UK Conservatives Slammed Over Open Source Stance
Golygydd Max writes "The UK government has been criticised by the opposition Conservative (Tory) party for its lack of support for open-source software. Now, according to Techworld, a security company that has examined the Tory plans has come out against the use of open source software, citing the number of security problems inherent in the software. This is a sensitive issue for the UK government, still smarting from the loss of 7m family records from HM Revenue and Customs in 2007. What makes this criticism interesting is that this is an attack on the policies of what will certainly be the next British government — it's unusual for a party to be criticised like this before it comes to office. It's an indication of how IT is going to be a battleground in the future general election."
> it's unusual for a party to be criticised like this before it comes to office
Clearly timothy is unfamiliar with UK politics.
Whenever America disappoints me, I look to the UK with the Nanny-state and their repeated .gov breaches. Thank you to the Queen for giving us a country for a lesser comparison.
...Now, according to Techworld, a security company that has examined the Tory plans has come out against the use of open source software, citing the number of security problems inherent in the software...
I think we need to be objective here. Software both closed source and open source is created by human beings.
By nature, these human beings make mistakes.
The question then becomes: Which model of software development fixes security issues faster? We should collect statistics here and convince these Britons that OSS is still the best model around.
We should also remind the skeptics about OSS, that more than 80% of internet traffic is handled by OSS systems, so if OSS were that insecure, it would show...fast.
"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches," said Fortify vice president, Richard Kirk.
US outfit Fortify Software has come up with research to prove it.
Uh, wow, a US company that sells software doesn't want the British government to switch to open source software? What a radical position to take! Of course, it couldn't have anything to do with the fact that it's hard to price gouge a rich government for security software if they're not running proprietary crap. I'm sure if they had their way the Brits would all be running Vista and MS Office.
The world you experience is only a close approximation of reality.
...it's unusual for a party to be criticised like this before it comes to office.
How is it unusual? It happens all the time. And anyway, the whole summary doesn't make sense.
The UK government has been criticised by the opposition Conservative (Tory) party for its lack of support for open-source software.
And, then:
a security company that has examined the Tory plans has come out against the use of open source software
So, the security company agrees with the current government? How is this news?
"It's an indication of how IT is going to be a battleground in the future general election."
Not really. Politicians will grasp at anything to make sensational claims about their opponents. Doesn't matter if it involves IT, their sex lives or what they eat for breakfast.
American here, maybe politics are better in the UK. (but I doubt it)
We should collect statistics here and convince these Britons that OSS is still the best model around.
Yeah, maybe we look here https://opensource.fortify.com/ They scanned 103 projects with a total of 24668646 loc and found a total of 403 errors which makes for 1 error in 61212 loc or 4 errors per project. Not too bad I'd say. Oh, btw of those 403 errors found 383 are already fixed.
1. Identify greatest long term threat to my industry
2. Conduct "Research" on threat and publish to increase FUD.
3. Sell products to "fix" FUD issues.
4. Profit!
Subject: No ?????????
Filter error: Your subject looks too much like ascii art.
You saw him repressing me, didn't you?
brandelf -t FreeBSD
Politics is about, "We would do things better than you do!", open source software is just an unfortunate, innocent bystander in this process. If Labour were open source advocates, the Tories would be saying exactly what the, presumably Labour funded, security company are saying right now.
Personally, I think the time has come for another interesting political scandal so they will leave the software industry alone.
For those of you not familiar with UK politics, it works a bit like this...
There are 2 main parties, plus a 3rd with a small but meaningful number of seats. Each of the two main parties elect a leader who becomes candidate for PM. Labour are historically the party for the working man, formed out of the unions, however, in recent years they have figured out that the working man is significantly less likely to invite you for a spin on their yacht, so have shifted their position a little.
The current opposition party, the Conservatives (or 'Tories'), usually have MPs that come from the rich and privately educated set, such as the hilarious London mayor Boris Johnson (seriously, look this guy up, he is a laugh a minute). They stand for strong family values, but are actually quite likely to be found having a three-way homosexual romp in a public toilet while their wife is at home taking care of the kids.
Neither party gives the slightest toss about open source software (at least, not even close to the level that we do here), but they *do* care about scoring some points. If FOSS is the battleground du jour so be it... tomorrow it will be the colour of the sky!
Incidentally, you have detected a slight hint of British cynicism in my post, it is pretty common. When Obama got elected I was thinking, "Does this guy have a brother that can come and help us out?", then I found out he has a brother that has recently been charged with drug offenses in Kenya... but to be honest, I am still thinking... 'He'll do!'.
The British Government, or at least, branches of it, used to be very open source friendly. Developing software and publishing it with a very permissive license attached to the source code.
Alas, since the Blair Regime started, that all seemed to come to an end... and the British people had to learn to put up with huge IT spending to private firms, usually affiliated with Fujitsu or Microsoft ... and those public IT projects would famously fall flat on their faces and be quietly shelved.
Just look at the recent hiccups with the UK Biometrics scheme... 'nuff said.
No sig. Move along - nothing to see here.
A simple Google Search shows rather more than just being a vendor of some random proprietary software. Fortify is a Microsoft partner which has indulged in joint product launches with them and this isn't even mentioned in the original article.
