Bringing OSS Into a Closed Source Organization?

Piranhaa writes "At the major corporation I work for, there is currently a single person who decides what software to approve and disapprove within the organization. I've noticed that requests from users for open source Windows programs get denied, nearly instantaneously, on a regular basis. Anything from Gimp, to Firefox, even to Vim don't make the cut due to the simple fact that they are open source. Closed source programs from unknown vendors have a much better chance at approval than Firefox does. The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get. I'm a firm believer in open source code, but I also know closed source has its place. So what would be the best way for me to argue, with all the facts, to allow these people to come to their own conclusion that open source is actually good? Would presenting examples of other big companies moving to open source work, and if so what are some good examples? Or can you suggest any other good approaches?"

Don't bother

[nyet]

Either live with your idiot bosses and stop complaining, or ditch that miserable excuse for an employer.

Re:Don't bother

[Kethinov]

I'm inclined to agree.

The whole mentality here is that anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get.

If someone important in the IT department at my company said something as grossly fucking stupid as that, then one of two things would happen. I'd either get him fired, or I'd quit and go work for a company that hires qualified people.

Re:Don't bother

[SausageOfDoom]

Forgive me if I'm being stupid, but this is actually something I worry about. I'm a heavy user of open source, but surely it is true that "anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get" - isn't that kinda the point of open source? And we just hope that someone else notices if the changes are bad?

I know this sounds like I'm trolling, but I'm not - it's a serious question. How do you know you can trust open source projects? I've always assumed that large projects - particularly linux distros and their package repositories - have some kind of QA and code audit system in place, but how do they work? Are a couple of naughty obsfucated lines really going to get caught?

Sure, many eyes on the source code and all that, and there would be the same risk from employees at closed source organisations - only difference being it's easier to get to work on an open source project, and if you get caught adding bad code, you don't lose your job.

This sort of thing is becoming an even bigger problem with the web in general; facebook apps, igoogle gadgets, even things like firefox and jquery plugins - the more I think about it, the more paranoid I become.

What processes are in place to protect users from malicious code?

Re:Don't bother

[Ed+Avis]

If you think that anybody can change the source code, then just try it. Get a line or two of your code into Linux, Firefox and Openoffice.

Re:Don't bother

[Curtman]

What processes are in place to protect users from malicious code?

The same ones that protect us from malicious proprietary software, execept there is many many more people doing it, and it is a hell of a lot easier to do.

Re:Don't bother

[Jesus_666]

Not everyone gets write access to the repository. If you want your changes to go in you have to write a patch and an explanation of what that patch does and submit that to the appropriate maintainer. The maintainer then reviews the patch and is free to accept pr reject it. Obfuscated code will not make the cut as maintainers want the codebase to be readable so it can be better maintained (unless cryptic code is required for speed purposes, in which case you better explain it in detail). You might try to sneak in a subtle bug and that might work or not, depending on how many people review the patch, how thorough they are and how much testing the new release gets before it hits the web.

That's really the only way to accept outside patches bcause without this system the code would soon become a convoluted mess full of incompatible code and patches against ancient versions of modules that no longer exist.

Play the game or go to a higher authority

[Noksagt]

Some people/companies just want a name to blame if something goes wrong. Rather than requesting the right to install Vim, request the ability to purchase a license for Vim. Many projects have already setup mechanisms to do this or are willing to do so.

If this doesn't work because:

A single person who decides what software to approve and disapprove within the organization.

then go to your manager and also the person or people who decide to how good of a job the "software evaluator" [single person] is doing. Point out a real business need for a particular application: "Vim has XXX feature. It is not available in any other software. If I had this feature, I'd be able to do YYY, which will [save/make] our company $[insert figure here]. Did I mention that it is written by a google employee, and that our competitor, ZZZ is probably going to use it if we don't? Here's a list of other companies that use Vim [insert fortune 100 here]. Can you please make [single person] justify why he is putting us at a competitive disadvantage?" Cost is rarely a concern. So save the fact that it is free as an additional argument that you can make if [single person] suggests some other app.

If you are passionate enough about your tools, you can always walk--some companies hire talented employees and understand that they will be more productive with their preferred tools. (If you find yourself in such a company, don't spoil it--produce results with your tools, so that the company will be rewarded for this wisdom.)

If you want to be a dick, point to comparisons of some no-name proprietary program that [single person] approved that turned out to have a security hole and that your app does not suffer this hole and try to pull other tricks to demonstrate that [single person] is incompetent.

Re:Play the game or go to a higher authority

[tr_x_data]

Open-source software often times as very poor support options. Forums and IRC are not substitutes to a dedicated phone support line that's manned 24/7.

