Bringing OSS Into a Closed Source Organization?
Piranhaa writes "At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization. I've noticed that requests from users for open source Windows programs get denied, nearly instantaneously, on a regular basis. Anything from Gimp, to Firefox, even to Vim don't make the cut due to the simple fact that they are open source. Closed source programs from unknown vendors have a much better chance at approval than Firefox does. The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get. I'm a firm believer in open source code, but I also know closed source has its place. So what would be the best way for me to argue, with all the facts, to allow these people to come to their own conclusion that open source is actually good? Would presenting examples of other big companies moving to open source work, and if so what are some good examples? Or can you suggest any other good approaches?"
Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer.
Some people/companies just want a name to blame if something goes wrong. Rather than requesting the right to install Vim, request the ability to purchase a license for Vim. Many projects have already setup mechanisms to do this or are willing to do so.
If this doesn't work because:
then go to your manager and also the person or people who decide how good a job the "software evaluator" [single person] is doing. Point out a real business need for a particular application: "Vim has XXX feature. It is not available in any other software. If I had this feature, I'd be able to do YYY, which will [save/make] our company $[insert figure here]. Did I mention that it is written by a Google employee, and that our competitor, ZZZ, is probably going to use it if we don't? Here's a list of other companies that use Vim [insert fortune 100 here]. Can you please make [single person] justify why he is putting us at a competitive disadvantage?" Cost is rarely a concern. So save the fact that it is free as an additional argument that you can make if [single person] suggests some other app.
If you are passionate enough about your tools, you can always walk--some companies hire talented employees and understand that they will be more productive with their preferred tools. (If you find yourself in such a company, don't spoil it--produce results with your tools, so that the company will be rewarded for this wisdom.)
If you want to be a dick, point to comparisons of some no-name proprietary program that [single person] approved that turned out to have a security hole and that your app does not suffer this hole and try to pull other tricks to demonstrate that [single person] is incompetent.
I would have resigned if I were you.
The largest prime factor of my UID is 263267.
The fact is that because open source is open, if someone tries to put some hostile code inside it, it will be seen and stopped there and then. With closed source, if hostile code gets put in, you're relying on a much smaller bunch of people to spot it, and there is always the possibility they will all collude together to put something in.
With open source, you can evaluate it.
People use the same argument against wikipedia, "anyone can edit it, therefore it cannot be trusted", but the same counter argument can be applied to that as well.
Seriously, you need to find the person and find out what their concern is. Is it a maintenance cost? A desire to avoid mixing and merging tools in-house? Are they concerned about who will be responsible, or liable, for problems with open source tools?
If their concerns aren't justified, and they can't be negotiated with, then they may need to be fired, or you may need to leave in order to get the tools you need. But their concerns are sometimes well founded: I've seen people who need a 99.999% uptime who were absolutely terrified of open source tools, had implemented closed source and very robust tools, but didn't realize that it absolutely prevented new development. That was OK, their requirements were very stable indeed. But it meant that they could not support projects from other parts of the company.
It likely isn't worth the effort. I really like FOSS myself, but one needs to have some perspective. This isn't getting food to the hungry, or getting some medicine to the poor. If upper management has an irrational hatred of OSS, so be it. Live with it, or resign. Based on what you're saying, the person doesn't seem open to reason -- and there is no point in using open source for non-rational reasons.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I question the wisdom of this. How many companies have the time to waste doing this vs. going to a vendor and shelling out for an "assured" solution? It'd cost less in man hours to simply purchase Windows than audit an entire Linux distro for malware.
I think the "but you can read the code" retort is easily answered with "but who's going to pay to read it?"
If you mod me down, I will become more powerful than you can imagine....
I'm sorry for posting as an AC, but the /. login doesn't seem to be working (no matter what I type in to the captcha, it doesn't let me verify my password!).
This guy is God as far as software at this company goes. He can do what he wants and unless there's a major catastrophe, his supervisors will let him continue to do so. If what you say is accurate, then he's made up his mind and there is no reason to change it at all.
You ask for "the best way for [you] to argue..." That's it right there. As long as you argue, you lose. He doesn't want to argue, he wants to be right and that, by definition, is what he is for anything he says at this company. He doesn't want to hear from you, doesn't care, and in any argument, if he so much as listens, he is indulging you.
True, he's an idiot, but that doesn't matter. He has no reason to change so he won't.
If you want him to change, remember he's like electricity: He takes the path of least resistance. For him to change or even look into change, then that path has to be made easier than him not even bothering to look.
When you can make it easier for him to look at FOSS than it is to ignore it, he'll start looking, but not until then -- and likely not even then if he has a grudge against it and doesn't want to admit it.
with a hooker and a camera!
It sounds like a bad environment for a programmer. I'd leave them with their closed source programs and look for a job in a better company.
I've worked in several large corporations, and was faced with similar challenges.
Oftentimes, open source software is not viewed as a serious option because (depending on what software you're looking at) there isn't a singular reliable source of support, and due to legal reasons, a large corporation just cannot afford to take a 'gamble' with open source. You need to pick your battles and pick them well.
I'm not implying that open-source software is better or worse than commercial software, but the dedicated support definitely is lacking in the open source world.
The last thing a pointy-haired boss wants to hear is that you're waiting for someone to reply to your post on the forums, or that you're getting on IRC to find out if someone ran across the same problem and what the solution was.
For example, ZenOSS is a great monitoring tool, but the documentation is complete garbage, filled with errors, omissions, and even broken sentences. Mind you, this also includes their Enterprise version, and their support is also lousy. You'll be lucky if you get a response within 24 hours from when you submit a trouble ticket as an Enterprise customer.
Redhat, on the other hand, is much more responsive. You'll get a reply or at least an acknowledgment that they got your email within 20 minutes, which at least is enough to give management the 'warm fuzzies'. They're really just another Linux vendor, but they have a support line, and they have the fancy brochures and certifications, and that adds legitimacy. It tells the business world that they mean business, and are not just some long-haired smelly CS grads with a pet project.
Sounds like this person has a deeply vested interest. I would guess that the real problem with open-source software is that it's free (as in "beer"!) so no chance to cash-in by playing favourites.
Find out where the kickbacks are coming from and blow the whistle.
New mod option wanted: -1 DrunkenRambling
Purchasing Windows doesn't give you an "assured" version either. The industry has learned that hard lesson over and over. You're much better off just licensing an open distribution like Red Hat, because you get the corporate support side as well as the community audit side.
The fact is that even if you don't have time to read the source, other people do, and a complete distribution has the unique level of multi-party quality assurance money can't buy.
Microsoft is probably the worst possible example anyway. They regularly put in their own malware. There's no audit required to know that WGA is pure and simple malware. It's absolutely moronic to name them as an example of an "assured" solution vendor.
Sam ty sig.
If you want to be a real stickler about security with OSS software, why not compile the binaries yourself? Bam, no reason for OSS
And your assured solution could be, say, have a glaring security issue.
Fortunately, software companies aren't asses that sue people for disclosing things, want all bug reports public so companies can take precautions against problems, and definitely will fix bugs in a timely manner,
If the company goes under or is largely unresponsive, we'll simply use a different software. Any data that we may have used, we'll just convert away from them. This will be a walk in the park too, since we'll definitely have an option to export to many other programs (to avoid vendor lockin, of course), or we'll simply read the proprietary data file format ourselves using a script to convert the data!
There are so many examples of such honourable companies, like... uhm...
err... :D
While I was working for a former employer, we were engaged in negotiations with a very large company that would act as a distributor (to a certain market) of our products. Said unnamed company in the distribution contract wanted us to sign off that "no open source software products were used in the development process, and that no OSS was present in the product".
Why?
Frankly, I understand the concern. If you are a development shop, then if OSS creeps into your product (due to a careless (and thoughtless) developer copy-pasting code, for instance) then the legal ramifications may be grave. Potentially, depending on the license, you are required to disclose the entire source of your product, and provide a usage/distribution license to whomever receives that code -- basically, a single minute action can sign off your rights to your software. Your distributors have also violated copyright, and are in similar hot water (e.g. their efforts in promoting your product are now potentially worthless).
The result? Some companies are so afraid of this "poison pill", that they simply don't let any OSS in their gates. Does this promote OSS? Maybe. IIRC, I recall that some friends working for the dark side (M$) report that no OSS is allowed there (or in some parts thereof).
I use OSS extensively. The former company I worked for had a whole heap of OSS in its development process (but not in the developed chip/product). Actually, considering that a non-OSS company (Altera) used OSS in its supplied development chain (gcc, for instance) that we were using, there really was no conceivable way that the company I worked for could've signed off on the "no OSS" bit of the contract.
Doubt you will be able to change your control guy's mind with reason, so you have to play politics. Find an example where expensive software was bought instead of OSS and tell his/her boss how much the policy (note not "the person" - bosses can work it out) is costing the company. Of course, if the guy IS the boss or is related to the boss, just find another employer if it's that important to you.
Andrew Yeomans
The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.
That's why open source has source. You can examine the source code to see if there are any strange patches. Compile it yourself and then you know what kind of binary you're going to get.
That's also the big benefit of open source. There are thousands of eyes looking through it for the larger projects. You also get the benefit of customizing the source for your own purposes (and if you don't distribute the end results, you don't need to distribute the source of your changes, either, for the software under GPL).
I might worry about the projects where anyone in the world has CVS/SVN/GIT/HG commit access. Most don't do that. It's not like Wikipedia. And if you wonder if some project may have some nasty patches applied by less than honorable people, just look through the revision history or download some older tarballs, and look through the changes.
now we need to go OSS in diesel cars
As a small addendum, remember those fellows that found OSS in the infamous sony rootkit (by various strings present, IIRC). A week or two later the same guys (or someone else) found OSS in some other commercial software product. IIRC, there was some legal action (from FSF?) following this.
It used to be, that if you screwed up and placed OSS in your product that the chances of being caught in the act of theft were fairly low. Currently, the chances of being caught (even if your act was inadvertent) are significantly higher.
1) Convince his superiors that a particular open source program is the best available for the job. If this works, try with another one, but make sure you point out the open source nature of the program.
2) Talk to your workmates about open source software that you use, and try to get them to request some of this software to be available to them. For bonus points, try to get them to complain (with email evidence) when software is rejected to the people who evaluate the performance of staff.
It'll take a long time, and you'll have better success (and more likelihood of him being replaced) with the top-down approach, but the bottom-up approach is probably more likely to develop good word-of-mouth links to OSS.
Ask me about repetitive DNA
As with any idea you want to sell, you have to pitch it in terms of what the company wants. Most companies aren't going to be motivated by a philosophical argument. You have to ask yourself: If the company started using open source software, would it have a significant positive effect on the bottom line? If not, you're unlikely to succeed.
Open source...is about the user.
Closed source...is about the company producing the software.
Open source is often written by the very people that will use the software, and they don't want crap in their software.
Closed source is often written by people that will use it, but they need it to sell money. So is it cheaper to push crap out the door or gold plated jewelry?
At my previous job, I heard some really crazy reasons, from non-technical PHBs, for outlawing free software. All kind of nonsense up to and including Russian hackers planting backdoors/trojans in OSS apps.
In the end, the best way to make these non-technical PHBs see sense was to simply point out all the OSS they were already using, without even knowing it.
Those HPUX servers? Running Samba shares.
That F5 SSLVPN network appliance? FreeBSD!
The most priceless moment was when I discovered the main OSS opponent was an avid Firefox user. He referred to it as "Microsoft Firefox".
In my organization I wrote up a risk analysis for open source and closed source software, detailing the risks in each.
How does malicious or dangerously buggy code get into each type of project? How do you assess the threat in both types of software?
What is the review process?
How big is the project?
Did you compile the software yourself? Who did?
How did you get the software/source code? Etc.
This document was picked up by other people who eventually turned it into company guidelines for OSS adoption.
Me.
Seriously, after all these years of success and reliability, anyone claiming Open Source software is an organizational threat is simply in the tank for Microsoft. Firefox, a threat? VIM, a threat? While Internet Explorer and MS Word are paragons of safety? The man is provably out of his fscking mind.
Schwab
Editor, A1-AAA AmeriCaptions
In my experience, your best bet in these cases is to walk the company's official path for software acquisition.
If no such path exists, your first step is to convince management to create it. Your common goal is to get the best solutions for the problems at hand.
Here is a very useful link of the Dutch government on making FLOSS a viable option for software acquisition:
--> http://www.ososs.nl/files/acquisition_of_open-source_software_-_text.pdf
If it is good enough for the Department of Defence then it should be good enough for any corporation. However, if IBM, Sun, SGI, Hewlett Packard, AOL and Dell are not good enough to convince your bosses, then I don't think anyone will.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The GPL allows you to bring open source in-house and keep it closed if you do not use it publicly.
So where do I need closed source to begin with?
To pad my lawyer buddies?
Stupid is as stupid does, and go ahead, waste people's money; fraking noobs are everywhere and ya wonder why the world economy is going turdy.
All the greed has done its work.
So either learn to live with the problem, or just run away from it? You must be a real winner.
Most socially/emotionally healthy individuals have a powerful tool at their disposal called "interpersonal communication." By honing your communication skills, you can exchange thoughts and opinions with other people, perhaps even persuading them that FOSS is a viable alternative to proprietary software. But this is generally not a tactic used by people who spend their entire lives as a powerless passive observer.
Assuming you know to speak up for yourself, there are a lot of ways to introduce FOSS to a closed source organization.
Honest question here, does the 24/7 support ever solve problems? The only time I ever bothered to complain about a faulty product (a television set that was under guarantee) all that happened was I got dicked around for 18 months while it got taken away, brought back, failed again, taken away etc. I assume the job of 'support' is to occupy the customer until they get bored of complaining/die/find a work-around/buy a different product.
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
These folks usually need a near death experience to change their mind. You won't change it. It's only when competitors are closing in, that's when folks like these give up their superiority complex and do what the engineers say. But by then it's already too late.
Step 1. Convince him to buy an expensive, complex and impossible to manage closed source program that he will approve, Lotus Notes or anything by SAP comes to mind, preferably for a totally inappropriate purpose.
Step 2. Maneuver yourself into being next in line for his job.
Step 3. Encourage end users to complain about the software as much as possible. Plot behind the scenes to make sure his bosses know he is responsible.
Step 4. Once he is fired, take his job and replace the closed source software with open source.
Good luck!
Negative moral value of force outweighs the positive value of good intentions.
Shouldn't this have been in Ask Slashdot instead of News?
What I mean by "make an in-house version" is that if they are concerned about new binaries causing problems, they could, in the case of something like Vim, which doesn't connect to outside machines and pose a direct security risk, simply scrutinize the source and then build a binary and store that binary on-site and permit people to use only that one. This means that some of the benefits of open source are lost, but at least you get to use the software for the most part.
They don't necessarily have to scrutinize source -- presumably the notion that software might be dangerous is also true in the case of commercial software and if that is true, then they should have methods of qualifying specific installations of a program as safe, regardless of the type of transaction through which they would acquire the software. I realize that companies often do not have such qualifying methods and instead rely on the implied threat of a lawsuit to prevent commercial software vendors from selling them malware, (either intentionally malicious or not,) but the legal recourse is usually far inferior to just having software that does only what the users think it does. Legal recourse is an expensive and risky endeavor that often doesn't really make up for all the damage done; there are, of course, examples of where the suing entity made a killing from their victimization, but there are a lot of far less exciting outcomes where the victim still ended up taking various types of loss even if they won the lawsuit. You could point that out to them, but keep in mind that you will be essentially pointing out that their usual arguments are incorrect and that you know they are actually just engaging in ass-covering. This may go over badly.
You can still suggest that they qualify a binary, though. That is reasonable, in my opinion, if you can justify the utility of the software you want in monetary terms regardless of what arguments you may present as to why their no-open-source policy doesn't make sense.
Your open source software blocker is being paid off by the vendors. Maybe not in cash, might be just in dinners, trips to "conferences", or perhaps just in building his ego.
This is one of the barriers to OS software adoption that is not yet recognized.
Remain calm! All is well!
At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization.
Give Mr. Jobs my regards.
It sounds like his argument against FOSS is fact-based, not political. Address the facts.
He believes that anyone can change the source of an open source application and recompile it. That is TRUE. He is right to identify that as a vulnerability. The mitigation is to only download binaries from trusted sources and verify them with checksums, or to download the source, inspect it, and recompile.
His conclusion that applications from proprietary sources are therefore inherently more secure because they cannot be recompiled, however, is INCORRECT. From a security standpoint, using a binary file requires a higher level of trust because it is more opaque. It is far easier to hide an attack in a binary file precisely because one cannot inspect it as easily as one can a source file.
The threat order, from most threatening to least, is:
The point is, NOTHING should be accepted without verifiable trust. Being able to personally inspect the source code provides an additional level of protection, and is therefore SAFER from a security standpoint.
For personal use, I trust everything at level 3 and higher (binary from trusted agent, no checksum). That's fairly risky, but acceptable for a single machine. If I were in charge of the corporate desktop, I would elevate to level 4 (binary from trusted agent, with checksum). This is the level that Microsoft products are distributed at, for example. If I really were concerned about the security of an application -- say, if I were in charge of writing voting machine software -- I would insist on elevating all the way to level 6 (source from trusted agent, with checksum, scanned by me and recompiled with a new checksum.)
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
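The checksum-and-rebuild mitigation described in the post above, as an added example that is not from the thread or from any project it names. The assurance-level numbers follow the post; the artifact bytes and published digests are constructed, and the reviewer field and allowlist layout are assumptions made for the example:

```python
"""Checksum-gated acceptance of software artifacts (added example).

Implements the mitigation the post describes: accept a binary only from a
trusted agent, require a matching published checksum to reach the higher
assurance level, and for source that is verified, inspected and rebuilt
in-house, record a new checksum so that only the locally built binary is
permitted. Level numbers 3, 4 and 6 are the post's own numbering.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assurance levels as numbered in the post; levels it does not name are unused.
LEVEL_REJECTED = 0
LEVEL_BINARY_TRUSTED_NO_CHECKSUM = 3
LEVEL_BINARY_TRUSTED_CHECKSUM = 4
LEVEL_SOURCE_REVIEWED_REBUILT = 6


@dataclass(frozen=True)
class Artifact:
    name: str
    data: bytes                       # downloaded tarball or binary contents
    from_trusted_agent: bool          # obtained from the project's official source?
    published_sha256: Optional[str]   # hex digest published out-of-band, or None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_hex: Optional[str]) -> bool:
    """Constant-time comparison against the out-of-band digest."""
    if not published_hex:
        return False
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def assurance_level(artifact: Artifact) -> int:
    """Classify a download. A published digest that does not match is a hard
    reject rather than level 3: a mismatch means the file is not what the
    trusted agent released, which is worse than having no checksum at all."""
    if not artifact.from_trusted_agent:
        return LEVEL_REJECTED
    if artifact.published_sha256 is None:
        return LEVEL_BINARY_TRUSTED_NO_CHECKSUM
    if checksum_matches(artifact.data, artifact.published_sha256):
        return LEVEL_BINARY_TRUSTED_CHECKSUM
    return LEVEL_REJECTED


def accept(artifact: Artifact, minimum_level: int) -> bool:
    """Policy gate: a personal desktop might set 3, a corporate desktop 4."""
    level = assurance_level(artifact)
    return level != LEVEL_REJECTED and level >= minimum_level


def register_rebuilt_binary(source: Artifact, reviewer: str, built: bytes,
                            allowlist: Dict[str, str]) -> str:
    """Level 6 path: the source tarball must pass checksum verification and
    carry a named reviewer (assumed field); the binary built from it gets its
    own digest, which becomes the only permitted binary for that name."""
    if assurance_level(source) < LEVEL_BINARY_TRUSTED_CHECKSUM:
        raise ValueError(f"{source.name}: source tarball failed verification")
    if not reviewer.strip():
        raise ValueError(f"{source.name}: no reviewer recorded for source scan")
    digest = sha256_hex(built)
    allowlist[source.name] = digest
    return digest


def is_permitted_binary(name: str, data: bytes, allowlist: Dict[str, str]) -> bool:
    """Desktop-side check: run only the binary whose digest was registered."""
    expected = allowlist.get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample data (stand-ins for a real tarball and its published digest).
SOURCE_TARBALL = b"example-editor-1.0.tar.gz: constructed source contents"
PUBLISHED_DIGEST = sha256_hex(SOURCE_TARBALL)   # what the trusted agent would publish
TAMPERED_TARBALL = SOURCE_TARBALL + b"\n# unexpected extra patch"
LOCAL_BUILD = b"constructed output of an in-house build of " + SOURCE_TARBALL

GOOD_SOURCE = Artifact("example-editor", SOURCE_TARBALL, True, PUBLISHED_DIGEST)
TAMPERED_SOURCE = Artifact("example-editor", TAMPERED_TARBALL, True, PUBLISHED_DIGEST)
UNVERIFIED_BINARY = Artifact("example-editor", b"binary bytes", True, None)
UNKNOWN_ORIGIN = Artifact("example-editor", b"binary bytes", False, None)


def demo() -> Dict[str, str]:
    """Walk the level-6 path end to end and return the resulting allowlist."""
    allowlist: Dict[str, str] = {}
    register_rebuilt_binary(GOOD_SOURCE, "reviewer@example.invalid", LOCAL_BUILD, allowlist)
    return allowlist


if __name__ == "__main__":
    for art in (GOOD_SOURCE, TAMPERED_SOURCE, UNVERIFIED_BINARY, UNKNOWN_ORIGIN):
        print(art.name, art.from_trusted_agent, assurance_level(art), accept(art, 4))
    print(demo())
```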
The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.
What, and all the viruses that can attach themselves to existing binaries clearly have never existed?
If you have the source code, then you have the opportunity to compile your own binary and be sure what's in it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Don't bother. Go get another job elsewhere.
Or as someone posted earlier, "Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer."
We use OSS almost exclusively where I work... the only commercial software we use is Microsoft, and even that we try to avoid as much as possible.. (there are only a very few Windows PCs with MS Office, for example.)
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
The author of the article says:
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get."
Not if you can prove to your superiors that the source code you want to use is managed and moderated by code maintainers in order to review the code prior to it being submitted into a code branch...
... and that your superiors have a policy of only obtaining code from said moderators and code maintainers at officially announced places of acquisition of stable code branches.
This covers many popular free and open-source software from many organisations such as the Free Software Foundation, Mozilla, the Linux Kernel Organisation, and others, whereby the contributor base is large enough for the code to be peer-reviewed and managed in ways that will prevent such malicious attempts at code pollution from ever becoming a reality. If you can show that the project belongs to an organisation that honours its reputation for the production of quality software, then it would make the rejection of the use of such software due to this argument much more difficult to justify.
While this doesn't cover every free or open-source project under the sun, it does cover many of the more popular major projects where a Windows build is available or supported.
--tonza
If they don't know that Firefox is the best browser in existence, then they are uneducated. You have two choices, then:
1. Educate them.
2. Give up and use IE or whatever crap.
This is also true of other FOSS programs, but Firefox is certainly step one, in my opinion.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
Look for someone who'll happily charge you for doing nothing, let's call them dummysoft.
Then put in your request for vim from dummysoft for x hundred dollars.
Dummysoft can then send you a link to their download site at, say, vim.org, and take the money.
If you can't find any volunteers then I'll happily do it.
I have implemented a high-profile system in a large multinational, using open source. I too found it hard to get OSS accepted, but not for the reasons I first expected. Most of the initial arguments were quickly countered.
- Malware? We were confident enough to see there were sufficient controls around code changes.
- Support? Easily handled by our existing channels, even for elaborate changes and additions.
- Quality? Millions of users can't be wrong...
The one thing we struggled with was: liability. Our own, our manager's, the software approval guy's. The problem is this: what if that bit of open source software contains proprietary code, and the owner of that code suddenly starts asserting his rights? At best, we will be forced to stop use of that software.
You can argue that this is also a possibility with commercial software, which is true. But with commercial software, the owner of the infringed code will go after the creator of the software. Better yet, we too get to sue his pants off. In the case of open source, they are likely to sue not the creators or distributors of the software, but the people using it. That means us, and the legal eagles don't like that, oh no. Remember the old maxim "No one has ever been fired for buying IBM"... that goes doubly for OSS. OSS exposes you to lawsuits, and when the stuff does hit the fan, the buck stops with you.
In the end, OSS was allowed in our corporation, provided that it isn't used for mission critical purposes if no commercial drop-in replacement exists. If the software develops issues, there's still no vendor to blame for me, but I can live with that, personally.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Sorry, I'm an outsider to the US, and I keep hearing this thing about the right to bear arms.
Isn't this the reason you own guns: to defend yourselves from utter tossers in the workplace? What's the point in all this gun ownership, if you can't kill middle-managers?
There's absolutely nothing in any OS license I'm aware of that restricts resale of code.
My sister-in-law worked for a huge company, one very similar to Dilbert's employer. She was at least partly, if not fully, in charge of the decision to reject all open-source software. I had a long debate with her on this topic, but she's completely unwilling to move. She firmly believes software is worth no more than what you pay for it, and those promoting free software are dangerous socialists, anti-free-market crusaders trying to tear down America.
I've also tried to convince her over the years that George Bush is a poor president, who has in fact made some mistakes. While she's a super-bright energetic well educated woman, my sister-in-law is incapable of thinking any republican president has ever done any wrong.
I think people like my sister-in-law are firmly planted in important corporate positions throughout our country, insuring that Dilbert-Land will continue unimpeded. To them, free-as-in-speech is a silly concept for children. You give it lip-service, but never put any money there! What counts is free-as-in-market. These free-as-in-speech programmers are just more Vietnam protesting nit-wits who will ruin the country.
Beer is proof that God loves us, and wants us to be happy.
I happen to use many OSS portable apps, like Firefox, WinSCP and OpenOffice (even though Word is there), but I used to install GIMP portable, and no longer have to as someone requested our computer tech guy to install GIMP on all the computers!
So now I can introduce my colleagues to open source software for their simple/mid level image editing and they don't have to stuff around in paint anymore!
There are folks though that will not even try gimp 'cause its not photoshop, and are perfectly happy to use paint instead!!!
like phosphorescent desert buttons singing one familiar song
fucking bullshit it is - they are NOT providing any kind of service and you use it at your own risk, it says it in bold print in the license. now are you telling me that as the CIO of some billion $ company with the livelihoods of 1000's of people in the palm of your hand, you would be willing to go with such an unknown quantity as random developers you have no association with who MIGHT have audited that code for you???? i question YOUR sanity if the answer is yes.
If you mod me down, I will become more powerful than you can imagine....
That is simply not true in practice. Most people do not audit the source code of their favourite Linux distribution. Even if they did, there's no guarantee that the code they have installed from the DVD was compiled from the source that they looked at. Contrary to popular opinion in the open source community, most people don't want to compile all their software themselves.
It's not even as if having availability of source code means you will find all of the hostile code that is in it. Debian managed to distribute a seriously compromised version of OpenSSL for two years without any of the "many eyes" noticing.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
"The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get."
If that is their mentality, you have already lost with all arguments.
You can try to make them understand that not everyone can get code into applications, only trusted ones. Although everyone can send patches and new code, it will _always_ get reviewed by at least one trusted coder and can even easily get modified somewhere in the process if the code is not good enough already.
It is as easy to get malware code into open source software as it is to get it into closed source software. But you, as a client, have a better chance to modify, fix, and check the software source code if you use the open source version.
I don't know where it comes from, but somehow open source means for some people the same thing as there being no security and quality control at all...
My advice is to evaluate the merits of your software shortlist on an EQUAL basis. Get your decision makers to agree on criteria for the selection of software BEFORE starting your evaluation and then choose the best scientifically. Factor in initial capital spend, running costs, feature-match and roadmap. The best software might not always be OSS, although I've found many OSS and quasi-OSS to have very compelling business cases.
In case you are interested (in various contracts), the following have been the ones I've seen the most:
What I'm not really seeing in my customers even though I'd really like to:
One of my recent customers has a big investment problem with their VB6/IIS5.0 platform - they have invested 2 or so million GBP (double that for US dollars) and find themselves unable to upgrade to .NET now that the MS platform has gone "out of support". This is due to the poorly architected platform and in part their poor use of the platform. It is these contracts where OSS is winning (OSS Java Enterprise, and some are looking at LAMP) because clients are ultra-sensitive about commercial lock-in...
It would work like this: you see a need that could be addressed very well using OSS package X. You also ensure that there is budget to buy software.
What you do next is to get a software consultancy you trust to take that piece of OSS software, modify it slightly (e.g. a new splash screen) and sell it to your company. That's perfectly legal, if a bit sneaky, and therefore requires heavy-duty CYA precautions.
First off, make certain that you cannot be suspected of fraud (i.e. do a thorough requirements study and a cost-benefit study and make sure that the resold OSS stuff wins on those grounds).
Next make sure that the company your company will buy the stuff from provides your company with a service agreement and certain guarantees (they will have to talk with an insurance firm for that, but they can silently charge for that in their asking price; that's not unusual for consultancies).
Together that will allow you to show that you purchased good measure for your company's money, even if the company could have gotten the software for free. The reason being that your company purchased support and guarantees, which are arguably the sole difference between OSS and closed-source stuff. The fact that the packaged OSS software won the contract after comparison with commercial competition will show that the company got what it wanted.
Now be sure to check this theory with your personal lawyer first (but don't tell the company), then involve your company's legal department during purchasing; go through channels and get their buy-in once you have people willing to act as a vendor.
Now since it's OSS they will have to deliver the source code, but that doesn't matter. It doesn't have to say so in great big letters in the purchase agreement; it might even say that it delivers an *un-customised* version of the software by way of on-site escrow and hint that this is due to them being a startup. That's all. The trick is to get this past whoever approves software purchases. If he's stupid (likely, or he wouldn't go around blocking OSS stuff) you're likely to be able to get away with it. But make sure you are blameless if found out, or you'll lose your job and gain a lawsuit!
If you think a bit "formally" you'll see why this works: your company wants to buy software objects of class A (commercial software). What you have are software objects of class "B" (OSS software). So the only thing you need to do is create an object of class "A" which borrows the "implementation" from an object of class "B", but which adds a (legitimate) shell that makes it class "A", and everyone is happy.
Alternatively propose to buy a package (e.g. Open Office) for which there exists a commercial version and neglect to mention that it's also available as OSS.
If you don't have the amount of control that will let you do this, I can think of nothing else.
Cheers.
You can try marketing something like openssh as the best tool for the job, and point out the places you already use it. And then try pointing out all the other bits of open source that make it into windows, commercial unixes, routers, and just about everything else.
It's worth trying but you might be onto a loser anyway.
From personal experience I can tell you that the people that do well in multinationals are not qualified professionals, they are 'professional manager' idiots who 'talk the talk'. These people care about money and reputation, and that's all. Sadly multinationals provide lots of places for these kinds of people.
Try convincing people of the value of using the best tool for the job; it's certainly worth a shot. Then if that doesn't work either put up with it or look for somewhere better to work. The other option is to use whatever you like and neglect to tell them. Chances are they are too dumb to notice anyway.
Personally I've been in the enterprise environment and in many cases, Microsoft and closed vendors IS a good answer. Remember that these people's job is to judge software based on its ability to do the job, nothing else. In my industry billions of dollars in product could be wiped out if even one of our pieces of software miscalculates - would you trust that to people on the internet that you have no recourse against if they are wrong?
Viruses in debian? You're not living on the same planet as us.
Making laws based on opinions that stem from false information leads to witch hunts.
But, with GPL 3, for instance, if you sell a modified work (GPL code + your own) you must grant the recipient a GPL license to the derivative work (GPL + your own).
The recipient is then allowed to distribute the product to whomever he wishes as long as he meets GPL (granting a GPL license downstream). So, how would you be able to make a second, third or fourth sale, now that additional parties are allowed to sell (or just pass on for free) this product?
This effectively makes your product free, if it is distributed to more than a few select customers.
Where were you when she was marrying your brother?! Always make sure to get their views on open source before, it saves any nasty surprises later on.
You are missing the point between what you consider quality software and software that passes a government audit. Just like the parent said, if we are looking at a product and it doesn't pass regulations - we can't even really look at it.
Now the question you should ask here is what passes regulations. With the laws being so vague and having so many contradictions, the real answer about what passes and what doesn't is what the big third party auditors say passes. So what you consider assured is much different than what the government will let us consider assured.
This isn't to say open source software doesn't get in - we have many linux server farms, apache and a host of other open source products that we use (happily).
A for instance though is that one of the requirements for compliance is that all servers need to have anti-virus. You could prove beyond a shadow of a doubt that concreteBox1 sans internet attachment cannot get a virus - yet you still need to prove it has an updated AV product on it. You can try to fight it, but with 50,000+ systems it just isn't worth it.
Another example is two factor authentication being required for any remote VPN solution, requiring AV and firewall. To meet this requirement we use third party products such as F5 (Juniper has some, etc). They all have the built-in scanning engines for Windows and even Mac (e.g. OPSWAT), but not Linux. This means that Linux is pretty much not acceptable as a workstation due to compliance.
Does Linux NEED AV/Firewall? It doesn't *matter*. It matters that we as a company are required to be able to scan to prove they have it and most third party products don't support it yet. We keep pushing though (can you hear the frustration?).
I am not saying in any way that open/closed is better, cheaper or less anything. What I am saying is if you are in a company that is that regulated sometimes it really is cost prohibitive to look at any company that can't provide you with an easy pass to your audits. The companies that the parent listed - RedHat, Novell, Microsoft - and anything they support are what we tend to go with because we know our audits will fly.
The people you have to convince of your theories are the companies that do the audits for PCI, SOX and a whole host of others.
If you took away auditing a lot of companies our size might have a completely different perspective.
... in my case I was trying to get Firefox installed onto a work computer because we are still using IE6 and a web application used by the company (one built in house, mind) doesn't run well in old and busted IE6. Now the fun part. I was denied getting it installed because Firefox was a security risk. Apparently IE6 is safe and secure????? According to some of the wankers on this forum, I should now quit my job in protest. Guess what, I LIKE my job (a novel concept, I know) and I am NOT going to quit just because I can't get some software installed. I will however still fight for alternatives to closed source wherever possible. Will I win? Probably not, but I am happy in the knowledge that I tried my hardest.
Anyway this isn't strictly about MS, so holding up one of their stupid EULAs doesn't help you.
Lobbying works. Talk to this guy, invite him for dinner, tell him that you want to lobby for open source and ask him if he would be interested in a discussion about it. At the discussion, listen to his concerns and don't dismiss them. Give him the feeling that these concerns are valid, then tell him that you are going to try to convince him, ask him if he's fine with that, then give some counterarguments. If you don't get through with the whole thing, invite him again, make him like you. When he likes you, he's not having a hard time considering your arguments. If everything fails, talk to his boss about the same stuff. Don't be scared. We're all reasonable people; it's just that decision-makers are usually misinformed and thus scared.
Do not trust this signature.
Rather than couch your request in terms of FOSS, why not request FOSS as SAS from a supporting vendor? The principal FOSS counter-argument (nobody to pay, so nobody to hold liable) gets neutered by the SAS contract. If it isn't worth such a subscription, then what's the business need? [SAS = Software As Service, also written SAAS]
If you were to assume that we lived in a GPL'd world, game companies could still charge money for their game assets (sound, textures, models, etc). To the end user there wouldn't be anything different except their discs would have a "src" directory. Most companies would probably go down this route anyway if there were a decent FOSS game engine around, as it stands it's just cheaper for them to license some middleware like Unreal Engine 3 or Gamebryo.
As it stands though, selling service for a tool like Reason and expecting it to support development costs would be insane. The software is the product! People going off on the whole "sell support" nonsense don't seem to understand that certain types of software only have value insofar as they work as advertised. You don't buy support for a workbench, it either holds your tools and lets you work or it doesn't. If it doesn't you're not gonna use it no matter how free it is.
Nick
I have yet to hear of any form of recourse whatsoever because a piece of MS software malfunctioned. Ever actually read that thing that most click "I Agree" on to make it go away?
I use that to start a FOSS introduction: who has ever used Open Source or has frequent contact with a company that does. Very few hands raised..
One benefit of a commercial distribution of OSS is that all of the components undergo extensive QA and are fully supported and then signed with a cryptographically strong key.
The fact that anyone can change the source and submit it is a huge plus if those changes are subsequently examined, discussed, tested, documented and supported. Explain the difference between free as in beer and free as in speech. Freeware is very different from open source.
If they are open to serious security discussions, one tactic might be to try to get across a fundamental rule that pretty much all computer security people have been saying for decades:
If you're serious about security, you don't run any software unless you have the source, your people have studied it, and you've compiled it yourself.
If you don't do this, you can't claim to be serious about security, because the people you got the software from could have added all sorts of extra "features", and you have no way of knowing about them until they bite you.
This applies to all software from any source. The main thing different about open-source software is that the code is available to all its users, and they can share information about it without the vendor's permission. Another advantage is that, if you have the source, you can fix a problem that your people find; you don't have to wait for the vendor to get around to fixing it for you.
But you might not want to use the phrase "open source" at the start. Chances are that any manager who hates the idea is really just reacting to PR about the name, and has no idea what it means. After all, it obviously can't hurt you to have the source. At worst, you can just ignore it, and you'll be no worse off than with closed-source software. It's also possible that there's a confusion between "open source" and "free" software, since those concepts often go together. If so, you might work on getting them to understand the difference (and that "free" in this case doesn't mean "zero price" ;-).
Of course, it could be that the person in question is forbidding open-source because they're on the take, and are actively bringing in software with backdoors. This is a very real possibility in some organizations. You might try to find ways of figuring out whether this is the situation, and if it is, get the hell out of there. In the meantime, you might remind yourself occasionally that there's a chance that this person knows what they're doing, and talking about this could be dangerous to your health.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
There is no reason to tilt at windmills and care about human obstacles if you still get paid, so unless I am both directed and empowered to solve problems where I work I don't care about solving them. If an organization cherishes their problems, fuck 'em.
I get paid to make my employer continue wanting to pay me. :)
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Actually, to add to this, look at the training industry around proprietary software. People want to be sent on training courses with free lunch. They want the company to buy big useless books. They want a shelf of big, useless, attractive books. They want to add Vendor Certified Whatever to their CV. This is another area where OSS needs to catch up.
Instead, show them Firefox, Compiz/Beryl, or KDE with SuperKaramba.
The advice to try and argue with them on the basis of facts, any kind of technical merit, or worst of all, the FSF's value system, is blatantly autistic, and utterly doomed to failure.
Microsoft does never and has never appealed to people on the basis of technical or philosophical merit. Microsoft has always appealed to people purely on the basis of aesthetics and base superficiality. With a neurotypical audience, that is the only thing that works, and don't let anyone tell you otherwise.
Find something open source that is bright, flashy, and shiny, and show them that. Get one of the videos on YouTube showing off Beryl with loud, dramatic techno music. That will probably work well.
Trying to tell normal people about freedom in the FSF's context will simply make them think you're a freak, and will thus do the opposite of what you're attempting.
in my industry billion of dollars in product could be wiped out if even one of our pieces of software miscalculates
All that money on the line, and you're willing to trust a program whose source code you can't examine? Amazing.
If it's really the alteration they're worried about, dig around on Google and create a short list of all the commercial shrink-wrap programs and consumer hardware that's shipped with viruses and malware embedded in it over the last 5 years or so. Even the iPod was hit with this just 2 years ago. Highlight the vendors' reactions, including the denials that there was a problem until confronted with incontrovertible proof. Then pull up the few stories of this happening to open-source vendors like Debian, pointing out how quickly it was detected and fixed (Debian's was found less than 24 hours after the compromise), how quickly customers were informed so they could fix the problem, and how few of these have occurred compared to closed-source software. I'd also play up the direct-from-author factor. All the compromises of OSS have been by placing compromised binaries on servers. OSS allows you to ignore binaries and get source packages instead, compiling them yourself. If you don't ever download binaries, you can never get hit with a compromised binary. Closed source doesn't allow you to bypass the whole problem like that. Finish by noting the only attempted source compromise I can think of, the attempt to introduce malware into the Linux kernel a while back, and point out that the attempt was detected almost at the point it was attempted, long before it got to the point where it would've even been considered for inclusion in the publicly-distributed source code.
Also note that with OSS most of the major vendors provide MD5 checksums of their packages that you can check yourself to ensure your binaries are identical to what the vendor produced, and many of them use cryptographic signatures on the packages that you can verify against their published keys to ensure the package actually came from them. No commercial vendor provides this, so there's really no way to ensure the discs you get really have the vendor's versions on them and haven't been altered. Even physical media isn't insurance here, not with how easy it is for even the average person to burn a disc. And note that this ability to verify packages also allowed customers, in the cases of the security breaches noted above, to determine whether they'd actually been affected by the breach and whether they really needed to clean up bad software or were in fact safe. Victims of the closed-source compromises had to just assume they'd been affected whether they had or not.
Not, mind you, that the above will do much good. The people objecting to open-source don't care about any of this. They just don't want to deal with anything new, anything that might disturb their precious status-quo and familiar environment.
If you work for a Fortune 500, best of luck trying. Most of them are so entrenched with deals with major software vendors (MS, Norton, etc.) that they'll go to extreme lengths to help out their buddies. I've seen everything from not allowing Macs on the property to threatening people's jobs b/c they make a blog on their personal time with their personal resources, off the clock, that may say something negative about Microsoft or some other company.
He may be arbitrarily denying requests for open source software for the reason that it simply isn't tested with the company's standard desktop pc disk image. I have (and would continue to do so) denied open source and closed source requests from desktop users, because the resources allocated to me to provide desktop support do not allow me to test every approved desktop application (custom or standard) against the requested application to be sure one won't scrap with the other. I am writing this from a linux pc at home btw, so I've no personal fear of open source. I would love to see my workplace move toward open source, but the current situation demands that we stay the devil that we know - windows on the desktop.
-Troll, Flamebait, and Offtopic are NOT equivalent to disagreement.
I think the better way to look at the problem is to start with this question:
"How do you know you can trust *any* software project?"
Well, how do you answer that question? There are lots of ways of answering this question, but the one that stands out for me is this:
1) Trust, like respect, has to be earned. Has Project "foo" screwed me over in the past?
Yes or no, no equivocation?
2) If the answer is Yes, was it an isolated event? Was it an accident? Did the project people repair their mistake quickly, or did they let it linger and left me hanging?
a) If it was an isolated event, and they stayed on top of it, then yeah, I'll give them a second chance.
b) If it was an isolated event and they left me hanging, screw them, they're out. Next!
c) If it was not an isolated event, then that's it, they're out permanently. My time is limited and I can't afford to wait for them to reform themselves.
Now that's *my* criteria for deciding. Your criteria is ... your criteria. Based upon *my* criteria and my *experience* I can say the following:
1) Most of the Free Software (GPL, MPL, BSD, etc. licensed) that *I* use is excellent --- it does what I want, it's well documented *for me*, it has a good *publicly documented* record of fixing bugs and staying on top of things.
2) Most of the Proprietary Licensed software that *I* have used has been crap in the sense either it does *not* do what I require, or it's buggy, or it's poorly documented, or it has legal encumbrances that make it problematic to use, etc.
I want to be very careful here. I am *not* asserting that most Free Software is awesome and most proprietary software is crap. I'm only asserting that the software that *I* have *tried* from those models of software licensing have pretty much been: Free Software == Awesome, and Proprietary == Crap.
Now *why* is this true? Because I don't use Joe Random Free Software and don't use much Joe Proprietary Software.
The Free Software has been vetted by my OS of choice: Debian Linux. If it's in Debian's repositories then I'll give the software a shot. If it's not in Debian's repositories I don't want to look at it. I'm not interested in ever having to manually download, configure, make, make install software. I trust Debian as my big ass filter of crapware. If some Debian developer took the time to package some Free Software then it must be good, because Debian's guidelines for getting software into the repository is not for the faint of heart. That and the fact that their bucket brigade of QA ensures that when the software makes it into Debian's stable branch it might be obsolete but it's rock hard stable.
I don't use much proprietary software today. The only thing that comes to mind is Adobe's flash player. I used Microsoft Windows before Windows 2000 came out and by that point I had given up on them for being flaky once too many times. I used NVidia's kernel module for accelerated 3D graphics, and it was ok for a while, until I got burned once too many times when I upgraded Linux kernels and Nvidia hadn't kept up with Linux. The final straw was when Nvidia declared my hardware as legacy. In the case of Adobe's flash player, it's gotten better I think. The only thing that bothered me about it was its tendency to crash iceweasel, and not work very well with konqueror, and stealing audio (oss sound driver I think). The only reason it's still with me is because of youtube and because I'm waiting for gnash (Free Software) to be stable enough and not suck up too much CPU usage.
When you download source code in the recommended way, you can also download cryptographic checksums which check the code you downloaded against what is actually supposed to be. The argument that open source is less secure is made by those out of FUD or ignorance. Point of fact: open source operating systems and software are actually more secure because they have been extensively peer reviewed and debugged. If someone in a decision making capacity uses bias against open source software it may be very difficult to convince them otherwise. I found it funny once when a "self-proclaimed" anti-open source peer of mine touted his success of scoring a Juniper SSL VPN appliance. I was more amused at his dismay when I pointed out that Juniper makes extensive use of FreeBSD. At first he was full of disbelief but the proof is in the pudding. Look at the credits in the manual. Instead of opening his mind he got more fervent. This is basic human nature folks.
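The checksum verification that this comment and the earlier one about vendor-published MD5 checksums describe, as an added example (not from any poster in the thread): it parses a coreutils-style manifest ("<hexdigest>  <filename>" per line), hashes the downloaded bytes and reports which files match. The file names and contents are constructed sample data; authenticating the manifest itself (the signature check against the vendor's published key) is a separate step not shown here.

```python
"""Verify downloaded files against a vendor-published checksum manifest.

Added example, not code from the thread. Manifest lines follow the format
written by md5sum/sha256sum: "<hexdigest>  <filename>", with an optional
'*' before the filename for binary mode. Blank lines and '#' comments are
ignored.
"""
import hashlib
import re

# Hex-digest length tells us which algorithm produced the manifest.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")


def parse_manifest(text):
    """Return a list of (algorithm, expected_hexdigest, filename) tuples.

    A malformed line or an unrecognised digest length raises ValueError so
    that a damaged manifest is never silently treated as 'nothing to check'.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            raise ValueError("unknown digest length in line: %r" % line)
        entries.append((algo, digest, name))
    return entries


def verify_files(manifest_text, files):
    """Check every manifest entry against `files` (filename -> bytes).

    Returns a dict mapping filename to "OK", "FAILED" (digest mismatch) or
    "MISSING" (listed in the manifest but not downloaded). A mismatch means
    the bytes differ from what the vendor hashed; it does not say whether
    the cause was corruption in transit or deliberate tampering.
    """
    results = {}
    for algo, expected, name in parse_manifest(manifest_text):
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "OK" if actual == expected else "FAILED"
    return results


def make_manifest(files, algo="sha256"):
    """The vendor's side: produce a manifest for `files` (filename -> bytes)."""
    return "".join(
        "%s  %s\n" % (hashlib.new(algo, data).hexdigest(), name)
        for name, data in sorted(files.items())
    )


# Constructed sample data (hypothetical package names, not real releases).
GOOD_FILES = {
    "example-tool-1.0.tar.gz": b"pretend this is the source tarball\n",
    "example-installer.exe": b"pretend this is the Windows installer\n",
}
VENDOR_MANIFEST = make_manifest(GOOD_FILES)

# What the user actually downloaded: the installer was altered on the
# mirror (one extra byte), the source tarball is intact.
DOWNLOADED = dict(GOOD_FILES)
DOWNLOADED["example-installer.exe"] = b"pretend this is the Windows installer!\n"


def demo():
    """Verify the constructed download set; returns the per-file results."""
    return verify_files(VENDOR_MANIFEST, DOWNLOADED)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%s: %s" % (name, status))
```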
My corp is generally pretty free with anything we use, though I've seen some weird things.
In 2005/06, I was using Firefox and would get high priority emails that Firefox was considered a security risk because some flaw was just found so I would have to use IE6. Of course the flaw was fixed in a day or two and I would just keep using Firefox anyways, never went any further than that.
And while we're generally allowed to use any kind of software for development, etc., they're pretty strict on what is deployed. It's pretty much an Apache license only rule, and while I'm not well versed on the differences between the GPL, BSD, and Apache, it seems odd not to even consider the others (we weren't going to modify the OSS, just use as is). If anyone has any insight on that, it would be cool.
The biggest problem is that our architects who make software decisions seem to be in the pockets of Microsoft, Adobe, IBM, etc. We're always buying expensive, cumbersome, proprietary solutions instead of going OSS. Now I understand that sometimes they are better, but last year we switched a really annoying change system developed by Microsoft, and many developers have to develop on Websphere/RAD, stuff like that.
Reviewing just the first hour of video games.
Don't give up on her. Remember the rule of advertising - constant repetition works just as well as truth.
With free-as-in-market people I like to talk about how free software's lower cost to replicate and thus create a new competitor drastically improves competition in the market. Proprietary software markets suffer from monopolies and other distortions from the government granted temporary monopolies (patents, copyright, etc) and simple lack of source code.
She should be reminded that the payment for the software doesn't need to be done after it is made, especially when the copying cost is near zero. Payment for most free software is done upfront - paying people to write the code.
People like your sister-in-law usually don't grasp the important differences between information and physical items and how those differences require different economies. Sneak in as many thought experiments as you can about the nature of information. Here is one that I use: http://themagicfish.org/
Complexity Happens
Popular OSS projects (Linux, Apache) have plenty of commercial support options from a variety of vendors. You don't need to "own" the software to provide support for it. Documentation is similar. Find a vendor that supports it and tell them you're willing to pay for better documentation.
If it's bug fixes and features you want, make it clear you're willing to pay for those too. Alternatively, hire your own small staff of programmers to do this yourself. You don't have to open source your features/bug fixes unless you choose to redistribute the resulting software. Sound expensive? Compare these total costs with the total costs for other software you're considering.
Yes there is. When any corporation is looking at software to meet some need, if you're doing your job right, this will involve getting demos of the software, and if possible, installing a test version and trying to get it working with your environment. For a large enterprise, you're an idiot if you buy software based on the glossy brochure without actually trying to use it first. Since this is easy to do with OSS, there's no excuse for not being aware of the product's deficiencies before you commit to it.
You can download a release that we have built and get a support contract with guaranteed 72h fixes, indemnification and what not from us.
Since our source is open you don't have to wait for us to find the problem, but you can do it yourself. I have worked with closed source companies and it is so annoying to deal with their support organizations that you'll have to start decompiling the source yourself. You can save yourself that without getting in DIY trouble.
And yes, your boss looks like a moron for not knowing this. He must have been hiding in a cave for the last 10+ years ;)
Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
He's the guy who posted this question, and I don't see any post from him anywhere in the comments. Questions of interest: Has anyone asked the Grand Poobah of Approved Software *why* he makes the choices he does? Is there a defined and published review criteria? Who does he report to, and what if any guidelines is he following? Who wrote those guidelines? Who can change them? Is there any mechanism for challenging the approval/disapproval of software? How big is the organization? What industry is it in? What outside rules/regulations is the org subject to?
There are a few that prohibit resale, but none of the large & established ones do.
Then the next time your company asks how to cut back in these difficult economic times tell them you could have saved ~$4000 in h/w, s/w, and OS costs if not for [insert name here].
Maybe you'll end up with their job.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
There are no licenses that prohibit resale that are listed as "Free" by the FSF or "open" by the OSI, as there are none that would meet the four freedoms or the "open source definition"/DFSG.
Don't conflate strongly copyleft licenses with all open source licenses.
If you have a niche product & your customer base is enterprise users, others will still purchase your product and/or purchase support from you. F/OSS could be a strategy to widen your distribution in order to gain customers. See, e.g. MySQL.
Of course. But my parent was talking about OSS, not FLOSS. I pondered pointing that out, but did not. Sorry, I should have done..
A large company shouldn't have one person with this much authority but no repercussions. If it's really that bad, and the person is really that idiotic, it's not worth staying there.
Remember that during your working years, you spend a quarter of your entire life working! Make sure you enjoy it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Hi, my name is Mr. Technology lead in the Software Dev. Department. Today I had a very busy schedule meeting w/ #SOME_EXPENSIVE_SOFTW_SOLUTION_COMPANY and had a 6 hr presentation in #SOME_REMOTE_LOCATION_OFFICE where we discussed the details of the licensing package for our company. My boss already lined up the budget and my team and I are ready to start a 1 wk training in SAN DIEGO next month. During lunchtime at #SOME_FANCY_STEAKHOUSE I got an email from #SOME_DOUCHEBAG_UNDERLING suggesting that I consider an open source solution.
I got a good chuckle while my new buddies insisted on picking up the check.
- these are not the droids you are looking for -
almost every vendor in existence has explicit information in their EULA that states that they are not responsible for anything basically related to any type of "protection"
Every vendor in existence except Microsoft, perhaps? I agree wholeheartedly with the GP. Nobody ever got fired for buying Microsoft. I'm not being a shill here, or trying to be funny -- it's just the truth. If you need to cover your ass -- and by "need" I mean "have the legal responsibility to" -- downloading Windows binaries of OpenOffice.org from a Web site backed by no vendor just isn't going to cut it. Even VI isn't going to cut it if there's some small chance that you'll wake up one morning and find that VI seems to be corrupting everyone's saved files, and there's nobody to call to fix the problem for you. That's what CFOs want to hear: that in the however-unlikely eventuality that there's a serious problem with software, you have a Throat to Choke. And that's what commercial software vendors offer. Large enterprise customers don't get their license terms from a little piece of paper slipped inside the software box. They call the vendor's sales department and arrange lunch, and go from there.
Breakfast served all day!
Hi, I have too much time on my hands and, instead of actually solving the problems in front of me, I want to pick the wrong battle with the wrong people and take on the software approval process. It won't affect the company I work for in any way thus making it a completely pointless waste of time, but I just can't help pushing my nose where it doesn't belong. Any suggestions?
If you have one person deciding what your technical team needs to do it's job, your company is, or is going to be, way too inefficient to cope with today's business environment. Not only that, but the person/people making the decision about SW in your company, and those that hired them too, they are complete, utter, and flaming idiots with no common sense (and yes, that made me feel better). So here is what you pitch -- transparency of source means "audit trail" and more security than closed.
If your company really is concerned about and needs this kind of security, you are truly better served with open software than closed. You can pitch going to Red Hat, or other distribution company, and download, audit, and compile from source. You can feed back any security issues you found -- and you can't do that with closed source. Who knows what back doors a closed source vendor has put into their code?
This is waaaayyyy OT but I'm curious what you meant by NVidia declaring your hardware 'legacy'. Up until last year, I was using an 8 megabyte NVidia card in a machine with a AMD K-6 processor and 64 megabytes of RAM with (almost) current drivers. I say almost because the last working driver was released last April and the machine died in November. Not bad for a decade+ old computer.
BTW it wasn't my desktop machine, but it made a great firewall/router.
So you're still wrong.
I think people like my sister-in-law are firmly planted in important corporate positions throughout our country, ensuring that Dilbert-Land will continue unimpeded.
Not that I think the "invisible hand" of the market fixes everything, but this should be one of them. If open source is so superior, new companies will emerge and old companies will adapt or die as their margins vanish. When Henry Ford introduced the assembly line, do you think all the other car producers followed? Most of them didn't and are today in the history section. It doesn't take more than one company taking that as a "radical cost cutting measure" and surviving a downturn where the others don't, and it's done: the dinosaurs will be dead and the smarter company lives. Sure, you might care about that as a stockholder of a dinosaur, but for everyone else I think the market will sort that out for itself.
Live today, because you never know what tomorrow brings
A number of enterprise-grade open source projects, such as most of the free J2EE stack and Linux, have attractive books available. That's well handled.
Commercial training is another matter though. I completed highly recommended week-long Oracle training and discovered it was not far removed from an online tutorial, yet took much longer. I guess that's just how some people prefer to receive knowledge.
Sam ty sig.
"Miserable excuse"? Why? Because key decisions are being made by someone who isn't qualified to make them? Welcome to the workplace. Most organizations have somebody like that. No, I take that back. If the ten or so organizations (both private and public) that I've worked for are representative, they all do!
Sometimes you have no choice but to give up and move on. But that better be your last choice, because your new job will have its own set of underqualified bozos. And sometimes you have to live with situations that make it impossible to do your job well. But that better be your second-to-last choice if you take any pride in your work.
As for Piranhaa, he's asking the wrong question. Obviously the decision maker who's vetoing all OS requests knows jack about software. So presenting ideas about the advantages of OS (which include security from the very "code pollution" this guy is worried about!) is a waste of time.
Here's the question you should be asking: why is a major corporation giving veto power over software acquisitions to somebody who doesn't know anything about software? That's a major problem all in itself, never mind the OS issue.
Take a look at http://www.dwheeler.com - in particular, Open Source Software and Software Assurance (Security) and Why OSS/FS? Look at the Numbers!.
As you already know, this claim that "anyone can edit the open source software" is nonsense. They're conflating editing a file with getting that file into the supply chain. Anyone can edit a proprietary program, too; just open up a hex editor and start modifying. The issue is, can a malicious attacker modify the program AND get their changes into the binary you end up with? This isn't easy at all in the major OSS projects (the kind your company is likely to consider). Any OSS project has some kind of "trusted repository", the "official" version that people pull from. For a change to get into your system, the trusted repository has to be subverted AND not detected later. We already know of an attempt to subvert Linux that failed, so it's not as easy as they think it is. If they are REALLY concerned that they "don't know what the binary is", then get the source and recompile it.
Don't expect proprietariness to save you. Indeed, because the source code isn't being widely examined, any malicious code that gets in will be more difficult to find later.
The U.S. Department of Defense's policy is to consider OSS equally with proprietary software, as does the entire U.S. government. In fact, the U.S. Department of Defense heavily depends on open source software, and they almost certainly have more stringent security requirements than your company.
If a company can't handle technological shifts in information technology, they risk their own long-term survival. OSS is now mainstream and widely used.
- David A. Wheeler (see my Secure Programming HOWTO)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
they're not... you don't BUY Windows from Microsoft.. it is distributed by OEMs so it's Asus's fault if their PCs ship with malware on the Windows disc. (wait, that happened just last week! and ASUS is the starter OEM for many commercial PC operations)
Open source = Competition Closed source = Collusion
Slashdot = Sarcasm
"This is the kind of moron who gets written up on TheDailyWTF, and derisively laughed at for years to come."
As opposed to the kind of moron who writes people up on the TheDailyWTF.
The boss doesn't have to be right, the boss just has to be the boss.
Hi!
I have seen others say "leave your job" because they are morons. This would be the easy way, but we IT people sometimes love to fight for our views. So try this before you go to the HR dept or look for job ads.
Large enterprises are scared of things with unknown or hard to track origins. Open source software is such a thing. They might be afraid of being sued by some guy who claims to have 5 lines of code stolen and used by the company as part of an open source. This can be a real problem, especially if a scandal breaks out, and if the company is publicly listed, this can easily cost millions (and the decision maker's career). I think this is one of the causes of paranoia.
Have you tried to bring in open source that comes with dual licensing? We do dual licensing, because we have found that companies like the hybrid approach of having open source software but at the same time having a legally safe license. In this case, some of the customers' legal departments do not even know that the software is open source, because they do not read the GPL, but the commercial license. The commercial license has a clause which indemnifies (I think this is the right term) the user, so if someone sues the user for copyright infringement, we take the blame. (Note: I am not a lawyer, but I did talk a lot to lawyers and picked some of the language up :-) )
Of course, not all open source can be dual licensed, because only the copyright holder can license the code, so if the code is owned by many people, not one entity, this cannot be done. In our case, the code is owned by our company (because we wrote it), and for the parts that we did not write, we use trusted sources. This way we can take the responsibility for our code, and we can also license the code with a proprietary license (as well as GPL).
You should try this dual licensing first, and later convince your bosses that if this worked, other code could work. Choose FOSS with a company behind it, so you get support and updates, and there is some entity you can make a contract with.
Short background: I work for a software company of 40 that produces open source ECM software and sells licenses and services to large enterprises in Hungary. Our software runs on Windows, so I quite know the problem of "wtf, foss on windows?", I can even imagine the look on your boss's face.
Tom
GP is probably thinking of the SSL initialization exploit, which did affect Etch if I recall.
DRM: Terminator crops for your mind!
"How do you know you can trust open source projects?"
- How do you know you can trust closed source programs? You've never seen their code, no one knows whether the program is legit except the people telling you it's ok, and //they're the ones selling it to you//. So when you buy a closed-source program, you don't have a single clue whether it will do something it's not meant to do.. don't believe me? Check here: http://vsbabu.org/software/fsxls.html - this is Microsoft actually putting something into Office which had no business being there, and no one told the customers about it.
In this case it's benign, but all closed programs are more of a security hazard for being closed than the open source programs, because closing the source gives the programmer full license to do what he wants with it. I can give you a hypothetical example: A company creates a program which helps you create and maintain offline versions of your profiles on popular blog/profile pages like facebook/myspace/whatever. It goes through its first iterations and looks kinda legit, but in one version it starts gathering data on your email addresses, your personal information, the personal information on other people around you, and starts monitoring your email. In a new version it then starts sending useful information on email addresses, contacts and so on to a huge botnet for spamming purposes. It does it discreetly, and in the license agreement you signed, they have a "we need these rights to be able to send to the legit sites, so say yes to this". The difference between a closed source program behaving like this and an open source program is that an open source program which tries a stunt like this will get shut down a lot faster than a closed source version.
What open source programs do is give everyone on the internet the chance of going through the code, and verifying that what the code is supposed to be doing is what the code actually does, and nothing more. You and I might not have the technical skills to do that, but there are plenty of people out there who notice things if they're wrong, know how to grab the open source, compile it, compare it with the downloadable executable and can tell you whether it's dubious or not.
- So essentially, your security IT guy got bells ringing in his head when he hears open source; it's a shame that he doesn't realize that it's the //same bloody bell// as should be ringing for any/all closed-source software he doesn't recognise.
"What processes are in place to protect users from malicious code?"
- well, one process is called OPEN-SOURCING. You're clearly confused about what programming is, I'd turn in my geek-license if I were you.
- I'll leave it as an exercise to the reader to find simple yet effective ways to check whether their software is bad or not.
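The check described in the comment above (and in David Wheeler's earlier "get the source and recompile it") is easy to make concrete. The following is an added example, not code from any poster: an approval check that accepts a downloaded binary only if it matches both the project's published checksum manifest and a binary rebuilt locally from source. File names and the artifact bytes are constructed for the demo.

```python
"""Intake check for a downloaded open source binary (constructed example).

An artifact is approved only if (a) its SHA-256 matches the project's
published sha256sum-style manifest and (b) it is byte-identical to a
local rebuild from source. Names and bytes below are hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum lines ('<hex>  <name>'); reject malformed ones."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries


def check_artifact(downloaded: Path, rebuilt: Path, manifest: dict) -> dict:
    """Return an approve/deny record with every failed check listed."""
    dl, rb = sha256_file(downloaded), sha256_file(rebuilt)
    reasons = []
    expected = manifest.get(downloaded.name)
    if expected is None:
        reasons.append("not listed in manifest")
    elif expected != dl:
        reasons.append("download does not match published checksum")
    if dl != rb:
        reasons.append("download differs from local rebuild")
    return {"artifact": downloaded.name, "downloaded": dl, "rebuilt": rb,
            "approved": not reasons, "reasons": reasons}


def demo() -> tuple:
    """Constructed scenario: a clean release and a tampered mirror copy."""
    tmp = Path(tempfile.mkdtemp())
    for sub in ("release", "mirror", "build"):
        (tmp / sub).mkdir()
    clean = b"\x7fELF example program bytes (constructed)\n"
    (tmp / "release" / "editor-1.0.exe").write_bytes(clean)
    (tmp / "build" / "editor-1.0.exe").write_bytes(clean)  # our own rebuild
    (tmp / "mirror" / "editor-1.0.exe").write_bytes(clean + b"extra bytes\n")
    # The manifest is what the upstream project would publish for the release.
    manifest = parse_manifest(
        f"{sha256_file(tmp / 'release' / 'editor-1.0.exe')}  editor-1.0.exe\n")
    good = check_artifact(tmp / "release" / "editor-1.0.exe",
                          tmp / "build" / "editor-1.0.exe", manifest)
    bad = check_artifact(tmp / "mirror" / "editor-1.0.exe",
                         tmp / "build" / "editor-1.0.exe", manifest)
    return good, bad
```

The rebuild comparison only works when the project's build is reproducible; otherwise the manifest check (ideally with the manifest's signature verified) is the part that still applies.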
I think the follow the money and not wanting to shrink the budget apply here as well.
One thing I see missing from the arguments though is the simple fact that much oss is crap, so you must be specific when talking about oss and name projects/products and why they are necessary. The whole gpl/oss philosophy may be important but doesn't help in winning the 'bringing OSS into a Closed Source' argument when the attitude of the boss is OSS is crap.
There are groups out there that make a living off of introducing large organizations to open source. Get in touch with one of them. These guys understand the issue from management's perspective and know how to pitch to execs. You'll get the open source you want and management will get the checks & balances, best practices, policies, references, etc. that they need to feel warm & fuzzy. If you are going to go it alone, I strongly recommend starting with a policy & audit strategy as mentioned previously in this thread.
The person is probably just misinformed or insufficiently informed about open-source software and the benefits behind open-source projects. Link him to this page, which by now should have a whole bunch of useful comments on open-source software.
My main point would be this I guess: it's not easy to have faulty/damaging code accepted into the main branch of the bigger projects. So no, there's no damaging code in the main branch of most major OSS apps, especially the widely used ones.
I am not devoid of humor.
By framing the discussion in terms of "open source" vs. "proprietary" you have framed the focus of the argument on the quality of the software. However, if you want to establish reasons why people should trust the software, and why it is good, then you should frame the issue in the context of a broader social and ethical movement -- the free software movement. This movement, which is over 25 years old, is founded on the idea of guaranteeing freedom to each and every user. I believe that with an argument founded in people who wish to guarantee user freedom for all, you have a much stronger foundation than if you talk about the software in terms of brands, products, and vendors. Root your conversation in the people who want all software to be free, that is, software that carries the following four freedoms:
* The freedom to run the program, for any purpose (freedom 0),
* the freedom to study how the program works and its source code, and adapt it to your needs (freedom 1),
* the freedom to redistribute copies so you can help your neighbor (freedom 2),
* and the freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3).
I believe if you do this, you will be more likely to convince others as to why you should trust projects led by individuals who have shown a clear commitment to the free software movement and who have garnered respect within this movement. Once you have established trust, and a trusted source, then convincing people about the practical merits and usability of the software should be easy.