This is yet another example of a Microsoft inspired campaign of lies. This group never changes and they and their software should be automatically excluded from all state contracts for ethical violations.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
A link to the company's study: http://www.fortify.com/servlet/download/user/OpenSource_Security_WP_V5.pdf
While they raise a couple interesting points, my first impression is that they broadly generalize from a small sample set. Specifically, they only look at about 10 Java projects (including Tomcat, Hibernate, and JBoss), and proceed to conclude that the open source community is unresponsive to security threats. Conspicuously absent are any Linux distributions (let alone any *BSD... they have obviously never heard of OpenBSD), OpenOffice, or any tools likely to make it into desktop use for the UK government.
Oh, and the solution to all this apparently is to rely on their company's security auditing services to make sure that your company doesn't have "hidden security holes".... Riiiight....
'Every story, if continued long enough, ends in death.' --Ernest Hemingway
Actually both the city of London (which would tend to contain Tories, they're often investment bankers) and the BBC (which contains champagne socialists) both use a lot of open source, mainly scripting languages, databases and web servers.
However, in both cases, anybody 'political' wouldn't actually dirty their hands with 'software' AND software engineers wouldn't dirty their hands with 'politics'.
As for the 'report' it's basically self-promotion by the company in order to peddle its wares.
On y va, qui mal y pense!
Because there's nothing more objective than deciding what conclusion you want to convince people of before collecting the statistics! (You don't happen to work for Gartner, do you?)
In case I missed something there are multiple parties in the UK who will contest the next election - there are no certainties. Whilst the Tories may have a strong lead now in the polls anything could happen between now and the election.
TFA references a study by Fortify Software that is the basis for the statements against OSS. Here's the link to the study. http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
Fortify Software is not exactly a neutral party for conducting studies of the fitness of FOSS for enterprise software use. Half its Board of Directors have ties to enterprise software and service corporations like PeopleSoft, Sybase, Oracle, and Microsoft. I think I might get a second opinion.
The "press release" by Fortify for this claims that Larry Suto performed the test. He has a reputation for faulty, perhaps even fraudulent, testing methods. He also only tested 11 specific Java apps (and Fortify sells "audited" versions of those apps). The tests were performed using Fortify's software, no other testing software was used. So the accuracy of this test relies on the accuracy of Fortify's software, which hasn't been independently tested as far as I can tell. The press release also mentions findings by the Forrester Group, who are well known for a history of spreading inaccurate FUD about non-MS software.
Open Source for Open Minds
OSS lacks QA - show me an OSS project that government is likely to use that has any quality assurances. The big font stating "use at own risk" is a massive turn off for government and rightly so.
Um.. Microsoft's EULA basically says the same thing.
I've yet to be in an enterprise which uses enterprise-level change control.
Working for one of the world's largest commercial companies: Closest thing to "source control" was a rigorous automated backup process across network shares.
Working for a small commercial company which sold commercial data processing tools for some of the world's largest commercial companies, and the U.S. Military, and various parts of the U.S. Government: Closest thing to "source control" was laws requiring our code be held in escrow for every release. We routinely released completely untested versions and claimed that it was a re-build of the same sources. Eventually management was convinced to start using source control after asking if anyone had an old copy of a file lying around and I quickly produced it from my local repository. Just before I left, I brought up the issue of segmentation faults and memory corruption, and was told "we can't avoid signalling if we're given bad inputs".
Working for possibly the largest I.T. Company in the world, processing data for the U.S. Government: One person in charge of source control. No branching allowed. Occasionally heard complaints from the guru that people were overwriting each-other's changes. Never heard the word "security" mentioned at any point. Found out I could get a root shell and modify anyone else's source code by passing bad parameters to the reporting system.
-- 'The' Lord and Master Bitman On High, Master Of All
As much as you might be right, it doesn't change the fact that it works. It's a little bit like the wikipedia problem - it can cite 100 sources that all use information lifted off wikipedia, it just seems reliable and independently confirmed even though there's really only one source. In this you got one piece of FUD "confirming" another piece of FUD and to the general public it will look like "massive independent confirmation" instead of "whole lot of FUD being passed around in their own FUD-circle". A lie doesn't become less of a lie if you keep repeating it, but it does become more credible unfortunately.
Live today, because you never know what tomorrow brings
Then why use it for your website? http://toolbar.netcraft.com/site_report?url=http://www.fortify.com
I don't want my tax-money to be used to fatten the coffers of corporate giants. They'll use the money to lobby against my fair use rights.
80% of traffic is spam, so how is that OSS doing now that you have some perspective? ;)
Whilst the Tories may have a strong lead now in the polls anything could happen between now and the election.
They barely even have that, it's been down to four points within the last quarter. Extraordinary, given the pig's ear the present lot have made of it, but people still don't trust the Tories.
From FTA:
US outfit Fortify Software has come up with research to prove it.
I'm willing to bet that the company in question has promised a large political donation, and this article has been seeded to make sure it all looks like a rational decision when the Tories wangle them a huge IT contract in return.
Every SINGLE friggn' political issue I ever get involved with, before long I realise: it's big business throwing money at corrupt politicians - and the politicians gladly take it. That IS politics now - the giving and taking of money and the protection of the interests of big businesses.
"And the meaning of words; when they cease to function; when will it start worrying you?"
such security fixes could dry up overnight on an OSS project. that's the whole point i'm trying to get through to people, start thinking like you've got 100 million dollar projects relying on this stuff. who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
If you mod me down, I will become more powerful than you can imagine....
OSS lacks QA - show me an OSS project that government is likely to use that has any quality assurances. The big font stating "use at own risk" is a massive turn off for government and rightly so.
Um.. Microsoft's EULA basically says the same thing.
Not only that, but with OSS you can actually do a risk assessment by inspecting the source code. In the case of proprietary software that gives no warranty, how can I assess my risk?
