Bringing OSS Into a Closed Source Organization?
Piranhaa writes "At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization. I've noticed that requests from users for open source Windows programs get denied, nearly instantaneously, on a regular basis. Anything from Gimp, to Firefox, even to Vim don't make the cut due to the simple fact that they are open source. Closed source programs from unknown vendors have a much better chance at approval than Firefox does. The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get. I'm a firm believer in open source code, but I also know closed source has its place. So what would be the best way for me to argue, with all the facts, to allow these people to come to their own conclusion that open source is actually good? Would presenting examples of other big companies moving to open source work, and if so what are some good examples? Or can you suggest any other good approaches?"
Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer.
Some people/companies just want a name to blame if something goes wrong. Rather than requesting the right to install Vim, request the ability to purchase a license for Vim. Many projects have already set up mechanisms to do this or are willing to do so.
If this doesn't work because:
then go to your manager and also the person or people who decide how good a job the "software evaluator" [single person] is doing. Point out a real business need for a particular application: "Vim has XXX feature. It is not available in any other software. If I had this feature, I'd be able to do YYY, which will [save/make] our company $[insert figure here]. Did I mention that it is written by a Google employee, and that our competitor, ZZZ, is probably going to use it if we don't? Here's a list of other companies that use Vim [insert Fortune 100 here]. Can you please make [single person] justify why he is putting us at a competitive disadvantage?" Cost is rarely a concern. So save the fact that it is free as an additional argument that you can make if [single person] suggests some other app.
If you are passionate enough about your tools, you can always walk--some companies hire talented employees and understand that they will be more productive with their preferred tools. (If you find yourself in such a company, don't spoil it--produce results with your tools, so that the company will be rewarded for this wisdom.)
If you want to be a dick, point to comparisons of some no-name proprietary program that [single person] approved that turned out to have a security hole and that your app does not suffer this hole and try to pull other tricks to demonstrate that [single person] is incompetent.
I would have resigned if I were you.
The largest prime factor of my UID is 263267.
The fact is that because open source is open, if someone tries to put some hostile code inside it, it will be seen and stopped there and then. With closed source, if hostile code gets put in, you're relying on a much smaller bunch of people to spot it, and there is always the possibility they will all collude together to put something in.
With open source, you can evaluate it.
People use the same argument against wikipedia, "anyone can edit it, therefore it cannot be trusted", but the same counter argument can be applied to that as well.
Don't stick your neck out like that. OSS people won't thank you, and ALL mistakes in any software you somehow get approved will be your own personal fault. It sounds like you're too low in the food chain to be steering the direction of the company.
If you mod me down, I will become more powerful than you can imagine....
Seriously, you need to find the person and find out what their concern is. Is it a maintenance cost? A desire to avoid mixing and merging tools in-house? Are they concerned about who will be responsible, or liable, for problems with open source tools?
If their concerns aren't justified, and they can't be negotiated with, then they may need to be fired, or you may need to leave in order to get the tools you need. But their concerns are sometimes well founded: I've seen people who need a 99.999% uptime who were absolutely terrified of open source tools, had implemented closed source and very robust tools, but didn't realize that it absolutely prevented new development. That was OK, their requirements were very stable indeed. But it meant that they could not support projects from other parts of the company.
Ditch the fuckers. That's what I did.
Look at it this way: if the management are stupid enough to believe that any old code can be included in an Open Source project, then the company is going down the shitter anyway.
Also make sure you tell HR, in your exit interview, what a bunch of useless cunts the management are. Am venting here, obviously when I was in your place I was far more tactful, informative and business-orientated.
It likely isn't worth the effort. I really like FOSS myself, but one needs to have some perspective. This isn't getting food to the hungry, or getting some medicine to the poor. If upper management has an irrational hatred of OSS, so be it. Live with it, or resign. Based on what you're saying, the person doesn't seem open to reason -- and there is no point in using open source for non-rational reasons.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I question the wisdom of this. How many companies have the time to waste doing this vs. going to a vendor and shelling out for an "assured" solution? It'd cost less in man hours to simply purchase Windows than audit an entire Linux distro for malware.
I think the "but you can read the code" retort is easily answered with "but who's going to pay to read it?"
If you mod me down, I will become more powerful than you can imagine....
I'm sorry for posting as an AC, but the /. login doesn't seem to be working (no matter what I type in to the captcha, it doesn't let me verify my password!).
This guy is God as far as software at this company goes. He can do what he wants and unless there's a major catastrophe, his supervisors will let him continue to do so. If what you say is accurate, then he's made up his mind and there is no reason to change it at all.
You ask for "the best way for [you] to argue..." That's it right there. As long as you argue, you lose. He doesn't want to argue, he wants to be right and that, by definition, is what he is for anything he says at this company. He doesn't want to hear from you, doesn't care, and in any argument, if he so much as listens, he is indulging you.
True, he's an idiot, but that doesn't matter. He has no reason to change so he won't.
If you want him to change, remember he's like electricity: He takes the path of least resistance. For him to change or even look into change, then that path has to be made easier than him not even bothering to look.
When you can make it easier for him to look at FOSS than it is to ignore it, he'll start looking, but not until then -- and likely not even then if he has a grudge against it and doesn't want to admit it.
with a hooker and a camera!
It sounds like a bad environment for a programmer. I'd leave them with their closed source programs and look for a job in a better company.
I've worked in several large corporations, and was faced with similar challenges.
Often times, open source software is not viewed as a serious option because (depending on what software you're looking at) there isn't a singular reliable source of support, and due to legal reasons, a large corporation just cannot afford to take a 'gamble' with open source. You need to pick your battles and pick them well.
I'm not implying that open-source software is better or worse than commercial software, but the dedicated support definitely is lacking in the open source world.
The last thing a pointy-haired boss wants to hear is that you're waiting for someone to reply to your post on the forums, or that you're getting on IRC to find out if someone ran across the same problem and what the solution was.
For example, ZenOSS is a great monitoring tool, but the documentation is complete garbage, filled with errors, omissions, and even broken sentences. Mind you, this also includes their Enterprise version, and their support is also lousy. You'll be lucky if you get a response within 24 hours from when you submit a trouble ticket as an Enterprise customer.
Redhat, on the other hand, is much more responsive. You'll get a reply or at least an acknowledgment that they got your email within 20 minutes, which at least is enough to give management the 'warm fuzzies'. They're really just another Linux vendor, but they have a support line, and they have the fancy brochures and certifications, and that adds legitimacy. It tells the business world that they mean business, and are not just some long-haired smelly CS grads with a pet project.
Sounds like this person has a deeply vested interest. I would guess that the real problem with open-source software is that it's free (as in "beer"!) so no chance to cash-in by playing favourites.
Find out where the kickbacks are coming from and blow the whistle.
New mod option wanted: -1 DrunkenRambling
Purchasing Windows doesn't give you an "assured" version either. The industry has learned that hard lesson over and over. You're much better off just licensing an open distribution like Red Hat, because you get the corporate support side as well as the community audit side.
The fact is that even if you don't have time to read the source, other people do, and a complete distribution has the unique level of multi-party quality assurance money can't buy.
Microsoft is probably the worst possible example anyway. They regularly put in their own malware. There's no audit required to know that WGA is pure and simple malware. It's absolutely moronic to name them as an example of an "assured" solution vendor.
Sam ty sig.
If you want to be a real stickler about security with OSS software, why not compile the binaries yourself? Bam, no reason for OSS.
And your assured solution could, say, have a glaring security issue.
Fortunately, software companies aren't asses that sue people for disclosing things, want all bug reports public so companies can take precautions against problems, and definitely will fix bugs in a timely manner,
If the company goes under or is largely unresponsive, we'll simply use a different software. Any data that we may have used, we'll just convert away from them. This will be a walk in the park too, since we'll definitely have an option to export to many other programs (to avoid vendor lockin, of course), or we'll simply read the proprietary data file format ourselves using a script to convert the data!
There are so many examples of such honourable companies, like... uhm...
err... :D
While I was working for a former employer, we were engaged in negotiations with a very large company that would act as a distributor (to a certain market) of our products. Said unnamed company in the distribution contract wanted us to sign off that "no open source software products were used in the development process, and that no OSS was present in the product".
Why?
Frankly, I understand the concern. If you are a development shop, then if OSS creeps into your product (due to a careless (and thoughtless) developer copy-pasting code, for instance) then the legal ramifications may be grave. Potentially, depending on the license, you are required to disclose the entire source of your product, and provide a usage/distribution license to whomever receives that code -- basically, a single minute action can sign off your rights to your software. Your distributors have also violated copyright, and are in similar hot water (e.g. their efforts in promoting your product are now potentially worthless).
The result? Some companies are so afraid of this "poison pill", that they simply don't let any OSS in their gates. Does this promote OSS? Maybe. IIRC, I recall that some friends working for the dark side (M$) report that no OSS is allowed there (or in some parts thereof).
I use OSS extensively. The former company I worked for had a whole heap of OSS in its development process (but not in the developed chip/product). Actually, considering that a non-OSS company (Altera) used OSS in its supplied development chain (gcc, for instance) that we were using, there really was no conceivable way that the company I worked for could've signed off on the "no OSS" bit of the contract.
Doubt you will be able to change your control guy's mind with reason, so you have to play politics. Find an example where expensive software was bought instead of OSS and tell his/her boss how much the policy (note not "the person" - bosses can work it out) is costing the company. Of course, if the guy IS the boss or is related to the boss, just find another employer if it's that important to you.
Andrew Yeomans
>The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.
That's why open source has source. You can examine the source code to see if there are any strange patches. Compile it yourself and then you know what kind of binary you're going to get.
That's also the big benefit of open source. There are thousands of eyes looking through it for the larger projects. You also get the benefit of customizing the source for your own purposes (and if you don't distribute the end results, you don't need to distribute the source of your changes, either, for the software under GPL).
I might worry about the projects where anyone in the world has CVS/SVN/GIT/HG commit access. Most don't do that. It's not like Wikipedia. And if you wonder if some project may have some nasty patches applied by less than honorable people, just look through the revision history or download some older tarballs, and look through the changes.
now we need to go OSS in diesel cars
Attack me all you like, but to me, and to probably a lot of other users, it doesn't matter whether something is open-source or not, as long as it does its job well, and it's (hopefully) free.
That's not to say I don't support open-source where I can, since it usually has a more vocal and readily available community to help you when the program goes belly up.
As a small addendum, remember those fellows that found OSS in the infamous sony rootkit (by various strings present, IIRC). A week or two later the same guys (or someone else) found OSS in some other commercial software product. IIRC, there was some legal action (from FSF?) following this.
It used to be, that if you screwed up and placed OSS in your product that the chances of being caught in the act of theft were fairly low. Currently, the chances of being caught (even if your act was inadvertent) are significantly higher.
1) Convince his superiors that a particular open source program is the best available for the job. If this works, try with another one, but make sure you point out the open source nature of the program.
2) Talk to your workmates about open source software that you use, and try to get them to request some of this software to be available to them. For bonus points, try to get them to complain (with email evidence) when software is rejected to the people who evaluate the performance of staff.
It'll take a long time, and you'll have better success (and more likelihood of him being replaced) with the top-down approach, but the bottom-up approach is probably more likely to develop good word-of-mouth links to OSS.
Ask me about repetitive DNA
As with any idea you want to sell, you have to pitch it in terms of what the company wants. Most companies aren't going to be motivated by a philosophical argument. You have to ask yourself: If the company started using open source software, would it have a significant positive effect on the bottom line? If not, you're unlikely to succeed.
Open source...is about the user.
Closed source...is about the company producing the software.
Open source is often written by the very people that will use the software, and they don't want crap in their software.
Closed source is often written by people that will use it, but they need it to sell money. So is it cheaper to push crap out the door or gold plated jewelry?
Vote with your feet, and when asked in your exit interview why you left, tell them the truth.
If I ever ended up working at a place like that somehow, I'd quit the same day I found out about this policy.
They can suffer with less than optimal software.
At my previous job, I heard some really crazy reasons, from non-technical PHBs, for outlawing free software. All kind of nonsense up to and including Russian hackers planting backdoors/trojans in OSS apps.
In the end, the best way to make these non-technical PHBs see sense was to simply point out all the OSS they were already using, without even knowing it.
Those HPUX servers? Running Samba shares.
That F5 SSLVPN network appliance? FreeBSD!
The most priceless moment was when I discovered the main OSS opponent was an avid Firefox user. He referred to it as "Microsoft Firefox".
>i question the wisdom of this. how many companies have the time to waste doing this vs going to a vendor and shelling out for an "assured" solution? it'd cost less in man hours to simply purchase windows than audit an entire linux distro for malware.
>i think the "but you can read the code" retort is easily answered with "but who's going to pay to read it?"
I'd question your sanity. The argument is not "but you can read the code" ... the argument for open source is this: "but everyone can read the code".
"Everyone can read the code" is a far different argument to "I can read the code" or "you can read the code" or "our company can read the code". The position that open source takes is in fact "everyone can read the code". Everyone and anyone who wants to.
"But who's going to pay to read it?" you ask? There are an estimated 1.5 million open source developers right now. So at least 1.5 million people already do read it. I suggest then that the answer to your question is "whoever pays those 1.5+ million people".
Finally, since 1.5+ million developers already read the code, and they use that selfsame code themselves (this is the killer point, BTW), it is already audited for malware. Those developers simply aren't going to use code if they see malware in it. Who would be stupid enough to submit malware into an open source project in plain sight, with 1.5+ million developers looking at what you are trying to do to them?
That job of "audit an entire linux distro for malware" ... it is already done for you. It is an automatic part of the service.
In my organization I wrote up a risk analysis for Open source and closed source software,
detailing the risks in each.
How does malicious or dangerously buggy code get into each type of project? How do you assess the threat in both types of software?
What is the review process?
How big is the project?
Did you compile the software yourself? Who did?
How did you get the software/source code? etc.
This document was picked up by other people who eventually turned it into company guidelines for OSS adoption.
Me.
Seriously, after all these years of success and reliability, anyone claiming Open Source software is an organizational threat is simply in the tank for Microsoft. Firefox, a threat? VIM, a threat? While Internet Explorer and MS Word are paragons of safety? The man is provably out of his fscking mind.
Schwab
Editor, A1-AAA AmeriCaptions
In my experience, your best bet in these cases is to walk the company's official path for software acquisition.
If no such path exists, your first step is to convince management to create it. Your common goal is to get the best solutions for the problems at hand.
Here is a very useful link of the Dutch government on making FLOSS a viable option for software acquisition:
--> http://www.ososs.nl/files/acquisition_of_open-source_software_-_text.pdf
If it is good enough for the Department of Defence then it should be good enough for any corporation. However, if IBM, Sun, SGI, Hewlett Packard, AOL and Dell are not good enough to convince your bosses, then I don't think anyone will.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The GPL allows you to bring open source in-house and keep it closed if you do not use it publicly.
So where do I need closed source to begin with?
To pad my lawyer buddies?
Stupid is as stupid does, and go ahead, waste people's money; fraking noobs are everywhere and ya wonder why the world economy is going turdy.
All the greed has done its work.
So either learn to live with the problem, or just run away from it? You must be a real winner.
Most socially/emotionally healthy individuals have a powerful tool at their disposal called "interpersonal communication." By honing your communication skills, you can exchange thoughts and opinions with other people, perhaps even persuading them that FOSS is a viable alternative to proprietary software. But this is generally not a tactic used by people who spend their entire lives as a powerless passive observer.
Assuming you know to speak up for yourself, there are a lot of ways to introduce FOSS to a closed source organization.
Honest question here: does the 24/7 support ever solve problems? The only time I ever bothered to complain about a faulty product (a television set that was under guarantee) all that happened was I got dicked around for 18 months while it got taken away, brought back, failed again, taken away etc. I assume the job of 'support' is to occupy the customer until they get bored of complaining/die/find a work-around/buy a different product.
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
These folks usually need a near death experience to change their mind. You won't change it. It's only when competitors are closing in, that's when folks like these give up their superiority complex and do what the engineers say. But by then it's already too late.
Step 1. Convince him to buy an expensive, complex and impossible to manage closed source program that he will approve, Lotus Notes or anything by SAP comes to mind, preferably for a totally inappropriate purpose.
Step 2. Maneuver yourself into being next in line for his job.
Step 3. Encourage end users to complain about the software as much as possible. Plot behind the scenes to make sure his bosses know he is responsible.
Step 4. Once he is fired, take his job and replace the closed source software with open source.
Good luck!
Negative moral value of force outweighs the positive value of good intentions.
Shouldn't this have been in Ask Slashdot instead of News?
What I mean by "make an in-house version" is that if they are concerned about new binaries causing problems, they could, in the case of something like Vim, which doesn't connect to outside machines and pose a direct security risk, simply scrutinize the source and then build a binary and store that binary on-site and permit people to use only that one. This means that some of the benefits of open source are lost, but at least you get to use the software for the most part.
They don't necessarily have to scrutinize source -- presumably the notion that software might be dangerous is also true in the case of commercial software and if that is true, then they should have methods of qualifying specific installations of a program as safe, regardless of the type of transaction through which they would acquire the software. I realize that companies often do not have such qualifying methods and instead rely on the implied threat of a lawsuit to prevent commercial software vendors from selling them malware, (either intentionally malicious or not,) but the legal recourse is usually far inferior to just having software that does only what the users think it does. Legal recourse is an expensive and risky endeavor that often doesn't really make up for all the damage done; there are, of course, examples of where the suing entity made a killing from their victimization, but there are a lot of far less exciting outcomes where the victim still ended up taking various types of loss even if they won the lawsuit. You could point that out to them, but keep in mind that you will be essentially pointing out that their usual arguments are incorrect and that you know they are actually just engaging in ass-covering. This may go over badly.
You can still suggest that they qualify a binary, though. That is reasonable, in my opinion, if you can justify the utility of the software you want in monetary terms regardless of what arguments you may present as to why their no-open-source policy doesn't make sense.
Just tell your boss that much closed source software uses open source software libraries, for example, libraries that do compression or image processing (e.g. PNG, JPEG). So he is already living with the risk.
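The point above (and the earlier comment about OSS being spotted in a commercial product "by various strings present") can be checked rather than just asserted: many libraries embed a version banner as a string constant, so a scan of a shipped binary often reveals which open-source components it was built with. The following is an added example, not code from any poster on this page; the banner patterns are illustrative assumptions (real builds vary in wording) and the sample binary is constructed inline so the scan runs offline.

```python
import re
from typing import Dict, List

# Illustrative banner patterns. Real libraries do embed version strings much
# like these, but the exact wording varies by build, so treat these as
# assumptions for this example rather than an authoritative catalogue.
SIGNATURES: Dict[str, re.Pattern] = {
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+) Copyright"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) "),
}


def find_embedded_libraries(blob: bytes) -> Dict[str, List[str]]:
    """Return {library: [distinct versions found]} for banners present in blob."""
    found: Dict[str, List[str]] = {}
    for lib, pattern in SIGNATURES.items():
        versions: List[str] = []
        for match in pattern.finditer(blob):
            version = match.group(1).decode("ascii")
            if version not in versions:      # zlib repeats its banner per codec
                versions.append(version)
        if versions:
            found[lib] = versions
    return found


# Constructed stand-in for a closed-source executable: a little binary noise
# with three library banners and one unrelated string mixed in.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"libpng version 1.6.37 - April 14, 2019\x00"
    + b"\x00" * 8
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00"
    + b"deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler\x00"
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"
    + b"Proprietary product build 4711\x00"
)


def scan_sample() -> Dict[str, List[str]]:
    """Scan the constructed sample; used by the demo below."""
    return find_embedded_libraries(SAMPLE_BINARY)


if __name__ == "__main__":
    for lib, versions in scan_sample().items():
        print(f"{lib}: {', '.join(versions)}")
```

The output is a starting point for an inventory (which components, at which versions, need patch tracking and license review), which is the same information the approver would want for any vendor product; it does not tell you how the library was configured or whether it was patched, so treat a hit as a lead, not a verdict.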
Your open source software blocker is being paid off by the vendors. Maybe not in cash, might be just in dinners, trips to "conferences", or perhaps just in building his ego.
This is one of the barriers to OS software adoption that is not yet recognized.
Remain calm! All is well!
>At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization.
Give Mr. Jobs my regards.
It sounds like his argument against FOSS is fact-based, not political. Address the facts.
He believes that anyone can change the source of an open source application and recompile it. That is TRUE. He is right to identify that as a vulnerability. The mitigation is to only download binaries from trusted sources and verify them with checksums, or to download the source, inspect it, and recompile.
His conclusion that applications from proprietary sources are therefore inherently more secure because they cannot be recompiled, however, is INCORRECT. From a security standpoint, using a binary file requires a higher level of trust because it is more opaque. It is far easier to hide an attack in a binary file precisely because one cannot inspect it as easily as one can a source file.
The threat order, from most threatening to least, is:
The point is, NOTHING should be accepted without verifiable trust. Being able to personally inspect the source code provides an additional level of protection, and is therefore SAFER from a security standpoint.
For personal use, I trust everything at level 3 and higher (binary from trusted agent, no checksum). That's fairly risky, but acceptable for a single machine. If I were in charge of the corporate desktop, I would elevate to level 4 (binary from trusted agent, with checksum). This is the level that Microsoft products are distributed at, for example. If I really were concerned about the security of an application -- say, if I were in charge of writing voting machine software -- I would insist on elevating all the way to level 6 (source from trusted agent, with checksum, scanned by me and recompiled with a new checksum.)
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
>The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.
What, and all the viruses that can attach themselves to existing binaries clearly have never existed?
If you have the source code, then you have the opportunity to compile your own binary and be sure what's in it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Don't bother. Go get another job elsewhere.
Or as someone posted earlier, "Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer."
We use OSS almost exclusively where I work... the only commercial software we use is Microsoft, and even that we try to avoid as much as possible.. (there are only a very few Windows PCs with MS Office, for example.)
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
You've put yourself in a vulnerable position by having asked for permission. Now that the answer is 'no', installing those specific packages anyway is being disobedient, and you'll have a much harder time convincing them otherwise.
Otherwise I'd recommend you to just install firefox etc. already. There can't be any objections to this from a financial, legal or security perspective; in fact, as your company pretends to be worried about security, why not go with the browser that has the better security track record, rather than sticking with the closed-source browser (which has proven to have the worst security track record of all)?
As for the random changes, when you get the sources 'at the source' (i.e. Firefox from mozilla.org, MySQL from mysql.com etc), any potentially unsafe third-party changes will have been reviewed (and an MD5 checksum guarantees that the sources have not been tampered with). The risk in using it is no bigger than the risk of accidentally installing closed-source malware.
But as other posters have pointed out, for your company it's probably the bottom line that counts. I agree with the poster mentioning that you should take care of your 'software approver', as he seems to care more about his power-trip than about the company.
Finally, I think you'll have a better time at a company that embraces open-source. Start looking around for something better, you'll be glad you did.
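The "trust level" post above (binary or source from a trusted agent, with a checksum, then recompiled) and the comment just above about checking upstream sources against a published checksum both describe the same mechanical step: take the digests the project publishes for its release files and confirm that what you actually downloaded matches them. The block below is an added example written for this thread, not code from any poster or project mentioned here. It assumes a sha256sum-style manifest ("<hex digest>  <filename>" per line), uses constructed release bytes and hypothetical file names, and, as a design choice of this example, refuses MD5 and SHA-1 manifests because neither is collision resistant any more.

```python
import hashlib
import hmac
from typing import Dict

# Digests that are no longer collision resistant: a manifest built on them
# proves little about tampering, so this verifier refuses them (example's choice).
WEAK_ALGOS = {"md5", "sha1"}


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a sha256sum-style manifest: one '<hex digest>  <filename>' per line."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        # sha256sum prefixes '*' to names hashed in binary mode; drop it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_artifact(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """True when data hashes to expected_hex under algo; weak algorithms are refused."""
    if algo.lower() in WEAK_ALGOS:
        raise ValueError(f"{algo} is not collision resistant; use sha256 or stronger")
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest does not short-circuit on the first differing character.
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_all(artifacts: Dict[str, bytes], manifest_text: str,
               algo: str = "sha256") -> Dict[str, str]:
    """Classify each downloaded artifact as 'ok', 'MISMATCH' or 'unlisted'."""
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, data in artifacts.items():
        if name not in expected:
            report[name] = "unlisted"        # nothing published to check against
        elif verify_artifact(data, expected[name], algo):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"        # altered in transit or on a mirror
    return report


def publish_manifest(files: Dict[str, bytes]) -> str:
    """Stand-in for the upstream project hashing its own release files."""
    return "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in files.items())


# Constructed stand-ins for release files; the file names are hypothetical.
UPSTREAM_RELEASE = {
    "vim-example-installer.exe": b"constructed bytes standing in for the Vim installer",
    "firefox-example-installer.exe": b"constructed bytes standing in for the Firefox installer",
}
PUBLISHED_MANIFEST = publish_manifest(UPSTREAM_RELEASE)

# What the corporate side actually received: one file altered on the way,
# plus a file that the project never published at all.
DOWNLOADED = dict(UPSTREAM_RELEASE)
DOWNLOADED["firefox-example-installer.exe"] += b"\x00tampered"
DOWNLOADED["unexpected-extra.exe"] = b"not part of the release at all"


def demo() -> Dict[str, str]:
    """Verify the constructed download set against the published manifest."""
    return verify_all(DOWNLOADED, PUBLISHED_MANIFEST)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The manifest itself has to come from the "trusted agent" over a channel you trust (and, where the project signs its checksum file, that signature is what makes the manifest worth anything); a digest fetched from the same mirror as the file only proves the two were tampered with together. The recompile step in the post's level 6 is then the same check applied in reverse: you record the digest of the binary you built, and that is the only binary the desktop image may carry.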
The author of the article says:
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get."
Not if you can prove to your superiors that the source code you want to use is managed and moderated by code maintainers in order to review the code prior to it being submitted into a code branch...
... and that your superiors have a policy of only obtaining code from said moderators and code maintainers at officially announced places of acquisition of stable code branches.
This covers many popular free and open-source software from many organisations such as the Free Software Foundation, Mozilla, the Linux Kernel Organisation, and others, whereby the contributor base is large enough for the code to be peer-reviewed and managed in ways that will prevent such malicious attempts at code pollution from ever becoming a reality. If you can show that the project belongs to an organisation that honours its reputation for the production of quality software, then it would make the rejection of the use of such software due to this argument much more difficult to justify.
While this doesn't cover every free or open-source project under the sun, it does cover many of the more popular major projects where a Windows build is available or supported.
--tonza
If they don't know that Firefox is the best browser in existence, then they are uneducated. You have two choices, then:
1. Educate them.
2. Give up and use IE or whatever crap.
This is also true of other FOSS programs, but Firefox is certainly step one, in my opinion.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
Look for someone who'll happily charge you for doing nothing, let's call them dummysoft.
Then put in your request for vim from dummysoft for x hundred dollars.
Dummysoft can then send you a link to their download site at, say, vim.org, and take the money.
If you can't find any volunteers then I'll happily do it.
I have implemented a high-profile system in a large multinational, using open source. I too found it hard to get OSS accepted, but not for the reasons I first expected. Most of the initial arguments were quickly countered.
- Malware? We were confident enough to see there were sufficient controls around code changes.
- Support? Easily handled by our existing channels, even for elaborate changes and additions.
- Quality? Millions of users can't be wrong...
The one thing we struggled with was: liability. Our own, our manager's, the software approval guy's. The problem is this: what if that bit of open source software contains proprietary code, and the owner of that code suddenly starts asserting his rights? At best, we will be forced to stop use of that software.
You can argue that this is also a possibility with commercial software, which is true. But with commercial software, the owner of the infringed code will go after the creator of the software. Better yet, we too get to sue his pants off. In the case of open source, they are likely to sue not the creators or distributors of the software, but the people using it. That means us, and the legal eagles don't like that, oh no. Remember the old maxim "No one has ever been fired for buying IBM"... that goes doubly for OSS. OSS exposes you to lawsuits, and when the stuff does hit the fan, the buck stops with you.
In the end, OSS was allowed in our corporation, provided that it isn't used for mission critical purposes if no commercial drop-in replacement exists. If the software develops issues, there's still no vendor to blame for me, but I can live with that, personally.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
You need to get a sense of perspective here. In the past month we've been experiencing the very start of what people are comparing with The Great Depression. You're living in the US where your unemployment benefit/insurance has a fixed time limit, homelessness was already out of control in the boom time (with large numbers being unable to secure a place in what would be short-term emergency accommodation anywhere else in the developed world in "trailer parks"), and you're bitching about not having access to some favourite Windows apps?
My advice to you: don't make waves, treasure what you have, and pray to your deity that you aren't forced into looking for work in the next 12-36 months.
Sorry, I'm an outsider to the US, and I keep hearing this thing about the right to bear arms.
Isn't this the reason you own guns: to defend yourselves from utter tossers in the workplace? What's the point in all this gun ownership, if you can't kill middle-managers?
There's absolutely nothing in any OS license I'm aware of that restricts resale of code.
You have 2 types of people, advocates of open source and the governance types. Clearly, you will fit within the first group and your boss in the second. This is a religious fight and one that cannot be won by convincing the other type of your right.
I have done this battle and lost every time, until I understood the system. The governance type often has much less knowledge than you for making a balanced choice. He wants to be assisted by some technical teams to get a second opinion. The way they report will include terms such as open source etc... and thus the proposal will get refused.
Try to organise a software evaluation team for problem x that will report to the governor. Try to make sure you have a large part in the written end report. Try to make sure that there is a paid support option in the open source solution.
In the end, they will not pay support, take the open source and there will not be a second voiced opinion that can be interpreted any way.
We all know that open source will win in the long term, because the support of many will always be more important than the financial gain of a single company. The fight will always continue because the gain of some will always inspire unfounded opinions. I just hope that you win this battle.
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get."
That's closed source, in open source you know what code is in the binary...since it's..well...open?
My sister-in-law worked for a huge company, one very similar to Dilbert's employer. She was at least partly, if not fully, in charge of the decision to reject all open-source software. I had a long debate with her on this topic, but she's completely unwilling to move. She firmly believes software is worth no more than what you pay for it, and those promoting free software are dangerous socialists, anti-free-market crusaders trying to tear down America.
I've also tried to convince her over the years that George Bush is a poor president, who has in fact made some mistakes. While she's a super-bright energetic well educated woman, my sister-in-law is incapable of thinking any republican president has ever done any wrong.
I think people like my sister-in-law are firmly planted in important corporate positions throughout our country, ensuring that Dilbert-Land will continue unimpeded. To them, free-as-in-speech is a silly concept for children. You give it lip-service, but never put any money there! What counts is free-as-in-market. These free-as-in-speech programmers are just more Vietnam-protesting nit-wits who will ruin the country.
Beer is proof that God loves us, and wants us to be happy.
I happen to use many OSS portable apps, like Firefox, WinSCP and OpenOffice (even though Word is there). I used to install GIMP Portable, and no longer have to, as someone requested our computer tech guy to install GIMP on all the computers!
So now I can introduce my colleagues to open source software for their simple/mid level image editing and they don't have to stuff around in paint anymore!
There are folks though that will not even try GIMP 'cause it's not Photoshop, and are perfectly happy to use Paint instead!!!
like phosphorescent desert buttons singing one familiar song
That is simply not true in practice. Most people do not audit the source code of their favourite Linux distribution. Even if they did, there's no guarantee that the code they have installed from the DVD was compiled from the source that they looked at. Contrary to popular opinion in the open source community, most people don't want to compile all their software themselves.
It's not even as if having availability of source code means you will find all of the hostile code that is in it. Debian managed to distribute a seriously compromised version of OpenSSL for two years without any of the "many eyes" noticing.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
... or maybe he just hates freedom
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get."
If that is their mentality, you have already lost with all arguments.
You can try to get them to understand that not everyone can get code into applications, only trusted ones. Although everyone can send patches and new code, it will _always_ get reviewed by at least one trusted coder, and it can even be modified along the way if the code is not good enough already.
It is as easy to get malware code into open source software as it is to get it into closed source software. But you, as the client, have a better chance to modify, fix, and check the software source code if you use the open source version.
I don't know where it comes from, but somehow open source means, for some people, the same thing as there being no security and quality control at all...
My advice is to evaluate the merits of your software shortlist on EQUAL basis. Get your decision makers to agree criteria for the selection of software BEFORE starting your evaluation and then choose the best scientifically. Factor in initial capital spend, running costs, feature-match and roadmap. The best software might not always be OSS although I've found many OSS and quasi OSS to have a very compelling business cases.
In case you are interested (in various contracts), the following have been the ones I've seen the most:
What I'm not really seeing in my customers even though I'd really like to:
One of my recent customers has a big investment problem with their VB6/IIS 5.0 platform. They have invested 2 or so million GBP (double that for US dollars) and find themselves unable to upgrade to .NET now that the MS platform has gone "out of support". This is due to the poorly architected platform and in part their poor use of the platform. It is in these contracts where OSS is winning (OSS Java Enterprise, and some are looking at LAMP), because clients are ultra sensitive about commercial lock-in...
It would work like this: you see a need that could be addressed very well using OSS package X. You also ensure that there is budget to buy software.
What you do next is to get a software consultancy you trust to take that piece of OSS software, modify it slightly (e.g. a new splash screen) and sell it to your company. That's perfectly legal, if a bit sneaky, and therefore requires heavy-duty CYA precautions.
First off, make certain that you cannot be suspected of fraud (i.e. do a thorough requirements study and a cost-benefit study and make sure that the resold OSS stuff wins on those grounds).
Next make sure that the company your company will buy the stuff from provides your company with a service agreement and certain guarantees (they will have to talk with an insurance firm for that, but they can silently charge for that in their asking price; that's not unusual for consultancies).
Together that will allow you to show that you purchased good measure for your company's money, even if the company could have gotten the software for free. The reason being that your company purchased support and guarantees, which are arguably the sole difference between OSS and closed-source stuff. The fact that the packaged OSS software won the contract after comparison with commercial competition will show that the company got what it wanted.
Now be sure to check this theory with your personal lawyer first (but don't tell the company), then involve your company's legal department during purchasing; go through channels and get their buy-in once you have people willing to act as a vendor.
Now since it's OSS they will have to deliver the source code, but that doesn't matter. It doesn't have to say so in great big letters in the purchase agreement; it might even say that it delivers an *un-customised* version of the software by way of on-site escrow and hint that this is due to them being a startup. That's all. The trick is to get this past whoever approves software purchases. If he's stupid (likely, or he wouldn't go around blocking OSS stuff) you're likely to be able to get away with it. But make sure you are blameless if found out, or you'll lose your job and gain a lawsuit!
If you think a bit "formally" you'll see why this works: your company wants to buy software objects of class A (commercial software). What you have are software objects of class "B" (OSS software). So the only thing you need to do is create an object of class "A" which borrows the "implementation" from an object of class "B", but which adds a (legitimate) shell that makes it class "A", and everyone is happy.
Alternatively propose to buy a package (e.g. Open Office) for which there exists a commercial version and neglect to mention that it's also available as OSS.
If you don't have the amount of control that will let you do this, I can think of nothing else.
Cheers.
You can try marketing something like openssh as the best tool for the job, and point out the places you already use it. And then try pointing out all the other bits of open source that make it into windows, commercial unixes, routers, and just about everything else.
It's worth trying but you might be onto a loser anyway.
From personal experience I can tell you that the people that do well in multinationals are not qualified professionals, they are 'professional manager' idiots who 'talk the talk'. These people care about money, reputation and that's all. Sadly multinationals provide lots of places for these kinds of people.
Try convincing people the value of using the best tool for the job, it's certainly worth a shot. Then if that doesn't work either put up with it or look for somewhere better to work. The other option is to use whatever you like and neglect to tell them. Chances are they are too dumb to notice anyway.
Maybe the easy way out is to buy yourself a laptop and install the software which you need on it. If you install GNU+Linux and Compiz Fusion you may even convince some of your colleagues that you have a point there.
Also raise this issue in a meeting and make sure that it is on record that your requests were denied and by whom. If you want to stay in this company you may need proof down the line that it was not your decision.
I've tried to improve things in a company before. They could have saved thousands of dollars of operating costs per day and everyone could have gone home one hour early. Now that I've left I am glad for every mistake they're still doing. Let them fail spectacularly!
Personally I've been in the enterprise environment and in many cases Microsoft and closed vendors IS a good answer. Remember that these people's job is to judge software based on its ability to do the job, nothing else. In my industry billions of dollars in product could be wiped out if even one of our pieces of software miscalculates. Would you trust that to people on the internet that you have no recourse against if they are wrong?
If you mod me down, I will become more powerful than you can imagine....
Viruses in debian? You're not living on the same planet as us.
Making laws based on opinions that stem from false information leads to witch hunts.
I've had employees ask for software like yourself. Most of the time they already aren't getting their job done, and the new software won't help them achieve that end. Usually these requests come from 'fiddlers' that can't comprehend that what they are trying to do has nothing to do with the reason they were hired. Sure the software is cool, sure it saves time, but it's only saving time in doing something I don't want them to do. That's not what I hired you for, especially since you are not getting your work done already. Quit fiddling about and get it done.
But, with GPL 3, for instance, if you sell a modified work (GPL code + your own) you must grant the recipient a GPL license to the derivative work (GPL + your own).
The recipient is then allowed to distribute the product to whomever he wishes as long as he meets GPL (granting a GPL license downstream). So, how would you be able to make a second, third or fourth sale, now that additional parties are allowed to sell (or just pass on for free) this product?
This effectively makes your product free, if it is distributed to more than a few select customers.
Let the f-cktards wallow in their own shit. Do you really want to live in it with them?
Where were you when she was marrying your brother?! Always make sure to get their views on open source before, it saves any nasty surprises later on.
You are missing the point between what you consider quality software and software that passes a government audit. Just like the parent said, if we are looking at a product and it doesn't pass regulations - we can't even really look at it.
Now the question you should ask here is what passes regulations. With the laws being so vague and having so many contradictions, the real answer about what passes and what doesn't is what the big third party auditors say passes. So what you consider assured is much different than what the government will let us consider assured.
This isn't to say open source software doesn't get in - we have many linux server farms, apache and a host of other open source products that we use (happily).
A for instance though is that one of the requirements for compliance is that all servers need to have anti-virus. You could prove beyond a shadow of a doubt that concreteBox1 sans internet attachment cannot get a virus - yet you still need to prove it has an updated AV product on it. You can try to fight it, but with 50,000+ systems it just isn't worth it.
Another example is two factor authentication being required for any remote VPN solution, requiring AV and firewall. To meet this requirement we use third party products such as F5 (Juniper has some, etc). They all have the built-in scanning engines for Windows and even Mac (e.g. OPSWAT), but not Linux. This means that Linux is pretty much not acceptable as a workstation due to compliance.
Does Linux NEED AV/Firewall? It doesn't *matter*. It matters that we as a company are required to be able to scan to prove they have it and most third party products don't support it yet. We keep pushing though (can you hear the frustration?).
I am not saying in any way that open/closed is better, cheaper or less anything. What I am saying is if you are in a company that is that regulated sometimes it really is cost prohibitive to look at any company that can't provide you with an easy pass to your audits. The companies that the parent listed - RedHat, Novell, Microsoft - and anything they support are what we tend to go with because we know our audits will fly.
The people you have to convince of your theories are the companies that do the audits for PCI, SOX and a whole host of others.
If you took away auditing a lot of companies our size might have a completely different perspective.
I'm keen on learning how to do this type of investigation. I have suspicions at where I work about how some projects are given to vendors but I don't know how to find out. Any tips?
... in my case I was trying to get firefox installed onto a work computer because we are still using IE6 and a web application used by the company (one built in house mind) doesn't run well in old and busted IE6. Now the fun part. I was denied getting it installed because firefox was a security risk. Apparently IE6 is safe and secure????? According to some of the wankers on this forum, I should now quit my job in protest. Guess what, I LIKE my job (a novel concept, I know) and I am NOT going to quit just because I can't get some software installed. I will however still fight for alternatives to closed source wherever possible. Will I win? Probably not but I am happy in the knowledge that I tried my hardest.
Lobbying works. Talk to this guy, invite him for dinner, tell him that you want to lobby for open source and ask him if he would be interested in a discussion about it. At the discussion, listen to his concerns and don't dismiss them. Give him the feeling that these concerns are valid, then tell him that you are going to try to convince him, ask him if he's fine with that, then give some counterarguments. If you don't get through with the whole thing, invite him again, make him like you. When he likes you, he's not having a hard time considering your arguments. If everything fails, talk to his boss about the same stuff. Don't be scared. We're all reasonable people; it's just that decision makers are usually misinformed and thus scared.
Do not trust this signature.
> WGA is not malware, it's totally retarded to even suggest it.
http://politech.wordpress.com/2006/07/27/microsofts-wga-malware-in-sheeps-clothing/
http://www.theregister.co.uk/2006/07/03/wga_worm/
http://blogs.msdn.com/wga/archive/2007/05/11/malware-posing-as-windows-product-activation.aspx
> And give me one example of a copy of windows from a ms genuine partner that contained real malware
http://www.mydigitallife.info/2008/10/08/new-asus-eee-box-pcs-loaded-with-virus/
http://www.techradar.com/news/computing/pc/asus-ships-new-eee-pcs-with-live-virus-474622
> i can think of 2 - 3 examples of OSS repositories being infected with virus code in the last couple of years, most notably debian.
You had better tell this person then ... who was unable to find any Debian viruses at all.
http://answers.yahoo.com/question/index?qid=20080926175039AAANYlO
Seriously ... a Debian virus? Are you nuts?
Debian servers have been "hacked" a couple of times ... meaning that someone guessed a password and managed to log on. The servers maintainers watched what they were doing for a few minutes to see if there really was an exploit in use ... but they cut the connection as soon as it became clear that it was a simple case of a guessed password, and the hacker was vainly trying a few well-out-of-date methods to try to elevate privileges. No files were modified.
You really need to try to find out what a computer virus is, and while you are researching it, you might think how immensely improbable it is to be able to put a virus into open source code.
It seems that they are totally unqualified for the job they are doing, so just take over. People like that are easily pushed out of the way. Once you are in charge, implement all the Open Source you like. It is for the good of the company anyway. I would start by going over the dumbass's head to the first boss that is running the numbers, pinching pennies, and does not know shit about computers, and show him FREE replacements. Money talks, BS walks in biz.
Living in Chile
The source is open, but the compiled binary is closed, and the source of that binary is a central download repository that can be "trusted". So the company can either download it once and distribute the software themselves or can approve a particular URL as approved for downloading.
The only possible "fear" they could have is to adopt something that by license requires source to accompany the binary. In that case once it is, also have a policy of deleting the binary and read me and whatever to "save disc space" and keep a backup of those items at the company's central server with password access. The "company" being the person owning dozens of copies can do whatever they want with their copies once downloaded. The employees are not the owners, they are employed users FOR the company.
Jerry
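As an added example of the "download once from a trusted place, verify, then redistribute internally" approach in the post above (this is illustrative code, not from any project or poster in the thread): a Python routine that checks a mirrored release directory against the project's published SHA256SUMS manifest and flags tampered, missing and unlisted files, so only approved artifacts reach the internal server. The manifest format is the one `sha256sum` emits; the file names, contents and digests in the demo are constructed.

```python
"""Verify an internally mirrored download against a published SHA256SUMS
manifest before the files are redistributed on the company file server.

Added example, not code from any project named in the thread. Manifest lines
look like `<64 hex chars>  <name>` (text mode) or `<64 hex chars> *<name>`
(binary mode), exactly as produced by `sha256sum`.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16
HEX = set("0123456789abcdefABCDEF")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Return {filename: hexdigest} from sha256sum-style manifest text.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError rather than being silently ignored (a manifest we cannot
    fully parse must not be trusted).
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # '  name' (text) or ' *name' (binary)
        if len(digest) != 64 or not name or any(c not in HEX for c in digest):
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_mirror(mirror_dir, manifest_text):
    """Compare every file in mirror_dir against the manifest.

    Returns {filename: status} with status one of:
      'ok'       digest matches the manifest
      'mismatch' file present but digest differs (corrupted or modified)
      'missing'  listed in the manifest but not mirrored
      'unlisted' present in the mirror but not in the manifest
    Only files reported 'ok' should be published internally.
    """
    expected = parse_sha256sums(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    for name in os.listdir(mirror_dir):
        if name not in expected and name != "SHA256SUMS":
            results[name] = "unlisted"
    return results


def build_demo():
    """Constructed sample mirror: two good files, one tampered, one missing
    from the mirror, one stray file that is not part of the release."""
    d = tempfile.mkdtemp(prefix="mirror-")
    files = {
        "editor-7.2.zip": b"approved release payload",
        "editor-7.2.zip.sig": b"detached signature bytes",
        "editor-7.2-portable.zip": b"portable release payload",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()
    )
    # Listed in the manifest (binary-mode marker) but never downloaded.
    manifest += f"\n{hashlib.sha256(b'source tarball').hexdigest()} *editor-7.2-src.tar.gz\n"
    # Simulate a modified download: append bytes after the digest was published.
    with open(os.path.join(d, "editor-7.2-portable.zip"), "ab") as f:
        f.write(b"\x00 extra bytes")
    # A file someone dropped into the mirror that is not part of the release.
    with open(os.path.join(d, "README-internal.txt"), "wb") as f:
        f.write(b"added by staff, not part of the release")
    return d, manifest


if __name__ == "__main__":
    mirror, manifest = build_demo()
    for name, status in sorted(verify_mirror(mirror, manifest).items()):
        print(f"{status:9} {name}")
```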
So you are not allowed to use vim because it is Free Software. Fine, then find out the most expensive commercial editor with the most restrictive license and order that. Repeat with every single OSS app that you might want to use. Have fun, your boss pays the show.
Rather than couch your request in terms of FOSS, why not request FOSS as SAS from a supporting vendor? The principal FOSS counter-argument (nobody to pay, so nobody to hold liable) gets neutered by the SAS contract. If it isn't worth such a subscription, then what's the business need? [SAS = Software As Service, also written SAAS]
If you were to assume that we lived in a GPL'd world, game companies could still charge money for their game assets (sound, textures, models, etc). To the end user there wouldn't be anything different except their discs would have a "src" directory. Most companies would probably go down this route anyway if there were a decent FOSS game engine around, as it stands it's just cheaper for them to license some middleware like Unreal Engine 3 or Gamebryo.
As it stands though, selling service for a tool like Reason and expecting it to support development costs would be insane. The software is the product! People going off on the whole "sell support" nonsense don't seem to understand that certain types of software only have value insofar as they work as advertised. You don't buy support for a workbench, it either holds your tools and lets you work or it doesn't. If it doesn't you're not gonna use it no matter how free it is.
Nick
You have to be a bit subtle or your ass will be in a sling. If it is obvious that you are 'snooping around' you will be dog meat. Be warned!
I've been in a couple of organizations where people have been a bit corrupt.
1 - School board. The guy who looked after physical plant for the board had his staff do a lot of work on his cottage. He was probably doing other stuff as well. He got canned as did the director of education. Detecting this fraud just required listening to the staff gossip. Taking the board's plumber or electrician out for a beer would have got you all the evidence you needed.
2 - College. The new director of IT tried to change suppliers. He didn't last long. I think his boss was the one getting the kickbacks.
Kickbacks are hard to detect using regular accounting because they don't leave a conventional accounting trail. The best way to find them is by looking at the lifestyle of those you suspect. The best way to do that is to get to know them personally.
A lot of organizations are VERY sensitive to employee lifestyles. The father of one of my friends had his whole life audited because his house was a little too nice and his car was a little too flashy. It turned out that he was just an astute guy who should have been in business, not the civil service.
http://books.google.ca/books?id=o5jApbkp_hAC&pg=PA172&lpg=PA172&ots=6nxGc_rEYx&dq=detecting+kickbacks+lifestyles
I have yet to hear of any form of recourse whatsoever because a piece of MS software malfunctioned. Ever actually read that thing that most click "I Agree" on to make it go away?
She's quite right, in a backwards way. For a company, the difference between free and expensive software is often of no consequence. Paying $1000 for a licence that saves you $2000 is a no-brainer. Paying nothing for the same software is similarly a no-brainer. The point is all about the $2000 saved, not the cost of the licence.
Now part of the trouble with free, open source software is that it comes poorly documented and supported (though I'm not sure the 'support' part is important as most closed source idea of support is "that'll be fixed in the next version" anyway - just like oss)
The big differentiator is training and documentation and basically getting you going to save that $2000 in the first place. Another important fact is that some OSS is crap, and there's no easy way to distinguish between the good and bad (closed source is similar, but it's more pronounced for OSS). So the boss can easily complain that the bar for testing and proving it's OK is higher, and therefore costlier.
And I know I've just explained how OSS is 'bad' because it costs you upfront, and closed is good because it costs you upfront, but that's the way the argument against FOSS goes.
I suppose you could try the argument that the capitalist system has brought the economy to its knees, so it's worth trying an alternative in just one industry sector, or showing Microsoft's CodePlex, with the ingrained concept that 'it's MS so it's OK' that she'll already have built into her mindset. Once you start using OSS (MS) software, it should be easy to introduce other OSS software too.
I use that to start a FOSS introduction: who has ever used Open Source or has frequent contact with a company that does. Very few hands raised..
Insert
...don't make the cut due to the simple fact that they are open source.
Was that explicitly stated by this person?
If not, you're just assuming and there could be another reason. I suggest asking the guy for the reasons why the software was rejected.
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get. I'm a firm believer in open source code, but I also know closed source has its place. So what would be the best way for me to argue, with all the facts, to allow these people to come to their own conclusion that open source is actually good?"
A) Yes you can know what kind of compiled binary you're going to get -- compile it yourself. And if they don't trust people in their own company to do it ... the company has deeper problems.
B) What, exactly, is stopping a commercial vendor from compiling whatever they want into their program, or someone on their staff who is taking money from a competitor, and doing exactly the same thing your masters are worried about for an open source program? The difference is, you have no way to audit the code for the commercial one. You're trusting the commercial vendor to be honest. Why should you, if they won't show their code?
When you work at really large companies, you learn that almost every day a new lawsuit is filed against you. Where I used to work, we appeared to have a policy of settling lawsuits to avoid bad press. It didn't matter whether the suit was valid or not. I don't know what the real policy was, just that nobody seemed to have any balls above me.
There was also a policy against open source software unless it came with commercial indemnification. IANAL, but I took that to mean that the company didn't want to risk its business income because someone internally decided to use some FOSS software and we got sued over it. A cease-and-desist order would interrupt services to our 50M paying customers. When you look at it that way, not allowing OSS at all doesn't seem so stupid, does it?
The "owner" of an open source project doesn't usually have anything worth suing for, but a Fortune 10 company does, so that's who the lawyers go after. The good news is that most commercial UNIX vendors provide indemnification for the OSS they include with their OS installs, now. They don't indemnify all OSS, just the major stuff. They maintain a list. It is odd what is and isn't on it.
Anyway, the old company that I worked for was bought by THE COMPANY credited with inventing UNIX, so many of those policies changed. In fact, the bigger company has a policy that asks which OSS was considered instead of purchasing software. I'm guessing that they retained their "right to use" when they sold UNIX to another company many years ago. But I don't really know. OTOH, that new company seems to have lawyers with some balls. The new company has thousands and thousands of patents in their portfolio that almost every software developer uses daily - without having a license, so they aren't afraid of lawsuits.
Eventually, Microsoft will HAVE to start suing companies that use Linux to prevent violation of the MS patents and get income, or MS will slowly die.
The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.
I've encountered Microsoft reps spreading that nonsense, but of course it's utterly false. Anyone can change their own copy of some open source code, that's the point: you can customize it (or hire someone to customize it) to your needs. But that doesn't mean that anyone can waltz in and change Red Hat's digitally signed, costly-paid-support binary distros, or Linus' source tree for that matter!
The crazy idea folks pick up (I've seen it) is that "open source" means e.g. a globally accessible CVS repository that anyone on the internet can commit to willy-nilly. But of course, there are essentially no open source projects that work that way. That would be utterly insane! But that is the exact misunderstanding that Microsoft-using shops often have, thanks I believe to their friendly golf-buddy microsoft reps.
It may sound illogical to you, that "no one could believe that", but humans can believe all manner of stupid, illogical, inconsistent crap, so always start out by checking if the person does in fact believe that idiocy. Don't blame them for believing it (even if it is really their fault for being so gullible); try to find out why they believe it (chances are Microsoft is involved somewhere).
One of the major points against most OSS in big companies is support. It is usually cheaper to buy a piece of software together with support than to hire highly trained professionals that could eventually provide support for a free OSS. And actually open or closed source itself has nothing to do with the problem. The real issue is community developed/supported vs. commercially developed/supported.
One benefit of a commercial distribution of OSS is that all of the components undergo extensive QA and are fully supported and then signed with a cryptographically strong key.
The fact that anyone can change the source and submit it is a huge plus if those changes are subsequently examined, discussed, tested, documented and supported. Explain the difference between free as in beer and free as in speech. Freeware is very different from open source.
If they are open to serious security discussions, one tactic might be to try to get across a fundamental rule that pretty much all computer security people have been saying for decades:
If you're serious about security, you don't run any software unless you have the source, your people have studied it, and you've compiled it yourself.
If you don't do this, you can't claim to be serious about security, because the people you got the software from could have added all sorts of extra "features", and you have no way of knowing about them until they bite you.
This applies to all software from any source. The main thing different about open-source software is that the code is available to all its users, and they can share information about it without the vendor's permission. Another advantage is that, if you have the source, you can fix a problem that your people find; you don't have to wait for the vendor to get around to fixing it for you.
But you might not want to use the phrase "open source" at the start. Chances are that any manager who hates the idea is really just reacting to PR about the name, and has no idea what it means. After all, it obviously can't hurt you to have the source. At worst, you can just ignore it, and you'll be no worse off than with closed-source software. It's also possible that there's a confusion between "open source" and "free" software, since those concepts often go together. If so, you might work on getting them to understand the difference (and that "free" in this case doesn't mean "zero price" ;-).
Of course, it could be that the person in question is forbidding open-source because they're on the take, and are actively bringing in software with backdoors. This is a very real possibility in some organizations. You might try to find ways of figuring out whether this is the situation, and if it is, get the hell out of there. In the meantime, you might remind yourself occasionally that there's a chance that this person knows what they're doing, and talking about this could be dangerous to your health.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
You are correct with your suggested path. ... a lot. They may have a number of patents, hardware and software and process in their portfolio.
Anyplace that is 100% against OSS is usually a place that is involved with lawsuits.
They probably have huge amount of monthly cash flow too.
Let's use an example - a true example from when I worked at a big company, BigCo.
1) BigCo was a phone book publisher.
2) BigCo routinely paid artists and art houses for images. The terms of use for each image could be different.
3) Law-firm has an art-house client that produces DVDs full of stock images for 1 use agreements. If you decide to use the image, then you need to pay the art-house for that use. Law-firm pitches to art-house that they will sue BigCo over copyright claims since they found a similar photo in the phone book to one of their stock photos. $200,000.
4) Law-firm files the suit and requests discovery documents. BigCo puts 20 people on the legal team to perform discovery and finds for this particular image they can prove an internal artist created the image use. They have multiple pencil drawings showing the duck/plumber image creation from B/W to 4 color with the exact shape and colors used in the phone book. The lawsuit is invalid.
5) Rather than perform the research for any other possible infringements - which I believe don't exist due to the companies processes for artwork - they decide to settle to make the law firm go away.
This happens all the time. An image can easily be swapped out or removed. Imagine you are BigCo and a contractor "borrowed" some open source code for the main software that makes your company run. For a few years, nobody knows and it works better than any other competitor's software. Then one of the extra features of the borrowed code gets advertised - everyone wants it and the #2 competitor has that capability AND a patent on that process. #2 does a Google search and finds that the OSS project implemented something like their stuff. They sue BigCo, not the OSS project/developer - who turns out to be a former employee of #2. Legal judgment - for #2, and you have to stop using that process. #2 won't sell you rights to use the process. Your customers think of BigCo as a thieving, stealing company and cancel all orders and contracts - not just for the bad software, but all software. BigCo goes out of business.
The solution is to run commercial versions of OSS. I.e., pay a company to review the code and guarantee it.
I.e., don't run Firefox, run "Acmefox".
There is no reason to tilt at windmills and care about human obstacles if you still get paid, so unless I am both directed and empowered to solve problems where I work I don't care about solving them. If an organization cherishes their problems, fuck 'em.
I get paid to make my employer continue wanting to pay me. :)
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Actually, to add to this, look at the training industry around proprietary software. People want to be sent on training courses with free lunch. They want the company to buy big useless books. They want a shelf of big, useless, attractive books. They want to add Vendor Certified Whatever to their CV. This is another area where OSS needs to catch up.
Instead, show them Firefox, Compiz/Beryl, or KDE with SuperKarumba.
The advice to try and argue with them on the basis of facts, any kind of technical merit, or worst of all, the FSF's value system, is blatantly autistic, and utterly doomed to failure.
Microsoft does never and has never appealed to people on the basis of technical or philosophical merit. Microsoft has always appealed to people purely on the basis of aesthetics and base superficiality. With a neurotypical audience, that is the only thing that works, and don't let anyone tell you otherwise.
Find something open source that is bright, flashy, and shiny, and show them that. Get one of the videos on YouTube showing off Beryl with loud, dramatic techno music. That will probably work well.
Trying to tell normal people about freedom in the FSF's context will simply make them think you're a freak, and will thus do the opposite of what you're attempting.
in my industry billion of dollars in product could be wiped out if even one of our pieces of software miscalculates
All that money on the line, and you're willing to trust a program whose source code you can't examine? Amazing.
If it's really the alteration they're worried about, dig around on Google and create a short list of all the commercial shrink-wrap programs and consumer hardware that's shipped with viruses and malware embedded in it over the last 5 years or so. Even the iPod was hit with this just 2 years ago. Highlight the vendors' reactions, including the denials that there was a problem until confronted with incontrovertible proof. Then pull up the few stories of this happening to open-source vendors like Debian, pointing out how quickly it was detected and fixed (Debian's was found less than 24 hours after the compromise), how quickly customers were informed so they could fix the problem, and how few of these have occurred compared to closed-source software. I'd also play up the direct-from-author factor. All the compromises of OSS have been by placing compromised binaries on servers. OSS allows you to ignore binaries and get source packages instead, compiling them yourself. If you don't ever download binaries, you can never get hit with a compromised binary. Closed source doesn't allow you to bypass the whole problem like that. Finish by noting the only attempted source compromise I can think of, the attempt to introduce malware into the Linux kernel a while back, and point out that the attempt was detected almost at the point it was attempted, long before it got to the point where it would've been even considered for inclusion in the publicly-distributed source code.
Also note that with OSS most of the major vendors provide MD5 checksums of their packages that you can check yourself to ensure your binaries are identical to what the vendor produced, and many of them use cryptographic signatures on the packages that you can verify against their published keys to ensure the package actually came from them. No commercial vendor provides this, so there's really no way to ensure the discs you get really have the vendor's versions on them and haven't been altered. Even physical media isn't insurance here, not with how easy it is for even the average person to burn a disc. And note that this ability to verify packages also allowed customers, in the cases of the security breaches noted above, to determine whether they'd actually been affected by the breach and whether they really needed to clean up bad software or were in fact safe. Victims of the closed-source compromises had to just assume they'd been affected whether they had or not.
Not, mind you, that the above will do much good. The people objecting to open-source don't care about any of this. They just don't want to deal with anything new, anything that might disturb their precious status-quo and familiar environment.
If you work for a Fortune 500, best of luck trying. Most of them are so entrenched with deals with major software vendors (MS, Norton, etc.) that they'll go to extreme lengths to help out their buddies. I've seen everything from not allowing Macs on the property to threatening people's jobs because they made a blog on their personal time with their personal resources, off the clock, that may say something negative about Microsoft or some other company.
He may be arbitrarily denying requests for open source software for the reason that it simply isn't tested with the company's standard desktop PC disk image. I have denied (and would continue to deny) open source and closed source requests from desktop users, because the resources allocated to me to provide desktop support do not allow me to test every approved desktop application (custom or standard) against the requested application to be sure one won't scrap with the other. I am writing this from a Linux PC at home, BTW, so I've no personal fear of open source. I would love to see my workplace move toward open source, but the current situation demands that we stay with the devil that we know - Windows on the desktop.
-Troll, Flamebait, and Offtopic are NOT equivalent to disagreement.
I think the better way to look at the problem is to start with this question:
"How do you know you can trust *any* software project?"
Well, how do you answer that question? There are lots of ways of answering this question, but the one that stands out for me is this:
1) Trust, like respect, has to be earned. Has Project "foo" screwed me over in the past?
Yes or no, no equivocation?
2) If the answer is Yes, was it an isolated event? Was it an accident? Did the project people repair their mistake quickly, or did they let it linger and left me hanging?
a) If it was an isolated event, and they stayed on top of it, then yeah, I'll give them a second chance.
b) If it was an isolated event and they left me hanging, screw them, they're out. Next!
c) If it was not an isolated event, then that's it, they're out permanently. My time is limited and I can't afford to wait for them to reform themselves.
Now that's *my* criteria for deciding. Your criteria is ... your criteria. Based upon *my* criteria and my *experience* I can say the following:
1) Most of the Free Software (GPL, MPL, BSD, etc. licensed) that *I* use is excellent --- it does what I want, it's well documented *for me*, it has a good *publicly documented* record of fixing bugs and staying on top of things.
2) Most of the Proprietary Licensed software that *I* have used has been crap in the sense either it does *not* do what I require, or it's buggy, or it's poorly documented, or it has legal encumbrances that make it problematic to use, etc.
I want to be very careful here. I am *not* asserting that most Free Software is awesome and most proprietary software is crap. I'm only asserting that the software that *I* have *tried* from those models of software licensing have pretty much been: Free Software == Awesome, and Proprietary == Crap.
Now *why* is this true? Because I don't use Joe Random Free Software and don't use much Joe Proprietary Software.
The Free Software has been vetted by my OS of choice: Debian Linux. If it's in Debian's repositories then I'll give the software a shot. If it's not in Debian's repositories I don't want to look at it. I'm not interested in ever having to manually download, configure, make, make install software. I trust Debian as my big ass filter of crapware. If some Debian developer took the time to package some Free Software then it must be good, because Debian's guidelines for getting software into the repository are not for the faint of heart. That and the fact that their bucket brigade of QA ensures that when the software makes it into Debian's stable branch it might be obsolete but it's rock hard stable.
I don't use much proprietary software today. The only thing that comes to mind is Adobe's flash player. I used Microsoft Windows before Windows 2000 came out and by that point I had given up on them for being flaky once too many times. I used NVidia's kernel module for accelerated 3D graphics, and it was ok for a while, until I got burned once too many times when I upgraded Linux kernels and Nvidia hadn't kept up with Linux. The final straw was when Nvidia declared my hardware as legacy. In the case of Adobe's flash player, it's gotten better I think. The only thing that bothered me about it was its tendency to crash iceweasel, and not work very well with konqueror, and stealing audio (oss sound driver I think). The only reason it's still with me is because of youtube and because I'm waiting for gnash (Free Software) to be stable enough and not suck up too much CPU usage.
When you download source code in the recommended way, you can also download cryptographic checksums which check the code you downloaded against what it is actually supposed to be. The argument that open source is less secure is made by those out of FUD or ignorance. Point of fact: open source operating systems and software are actually more secure because they have been extensively peer reviewed and debugged. If someone in a decision making capacity uses bias against open source software it may be very difficult to convince them otherwise. I found it funny once when a "self-proclaimed" anti-open source peer of mine touted his success of scoring a Juniper SSL VPN appliance. I was more amused at his dismay when I pointed out that Juniper makes extensive use of FreeBSD. At first he was full of disbelief but the proof is in the pudding. Look at the credits in the manual. Instead of opening his mind he got more fervent. This is basic human nature, folks.
Read the postscript in this article: Linux Journal
The problem is that you're working with dogs!
Sometimes it's best not to mention the term 'open source', depending on who you're talking to.
You wouldn't brag about free speech to your friends in China. It's all about what they define the word as meaning, not what you define it as.
People are stubborn with words. Once they define a word to mean something ('open source'='risk') it's hard to break it.
Maybe you could call it non-profit 501(c)3 software?
My corp is generally pretty free with anything we use, though I've seen some weird things.
In 2005/06, I was using Firefox and would get high priority emails that Firefox was considered a security risk because some flaw was just found so I would have to use IE6. Of course the flaw was fixed in a day or two and I would just keep using Firefox anyways, never went any further than that.
And while we're generally allowed to use any kind of software for development, etc., they're pretty strict on what is deployed. It's pretty much an Apache license only rule, and while I'm not well versed on the differences between the GPL, BSD, and Apache, it seems odd not to even consider the others (we weren't going to modify the OSS, just use as is). If anyone has any insight on that, it would be cool.
The biggest problem is that our architects who make software decisions seem to be in the pockets of Microsoft, Adobe, IBM, etc. We're always buying expensive, cumbersome, proprietary solutions instead of going OSS. Now I understand that sometimes they are better, but last year we switched a really annoying change system developed by Microsoft, and many developers have to develop on Websphere/RAD, stuff like that.
Reviewing just the first hour of video games.
Don't give up on her. Remember the rule of advertising - constant repetition works just as well as truth.
With free-as-in-market people I like to talk about how free software's lower cost to replicate and thus create a new competitor drastically improves competition in the market. Proprietary software markets suffer from monopolies and other distortions from the government granted temporary monopolies (patents, copyright, etc) and simple lack of source code.
She should be reminded that the payment for the software doesn't need to be done after it is made, especially when the copying cost is near zero. Payment for most free software is done upfront - paying people to write the code.
People like your sister-in-law usually don't grasp the important differences between information and physical items and how those differences require different economies. Sneak in as many thought experiments as you can about the nature of information. Here is one that I use: http://themagicfish.org/
Complexity Happens
You should run into your boss' office looking alarmed, and scream "we've been compromised. Shut down ALL networks. Do it NOW!"
After your boss gets you to calm down, you explain to him that Cisco uses FOSS gcc to compile the code on their routers.
you can just come out of the closet and admit to being a fag instead of beating around the bush.
Popular OSS projects (Linux, Apache) have plenty of commercial support options from a variety of vendors. You don't need to "own" the software to provide support for it. Documentation is similar. Find a vendor that supports it and tell them you're willing to pay for better documentation.
If it's bug fixes and features you want, make it clear you're willing to pay for those too. Alternatively, hire your own small staff of programmers to do this yourself. You don't have to open source your features/bug fixes unless you choose to redistribute the resulting software. Sound expensive? Compare these total costs with the total costs for other software you're considering.
Yes there is. When any corporation is looking at software to meet some need, if you're doing your job right, this will involve getting demos of the software, and if possible, installing a test version and trying to get it working with your environment. For a large enterprise, you're an idiot if you buy software based on the glossy brochure without actually trying to use it first. Since this is easy to do with OSS, there's no excuse for not being aware of the product's deficiencies before you commit to it.
You can download a release that we have built and get a support contract with guaranteed 72h fixes, indemnification and what not from us.
Since our source is open you don't have to wait for us to find the problem, but you can do it yourself. I have worked with closed source companies and it is so annoying to deal with their support organizations that you'll have to start decompiling the source yourself. You can save yourself that without getting in DIY trouble.
And yes, your boss looks like a moron for not knowing this. He must have been hiding in a cave for the last 10+ years ;)
Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
He's the guy who posted this question, and I don't see any post from him anywhere in the comments. Questions of interest: Has anyone asked the Grand Poobah of Approved Software *why* he makes the choices he does? Is there a defined and published review criteria? Who does he report to, and what if any guidelines is he following? Who wrote those guidelines? Who can change them? Is there any mechanism for challenging the approval/disapproval of software? How big is the organization? What industry is it in? What outside rules/regulations is the org subject to?
There are a few that prohibit resale, but none of the large & established ones do.
Then the next time your company asks how to cut back in these difficult economic times tell them you could have saved ~$4000 in h/w, s/w, and OS costs if not for [insert name here].
Maybe you'll end up with their job.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Well, maybe it is not of interest to everybody. But I bet the owner of this discussion works in Brazil, maybe in the same company as I do. =) Well, actually I believe that the truth is that we have to accept what our bosses say, and this is from my point of view worldwide. One reason they may forbid the use of OSS/FOSS is because they pay for other companies' software with their software, or maybe they just have a contract to buy some software from other vendors that are also customers of the company. This is what I think occurs where I work. I also believe that some companies are afraid of being sued by OSS software developers, I'm not sure, but also, large companies prefer to buy from other large companies.
There are no licenses that prohibit resale that are listed as "Free" by the FSF or "open" by the OSI, as there are none that would meet the four freedoms or the "open source definition"/DFSG.
Don't conflate strongly copyleft licenses with all open source licenses.
If you have a niche product & your customer base is enterprise users, others will still purchase your product and/or purchase support from you. F/OSS could be a strategy to widen your distribution in order to gain customers. See, e.g. MySQL.
Of course. But my parent was talking about OSS, not FLOSS. I pondered pointing that out, but did not. Sorry, I should have done.
A large company shouldn't have one person with this much authority but no repercussions. If it's really that bad, and the person is really that idiotic, it's not worth staying there.
Remember that during your working years, you spend a quarter of your entire life working! Make sure you enjoy it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
My client's inability to solve problems (plus his haste to create ever more problems in the course of his "business development") is exactly what keeps me employed there for nearly two years as a consultant. While I have made good progress as a problem solver myself, I have not yet been able to educate most people there to become effective problem solvers themselves.
Any hints on how to achieve that?
Hi, my name is Mr. Technology Lead in the Software Dev. Department. Today I had a very busy schedule meeting w/ #SOME_EXPENSIVE_SOFTW_SOLUTION_COMPANY and had a 6 hr presentation in #SOME_REMOTE_LOCATION_OFFICE where we discussed the details of the licensing package for our company. My boss already lined up the budget and my team and I are ready to start a 1 wk training in SAN DIEGO next month. During lunchtime at #SOME_FANCY_STEAKHOUSE I got an email from #SOME_DOUCHEBAG_UNDERLING suggesting I consider an open source solution.
I got a good chuckle while my new buddies insisted on picking up the check.
- these are not the droids you are looking for -
Almost every vendor in existence has explicit information in their EULA that states that they are not responsible for anything basically related to any type of "protection".
Every vendor in existence except Microsoft, perhaps? I agree wholeheartedly with the GP. Nobody ever got fired for buying Microsoft. I'm not being a shill here, or trying to be funny -- it's just the truth. If you need to cover your ass -- and by "need" I mean "have the legal responsibility to" -- downloading Windows binaries of OpenOffice.org from a Web site backed by no vendor just isn't going to cut it. Even VI isn't going to cut it if there's some small chance that you'll wake up one morning and find that VI seems to be corrupting everyone's saved files, and there's nobody to call to fix the problem for you. That's what CFOs want to hear: that in the however-unlikely eventuality that there's a serious problem with software, you have a Throat to Choke. And that's what commercial software vendors offer. Large enterprise customers don't get their license terms from a little piece of paper slipped inside the software box. They call the vendor's sales department and arrange lunch, and go from there.
Breakfast served all day!
Hi, I have too much time on my hands and, instead of actually solving the problems in front of me, I want to pick the wrong battle with the wrong people and take on the software approval process. It won't affect the company I work for in any way thus making it a completely pointless waste of time, but I just can't help pushing my nose where it doesn't belong. Any suggestions?
If you have one person deciding what your technical team needs to do it's job, your company is, or is going to be, way too inefficient to cope with today's business environment. Not only that, but the person/people making the decision about SW in your company, and those that hired them too, they are complete, utter, and flaming idiots with no common sense (and yes, that made me feel better). So here is what you pitch -- transparency of source means "audit trail" and more security than closed.
If your company really is concerned about and needs this kind of security, you are truly better served with open software than closed. You can pitch going to Red Hat, or other distribution company, and download, audit, and compile from source. You can feed back any security issues you found -- and you can't do that with closed source. Who knows what back doors a closed source vendor has put into their code?
This is waaaayyyy OT but I'm curious what you meant by NVidia declaring your hardware 'legacy'. Up until last year, I was using an 8 megabyte NVidia card in a machine with an AMD K-6 processor and 64 megabytes of RAM with (almost) current drivers. I say almost because the last working driver was released last April and the machine died in November. Not bad for a decade+ old computer.
BTW it wasn't my desktop machine, but it made a great firewall/router.
So you're still wrong.
It could be that the person has an agenda (stock, options, etc.) in certain proprietary companies and they don't want to lose retirement money. Of course, there is the notion that the person instantly saying 'No' is not qualified to assess software and is hoping to 'sue the pants off' any company that doesn't deliver X, and they don't otherwise have any means of assessing software. The real joy here is that smaller companies/competitors will save some medium to large mountains of cash by using OSS (and get better performing software as a bonus), and eventually mightycorp will learn or die. Entire countries are adopting OSS officially. For a company to say "well gee, I just don't know..." is to not boldly go where millions have gone before. It doesn't make you a chicken, it makes you an idiot.
I think people like my sister-in-law are firmly planted in important corporate positions throughout our country, insuring that Dilbert-Land will continue unimpeded.
Not that I think the "invisible hand" of the market fixes everything, but this should be one of them. If open source is so superior, new companies will emerge and old companies will adapt or die as their margins vanish. When Henry Ford introduced the assembly line, do you think all the other car producers followed? Most of them didn't and are today in the history section. It doesn't take more than one company taking that as a "radical cost cutting measure" and surviving a downturn where the others don't and it's done, the dinosaurs will be dead and the smarter company lives. Sure you might care about that as a stockholder of a dinosaur, but for everyone else I think the market will sort that out for itself.
Live today, because you never know what tomorrow brings
A number of enterprise-grade open source projects, such as most of the free J2EE stack and Linux, have attractive books available. That's well handled.
Commercial training is another matter though. I completed highly recommended week-long Oracle training and discovered it was not far removed from an online tutorial, yet took much longer. I guess that's just how some people prefer to receive knowledge.
Sam ty sig.
"Miserable excuse"? Why? Because key decisions are being made by someone who isn't qualified to make them? Welcome to the workplace. Most organizations have somebody like that. No, I take that back. If the ten or so organizations (both private and public) that I've worked for are representative, they all do!
Sometimes you have no choice but to give up and move on. But that better be your last choice, because your new job will have its own set of underqualified bozos. And sometimes you have to live with situations that make it impossible to do your job well. But that better be your second-to-last choice if you take any pride in your work.
As for Piranhaa, he's asking the wrong question. Obviously the decision maker who's vetoing all OS requests knows jack about software. So presenting ideas about the advantages of OS (which include security from the very "code pollution" this guy is worried about!) is a waste of time.
Here's the question you should be asking: why is a major corporation giving veto power over software acquisitions to somebody who doesn't know anything about software? That's a major problem all in itself, never mind the OS issue.
Take a look at http://www.dwheeler.com - in particular, "Open Source Software and Software Assurance (Security)" and "Why OSS/FS? Look at the Numbers!".
As you already know, this claim that "anyone can edit the open source software" is nonsense. They're conflating editing a file with getting that file into the supply chain. Anyone can edit a proprietary program, too; just open up a hex editor and start modifying. The issue is, can a malicious attacker modify the program AND get their changes into the binary you end up with? This isn't easy at all in the major OSS projects (the kind your company is likely to consider). Any OSS project has some kind of a "trusted repository", the "official" version that people pull from. For a change to get into your system, the trusted repository has to be subverted AND not detected later. We already know of an attempt to subvert Linux that failed, so it's not as easy as they think it is. If they are REALLY concerned that they "don't know what the binary is", then get the source and recompile it.
Don't expect proprietariness to save you. Indeed, because the source code isn't being widely examined, any malicious code that gets in will be more difficult to find later.
The U.S. Department of Defense's policy is to consider OSS equally with proprietary software, as does the entire U.S. government. In fact, the U.S. Department of Defense heavily depends on open source software, and they almost certainly have more stringent security requirements than your company.
If a company can't handle technological shifts in information technology, they risk their own long-term survival. OSS is now mainstream and widely used.
- David A. Wheeler (see my Secure Programming HOWTO)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You ever heard of it?
Voting machines with back-doors?
2 databases in 'em, with the one that tallies the votes NOT the one that is submitted?
You've got a much more trustworthy "partner" in OSS than you do in such "partners" as Microsoft, which sleazes, steals, & murders its "partners" with clockwork regularity (it says that this is "co-opetition", so it's ok), the same Microsoft that uses hidden/private lobbying in order to get "standards" made, and then stuffs the competing standard's group - ODF - with its own staff, while conveniently not mentioning that?
If you trust the rights-greedy governments, or the slimy corporations that deem human-rights to be OBSTACLES ( notice how our gasoline's price means Nigerians need be murdered ), then you deserve the east-Germany style world we're all gonna be contained within, in about 5-10 more years.
Many eyes means it is, OVERALL, trustworthy.
Few eyes, and those "privileged" ones, means it ISN'T trustworthy.
Hell, even the ACTRA law is closed-source, so we aren't permitted to know what law it is that we're being committed into.
Look at Hitler & Stalin, and you'll find similar methods, dude...
History shows that after rights are removed, then mass murder begins.
Things are not looking good for our world.
If you're worried about someone trojaning OSS, set up an ADMIN browser, with the SAGE Atom/RSS reader in it, and subscribe to all the projects you rely on.
If any one of 'em gets "diddled", you're gonna know much quicker than if you wait for the mainstream media for such news.
Also, with SAGE and friends, you can just use "show only updated feeds" and cut down on the noise/signal ratio.
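The "subscribe to every project you rely on, show only what changed" workflow above, as an added example that is not part of the original comment: it parses Atom feeds with the standard library, remembers the newest entry reviewed per project, and on the next run lists only projects with newer entries. The feed contents and project names are constructed for illustration; a real deployment would fetch each project's release or advisory feed URL instead.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feeds standing in for the release/advisory feeds of projects you rely on.
FEEDS = {
    "example-editor": """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>v2.1 released</title><updated>2024-05-02T10:00:00Z</updated>
    <link href="https://example.invalid/editor/2.1"/></entry>
  <entry><title>v2.0 released</title><updated>2024-03-15T09:00:00Z</updated>
    <link href="https://example.invalid/editor/2.0"/></entry>
</feed>""",
    "example-browser": """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>Advisory 2024-01</title><updated>2024-01-20T12:00:00Z</updated>
    <link href="https://example.invalid/browser/adv-2024-01"/></entry>
</feed>""",
}

def parse_entries(atom_xml):
    """Return (title, updated, link) for every <entry> in one Atom feed."""
    entries = []
    for e in ET.fromstring(atom_xml).findall(ATOM + "entry"):
        updated = datetime.fromisoformat(e.findtext(ATOM + "updated").replace("Z", "+00:00"))
        link = e.find(ATOM + "link")
        entries.append((e.findtext(ATOM + "title"), updated, link.get("href") if link is not None else ""))
    return entries

def updated_feeds(feeds, last_seen):
    """The reader's "show only updated feeds" view: feeds -> Atom text per project,
    last_seen -> newest entry time already reviewed per project (absent = never).
    Returns only the projects with entries newer than last_seen, newest first."""
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    new = {}
    for name, xml in feeds.items():
        fresh = [e for e in parse_entries(xml) if e[1] > last_seen.get(name, epoch)]
        if fresh:
            new[name] = sorted(fresh, key=lambda e: e[1], reverse=True)
    return new

def advance(last_seen, new):
    """Record the newest reviewed entry per feed so the next run shows only later changes."""
    return {**last_seen, **{name: entries[0][1] for name, entries in new.items()}}

if __name__ == "__main__":
    state = {"example-browser": datetime(2024, 1, 20, 12, tzinfo=timezone.utc)}
    for name, entries in updated_feeds(FEEDS, state).items():
        for title, when, href in entries:
            print(f"{name}: {when:%Y-%m-%d} {title} {href}")
```

Persist the dict returned by advance() between runs (a JSON file is enough) so only genuinely new releases or advisories surface.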
Open source = Competition
Closed source = Collusion
Slashdot = Sarcasm
OSS does not come with technical support, only community. I think this is the major reason why.
People like to talk to other people when it comes to supporting or just asking a general question regarding something.
OSS generally is pretty fast paced, so it's hard for your IT department to keep up on all the changes (and updates).
OSS, unless it evolves, dies off in a few years and all that training that everyone did for a software system is basically useless.
The list goes on as to why corporate America does not use OSS for front-line desktops.
"This is the kind of moron who gets written up on TheDailyWTF, and derisively laughed at for years to come."
As opposed to the kind of moron who writes people up on TheDailyWTF.
The boss doesn't have to be right, the boss just has to be the boss.
Hi!
I have seen others say "leave your job" because they are morons. This would be the easy way, but we IT people sometimes love to fight for our views. So try this before you go to the HR dept or look for job ads.
Large enterprises are scared of things with unknown or hard to track origins. Open source software is such a thing. They might be afraid of being sued by some guy who claims to have 5 lines of code stolen and used by the company as part of an open source project. This can be a real problem, especially if a scandal breaks out, and if the company is publicly listed, this can easily cost millions (and the decision maker's career). I think this is one of the causes of paranoia.
Have you tried to bring in open source that comes with dual licensing? We do dual licensing, because we have found that companies like the hybrid approach of having open source software but at the same time having a legally safe license. In this case, some of the customers' legal departments do not even know that the software is open source, because they do not read the GPL, but the commercial license. The commercial license has a clause which indemnifies (I think this is the right term) the user, so if someone sues the user for copyright infringement, we take the blame. (Note: I am not a lawyer, but I did talk a lot to lawyers and picked some of the language up :-) )
Of course, not all open source can be dual licensed, because only the copyright holder can license the code, so if the code is owned by many people, not one entity, this can not be done. In our case, the code is owned by our company (because we wrote it) and for the parts that we did not write, we use trusted sources. This way we can take the responsibility for our code, and we can also license the code with a proprietary license (as well as GPL).
You should try this dual licensing first, and later convince your bosses that if this worked, other code could work. Choose foss with a company behind it, so you get support and updates, and there is some entity you can make a contract with.
Short background: I work for a software company of 40 that produces open source ECM software and sells licenses and services to large enterprises in Hungary. Our software runs on Windows, so I know the problem of "wtf, foss on windows?" quite well; I can even imagine the look on your boss's face.
Tom
GP is probably thinking of the SSL initialization exploit, which did affect Etch if I recall.
DRM: Terminator crops for your mind!
I completely understand that a company [insert-title-here] would not want all employees to freely choose which software they want to use, but seriously, everyone is better off if the workers get to decide on SOME of the software they use. What's so evil and bad about using Firefox at work instead of IE? 30% market share is still not enough to prove it actually works and doesn't have KGB backdoors? I'd say your boss is an idiot for not even listening for a second.
I'm very happy with my current workplace. Everyone here basically gets to decide what programs they use, luckily they stick to doing their jobs so their computers are very clean. Most of us use Firefox for web browsing and there's never been any problems with that.
I don't need permission from my superior to install a program I need to do my job, I just do it whether it's open source or not. When I was told to set up an internal web server I chose to use Linux, my boss asked me if it's better than using Windows for the same purpose so I told him it's free, it works and it's less bloated and that's it, no more questions asked. That's how it's supposed to be...
"How do you know you can trust open source projects?"
- How do you know you can trust closed source programs? You've never seen their code, no one knows whether the program is legit except the people telling you it's ok, and //they're the ones selling it to you//. So when you buy a closed-source program, you don't have a single clue whether it will do something it's not meant to do. Don't believe me? Check here: http://vsbabu.org/software/fsxls.html - this is Microsoft actually putting something into Office which had no business being there, and no one told the customers about it.
In this case it's benign, but all closed programs are more of a security hazard for being closed than the open source programs, because closing the source gives the programmer full license to do what he wants with it. I can give you a hypothetical example: a company creates a program which helps you create and maintain offline versions of your profiles on popular blog/profile pages like facebook/myspace/whatever. It goes through its first iterations and looks kinda legit, but in one version it starts gathering data on your email addresses, your personal information, the personal information on other people around you, and starts monitoring your email. In a new version it then starts sending useful information on email addresses, contacts and so on to a huge botnet for spamming purposes. It does it discreetly, and in the license agreement you signed, they have a "we need these rights to be able to send to the legit sites, so say yes to this". The difference between a closed source program behaving like this and an open source program is that the open source programs which try a stunt like this will get shut down a lot faster than a closed source version.
What open source programs do is give everyone on the internet the chance of going through the code, and verifying that what the code is supposed to be doing is what the code actually does, and nothing more. You and I might not have the technical skills to do that, but there's plenty of people there who notice things if they're wrong, know how to grab the open source, compile it, compare it with the downloadable executable and can tell you whether it's dubious or not.
- So essentially, your security IT guy got bells ringing in his head when he hears open source; it's a shame that he doesn't realize that it's the //same bloody bell// that should be ringing for any/all closed-source software he doesn't recognise.
"What processes are in place to protect users from malicious code?"
- well, one process is called OPEN-SOURCING. You're clearly confused about what programming is, I'd turn in my geek-license if I were you.
- I'll leave it as an exercise to the reader to find simple yet effective ways to check whether their software is bad or not.
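The "grab the source, compile it, compare it with the downloadable executable" check from this comment, and David Wheeler's "get the source and recompile it" advice earlier in the thread, as an added example that is not part of either comment: it verifies downloaded artifacts against a sha256sum-style manifest and then against the same artifacts rebuilt locally, reporting a distinct verdict for each failure mode. Artifact bytes, file names and the manifest are constructed for illustration.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>'); returns name -> digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_release(manifest_text, downloaded, rebuilt):
    """Check each downloaded artifact (name -> bytes) against the published manifest,
    then against the same artifact rebuilt locally from source (name -> bytes).
    Verdicts: ok, manifest-mismatch, rebuild-mismatch, not-in-manifest, missing-download."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name in sorted(set(expected) | set(downloaded)):
        if name not in downloaded:
            report[name] = "missing-download"
        elif name not in expected:
            report[name] = "not-in-manifest"
        elif sha256_hex(downloaded[name]) != expected[name]:
            report[name] = "manifest-mismatch"
        elif name in rebuilt and rebuilt[name] != downloaded[name]:
            report[name] = "rebuild-mismatch"
        else:
            report[name] = "ok"
    return report

# Constructed sample artifacts standing in for a release's binaries.
GOOD = b"\x7fELF constructed good binary"
TAMPERED = b"\x7fELF constructed binary with an extra payload"
MANIFEST = f"{sha256_hex(GOOD)}  editor.exe\n{sha256_hex(GOOD)} *plugin.dll\n"

if __name__ == "__main__":
    for name, verdict in verify_release(
            MANIFEST, {"editor.exe": GOOD, "plugin.dll": TAMPERED, "extra.exe": GOOD},
            {"editor.exe": GOOD}).items():
        print(name, verdict)
```

The manifest check only proves the download matches what the project published; a tampered upstream would publish a matching manifest, which is why the rebuild comparison matters. Byte-identical rebuilds need a reproducible build setup (fixed toolchain, no embedded timestamps), so expect rebuild-mismatch until that is in place.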
I think the follow the money and not wanting to shrink the budget apply here as well.
One thing I see missing from the arguments though is the simple fact that much OSS is crap, so you must be specific when talking about OSS and name projects/products and why they are necessary. The whole GPL/OSS philosophy may be important but doesn't help in winning the 'bringing OSS into a Closed Source' argument when the attitude of the boss is that OSS is crap.
There are groups out there that make a living off of introducing large organizations to open source. Get in touch with one of them. These guys understand the issue from management's perspective and know how to pitch to execs. You'll get the open source you want and management will get the checks & balances, best practices, policies, references, etc. that they need to feel warm & fuzzy. If you are going to go it alone, I strongly recommend starting with a policy & audit strategy as mentioned previously in this thread.
If you find something for which an open source program exists, but no suitable commercial program, you might have the ammunition you need to make the walls crumble.
You can also take a slower approach by introducing things that are open source but not really deemed a threat - like using remotely hosted open source software for some purposes, like getting open source perl, java, javascript, or similar products for certain web based applications, and so on.
Some software may also be installed on a more or less isolated test machine - your web pages do need to work on Firefox, don't they? And someone needs to test that?
Once the licensing issues have been covered by your company that way, they will probably allow some more experiments.
Also, make sure to point out any good business reason to your superiors whenever a more liberal attitude towards letting people decide for themselves has advantages.
The person is probably just misinformed or insufficiently informed about open-source software and the benefits behind open-source projects. Link him to this page, which by now should have a whole bunch of useful comments on open-source software.
My main point would be this I guess: it's not easy to have faulty/damaging code accepted into the main branch of the bigger projects. So no, there's no damaging code in the main branch of most major OSS apps, especially the widely used ones.
I am not devoid of humor.
By framing the discussion in terms of "open source" vs. "proprietary" you have framed the focus of the argument on the quality of the software. However, if you want to establish reasons why people should trust the software, and why it is good, then you should frame the issue in the context of a broader social and ethical movement -- the free software movement. This movement, which is over 25 years old, is founded on the idea of guaranteeing freedom to each and every user. I believe that with an argument founded in people who wish to guarantee user freedom for all, you have a much stronger foundation than if you talk about the software in terms of brands, products, and vendors. Root your conversation in the people who want all software to be free, that is, software that carries the following four freedoms:
* The freedom to run the program, for any purpose (freedom 0),
* the freedom to study how the program works and its source code, and adapt it to your needs (freedom 1),
* the freedom to redistribute copies so you can help your neighbor (freedom 2),
* and the freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3).
I believe if you do this, you will be more likely to convince others as to why you should trust projects led by individuals who have shown a clear commitment to the free software movement and who have garnered respect within this movement. Once you have established trust, and a trusted source, then convincing people about the practical merits and usability of the software should be easy.