Top Ten Myths about Open Source in Corporate IT

Paul’s remarks today about why companies should use open source software were met with a response from Ben about why open source should be used with caution. Not surprisingly, both make great points, but the exchange also prods me to finally write something I’ve wanted to publish for a while, going back to a conversation from last year that perpetuated a number of mistaken ideas about open source software. So here, from a Notes/Domino perspective, is the truth about the most popular myths about open source (in no particular order):

1) Myth: Open source software is poor quality. There are tens of thousands of bugs reported in Bugzilla sites for Firefox and Eclipse. The recent Heartbleed vulnerability shows that open source can’t be trusted for quality.

Truth: The quality of software has almost nothing to do with whether it’s open source or not. The difference between Firefox and Internet Explorer, or Eclipse and Windows, is that you can see what bugs have been reported on open source software. You have no idea what bugs have been reported for proprietary software. And when a bug with the severity of Heartbleed is discovered in an open platform, there are tens of thousands of developers and organizations all over the world that can analyze it and publish a solution. When a vulnerability is discovered in Oracle Database, there is one vendor on the entire globe that can solve it.

2) Myth: Open source software isn’t well-maintained. A quick scan of checkins at SourceForge.net or OpenNTF.org shows tons of projects that have been abandoned by their authors. There’s no telling whether code that you commit to will ever see another version.

Truth: While it is certainly true that you can find open software that hasn’t been updated in a long time, there are many excellent open packages that are actively and frequently updated by the project contributors. Public open source repositories make this easy to check, especially with sites like GitHub, where you can look at frequency and size of commits on any branch and on any fork. Of course, proprietary software doesn’t afford any protection from this problem, either. In fact, entire websites like Macrumors.com have been devoted to reading the vendor tea leaves to guess when new versions will be available and what features and fixes will be included.

3) Myth: Open source software leaves us vulnerable to lawsuits. Companies that use open source get sued by proprietary software vendors because the open source code is often copied or stolen from private software companies.

Truth: If you go to SourceForge or BitBucket and just download a random project, there absolutely is a risk of finding illegally reused code. However, open source groups like Apache, Eclipse, the Linux Foundation, Dojo and even OpenNTF employ specific processes and legal staff to perform “code clearance” that verifies that all contributors are legally entitled to contribute and that proprietary code is not reused in open source projects. These clearances are vital because so many proprietary vendors are also redistributing open source code and cannot leave themselves open to lawsuits. IBM spent $100 million successfully defending itself against such claims from SCO and has since set the standard for code clearance in the industry.

4) Myth: Open source software is written by students and amateurs. Professional software engineers work for big software vendors and get paid to put real innovation into proprietary platforms. Open source is what newbies do to pad their resumes.

Truth: If you’re calling John Carmack and Linus Torvalds amateurs, you need to quit your IT job and consider a career in custodial services. Most open software is written by career professionals, many of whom are employed by companies like Red Hat, Google, IBM, Oracle, SAP, Facebook, Twitter and yes, Microsoft. In the IBM Notes/Domino community, most open source is written by either IBMers or IBM Champions. And while many of them enjoy the nonstop stream of groupies and free beer that come with being open source contributors, most of them do it because they are addressing their own business needs in the process.

And yes, I’m kidding about the beer and groupies. Unless you’re providing them, in which case it is TOTALLY NORMAL AND WE ARE VERY GRATEFUL.

5) Myth: It is our policy not to use open source software.

Truth: You might think this is your policy. But if it is your policy, it has about as much to do with your business operations as The Lord of the Rings has to do with global politics. It is impossible not to use open source software in today’s IT. If you use Linux or Firefox or Java or Chrome or Android or MacOS or iOS or Oracle or any IBM product or any web server or any web site or any modern router, firewall, VPN, SIP gateway, VOIP system, or even lease a car built in the last 3 years, then you are using open source software. You can’t NOT use open software in the modern world because even the most proprietary, closed, opaque platforms include some open components in them, because these vendors understand that reusing open software maximizes their return.

6) Myth: Open source software has nefarious code from hackers, criminals and spies. They put in secret backdoors so they can break into the systems of people who don’t understand the importance of security.

Truth: It’s certainly possible that any given open source project might contain malicious code intended to compromise your systems. Of course, it’s also possible that any given proprietary software might contain similar code. In fact, as we know from whistleblowers, it’s quite certain that Microsoft, Google, Apple, Yahoo, Facebook and any number of other proprietary vendors are forced to provide backdoors to government agencies and are legally forbidden from telling anyone that they did it. The advantage of open source is that you can see for yourself when the backdoor is left open.

7) Myth: We can’t get support for open source software. If we use it and something goes wrong, there’s no one to hold accountable and no one to give us a fix. A bunch of kids can’t be counted on to fix bugs in a timely fashion.

Truth: Every major software vendor on the planet sells support & maintenance services on software that includes open source. Companies like Red Hat, Sencha, and Ubuntu have built global enterprises on open software. Even for relatively small projects, open source contributors are frequently willing to sell support contracts for software they maintain. And of course, using proprietary software is no guarantee that a vendor will continue to support any given product, version or feature. Customers are constantly forced by vendors to perform expensive upgrades to continue to receive support for mission critical software.