What I find interesting is that in most cases you really want to "use at your own risk", after having assessed that risk properly. Because, if I buy a piece of software from Mario's Super Software company for $100, but it blows up in my face for $10 million.... my $100 refund isn't going to comfort me all that much...
It's a little bit like the wikipedia problem - it can cite 100 sources that all use information lifted off wikipedia, it just seems reliable and independently confirmed even though there's really only one source.
citation needed.
c++;
Seriously it doesn't. If you are buying on the scale that governments do you can get any company selling proprietary software to share source with you under NDA as part of the contract. No company is going to turn down a government contract in the hundreds of millions (perhaps even billions) to keep their source code safe and if they are stupid enough to do so then you don't want to deal with that company anyway.
The problem isn't access to the code or being able to modify it.
The problem is a solid, secure implementation. This is where the UK government are incompetent. They couldn't organise a piss up in a brewery let alone set up a secure computer system. I don't care what product MY money buys (after all it is MY money buying it) I just want it to be secure and well implemented. I love F/OSS but I'm not going to say we should use something just because it is F/OSS over "better" proprietary software.
They are not looking at the REAL problem.
Showing that a statistically insignificant number of Java applications failed a test by a proprietary system which nobody is allowed to decompile so they can reproduce the results.
Hmm. Perhaps I am being a crotchety old science traditionalist, but the definition of the word 'research' seems to have changed of late.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Well the US DoD seems to be trusting to OSS with forge.mil. I know the company I work for does a variety of UK government contracts as well and we're using more and more open source (mainly Eclipse and its plugins, Protege and OWL in my area of work).
Besides, what's the real difference between relying on an OSS project with no license fee for five years then (possibly) having to migrate and learn something new but similar versus being charged year on year for Office 2003 then having to migrate to 2007 and all its new UI and still being charged year on year?
Read the guy again
The Conservatives have usually portrayed themselves as the party of family values, Married, 2.4 kids, stable etc
But in real life enough Tory MPs were seen to be living a life other than they preached. One even died during a bout of erotic asphyxiation
So it is Hypocrisy he is against, not same sex relationships
I mean, they just say "security problems inherent in the software" but the Tories didn't SAY what software. Just that it should be OSS. So how can some company say that "the software has security problems" when they don't even know what software is going to be used???
Let's see
The current political editor is a former Tory Party apparatchik
The main politics programme is hosted by Andrew Neil, former Murdoch editor of the Times in the Thatcher Glory Days (tm) and has Michael Portillo, former Tory Cabinet Minister, and the token leftie is someone who fell out with the Labour Party a long time ago
They employ at least two children of former cabinet ministers (Carol Thatcher, though maybe not for much longer, and Maxine Mawhinney)
I'm guessing that the political news in the BBC gets a Tory friendly treatment
We can also look here http://www.fortify.com/partners/technologyPartners.jsp and note that Microsoft is one of their partners.
I'd trust my own employees with access to the sourcecode, or lacking employees competent in the area, consultants with the same source code access. With the consultants I'd also have the added bonus of being able to replace them, were they not able to fix my problems :)
You know, you _do_ have to pay for support, FOSS or closed source. But you do get what you pay for. And with FOSS, that includes the ability to switch vendor without switching the software.
oh no, not again. David Cameron has picked up on another techy buzzword and is hoping to slam Labour into the ground with it. This isn't about FOSS at all, it's about the political machinations of a desperate man and a desperate party, futilely attempting to win favour with the masses.
I'm sorry David, but we will never forget Maggie Maggie Milk Snatcher, nor will we forget your morning 'green friendly' cycle to work while your briefcase goes by car
It pays to be obvious, especially if you have a reputation for being subtle.
err... less of the FUD please.
First of all, why on earth are you assuming a multi million dollar project is going to be using software supported by some guy called bob?
Rewrite that as using open source software supported by Canonical, Novell, Red Hat or Sun, and all of a sudden Open Source is competing on much more equal footing, and your first argument goes out of the window. After all, you could just have easily bought some closed source software off 'Bob' for your multi-million pound project.
What's that, you don't trust Bob's software, and would rather buy from a big company? Funny that.
And do you *really* think Microsoft's EULA disclaimers don't apply to large organizations? Bill Gates didn't get Microsoft to where they are today by the company being dumb. I've seen their volume license terms, and if anything they're *more* restrictive, not less. By all means, quote me a paragraph or two from one of these 'favourable' EULAs that show me I'm wrong, but somehow I don't think that's going to happen.
OSS lacks QA - show me an OSS project that government is likely to use that has any quality assurances. The big font stating "use at own risk" is a massive turn off for government and rightly so.
That may be true, but part of accepting the risk of OSS is that you also can take an active part in making it better. And in some cases, perhaps more so than by being a beta-tester of a closed commercial software. Provided that a particular OSS is fairly mature in the project cycle, has a fairly large userbase, and has a big enough team of developers who are responsive and attentive to the users, you can get a nice development and feedback loop that rivals or exceeds the QA testing of comparable commercial offerings.
(Even if you can't program worth a gnat's fart nor read source code, nor have money to donate to a project, as an OSS user you can still contribute. You do your part by reporting all unknown bugs, the conditions that cause them, and by discussing particular interface issues and possible fixes or improvements.)
It may not have any assurance of quality, but with the great possibility for refinement in some OSS applications, that doesn't mean there isn't any quality there. More often than not, OSS also has the goal of achieving excellence. Some very good OSS applications have made their name and reputation on that aspect.
