Bringing OSS Into a Closed Source Organization?
Piranhaa writes "At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization. I've noticed that requests from users for open source Windows programs get denied, nearly instantaneously, on a regular basis. Anything from Gimp to Firefox, even Vim, doesn't make the cut due to the simple fact that they are open source. Closed source programs from unknown vendors have a much better chance at approval than Firefox does. The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get. I'm a firm believer in open source code, but I also know closed source has its place. So what would be the best way for me to argue, with all the facts, to allow these people to come to their own conclusion that open source is actually good? Would presenting examples of other big companies moving to open source work, and if so what are some good examples? Or can you suggest any other good approaches?"
Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer.
Some people/companies just want a name to blame if something goes wrong. Rather than requesting the right to install Vim, request the ability to purchase a license for Vim. Many projects have already set up mechanisms to do this or are willing to do so.
If this doesn't work because:
then go to your manager and also the person or people who decide how good a job the "software evaluator" [single person] is doing. Point out a real business need for a particular application: "Vim has XXX feature. It is not available in any other software. If I had this feature, I'd be able to do YYY, which will [save/make] our company $[insert figure here]. Did I mention that it is written by a Google employee, and that our competitor, ZZZ, is probably going to use it if we don't? Here's a list of other companies that use Vim [insert Fortune 100 here]. Can you please make [single person] justify why he is putting us at a competitive disadvantage?" Cost is rarely a concern. So save the fact that it is free as an additional argument that you can make if [single person] suggests some other app.
If you are passionate enough about your tools, you can always walk--some companies hire talented employees and understand that they will be more productive with their preferred tools. (If you find yourself in such a company, don't spoil it--produce results with your tools, so that the company will be rewarded for this wisdom.)
If you want to be a dick, point to comparisons of some no-name proprietary program that [single person] approved that turned out to have a security hole and that your app does not suffer this hole and try to pull other tricks to demonstrate that [single person] is incompetent.
Seriously, you need to find the person and find out what their concern is. Is it a maintenance cost? A desire to avoid mixing and merging tools in-house? Are they concerned about who will be responsible, or liable, for problems with open source tools?
If their concerns aren't justified, and they can't be negotiated with, then they may need to be fired, or you may need to leave in order to get the tools you need. But their concerns are sometimes well founded: I've seen people who need a 99.999% uptime who were absolutely terrified of open source tools, had implemented closed source and very robust tools, but didn't realize that it absolutely prevented new development. That was OK, their requirements were very stable indeed. But it meant that they could not support projects from other parts of the company.
I'm sorry for posting as an AC, but the /. login doesn't seem to be working (no matter what I type in to the captcha, it doesn't let me verify my password!).
This guy is God as far as software at this company goes. He can do what he wants and unless there's a major catastrophe, his supervisors will let him continue to do so. If what you say is accurate, then he's made up his mind and there is no reason to change it at all.
You ask for "the best way for [you] to argue..." That's it right there. As long as you argue, you lose. He doesn't want to argue, he wants to be right and that, by definition, is what he is for anything he says at this company. He doesn't want to hear from you, doesn't care, and in any argument, if he so much as listens, he is indulging you.
True, he's an idiot, but that doesn't matter. He has no reason to change so he won't.
If you want him to change, remember he's like electricity: He takes the path of least resistance. For him to change or even look into change, then that path has to be made easier than him not even bothering to look.
When you can make it easier for him to look at FOSS than it is to ignore it, he'll start looking, but not until then -- and likely not even then if he has a grudge against it and doesn't want to admit it.
with a hooker and a camera!
Sounds like this person has a deeply vested interest. I would guess that the real problem with open-source software is that it's free (as in "beer"!) so no chance to cash-in by playing favourites.
Find out where the kickbacks are coming from and blow the whistle.
New mod option wanted: -1 DrunkenRambling
Purchasing Windows doesn't give you an "assured" version either. The industry has learned that hard lesson over and over. You're much better off just licensing an open distribution like Red Hat, because you get the corporate support side as well as the community audit side.
The fact is that even if you don't have time to read the source, other people do, and a complete distribution has the unique level of multi-party quality assurance money can't buy.
Microsoft is probably the worst possible example anyway. They regularly put in their own malware. There's no audit required to know that WGA is pure and simple malware. It's absolutely moronic to name them as an example of an "assured" solution vendor.
Sam ty sig.
While I was working for a former employer, we were engaged in negotiations with a very large company that would act as a distributor (to a certain market) of our products. Said unnamed company in the distribution contract wanted us to sign off that "no open source software products were used in the development process, and that no OSS was present in the product".
Why?
Frankly, I understand the concern. If you are a development shop, then if OSS creeps into your product (due to a careless (and thoughtless) developer copy-pasting code, for instance) then the legal ramifications may be grave. Potentially, depending on the license, you are required to disclose the entire source of your product, and provide a usage/distribution license to whomever receives that code -- basically, a single minute action can sign off your rights to your software. Your distributors have also violated copyright, and are in similar hot water (e.g. their efforts in promoting your product are now potentially worthless).
The result? Some companies are so afraid of this "poison pill", that they simply don't let any OSS in their gates. Does this promote OSS? Maybe. IIRC, I recall that some friends working for the dark side (M$) report that no OSS is allowed there (or in some parts thereof).
I use OSS extensively. The former company I worked for had a whole heap of OSS in its development process (but not in the developed chip/product). Actually, considering that a non-OSS company (Altera) used OSS in its supplied development chain (gcc, for instance) that we were using, there really was no conceivable way that the company I worked for could've signed off on the "no OSS" bit of the contract.
Doubt you will be able to change your control guy's mind with reason, so you have to play politics. Find an example where expensive software was bought instead of OSS and tell his/her boss how much the policy (note not "the person" - bosses can work it out) is costing the company. Of course, if the guy IS the boss or is related to the boss, just find another employer if it's that important to you.
Andrew Yeomans
At my previous job, I heard some really crazy reasons, from non-technical PHBs, for outlawing free software. All kind of nonsense up to and including Russian hackers planting backdoors/trojans in OSS apps.
In the end, the best way to make these non-technical PHBs see sense was to simply point out all the OSS they were already using, without even knowing it.
Those HPUX servers? Running Samba shares.
That F5 SSLVPN network appliance? FreeBSD!
The most priceless moment was when I discovered the main OSS opponent was an avid Firefox user. He referred to it as "Microsoft Firefox".
so either learn to live with the problem, or just run away from it? you must be a real winner.
most socially/emotionally healthy individuals have a powerful tool at their disposal called "interpersonal communication." by honing your communication skills, you can exchange thoughts and opinions with other people, perhaps even persuading them that FOSS is a viable alternative to proprietary software. but this is generally not a tactic used by people who spend their entire lives as a powerless passive observer.
assuming you know to speak up for yourself, there are a lot of ways to introduce FOSS to a closed source organization.
It sounds like his argument against FOSS is fact-based, not political. Address the facts.
He believes that anyone can change the source of an open source application and recompile it. That is TRUE. He is right to identify that as a vulnerability. The mitigation is to only download binaries from trusted sources and verify them with checksums, or to download the source, inspect it, and recompile.
His conclusion that applications from proprietary sources are therefore inherently more secure because they cannot be recompiled, however, is INCORRECT. From a security standpoint, using a binary file requires a higher level of trust because it is more opaque. It is far easier to hide an attack in a binary file precisely because one cannot inspect it as easily as one can a source file.
The threat order, from most threatening to least, is:
The point is, NOTHING should be accepted without verifiable trust. Being able to personally inspect the source code provides an additional level of protection, and is therefore SAFER from a security standpoint.
For personal use, I trust everything at level 3 and higher (binary from trusted agent, no checksum). That's fairly risky, but acceptable for a single machine. If I were in charge of the corporate desktop, I would elevate to level 4 (binary from trusted agent, with checksum). This is the level that Microsoft products are distributed at, for example. If I really were concerned about the security of an application -- say, if I were in charge of writing voting machine software -- I would insist on elevating all the way to level 6 (source from trusted agent, with checksum, scanned by me and recompiled with a new checksum.)
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
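The "level 3 versus level 4" distinction in the post above (binary from a trusted agent with no checksum, versus the same binary checked against a published checksum), as an added example that is not part of the thread: a small Python verifier that parses a SHA256SUMS-style manifest and returns a per-file verdict. The file names, byte contents and manifest are constructed for the example; `publish_manifest` also stands in for recording the "new checksum" of a binary you rebuilt yourself from inspected source (the post's level 6).

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for installer downloads (names and bytes are invented).
GENUINE = {
    "gvim-setup.exe": b"MZ genuine vim installer bytes",
    "gimp-setup.exe": b"MZ genuine gimp installer bytes",
}

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()

def publish_manifest(artifacts: Dict[str, bytes]) -> str:
    """SHA256SUMS-style manifest ('<digest>  <name>' per line) from the trusted
    party; also records the 'new checksum' of a binary you rebuilt yourself."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(artifacts.items()))

def parse_manifest(text: str) -> Dict[str, str]:
    """Map name -> expected digest; accepts 'digest  name' and 'digest *name'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()
    return expected

def verify(manifest_text: str, downloaded: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per file: 'ok', 'MISMATCH' or 'UNLISTED'. Only meaningful if the
    manifest arrived over a channel trusted separately from the download itself."""
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in downloaded.items():
        if name not in expected:
            verdicts[name] = "UNLISTED"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts

if __name__ == "__main__":
    manifest = publish_manifest(GENUINE)
    downloads = dict(GENUINE)
    downloads["gimp-setup.exe"] = b"MZ tampered gimp installer bytes"  # altered in transit
    downloads["extra-tool.exe"] = b"MZ not in the manifest"
    for name, verdict in verify(manifest, downloads).items():
        print(f"{name}: {verdict}")
```

A checksum fetched from the same mirror as the binary only detects corruption, not substitution; the manifest has to come from the trusted agent itself.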
I used to work for BNFL (now the Nuclear Decommissioning Authority) and this was exactly their attitude. I tried very hard to explain things and not over-step my authority or sound like I was trying to undermine my superiors but the reply was always patronising, "We'd rather pay for a software license and have support when things go wrong." Note I'm not talking about nuclear safety-related software, merely office and programming tools.
After a few years, I got sick of the stifling environment and lack of direction and left for a better paid job.
I went to work for a big US computer company. Things were totally different there.
After another few years, the office closed and I had to get a new job with a smallish British company. They were very open-source friendly although the Director of Software really admired Microsoft. There really was trouble there since, as the skill base left due to fascist management and the Director of Software tightened his grip, things went the other way. I quietly, discreetly and politely offered to save the company £1000 that they were going to spend on some backup software for servers that essentially just did a dd of the root disk. I got a flame back telling me to keep my pathetic little minion mouth shut and I resigned like the 16 others before me. Two more resigned during my month's notice.
I'm much happier at my new place. It's a big company again with lots of rules and process, but their hearts are in the right place - the right tool for the job - and they appreciate ideas from their technical staff.
The moral of the story is be prepared to move on if the company doesn't suit you. It may take many months to find something new, but it's worth it. Work is a substantial part of your life. That time is too valuable to waste on something that makes you miserable.
Stick Men
I have implemented a high-profile system in a large multinational, using open source. I too found it hard to get OSS accepted, but not for the reasons I first expected. Most of the initial arguments were quickly countered.
- Malware? We were confident enough to see there were sufficient controls around code changes.
- Support? Easily handled by our existing channels, even for elaborate changes and additions.
- Quality? Millions of users can't be wrong...
The one thing we struggled with was: liability. Our own, our manager's, the software approval guy's. The problem is this: what if that bit of open source software contains proprietary code, and the owner of that code suddenly starts asserting his rights? At best, we will be forced to stop use of that software.
You can argue that this is also a possibility with commercial software, which is true. But with commercial software, the owner of the infringed code will go after the creator of the software. Better yet, we too get to sue his pants off. In the case of open source, they are likely to sue not the creators or distributors of the software, but the people using it. That means us, and the legal eagles don't like that, oh no. Remember the old maxim "No one has ever been fired for buying IBM"... that goes doubly for OSS. OSS exposes you to lawsuits, and when the stuff does hit the fan, the buck stops with you.
In the end, OSS was allowed in our corporation, provided that it isn't used for mission critical purposes if no commercial drop-in replacement exists. If the software develops issues, there's still no vendor to blame for me, but I can live with that, personally.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
The reason you don't get it is because you don't fully understand. "The right to bear arms" doesn't mean you have the right to hold a gun. It means you have the rights to wield arms of a bear. Unfortunately, they're a little cumbersome, so no one really uses them.
Isn't this the reason you own guns: to defend yourselves from utter tossers in the workplace?
No, we own guns to prevent the government from having a monopoly on deadly force. Governments have different options available to them when the people are armed, than they do when the people are unarmed.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I think the better way to look at the problem is to start with this question:
"How do you know you can trust *any* software project?"
Well, how do you answer that question? There are lots of ways of answering this question, but the one that stands out for me is this:
1) Trust, like respect, has to be earned. Has Project "foo" screwed me over in the past?
Yes or no, no equivocation?
2) If the answer is Yes, was it an isolated event? Was it an accident? Did the project people repair their mistake quickly, or did they let it linger and left me hanging?
a) If it was an isolated event, and they stayed on top of it, then yeah, I'll give them a second chance.
b) If it was an isolated event and they left me hanging, screw them, they're out. Next!
c) If it was not an isolated event, then that's it, they're out permanently. My time is limited and I can't afford to wait for them to reform themselves.
Now that's *my* criteria for deciding. Your criteria is ... your criteria. Based upon *my* criteria and my *experience* I can say the following:
1) Most of the Free Software (GPL, MPL, BSD, etc. licensed) that *I* use is excellent --- it does what I want, it's well documented *for me*, it has a good *publicly documented* record of fixing bugs and staying on top of things.
2) Most of the Proprietary Licensed software that *I* have used has been crap in the sense either it does *not* do what I require, or it's buggy, or it's poorly documented, or it has legal encumbrances that make it problematic to use, etc.
I want to be very careful here. I am *not* asserting that most Free Software is awesome and most proprietary software is crap. I'm only asserting that the software that *I* have *tried* from those models of software licensing have pretty much been: Free Software == Awesome, and Proprietary == Crap.
Now *why* is this true? Because I don't use Joe Random Free Software and don't use much Joe Proprietary Software.
The Free Software has been vetted by my OS of choice: Debian Linux. If it's in Debian's repositories then I'll give the software a shot. If it's not in Debian's repositories I don't want to look at it. I'm not interested in ever having to manually download, configure, make, make install software. I trust Debian as my big ass filter of crapware. If some Debian developer took the time to package some Free Software then it must be good, because Debian's guidelines for getting software into the repository is not for the faint of heart. That and the fact that their bucket brigade of QA ensures that when the software makes it into Debian's stable branch it might be obsolete but it's rock hard stable.
I don't use much proprietary software today. The only thing that comes to mind is Adobe's flash player. I used Microsoft Windows before Windows 2000 came out and by that point I had given up on them for being flaky once too many times. I used NVidia's kernel module for accelerated 3D graphics, and it was ok for a while, until I got burned once too many times when I upgraded Linux kernels and Nvidia hadn't kept up with Linux. The final straw was when Nvidia declared my hardware as legacy. In the case of Adobe's flash player, it's gotten better I think. The only thing that bothered me about it was its tendency to crash iceweasel, and not work very well with konqueror, and stealing audio (oss sound driver I think). The only reason it's still with me is because of youtube and because I'm waiting for gnash (Free Software) to be stable enough and not suck up too much CPU usage.