Because you require something (software) that you can't create and don't understand, you need someone to provide it for you. As you point out, trust is essential for this. In a modern world we all have to make this bargain since it's impossible for any one person to understand everything.
Trust is a great thing, but with it comes risk. The ancient adage, "trust but verify" applies. If you can verify how your factory control and system works with a third party the recipient of your trust is less likely to violate it. If the provider denies you the ability to inspect its operation, it's more likely to compromise your trust.
What's important then is not whether your factory admin and control system is open source, but whether the source is open to you. If its inner operation is not available for inspection then no method of testing can verify all of what it is (and importantly is not) doing.
While this may seem like a commercial vs. FOSS issue to you it's actually much broader than that. Imagine you have a teen daughter and you trust her to attend a slumber party. Would that trust extend to the location/time/attendance of the slumber party being unavailable information? What purpose would the unavailability of that information serve?
No, noone is going to custom build your specific application for free. If you pay someone to build it you have the option of requiring the sources and specifications in the contract. Required to provide this, the contractor may be motivated to do better work. If the contractor goes out of business (a possibility for any size business these days) you still have the work you paid for. If not, the next contractor has to start over.
Sure, your contractor may offer a discount to avoid providing the sources and specs. You should consider this like any other workman's offer to give you a discount for cash up front and uncertain delivery. Some contractors don't provide sources at all. Think of this as an offer to take your money without offering you an opportunity to have the work inspected, ever.
"Inspect what you expect" is a management key often said and seldom implemented. Certainly from your post I get the impression that you've been sold the idea that transparency is a bad thing. That cannot be more wrong. Whether you actually inspect or not is a separate issue but if you cannot inspect your trust will be breached eventually and the consequences could be disastrous for you.
The need for inspection carries not just to the product itself, but to the tools used to build it. Since you're paying for the product it just makes sense to specify a product that can be thoroughly inspected. Since open source tools are freely available and just as powerful it makes sense to require them where they apply. Any contractor who says they cannot perform the task has clearly bought into the black box loop of trust and cannot provide the transparent solution that you need.
FOSS solutions are transparent from end to end. This often results in less development time, more security and fewer bugs. Certainly a developer on a FOSS system does not have to rely on a different developer to explain some undocumented feature or spend time on hold waiting for some uneducated clerk in New Delhi to provide tech support. They should be able to just pull up the source and read it. If they can't understand the source code, you're using the wrong developer.
Sure, your developers can probably provide good reasons why this is all a bad idea, why they need some secret widget, why FOSS doesn't fazzle the fumpus or some such. They might caution you against getting important decision making information from such an unreliable source as the internet. Their arguments will be persuasive. To that I can only say
It's not me that's trying to get your money.
MS Security Chief:Highlights advances in TCI
on
Yet Another Windows Worm
·
· Score: 2, Informative
The report on MSNBC is truly insightful.
This patch for 2-month-old Windows Server 2003 "to fix a vulnerability that could let malicious sites run damaging code on the server."
Hilarious excerpt: "ALTHOUGH SECURITY EXPERTS â" even those at Microsoft itself â" had pointed to the companyâ(TM)s latest server OS as the first test of the software giantâ(TM)s massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices. 'It actually highlights positive progress in trustworthy computing,' said Microsoftâ(TM)s U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows."
It begs some questions: if this is progress... if this is hardened... what's he smoking?
Trust is a great thing, but with it comes risk. The ancient adage, "trust but verify" applies. If you can verify how your factory control and system works with a third party the recipient of your trust is less likely to violate it. If the provider denies you the ability to inspect its operation, it's more likely to compromise your trust.
What's important then is not whether your factory admin and control system is open source, but whether the source is open to you. If its inner operation is not available for inspection then no method of testing can verify all of what it is (and importantly is not) doing.
While this may seem like a commercial vs. FOSS issue to you it's actually much broader than that. Imagine you have a teen daughter and you trust her to attend a slumber party. Would that trust extend to the location/time/attendance of the slumber party being unavailable information? What purpose would the unavailability of that information serve?
No, noone is going to custom build your specific application for free. If you pay someone to build it you have the option of requiring the sources and specifications in the contract. Required to provide this, the contractor may be motivated to do better work. If the contractor goes out of business (a possibility for any size business these days) you still have the work you paid for. If not, the next contractor has to start over.
Sure, your contractor may offer a discount to avoid providing the sources and specs. You should consider this like any other workman's offer to give you a discount for cash up front and uncertain delivery. Some contractors don't provide sources at all. Think of this as an offer to take your money without offering you an opportunity to have the work inspected, ever.
"Inspect what you expect" is a management key often said and seldom implemented. Certainly from your post I get the impression that you've been sold the idea that transparency is a bad thing. That cannot be more wrong. Whether you actually inspect or not is a separate issue but if you cannot inspect your trust will be breached eventually and the consequences could be disastrous for you.
The need for inspection carries not just to the product itself, but to the tools used to build it. Since you're paying for the product it just makes sense to specify a product that can be thoroughly inspected. Since open source tools are freely available and just as powerful it makes sense to require them where they apply. Any contractor who says they cannot perform the task has clearly bought into the black box loop of trust and cannot provide the transparent solution that you need.
FOSS solutions are transparent from end to end. This often results in less development time, more security and fewer bugs. Certainly a developer on a FOSS system does not have to rely on a different developer to explain some undocumented feature or spend time on hold waiting for some uneducated clerk in New Delhi to provide tech support. They should be able to just pull up the source and read it. If they can't understand the source code, you're using the wrong developer.
Sure, your developers can probably provide good reasons why this is all a bad idea, why they need some secret widget, why FOSS doesn't fazzle the fumpus or some such. They might caution you against getting important decision making information from such an unreliable source as the internet. Their arguments will be persuasive. To that I can only say
It's not me that's trying to get your money.
This patch for 2-month-old Windows Server 2003 "to fix a vulnerability that could let malicious sites run damaging code on the server."
Hilarious excerpt: "ALTHOUGH SECURITY EXPERTS â" even those at Microsoft itself â" had pointed to the companyâ(TM)s latest server OS as the first test of the software giantâ(TM)s massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices. 'It actually highlights positive progress in trustworthy computing,' said Microsoftâ(TM)s U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows."
It begs some questions: if this is progress... if this is hardened... what's he smoking?