"What makes this criticism interesting is that this is an attack on the policies of what will certainly be the next British government — it's unusual for a party to be criticised like this before it comes to office."
No it isn't. In fact it's incredibly common. They do it face to face every week with Prime Ministers Questions. These debates get incredibly heated and they're constantly slagging off each others' policies. Outside of parliament the papers continue attacks on policy, as do the talking heads on various news channels. Heck the Tories are still getting flak for Thatcher.
The summary is making far too big of a deal out of this. IT in itself won't be a battleground, in fact I doubt it'll make open debate outside of dedicated sessions on the subject that are attended by a dozen or so MPs and only gets aired on BBC parliament.
What will be the big issues in an election when it's called will be the following (possibly in this order); economy > crime > security (and privacy) > Green policies > education. The Tory party are not going to win any seats by spending time talking about open source.
How did 25 MILLION people's records get recounted as 7 million families? Hell, why not get the number even smaller, it was only one country's worth.
Where is this bias coming from? It's in quotes but doesn't appear on either of the linked pages.
what will certainly be the next British government
There's nothing certain about that at all.
and that is exactly the sort of commercial conditions negotiated by government... good satisfactory or money refunded. Which is entirely useless. Sometimes they go the other way... you get government people wanting vendors to sign up for unlimited liability, which they tend to balk at... for years... that's no fun either. What government often succeeds at is volume discount. But having government sue a tax paying corporation, likely employing someone who plays golf with the Minister/Secretary of.../ grand poobah... ? unlikely.
like the OSS crowd, i'm sure they merely sourced their data to fit their own agenda.
Yes like FUD.
OSS lacks QA - show me an OSS project that government is likely to use that has any quality assurances.
Really I guess you have not looked at Red Hat or Novell support.
OSS takes control away from the customer as to who supplies their patches
Now that's trolling. If you don't like the software then you can always write your own. Of course if you like the software you can post bug reports or even fix it yourself and if you don't have the expertise you can hire someone to do that. Try doing that with closed source or proprietary software. As for the people who supply patches all you need to do is look at the "Help" or even the source to get the name of the people who are maintaining the package.
these are merely the security concerns. yes there is the usual stupid argument of being able to see the source code - but here is a clue for you - that's hellish expensive and blows the OSS is cheap myth out of the water.
Sigh! If you have done a cost benefit analysis then you would clearly see that a "supported" open source operating system is much cheaper and more reliable than a proprietary solution. You honestly don't think that just because you install a Linux distribution that everything is going to work forever, you need an administrator and depending on how much you value your data you will need some level of vendor support which is normally much cheaper than a proprietary solution.
The grammar Nazi in me states you should always start a sentence with a capital letter as is a stand alone "I". After all that is very basic English.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
Security problems?! I'd...think switching from...uh...for example...windows to linux is more of a security update. Also, bugs and security holes in oss are found faster and are easier to repair than with their closed source counterparts.
If security fixes dry up on OSS, the UK government can just get the source code and pay *anyone* to fix it. How is this better than relying on just one company, especially when that one company is a well-known scofflaw that has incurred the biggest fines in the history of EU law?
A pizza of radius z and thickness a has a volume of pi z z a
I don't think anyone would propose that a government just take a random FOSS project from freshmeat.net and put it into production, least of all with anything resembling sensitive data.
However, both Red Hat Enterprise Linux and SuSE Linux Enterprise Server have both achieved Common Criteria EAL4+ assurance, making them equivalent to Solaris, Windows Server 2003 and Windows XP in the eyes of the evaluation bodies and therefore suitable for many roles within government IT systems.
I've just sent an email to the Conservative Party (via their website) telling them that they are right, stick to their guns. I've told them we are a small UK developer who rely on OSS from major vendors to deliver a cost effective product, and that they should respond to criticism from people who simply stand to lose business by pointing out their lack of independence. I encourage others to do the same. I'm not a Conservative, I'm a long haired pinko (all right, on the right wing of the Lib Dems actually) but I think that any political party that comes up with sensible ideas should be given encouragement. Our MP used to say that he regarded every letter that wasn't boilerplate from a lobbyist as representing the views of at least 500 people, so if he got 100 letters and emails on a subject saying the same thing, he took that as representative of the constituency as a whole. They DO pay attention.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
such security fixes could dry up overnight on an OSS project...start thinking like you've got 100 million dollar projects relying on this stuff.
This situation is PRECISELY when open source shows its strength. Take the massive annual license fee that you would need to pay MS to provide such support and hire your own, competent IT staff to maintain the code you want. First this means that you are creating jobs in the UK rather than paying some foreign company which should be a very important consideration for the UK government especially in the current climate. Secondly you now have your own local experts to provide support, implement the features that you want, provide support etc. etc. This puts you in a far better position than having to ring up MS. Your own guys will be familiar with your usage and can give advice based on what they know the code does rather than on black-box trial and error experience. Finally you are contributing any changes and code back to the community helping those people that pay the taxes in the first place. Since this may also encourage other firms to invest in local expertise rather than ship money abroad this can help the local economy.
Because they, like every other sane person, do not directly manage their web server, or likely even directly manage their web site.
The "if you don't like open source, why is the thing your opinions are posted on using open source!" argument is dead, because it is so stupid.
-- 'The' Lord and Master Bitman On High, Master Of All
No it isn't. You may be interested in FOSS. I am, a bit. But 99.99% of the public couldn't spell FOSS, let alone know what it is.
If the proles are interested in anything beyond football, crappy reality shows and getting drunk, their main political concerns are the job and housing markets, and maybe food prices & immigration.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
The point of OSS is that you can do your own security fixes, and not have to wait 7 years for a patch.