8) Myth: Using open source will invalidate our vendor support agreements. If we use OpenNTF projects on our Domino servers, when we call IBM support they will just hang up on us. We need to have full support from IBM for our systems.

Truth: This is not an open source issue. If you count on a vendor to provide support for a commercial product, that vendor will not provide support for any third-party product that they didn’t provide to you, whether open or closed. You can’t call Microsoft for support on Gimp when you’re running on Windows, but neither can you call for support on Adobe Photoshop. You can’t call Microsoft to report a problem on your Windows-based IBM Domino server. More importantly, you also can’t call for support on first-party products either. If you write your own Windows program, or your own Notes application, or your own Java application, you can’t get Microsoft or IBM or Oracle to provide you with service level agreements on your own code.

But even if you could, so what? What does support from a commercial vendor on closed software actually mean? It means that, if you can convince them to admit that the problem is indeed theirs, then they have complete discretion on whether to do anything about it. And if they choose to do something about it, then they have complete discretion on when they make the solution available to you, and whether it actually addresses your needs. And even if it’s available to you and it addresses your needs, you still have to evaluate and deploy it to your entire infrastructure. If it fails your testing, then you’re back to step 1 with your vendor. If you’re very lucky or very rich, this might only take 5 or 6 years.

9) Myth: Open sourcing some software means a vendor has forfeited ownership of it. Once a company like IBM or Google or SAP licenses some software under open source, then they no longer control it or support it and it’s left to customers to fend for themselves.

Truth: Major software vendors contribute code under open source all the time without giving up ownership. In fact, open source licenses must specifically claim ownership in order to be valid. It is only by asserting ownership that any party can say “here are the conditions for use of this code,” even if the conditions are “do whatever you want.”

Open sourcing software is a way for vendors to gain wider adoption, spread testing responsibilities, and invite customer participation in a given package. It often increases the user and revenue base of an otherwise fledgling or diminishing product. Eclipse, Android, OpenOffice, Fedora and Java are all great examples of commercial platforms that exploded in adoption and in quality when they were open sourced. Relicensing a product is simply a way of empowering users, and thus strengthening the commitment to customer success.

10) Myth: Open source is for ideologues. We run a business. The bad business practice of giving away free stuff is economically foolish and the people that do it are closet communists.

Truth: Open source is great for bottom-line ROI, provided that your business is not based on extorting customers by holding their business hostage. Since open source turns every user into a potential tester and developer, it creates enormous opportunity to spread R&D costs across entire ecosystems of adoption, rather than concentrate them in one specific firm. Since software has zero marginal cost to distribute, capital investment in fixes and features is the only real cost, so spreading it out among many firms can dramatically reduce risks. When the software is used by vendors and customers to support other commercial ventures, then the revenues from those ventures can become almost pure profit as expenses vanish. It doesn’t work for every software business model, but it does work for many of them, as the tremendous success of Twitter, Google, Red Hat and IBM has made clear.

If you think I’ve missed something, or if you think one of my truths is false, please chime in. I’m perfectly happy with this list being a living document and I invite any well-argued corrections. Please note that I am aware that in some organizations, these myths might not come from the IT department, but rather the Legal department. Russell cautioned me, “you can’t teach an attorney” and while I agree that perhaps *I* can’t, I do know that other attorneys can, so if you’re encountering objections from Legal, try to find a lawyer who’s open to reason (yeah, yeah… plenty of jokes) to champion your case for you.

Hand this list out to your colleagues, your boss, your admins, your IT management and even your legal staff. Memorize the 10 myths and be ready to pounce when you hear them advanced by the Luddites of the IT world, and together we’ll drag those relics kicking and screaming into the 21st century.

3 comments on “Top Ten Myths about Open Source in Corporate IT”
  1. Great points. A couple of add-ons come to mind. On point 7, getting support, turnaround for bugs in Extension Library within 9.0 is definitely slower than turnaround for versions on OpenNTF. And for anyone who thinks getting support is easier for supported software, I remember the discussions on the internet some years ago when pre-existing code navigating a view periodically failed because developers had not set view.AutoUpdate=false, even though that same code had worked fine on previous versions. A small company trying to get a feature or fix from a one man band who created open source is often easier than a large company trying to get a feature or fix from a company the size of IBM or Microsoft.

    On point 9, for closed software, even if you get a fix, there are only two options: use the current broken version or use the new one with the fix. If the new one introduces other bugs, tough. With open source – especially if it’s on GitHub or some other source control system with a linked issue tracking system – you can see exactly what lines of code were changed to make the fix. So you can potentially cherry-pick just that fix. Or the developer may port it back into the previous version. Either way, there can be the opportunity to apply a fix quickly with less risk.

  2. mike woolsey says:

    I think my main problem is finding what addresses my need. No prob using Linux or other well-known open source. It’s the not-so-well-known.

    Documentation on OpenNTF projects has been problematic. Though I guess I could haul out a server and set it up. But I would be an install documenter’s worst nightmare/best tester.
