What's So Precious About Bad Software?

David Gerard invites to read Carla Schroeder from Enterprise Networking Planet, who gets down to the real reason why companies want to keep their code proprietary, with examples. Quoting: "We are drowned in tides of twaddle about precious IP, Trade Sekkrits, Sooper Original Algorithms that must not be exposed to eyes of mere mortals, and all manner of silly excuses. But what's the real reason for closed, proprietary code? Embarrassment."

kinda true

[sdedeo]

As a scientist, I write a lot of code to do things that other people have already done. I sometimes think about "releasing" it -- informally, without a license, just on a webpage or something. But it really is embaressment that holds me back -- it's poorly documented, full of hacks, and basically inelegant.

I remember as an undergraduate suggesting to my advisor that I release my (actually rather pretty) code that I wrote to do general relativistic raytracing around neutron stars. His response? "People will not understand your code, they will misuse it, and then they will blame you when it gets them in trouble." You might expect someone who's doing raytracing around compact objects to not be so silly as to do something like that, but I think you'd be mistaken: I know I treat the few publicly available codes in my field (e.g., camb) with great disrespect, bitch all the time, and generally am part of the large community that makes it far more trouble than it's worth for the poor people who worked so hard on it.

Re:kinda true

[irtza]

I agree with your sentiments as well; however, I got over that sense of embarassment. I am not a computer scientist by profession. I write code to accomplish a task I wanted to do. The code is largely funcional, but may break around end cases or often has poor exception handling. Every now and then, I'll go back and clean some code up. I decided that there may be people who are willing to take this code and fix it up, or maybe somebody who can't program is looking for something quick and dirty to do what I have already done. For this reason, I released a substantial number of my programs as a single package on sourceforge. Some functionality is redundant to other projects, some is not.

Heck, I just realized I could recruit people here ;) if they are willing to help.

Re:kinda true

[letxa2000]

But what's the real reason for closed, proprietary code? Embarrassment."

Oh, please. That's got to be the goofiest premise I've seen in a long time.

Code is kept "secret" because the companies, rightly or wrongly, think it gives them a competitive advantage. Heck, some companies should be embarrassed about the appearance of their product, do you really think some suits care about how it looks on the inside? Does Coke keep its formula secret because it's embarrassed or because it wants to make its product harder to copy? Same goes for software.

Heck, many open source products are no beauty to peer into, either. The code is so nasty that the argument of "If you don't like it, you can fix or modify it yourself" is reduced to a smart-ass comment with no real validity. Modify that code? First you have to be able to understand the mess. Unless you've been responsible for the mess from the beginning, or have a lot of time to invest in figuring out the mess, good luck with that.

Re:kinda true

[Kadin2048]

Code is kept "secret" because the companies, rightly or wrongly, think it gives them a competitive advantage. I'm not saying this is never true, in fact I think it's probably the case more often than not. But at least in some cases, I've known/seen companies who have indicated a willingness to open-source their code -- meaning that they've thought about the competitive aspects and realize that it's not going to hurt, and might help, them -- suddenly drag their feet at the last minute, or spend months or years "preparing" to open-source their code. I think this is directly related to embarrassment over the poor state of their codebase.

I think there's a feeling that in order to open-source something, you have to have it all wrapped up in a neat little bundle, that you can't just take last Tuesday's CVS checkout and dump it onto a web server somewhere as a tarball, even if that's what the community really, really wants. (A dirty tarball today being better than a slick project and a wiki and everything in three years.)

I've actually seen this happen; you can get management on board with the OSS concept in the abstract, but when it comes to actually giving out their code, and they start feeling like it might make them look bad ... suddenly they clam up and come up with excuses. This is most apparent when the code being considered is abandonware or otherwise dead, and the only effect it could possibly have is to hurt a competitor; companies (and individuals) are paranoid of the damage to their reputation that messy code could have, particularly if lots of insecurities or design flaws are exposed.

Been there. Seen that. Got the T-shirt.

[thatskinnyguy]

Some of the proprietary code that I've seen is like a beater car:
-Held together with duct tape and bondo
-Only works by the hand of God
-Looking at it is an example of several works in progress from several different people

Yes. Companies that do that have a right to be embarrassed.

Then again, I've seen the other side of the spectrum where the proprietary code is "SOOPER" efficient and works better than any out of the box solution. Isn't that why you do things in-house to begin with?

Re:Been there. Seen that. Got the T-shirt.

[dc29A]

It is much worse than that in my opinion. I had to recode many parts of this ancient yet very important financial application. You wouldn't believe the horrors in that code. Goto galore, single threaded server components, buffer overflows and whatnot. However, that was nothing compared to the plethora of security deficiencies. Database root user with blank password for one. Absolutely no auditing. Everything sensitive transmitted in clear text. Insane amount of business logic bugs. If this company releases this source code, it closes shop next day because people would realize how insecure their software is.