If you think that large parts of critical UK infrastructure are not already running on BIND, postfix, sendmail and apache then you are a bit behind the times.
"It doesn't cost enough, and it makes too much sense."
ok I am just having a laugh cos I know you were teasing too on the old north/south divide, we're all southern softies and you're hard as nails with ferrets down your trousers... but most of London doesn't vote Conservative. More like a split between Labour/Lib/Tory.
I lived in Hackney for ten years and that's hardly a rich place, there's not a lot of love for Thatcher and now Cameron there. Reckon there's probably more Cameron voters in the posh end of Sheffield than in Hackney or Brixton...
But yeah we probably got the Tories coming, very depressing. It's feeling more and more like the 30s every day, the BNP will probably get a lot of votes in the white working class heartlands as well, I think that's something we've got to worry about, when socialist voters turn national socialist....
Which means that he doesn't really know what goes on in London.
However, and you omit this reason (which is WHY it got informative mods) and it is 100% true. A HUGE number of people STILL blame anything that's going wrong now with what Mrs Thatcher did. They still say you can't vote Tory because Mrs Thatcher was a Tory. They complain that the problems are all because we've been turned into Americans by Mrs Thatcher.
REALLY weird.
How is this any different to a large company (think HP, Sun, IBM, etc) supporting Open Source and providing the client with the same kind of licensing and guarantees? Open Source of Closed Source has no real relevance on the level of support you get. Well in fact it does, with OSS you have the potential to choose your support provider.
-Matt
OSS is routing packets 100% effectively. It's the closed source OS that is causing most of those packets to be spam.
(PS I thought 80% of it was porn. And 80% of it was BitTorrent/P2P piracy, which makes about 260% traffic, 20% of which is wanted).
"We need to move in the direction of what are known as 'open standards'- in effect, creating a common language for government IT. This technical change is crucial because it allows different types of software and systems to work side by side in government."
So I wonder if words have been mangled, because open source software and open standards are not one and the same.
I can see why the focus of the discussion here focuses on the software side, but I think open* standards are perhaps more important than the openness of the software. At government level, I really don't think saying "We're only using software of a certain software licence type" (closed or open) is feasible.
If everybody is using the same standards, it means it's the quality of the software that counts; it becomes a choice of "This software is better" rather than "This software is worse but it means I have access to my old data". From there, more use of open source software can, and hopefully will, follow.
*I do mean "open" in the sense that the /. crowd would use the word, not, for example, how MS would use it...
I agree, but Apache is just one piece of software. I think judging all oss projects by apache or [insert oss app known for security holes here, I'm drawing a blank] makes about as much sense as judging all "proprietary" software by the example of windows or [insert proprietary app known for bug-free, secure operation, also drawing a blank]. It's silly. And even if there were a correlation, vague fear, uncertainty, and doubt do not make sense on software model.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Why hasn't this story been fixed? The title says that the Conservatives have been criticised, and the summary says that Labour has been criticised by the Conservatives. You don't even have to be familiar with the facts to see the contradiction.
Then you use commercially-supported Linux distributions like RHEL or SLED / SLES.
The core OSS software (Linux, the GNU userland and libraries, the compiler toolchain) are not going to suddenly go unmaintained. Too many other companies rely on them - the same companies that contribute to their development.
In order to get into trouble, a huge number of companies would have to suddenly go bankrupt. At the very least, you'd need to lose all of Red Hat, Novell, IBM, Intel, Oracle, SGI, Sun, all of the embedded systems providers that use Linux (Wind River, MontaVista, and so on), probably a few hundred huge companies that rely on the Linux kernel for their core business, and virtually every PC hardware manufacturer. Oh, and Google. Probably Apple as well (they need both the GNU and BSD userlands to be developed, or their OS doesn't move forwards).
If something that bad happened, Microsoft would be fucked as well.
The further you move from the core OSS projects, the more risky it potentially becomes. Still, those smaller projects have one advantage - they're small enough that someone else can maintain them. Hell, if you have a 100 million dollar budget, and you absolutely rely on a project that tanks, you could always take it over, or pay someone else to do it for you. Try doing that with commercial software.
Still the same sex.
And yes, during the 80s and 90s I helped lobby Parliament on the value of the British electronics and software industries, served on DTI committees, talked to our MP and Euro MP. I didn't say "oh nasty Conservatives, don't get involved." That's pointless.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
OSS lacks QA - show me an OSS project that government is likely to use that has any quality assurances. The big font stating "use at own risk" is a massive turn off for government and rightly so.
On your home version, yes. A customer as big as the UK government? They have bulk licensing terms that ensure security fixes (provided they stay on the upgrade treadmill of course).
Funny, because if you weren't trolling you might be aware of these guys: ...
http://www.redhat.com/products/
http://www.canonical.com/services/support
http://www.novell.com/support/microsites/microsite.do
Such security fixes could dry up overnight on an OSS project. That's the whole point I'm trying to get through to people: start thinking like you've got 100 million dollar projects relying on this stuff. Who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
Well I know for a fact that a lot of the software government departments use is home* rolled, so if the OSS support for a project did dry up, and for whatever reason there was no major vendor supporting it, they could support it themselves.
*by home rolled I ofc mean they get the lowest bidder to build it.
start thinking like you've got 100 million dollar projects relying on this stuff. who are you going to trust this to, some guy called bob on sourceforge,
Humor me, troll: why is a closed patch from some guy at microsoft better than an open patch by some guy at redhat/canonical/novell/sun/etc?