That is simply wrong. A wide used and successfull OSS Software (CMake, Subversion, Apache, Vim, Eclipse) to name just a few of those we use in our Company (a very Big Company with more than 700K Employees) have excellent support. It comes in forms of Forums, thousand of Google hit's on every problem and of course IRC and Mailinglists.
As main user or tool responsible person of some of those applications, I never encountered a Problem that I couldn't find quality problem solving information for.
CSS support via closed ticket systems that aren't even indexed by search engines simply can't provide a similar support in my eyes.

Open Source Software comes along with "open problem solving" and that is a big advantage over their closed source counter parts.

Re:Play the game or go to a higher authority

[mlts]

If a company has a chief compliance officer, they are likely bound under some corporate regulation like Sarbanes-Oxley, HIPAA, or something else. To keep the officers from going to prison, one of the things they need to do is "due diligence".

This is making sure that every product in a chain is certified by a vendor in some way. For example, operating systems must be FIPS and Common Criteria certified, encryption products must be listed in the US Governments certified AES libraries, and so on.

Yes, some open source products make this list. SUSE and RedHat Enterprise Linux both have the certificates. However, not many open source solutions do, which is why businesses just go with a Microsoft stack for their applications.

For example, if a business is running a MS stack, and there is a serious data breach, said business can show their policies in place, show that they have done due diligence by using commercial software everywhere, with certified configurations, they will not have to worry about civil stuff like stockholder lawsuits, or criminal stuff like the SEC coming in with audit papers and handcuffs.

Unfortunately, should a similar breach happen with a company that has an open source stack, and can't really prove due diligence by showing that every piece of their IT puzzle was certified by someone (usually a US government agency)... well, they are facing a world of civil and criminal liability.

To be honest, the chance of getting open source software into an environment that has to be so heavily audited and regulated is almost zero. Commercial, closed source software dost cost, but part of the cost is insurance and the ability to blame someone else other than the company or its officers and staff should something bad happen.

Another legal issue of why businesses choose closed source solutions is patent indemnification. If a software company doesn't have this protection for its customers, should a patent violation occur with the software, not just the software company, but all its customers can wind up being sued for obnoxious amounts of money, and possibly shut down. Again, RedHat is one of the companies that offers this protection for an open source product, but few others do.

None of this is related in any way to the quality of programming of open source software. Its all security theater, but its what keeps a company in business and its officers out of prison with the regulations in the US.

Re:Play the game or go to a higher authority

[Bert64]

The problem is that large companies are packed full of people with little or no problem solving skills...
They either don't want to, or are incapable of trying to solve problems themselves, and would rather pay extra for someone else to do it...
Yes, they're basically not doing their jobs, and yet these blatantly incompetent people end up being paid a lot of money.

On the other hand, those people who are smart enough to solve problems (and it really isn't that hard) can set up support consultancies and employ people to do what you're doing on behalf of other companies.

I've seen countless situations where relatively simple problems were unable to be solved internally, and the people who's responsibility it was to fix them just wanted to hand them off to a third party as quickly as possible, and simply didn't have the skill to diagnose what was wrong.
The issue took a few seconds to diagnose, and a few seconds to fix once someone with the right mindset started looking at it.

You've Already Lost

[TheWanderingHermit]

I'm sorry for posting as an AC, but the /. login doesn't seem to be working (no matter what I type in to the captcha, it doesn't let me verify my password!).

This guy is God as far as software at this company goes. He can do what he wants and unless there's a major catastrophe, his supervisors will let him continue to do so. If what you say is accurate, then he's made up his mind and there is no reason to change it at all.

You ask for "the best way for [you] to argue..." That's it right there. As long as you argue, you lose. He doesn't want to argue, he wants to be right and that, by definition, is what he is for anything he says at this company. He doesn't want to hear from you, doesn't care, and in any argument, if he so much as listens, he is indulging you.

True, he's an idiot, but that doesn't matter. He has no reason to change so he won't.

If you want him to change, remember he's like electricity: He takes the path of least resistance. For him to change or even look into change, then that path has to be made easier than him not even bothering to look.

When you can make it easier for him to look at FOSS than it is to ignore it, he'll start looking, but not until then -- and likely not even then if he has a grudge against it and doesn't want to admit it.

Re:Open Source means there's LESS chance of malwar

[setagllib]

Purchasing Windows doesn't give you an "assured" version either. The industry has learned that hard lesson over and over. You're much better off just licensing an open distribution like Red Hat, because you get the corporate support side as well as the community audit side.

The fact is that even if you don't have time to read the source, other people do, and a complete distribution has the unique level of multi-party quality assurance money can't buy.

Microsoft is probably the worst possible example anyway. They regularly put in their own malware. There's no audit required to know that WGA is pure and simple malware. It's absolutely moronic to name them as an example of an "assured" solution vendor.

Other concerns: OSS creep into commercial code

[bboxman]

While I was working for a former employer, we were engaged in negotiations with a very large company that would act as a distributor (to a certain market) of our products. Said unnamed company in the distribution contract wanted us to sign off that "no open source software products were used in the development process, and that no OSS was present in the product".