Another application I worked on, had vendors dictate features and managers (without any technical background) gave us encryption routines. Worse than hacks, retarded XOR and shift routines that a 2 year old could crack. These same managers have used really badly coded RadioactiveX components made for browsers as a "high performance" server component. And of course they wonder why their servers can't take any load.

Embarrassment is probably a good reason why companies withhold source code, but I think it's more the fear of losing business over extremely shitty and insecure software is their primary concern.

Re:Two reasons...

[ShatteredArm]

I think #2 would be the major reason here. It's not just to hide "bad code". Why would you put all kinds of money and resources into your work, just to have someone else take it and profit off it after just a few tweaks? It's like asking, "Why doesn't Coca-Cola release their secret recipe?" Is it because it's bad?

Re:Two reasons...

[Unoti]

What's stopping them from compiling the important our-eyes-only stuff into an executable and putting the rest of the magic in a library which is released?

More improtantly, what's there to motivate them to do that? It's extra work for development, extra work for support, longer time to market, more risk of malfunction compared to just writing the code naturally. And what's the benefit? If I were managing a programming that wanted to do that, I'd ask him what the benefit is for this extra work and complexity, and if he didn't have an answer, I'd tell him to focus on what's important and get this product out the door without goofing off.

Don't forget NIH syndrome

[$RANDOMLUSER]

Then there's the Not Invented Here effect. Need B-trees? Don't buy a third party implementation, 'cause that costs money, and don't use an open source one, 'cause it's encumbered with GPL, just write your own b-tree library. Of course, it's not as pretty and bug free as the other implimentations, but it's OURS; and yeah, it would be embarassing to let other people see how crufty it is. I think this is one of the secrets of Java's popularity, most everything is built in already.

Re:Don't forget NIH syndrome

[fyngyrz]

It it were only happening with B-trees. I have seen projects that even ignored libc, and had their on memory management, special logging and tracing routines

We have our own memory management; we do it because it allows us to ensure that there are no memory leaks, anywhere, ever. We have our own linked list management because it is a fraction of the size of the alternatives and does exactly what we need. We have our own file dialogs (and treeview dialog logic) because the OS offerings were buggy for almost a decade. We have our own JPEG routines because we need to load all manner of proprietary and oddball JPEGs. We have our own tree structure code for our ray tracer, particle systems and so on because we can make really big trees and unless we control the memory allocation, the tree becomes too fragmented in memory for it to be handled efficiently. I could go on like this for quite a while. In short, though, there are some very good reasons to skip over the canned solutions. And that's assuming that the canned solutions work perfectly, as described.

When one of your operating platforms is Windows, you either learn to do for yourself or you end up with a buggy application, because Windows itself is prone to long term unfixed (and sometimes unfixable) problems. Write your own code and you can eliminate the problems. That's a pretty strong motivation.

Code in libc may be hard to beat when it comes to doing what that code does; but who is to say you need exactly what libc offers? Memory management is a good example. We require firewalled memory boundaries, cumulative usage tracking by routines and by blocks of routines, named memory groups, live overrun detection, dead pointer detection, real-time and post-run logging. And the code has to be really, really good... if there's a bug, we can't wait for the libc maintainer(s) to fix it. With these kinds of needs, pretty soon you end up writing code. It's pretty straightforward, really.

There's a competitive advantage, too. If a bug is found, your turnaround time can be measured in hours if it is in your own code. For every bug that turns out to be a consequence of an OS or otherwise "not your code" library, bugfixes are much more likely to take longer or simply be impossible. Example? We can process streams of image frames. MS's file dialog let you select many files at once. Seems like a natural fit, right? Click on one file, shift click on another, you've got a block, we should process them. Winner! Well, yeah. But.

If you selected more than about 100 files, MS's file dialog would fail to properly terminate the returned file names, and cut off the last one arbitrarily. Leading to all manner of things, not the least of which was not the behavior that the user was trying to achieve. But wait, there's more! Unless the customer, completely unintuitively, selected the last file first and the first file last, the files would be provided to us by the OS out of order. So? (I hear you thinking.) Just process them in the other order, right? Well, yeah, but the first file in the list we got would be mangled in the natural order. And besides, it wasn't the first one the user selected, just a mangled file name somewhere around number 100 or so. What a mess.

We complained to MS for years about these things without result, until I had simply had enough and wrote our own file dialog. End of problem. Now it just works. Plus, since I was writing it anyway, I did it so the file dialog offers tree views, thumbnails, properties, regular expressions, file management, clipboard tricks, you name it.