IranAir Flight 655 never forget!
Maybe they should trust the technical staff they hired to be able to fix any issues, rather than relying on third parties all the time. This is a recurring problem I find with all government bodies and large corporates. All of the small businesses that I've worked for have had to rely on OSS, purely for financial reasons, and as a result the technical ability of the IT staff there tends to be much higher than that of your average corporate/gov body.
Obviously posted by someone who isn't that much into UK politics. I'm in Scotland, and there's no way Scotland will have a Conservative government in the foreseeable future. There's a chance they could be the next Westminster government, but even that is by no means certain.
What the hell are they talking about? Is it security by obscurity (are they adopting the fallacy?) Is it viruses? WHAT VIRUSES! Is it worms? WHAT WORMS! Exactly what the hell are they talking about? Is it just idiot babble? What? Is it paid reporting by a security company (promoting interests of other companies with bucks to gain?)
The point of OSS isn't having access to the source. It's having EVERYONE having access to the source, and a mechanism for EVERYONE to be able to offer contributions to the source, and to distribute patches outside the developers' control, and even fork the source and release their own version if they don't like where the original developers are taking it. Open source works because it's an open market of ideas, not because you can read the source code.
Read-only access to a snapshot of the source code that you can't share with anyone else is utterly irrelevant to why open source is important.
I have to wonder if this is an Astroturf attack.
First, go back to the original research article. It is interesting, but it includes one open source project, Hipergate 3.0.26, which has 100 times the issues of all the other projects considered, and which skews the statistics. Note, too, that they also consider Hipergate 3.25, which has very few issues. I am not familiar with Hipergate, and it is not clear to me if these are separate products, or if version 3.0.26 is just a very buggy beta version, or even if 3.0.26 comes before or after 3.25. Poking around Sourceforge doesn't find either of these versions; the version there is up to 4.0.3.
The report itself makes the point that OSS should do better, and that it could do better. Fair enough. But what of the bigger implications? What should be done, except maybe avoiding Hipergate 3.0.26?
Of course, saying that the UK should not use Hipergate 3.0.26 is unlikely to make the news. To conclude that the UK government should not use OSS, however, I would want to see a comparison of OSS software and proprietary software on similar points. (Some proprietary software companies make it easy to post security issues, others do not, for example. Is that better or worse in practice than OSS?)
I don't see that sort of analysis here, and that makes me suspect astroturfing. (Again, I am not saying this for the original research report, but for the announcement about the UK Conservative Party.)
The thing that makes me especially suspicious is that one would normally expect a company like Fortify to say something like, here is an opportunity to really improve OSS, the Conservative Party should announce a major software security initiative to go along with their OSS initiative and, by the way, we at Fortify have a number of products and services that would really help with that initiative.
Just to say that it is a bad idea seems to be against their self-interest, and whenever companies act against their apparent self-interest I start to wonder what's going on.
>Security issues
What?
Closed source certainly has more of them...
"That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer," said Fortify vice president, Richard Kirk.
*COUGH* *SPLUTTER* *CHOKE*!!!
WTF!?!? What a feckin' loser!
Windows guys please stop pissing on everyone and the Linux guys stop pissing in the wind, hoping to hit Windows guys!
Who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
I'm not going to trust a multi billion dollar company to get me out of shit if its track record clearly shows that it's not going to do what I need of it. If bob@sourceforge fails to be reliable too, with OSS I can at least hire anyone else; with proprietary software I can hire no one else.
(Deciding whether or not the track record shows that is left as an exercise to the reader.)
and then
At least based on the quotes in the article, which granted may not fully represent Osborne's platform, they are confusing OSS with open standards.
"This is the perfect 'one plus one equals three' opportunity." - Robert Pittman, president of AOL, on merger with Time W
"or a multi billion dollar company with resources to get you out of the shit?"
Oh, you mean like Red Hat? Or maybe Novell? Or any of the other dozens of billion dollar companies that sell open source software/support?
The thing about Microsoft propaganda is that they always leave out key facts and details.
Palm trees and 8
What is most interesting about this study is that it lacks any sort of control group. They never evaluated any proprietary solutions. I see a bunch of numbers, and JBoss seems to have the lowest error rates in its class, and hibernate in its class, but there is no way to tell what that means -- how do proprietary application servers and ORMs compare with these? The study is also very misleading; both JBoss and Hibernate are owned by Red Hat, and therefore receive the benefits of a paid security team, yet this is not mentioned anywhere in the study.
So, as we all concluded as soon as we saw this, it is FUD from a Microsoft partner.
OSS lacks QA - show me a OSS project that government is likely to use that has any quality assurances. the big font stating "use at own risk" is a massive turn off for government and rightly so.
Red Hat Linux?
It's fairly clear to anyone with a functioning brain that the Conservatives will win the next general election.
And from the summary:-
..what will certainly be the next British government..
I can't deny the Tories are strong favourites, but anyone who equates a probability of 75% - 80% with 'bound to happen' is looking to get their fingers burned, whether it's on the racetrack or the financial markets.
[ ]Half Empty [ ]Half Full [x]Twice as big as it needs to be
That is why we have no alternate governments from different parties.
Ever.
Oh, wait ...
IANAL but write like a drunk one.
Get involved in the party closer to your heart and change things (it is what I did when I was in my country, a place far more dangerous than the UK for opposition politicians).
I frankly can't stand all this defeatist whining.
