you need to have the necessary docs.
If you want any OSS project be ISO9000 certified all you have to do is employ somebody who creates these docs. He doesn't have to actually develop all he has to do is create all the docs. Yet none of the actual developers have to change anything since what counts are the docs and nothing else. Just keep in mind ISO9000 does not show how the actual development is done, it only shows how it is documented. When you have realized this small but important difference you'll never fail any ISO9000 audit.
O. Wyss
See http://wyoguide.sf.net/papers/Cross-platform.html
It's like 'how do you certify a new drug'. Taxol is an extract from yew trees; in principle an 'open-source' pharmaceutical, you discover it growing, rather than synthesise it from first principles. It's rumoured to be useful in treating some forms of human cancer.
It doesn't save everyone; but it does extend the lives of some.
If you go through the steps of how that got FDA approval, then you'll understand a credible way of arranging approval for "open source code where you cannot control the origin"
Also, if you're depending on "other people's closed-source code", there will be a service end date beyond which you cannot count on using it. Service End Date for Windows98 has just passed; if you have medical equipment with Windows98 built in, now would be a good time to re-engineer it.
I worked in a similar company, and had similar issues. The thing to understand is that the FDA inspectors are not (usually) software literate. Therefore they have to follow a "tick in the box" attitude to the CFR 820 (which if IIRC is the relevant regulation). This is very frustrating because it completely ignores all the real quality issues, and yet if you don't tick the right boxes then you can wind up in court or have your company closed down.
Don't blame the individual inspectors, BTW. They are just doing the job handed to them.
The trick here is to find a way to satisfy the regulations. Get your quality department on side here, because they are the ones who actually have to justify it to the inspector, and its their jobs on the line if they don't succeed.
As for open source, you need to get it considered under the same rules as other "COTS" software. I don't recall the details, but basically you have to come up with convincing evidence that some kind of process is properly followed. ISO9000 is the cheat sheet for proprietary software because its evidence that something of the right sort is done and audited. Open source doesn't have that, so you have to do it yourself.
Start by writing down what a good open source project looks like. Take as much as you can from ISO 9000 here. Do they have coding standards? Show they are adhered to. Configuration management? CVS. Code review? Contribution policy. Defect tracking? Bugzilla, and cite statistics showing that reported defects get fixed. Most large successful open source projects can ace this stuff anyway: if they couldn't they wouldn't be any good.
For requirements you have to get a bit more creative. Is it documented at the user level (e.g. API)? If so then you can call that documentation the requirements document and show that the source complies with it. The fact that this documentation was written after the software is irrelevant from your point of view because you only need to demonstrate that the software is fit for purpose, and that the documentation shows this. Write this argument down and it pretty much covers you.
You might also run a code review of a sample of the software to demonstrate that it meets your normal quality criteria.
Obviously this costs more than simply saying "supplier has ISO9000". But if its cheaper than buying ISO9000 then its still the right thing.
Incidentally, when I was doing this (a couple of years ago) some FDA staffer talked to our Quality Dept saying that open source was random, uncontrolled stuff that should never be allowed near real software. Basically they regurgitated a load of MS FUD. Be ready for this, and be ready for your QA dept to recite it back to you.
Paul.
You are lost in a twisty maze of little standards, all different.
I think the problem that OSS software has is documentation.
... not because we really even care about license issues, but just because it would require more effort to document somebody else's code than it would just to draw up the documentation and have a programmer rewrite it. The former would require running our entire system "in reverse;" it would require a programmer to read the source code of the outside project and write a specification from it, which they're not used to doing. (I can almost see the objections forming right now.)
Namely, that there isn't any. And I'm not talking about end-user documentation here, I mean process documentation. Specification documents and all that. The kind of stuff that normally gets developed alongside code, in any commercial/industrial development methodology.
There is an unspoken assumption behind the OSS ideals, and this is that the program's source code is the only documentation that anyone should ever need. This, frankly, is not true. It might be fine for code that has an obvious purpose and scope, and for systems software, but it starts to break down when you get into business software. How are you supposed to know from the source code, what the business process is that a particular segment of code is designed to support? You don't. How can you tell if something is a result of bad coding, or an incorrect design? You don't -- unless the same person both understands the code and the processes involved.
While it might be a safe assumption in many OSS projects to have the same person reading the code and analyzing the processes, this just doesn't happen in the real world. You usually have different people (even different groups of people) developing the specifications and processes, and writing the software from those specifications. In many cases, the people developing the specifications don't have the background or knowledge necessary to read the code directly.