No, it wasn't perfect first time out the door, but within a few weeks of release, the customers had ferreted out the weak points and they were all fixed and the working application was back in the customer's hands. I haven't seen a bug report on the file dialog in years now. But if I do... I'll put that bitch down like a KKK'er at an MLK rally.

It isn't wasn

Code Paranoia

[edibobb]

Most companies who protect their code don't need to worry too much about it. It would take their competitors as much time to steal their code as it would to write new code. Analyzing a "foreign" project and then integrating it into another usually takes a lot of time. And then, the result would probably not be as good as new code. There might be some "ahh... so that's how they do that!" moments, but probably not worth the effort of stealing and analyzing the software. The main reason I would protect code would be to prevent lawsuits. Someone could analyze the code, find flaws, stage losses, and sue. Even this is pretty unlikely in a medium-to-small sized company.

Obvious?

[dracocat]

Well, we invested a lot of money and resources to get the product written so that we could make money from it.

If we publish it and another companies takes it and uses it to make a competing product we will make less money.

Do we need another reason?

Different Approaches

[quo_vadis]

Another thing to consider is the fundamentally different mentalities the two camps (open source vs closed source) have. For closed source, all that matters is shipping a working product. So what if it breaks if you have more than 4GB of RAM or your directory naming convention must be exactly so. The open source approach on the other hand tends to be we wont call our product done till the code is perfectly optimized for all systems from a VAX to a Blue Gene. Also, one must consider that individuals and companies are at different ends of the spectrum when it comes to reasons why they have not released code. For individuals, there is personal criticism from programmers about their code. But, one has to keep in mind that not all individuals are programmers. If a recent physics PhD chooses to release the code he used to process output of his high energy particle physics simulations for his thesis, he would be heaped with scorn for spaghetti code despite the fact the code accomplished its primary purpose (get enough data to get the guy his degree) and did it in a reasonable time frame. For companies, there is simply a strong sense of possessiveness. They are loath to give away anything; including code for products they dont use or support anymore.

Ridiculous article.

[rjh]

The proposition here is "upper management knows the code is a mess and is embarrassed by it, so they insist on keeping the code closed."

Who here thinks upper management knows what code looks like, at all? Not bad code, not good code, but code, period. Does anyone really believe that the executives who make policy decisions about whether to release code are in any way qualified to comment on code aesthetics?

Hell, I think most programmers are unqualified to comment on code aesthetics. For a lot of people, programming is just the daily grind. People who actually put their heart and soul into crafting a piece of mathematical art are very rare. So if management can't recognize good code and an awful lot of the IT department is apathetic to good code, how is it possible that the decisionmakers know enough to be embarrassed by the code?

And if we can realize this in just ten seconds of thinking, why didn't Schroeder think of it herself?

As near as I can tell, the reason why companies like closed source is very simple: it preserves the asymmetry of information necessary for their bottom line. A free market depends on both parties knowing the product being bought and sold. When you buy a new car, you can read Consumer Reports, you can read Car and Driver, you can read any of a dozen specialist automotive rags that will tell you in excruciating detail what a certain car's dual overhead cam configuration means in context of their competitor's choice for a single overhead cam. The buyer has complete access to information, and that puts the buyer in a position of strength.

Asymmetric information, where the seller knows far more than the buyer, puts the buyer in a position of weakness. If the product is a black box, then you can't really get an informed independent critique; you have to instead rely on the claims of the people selling the product. Which is great, as long as you're the seller.

doubt is a barrier to entry into a market

[technoCon]

Last week at XP West Michigan, the speaker advanced the theory that a company with an older codebase is invariably a competitive disadvantage and that anyone who builds a new system that does the same thing will eat their lunch. He went so far as to claim that this mechanism would result in Microsoft's doom. And I partially agree because "technical debt" in a codebase behaves just like this.

I think that an existing codebase may occasionally NOT be a mess or a competitive drag on a company. I'm not claiming this is frequent, but that it is possible.

Now, let's suppose I'm a young, hungry company who wants to eat a big, established company's lunch. If I know his codebase is chock full of "technical debt," I'll know he's at a disadvantage because everything he does to respond to me will have to carry along the burden of that technical debt. This means I have a better chance of beating him than if he's got clean code. BUT if I don't know if his codebase is crufty or not, that'll sew doubt into my analysis. That doubt will give me pause and provide a barrier to entry into that market.

You'll note that I made no mention of IP heretofore.

Thus, the company with a codebase that is ashamed of its codebase will be keep the extent of its cruftiness secret, to discourage competitors. Conversely, if a company knows its codebase rocks may consider IP to keep things mum, but if it buys into the line of thinking above, it may show off its codebase to warn off potential competitors.