Don't be silly. The security of a technology company's public website is very important. If they truly believed the conclusions of their report, they would take steps to make sure their site was not hosted by open source software. Even if they don't manage the web server, they could easily request to be moved to a Windows/IIS machine.
"Besides, what's the real difference between relying on an OSS project with no license fee for five years then (possibly) having to migrate and learn something new but similar versus being charged year on year for Office 2003 then having to migrate to 2007 and all its new UI and still being charged year on year?"
The difference is Vendor Lock.
It's worse than the proverbial "buying a car with the hood welded shut", because you won't be sued for cutting open a hood you own.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Well, yeah, but the GP that I was replying to implied that vendor lock was better because if you use MS Office then you can "guarantee" Microsoft won't suddenly decide "I can't be bothered with this app any more" whereas you can't "guarantee" the same from say the OpenOffice team (ignoring OOo being a bad example because of the corporate funding it gets from Sun and the like).
The point I was trying to make was that the GP wants yearly fees and vendor lock-in, which results in people getting lumbered with completely new interfaces like MS Office 2007 with no 'choice', whereas if you use an open source solution then the file formats are open and so if your chosen app does run out of steam then you may still spend some time/effort learning something new, but it'll be a choice.
(Note: Some of the quoted words above shouldn't be taken literally - it's all about the interpretation of the "must use proprietary" people).
What does it compare to? Are these stats BETTER than closed source? As it is, just based on the cracking numbers alone, MS and closed source loses BIG time.
And the distros will also do it as well. You have to pay for that.
I prefer the "u" in honour as it seems to be missing these days.
1998 called, it wants its anti-open-source arguments back.
STFU about slashdot bias.
I have worked on UK Government networks as a security auditor and have never seen any evidence that "bulk licensing terms ensure security fixes". [emphasis mine] We get the same security fixes at the same time as everyone else.
Plus the usual issue of having to fork out £200 to get MS support for a problem and only being reimbursed if we can prove that the problem is caused by a fault with MS software.
We are also using a large number of Solaris and Red Hat servers. Oddly enough we have far fewer problems with these. Especially when it comes to integrating updates.
Just my £0.02
"Life is pain Highness. Anyone who says otherwise is selling something"
Westly, The Princess Bride
I know nobody reads Party manifestos, but this is bad even by /. standards.
You didn't cite any reference to where the UK Government had slammed the Tories open source suggestion.
A quick google of "uk government + open source" produces a wealth of information of how open source is welcomed.
Open Source Policy statement
http://www.govtalk.gov.uk/policydocs/policydocs_document.asp?docnum=905
SUN shines on Whitehall:
http://www.ogc.gov.uk/7023_4190.asp
Open Source Trial report:
http://www.ogc.gov.uk/documents/CP0041OpenSourceSoftwareTrialReport.pdf
That this is the best evidence so far that Microsoft's new carey, sharey nice image is basically what many people have assumed it to be, i.e. bullshit.
The scenario is nothing new. Bring in a friendly company, get them to slate the competition and then brag about how an "independent" analyst has found something meaningful. Similarly, as usual, the people who don't care still won't care, the whole thing will be forgotten and FOSS will continue to gain ground as those who know its true value will continue to use and propagate it.
The important thing is to remember that we're still dealing with the same selfish, power hungry, lying, money grabbing, unethical, amoral, shower of shites that we were 5 years ago.
Hmmmmmm..... Deep fried and look like Squirrel.
I suspected as much but didn't have time to do more than the basic research before I had to scoot off to class. As soon as I read the summary I had a "Ballmer, I knew I recognized your stench when they brought me on board" moment.
The world you experience is only a close approximation of reality.
such security fixes could dry up overnight on a OSS project.
Wow, really? You're really trying that line of reasoning here? Do you even understand what Open Source Software means?
Look, if you're using open source software and the security fixes "dry up overnight" and you're the UK government, you know what you do? You hire a couple of programmers to download the source and start providing fixes. If you're using Microsoft and Redmond decides they need to lay off 5000 people including the team that is working on the bug fixes for the product you're using.... you sit around and wait and send angry letters and make angry phone calls and hope that Redmond decides to provide some customer service, and scream and stomp your foot and both of you realize you can't do anything because all your data is tied up in proprietary formats.
Wow, that was hard to reason out, now wasn't it?
I must point out that considering this is a Grammar Nazi sentence, it doesn't entirely make sense. Yes, I understand what it means, but something's not right. Perhaps the grammar?
Follow me
Dear God, I fucking hope not. And will NOT be voting towards that outcome.
No tyrant thrives when every subject says no.
ROFL, 5 years is missing out the other 15 that they've been selling crap.
However, they have brought one HUGE innovation, but it isn't a positive one: MS have actually developed the Scientology method of selling.
The process is as follows. Once they have forced, bullied or bought an appointment with the management of a company or, say, people in charge of a military department (which is where I witnessed this) they will call a meeting at a nice venue.
If this meeting is for 50 people you will find management at the front, and the rest of the room is approx 50% MS staff. They have one job, and one job only: blocking any interruption to the sales flow up front. This means any member of the audience who innocently objects to the *cough* "facts" on display (by asking for source, or pointing out discrepancies) is immediately engaged in local whispered discussion, thus allowing the front to keep management in the glazed status that all this make-believe creates.
During break time, the protocol is to ensure any disturbances are removed before the management is escorted out, and they are held strictly separate from anyone who dissented during the morning, or whoever looks like he/she knows what he/she's talking about. And people wearing sandals. Normally a separate "lunch" (more a banquet) is laid on, just to ensure the segregation is maintained and the gloss/glaze can't come off.