Why?

Frankly, I understand the concern. If you are a development shop, then if OSS creeps into your product (due to a careless (and thoughtless) developer copy-pasting code, for instance) then the legal ramifications may be grave. Potentially, depending on the license, you are required to disclose the entire source of your product, and provide a usage/distribution license to whomever receives that code -- basically, a single minute action can sign off your rights to your software. your distributors have also violated copyright, and are in similiar hot water (e.g. their efforts in promoting your product are now potentially worthless).

The result? Some companies are so afraid of this "poison pill", that they simply don't let any OSS in their gates. Does this promote OSS? Maybe. IIRC, I recall that some friends working for the dark side (M$) report that no OSS is allowed there (or in some parts thereof).

I use OSS extensively. The former company I worked for had a whole heap of OSS in its development process (but not in the developed chip/product). Actuallly, considering that a non-OSS company (Altera) used OSS in its supplied development chain (gcc, for instance) that we were using, there really was no conceivable way that the company I worked for could've signed off on the "no OSS" bit of the contract.

They probably already use OSS anyway

[nexu56]

At my previous job, I heard some really crazy reasons, from non-technical PHBs, for outlawing free software. All kind of nonsense up to and including Russian hackers planting backdoors/trojans in OSS apps.

In the end, the best way to make these non-technical PHBs see sense was to simply point out all the OSS they were already using, without even knowing it.

Those HPUX servers? Running Samba shares.

That F5 SSLVPN network appliance? FreeBSD!

The most priceless moment was when I discovered the main OSS opponent was an avid Firefox user. He referred to it as "Microsoft Firefox".

great advice!

[lysergic.acid]

so either learn to live with the problem, or just run away from it? you must be a real winner.

most socially/emotionally healthy individuals have a powerful tool at there disposable called "interpersonal communication." by honing your communication skills, you can exchange thoughts and opinions with other people, perhaps even persuading them that FOSS is a viable alternative to proprietary software. but this is generally not a tactic used by people who spend their entire lives as a powerless passive observer.

assuming you know to speak up for yourself, there are a lot of ways to introduce FOSS to a close source organization.

1. start small. compile a list of FOSS software that you use at work to help you be more productive. personally, i use WinSCP, PuTTY, MySQL, PHP, YUI Library, etc. i would not be able to do the work required of me without these tools, at least no without paying much more for less efficient results.
2. document all of the proprietary software your company licenses which could be replaced by FOSS equivalents providing equal or better results--this includes desktop applications and sever software. emphasize the TCO that could be saved.
3. write a proposal. come up with some small non-vital applications that can be migrated to FOSS without disruptive business operations. for instance, set up an intranet site using FOSS software; perhaps a company wiki running on a LAMP server; or switch all IE browsers to Mozilla Firefox.

Re:great advice!

[unlametheweak]

most socially/emotionally healthy individuals have a powerful tool at there disposable called "interpersonal communication.

That only works if you are dealing with a socially and emotionally healthy individual that has interpersonal communication skills. I've seen very little of this in Management. In fact if management did have any type of skills in this situation they wouldn't have such unfounded biases towards open source software developers or the products they produce.

Re:Leaveve it alone

[turgid]

I used to work for BNFL (now the Nuclear Decommissioning Authority) and this was exactly their attitude. I tried very hard to explain things and not over-step my authority or sound like I was trying to undermine my superiors but the reply was always patronising, "We'd rather pay for a software license and have support when things go wrong." Note I'm not talking about nuclear safety-related software, merely office and programming tools.

After a few years, I got sick of the stifling environment and lack of direction and left for a better paid job.

I went to work for a big US computer company. Things were totally different there.

After another few years, the office close and I had to get a new job with a smallish British company. They were very open-source friendly although the Director of Software really admired Microsoft. There really was trouble there since as the skill base left due to fascist management, and the Director of Software tightened his grip, things went the other way. I quietly, discretely and politely offered to save the company £1000 that they were going to spend on some backup software for servers that essentially just did a dd of the root disk. I got a flame back telling me to keep my pathetic little minion mouth shut and I resigned like the 16 others before me. Two more resigned during my month's notice.

I'm much happier at my new place. It's a big company again with lots of rules and process, but their hearts are in the right place - the right tool for the job - and they appreciate ideas from their technical staff.

The moral of the story is be prepared to move on if the company doesn't suit you. It may take many months to find something new, but it's worth it. Work is a substantial part of your life. That time is too valuable to waste on something that makes you miserable.

Re:I don't get this

[jcr]

Isn't this the reason you own guns: to defend yourselves from utter tossers in the workplace?

No, we own guns to prevent the government from having a monopoly on deadly force. Governments have different options available to them when the people are armed, than they do when the people are unarmed.

-jcr