I've said this elsewhere, but there's a lot of resistance in the OSS world to writing specifications. I don't know if this is because most of the software is written by programmers in their free time, and these people detest structured methodologies because they have to work with them in their day jobs, or if it's just a consequence of the way OSS is developed, but we're starting to see problems -- it's very hard to merge free software, where the code is the documentation, into a workflow where you have distinct levels of docs, where the code is only the very lowest level of end-product.
It's not if the systems to maintain documentation alongside code don't exist: some sort of Wiki-type interface, which was kept up-to-date against a project's official sources, would do just fine, and go a long ways towards improving the usefulness of OSS. However, there's little motivation for most projects to go to that level of effort.
I really don't have a good solution; I just know that I work in a situation very similar to the OP's, and we don't use any OSS code
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The problem with doing your own audits of open source projects is that typically the open source project will have lots of extra bells and whistles and generality that your application doesn't need. It may also depend on various libraries that your application otherwise doesn't need. It may be very difficult to untangle the 20% of functionality that you actually need from the rest of the open source package. In the end, it may be easier to just write a "good enough" solution with only 80% of the features of the 20% you wanted from the open source package. If you write it using your internal libraries and coding standards it is probably easier to review and maintain as well, at least at first.
Of course, within another year or so you will have reimplemented all of the 20% of functionality you originally wanted from the open source software, and even more. The open source software will have advanced as well, but now you will be stuck maintaining a large codebase that still doesn't do as much as you could have had if you used the open source codebase originally.
It can be a tough decision.
Don't forget that you do have to do all these checks. As a pharma manufacturer I tell the FDA that I rely on CoAs from my vendors, but I rely on them only by getting samples from them, cross-checking their work, and then also cross-checking that on the raw materials that are actually used in manufacturing. And I check during the manufacturing process and after manufacture as well just in case!
But you can't reasonably do all this for, say, a whole O/S. It's just too big and too complicated. This is why you'll see medical systems (or avionics) running on LynxOS or Green Hills' OS rather than standard Linux, ITRON or eCos (though eCos is small enough that you could probably review it yourself too). Regretfully, some are starting to ship with Windows which I am sure has not been subject to the equivalent review.
So why am I so confident in saying this?
In other words I'm probably the only person on the planet who's been under GMP, under software ISO9000 and also been a free software developer.
I work in the Pharma industry as well, and have some experience with validated systems - along with the associated regulations. CFR 21 Part 11 is the pertinent regulation for any and all pharmaceutical data systems - whether used for clinical trials or other cGMP purposes.
In a nutshell, it says nothing about an ISO 9000 requirement - that's SPECIFICALLY your company's policy. I understand why, it's the same deal as Sarbanes-Oxley compliance - they use ISO 9000 standard as the benchmark on which they make their rules, so following ISO 9000 means you'll meet compliance guidelines for process documentation and control on your data systems. It's also used as the standard for physical equipment manufacturing for pharma use, so more than likely one of your Quality guys knows about that, and figured "Hey, it's software manufacturing, and manufacturing means ISO 9000! Done!"
If you're going to use open-source software, you'll need to demonstrate to Quality that you can meet the guidelines for CFR 21 Part 11. I apologize for missing the name of the person who posted saying "act like it's your code" - but they're right. The key is good change management practice. If you use it and the company that makes it doesn't meet your Quality standards, then you need to take the source, review it, compile it yourself, test it extensively with the other applications you'll use on the same infrastructure.
And, every time you upgrade, you'll need to diff the source, document it, and compile and test again. The real deal is that it's your own Quality group setting the standard here, the FDA just wants you to show you have control, and have taken every precaution to avoid negative impact. Good luck!
It's got the perfect goods for this particular discussion.
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
I don't have FDA experience but for industrial machinery, chemical plant safety systems, and the like, the standard followed is IEC 61508. Unlike ISO 9000, IEC61508 has various hard requirements for failure probabilities and measuring said probabilities. It also has specs like the highest possible reliability than can be assumed in engineering calculations for a device and what has to be done to mitigate failures. It occupies 7 binders on my shelf and provides the basis for how to develop systems that have a verifiably low chance of killing people. A fascinating intro to IEC 61508 is presened in the online edition of Embedded Systems Programming http://www.embedded.com//showArticle.jhtml?article ID=19201765
You could probably find a commercial software company that supports the open source software. For example, you can get support for many Apache products (HTTPD, Tomcat, Geronimo, Axis) from several vendors (HP, IBM, Red Hat, SourceLabs, SpikeSource, etc). And I remember seeing something about SourceLabs 'Certified Software', so maybe try them? S
Huh? What's wrong with a corporation to "give back" once in a blue moon
even if it's only with funding and supplying the man power for the certification of a
certain piece of OSS?
Why not guide your boss's thinking down that avenue and let the corp,
which is probably benefiting from OSS with a couple of hundred Linux servers,
give a little something back to "the community" ??!