After lunch, more of the same. Copies of presentations are promised, at military level usually contained by "confidentiality" ("we're in the club", nod nod wink wink) but are held back so long that major decisions will be taken before the facts get near anyone competent enough to expose them for the frauds they are.
And so it goes. The management takes decisions based on, well, vapour, staff gets to implement a complete dog, consultancies involved know better than to speak up (they won't get the work otherwise, and MS work means a LOT more consulting time before it all works - and guess who sells time when it works badly) so the whole farce keeps itself alive.
Until they ruined it with Vista. That was SO bad even management noticed.
However, fear not - that's what consultancies are for. They will soon get the execs back on track. The MS track. And that's why, for instance, everything continues to fail spectacularly in the UK.
In a way it's art. A sort of Damien Hirst I-do-something-totally-daft-and-call-it-art kind of art. Not for sane people, no use whatsoever and an unabashed waste of money.
Just that in the case of government, it's YOUR money wasted.
Insert
OSS introduces a unique security problem. To properly secure for government use, they would have to have in-house auditing of every single line of code in a project that comes in from a non-government source.
I've always wondered if there is a potential security risk in open source where contributors to a project could get malicious code into the software. It is possible, although difficult, to have code that reads as perfectly innocent and appears to do something else, however takes malicious action. At the very least it could introduce a vulnerability.
The reason I bring this up is I have heard of cases where a backdoor was written into software, and the offending code never found in a line-by-line audit. This happened in a previous workplace of mine, was kept rather hush-hush so we don't know what happened eventually. After having seen coding competitions where the object was to make innocent code do something malicious - and seen some very creative submissions.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Doesn't matter if it involves IT, their sex lives or what they eat for breakfast.
Unfortunately with some MPs it may involve all three.
Or maybe you are thinking of BBC EastEnders actor Leslie Grantham? Who used his IT skills to enable fans to have their own very personal TV show over their breakfast as he showed his Dirty Den....
Note: I'm posting anonymously as he's already killed at least one person...!
Has anyone noticed how very little criticism there is of the 'lowest bid' government policy, right up until the lowest bid is 'free'?
Then suddenly all the stuff they have ignored as companies took government money for software that was insecure and didn't work - that's all important!
Purely aside from the fact that Open source software has a better history of security than closed source software, the sheer fact that none of these industry mouth-pieces *cared* until it turned out the government didn't *have* to use one or another of their clients just *pisses* *me* *off*!
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
No, no, Bob was put out by MS in the 1990s. It's not up on Sourceforge.
who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
Bob. At least I know his name, and can actually talk to him, the developer, before making a decision. Megacorp may have lots of resources, but they aren't my resources. They have an interest in getting me out of the shit only if they can profit from it and even then only if they can profit from it more than they can by expending those resources elsewhere. More likely in this situation their resources are going to be directed into their legal department to get them out of the shit. Bob, on the other hand, really wants his software to work well as a point of pride, and will be positively giddy to take the relatively small amount of money, compared to Megacorp's support contract, that we will offer him to fix his code right frickin now. Bob and 10 of his best buddies will be living on caffeine and sugar until they get a patch out the door because this is the brass ring, getting paid to work on code you otherwise would work on for free. Bob, because if he screws me then I and my large organization can crush him and his buddies like bugs. I'm not in a dominant position when doing business with Megacorp, I am with Bob, so from a very Machiavellian standpoint I'm better off doing business with Bob.
Extraordinary, given the pig's ear the present lot have made of it, but people still don't trust the Tories.
That, and Cameron being equal parts smug and vapid. (Well, imho at least).
What Osborne said is sensible: "government needs to stop thinking that when it comes to procuring IT systems, big is always beautiful...We need to move in the direction of what are known as "open standards"...We're not saying that government should not use traditional licensed software - simply that open source should be used where it makes sense and can deliver better value for money" When my taxes are being wasted by big business - the £100 billion that the Government spends on IT is running nearly £19 billion over budget - then let's get real. Not every government project needs to be a mega system; small projects and incremental gains generally get there faster and with more ownership and so security.
Minds are like parachutes. They only function when they are open.
Ahh, a government security auditor, my condolences...
You will find that security fixes get rolled out very very slowly, because they are waiting for the patches to pass through various accreditation schemes... It can often take months before a patch is approved to be installed, because installing a non accredited patch removes accreditation from the rest of the system. The accreditation system is claimed to improve security, but all it really does is allow people to shift blame.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
People very rarely do proper risk assessments when it comes to software, the regular rules just get thrown out the window... Otherwise, who would buy proprietary software at all? Software from a single source, with no backup? In any other market, big business and government wouldn't touch something like that at all.
Or we can simply look at http://www.fortify.com and see that they are served by Apache/2.2.4 (Linux/SUSE)
Those open source projects are a security nightmare!!!
I call BS. I worked for a state government that bought a piece of license management software for a handful of millions of dollars. The company announced they were ending support for the project almost as soon as it went live, leaving our IS people with barely functional software and a mess of poorly documented code.
Another company I worked for purchased accounting software and support for it from a company that was gobbled up by Microsoft, then suddenly found that their support dried up, leaving my company's one IS guy with barely functional software. You may have heard of it, it was called Great Plains when they bought it.
Nothing prevents a company selling closed-source proprietary software from going belly-up tomorrow, or simply deciding that breach of contract is easier than software maintenance. On the other hand, all you need if the code is open is a few people interested in the project, or barring that you can always hire a coder to make fixes as they're needed if you have something obscure enough that the foss movement isn't already doing it.