This is one of those topics that I have discussed in many formats, and even discussed here before this thread.
Summary of things I remember:
Open Source advantages/Disadvantages:
* OpenSource Source Code is cleaner / Not necessarily
* Source code is available for audit / "bad people" can also audit it
* "Nothing ever dies, it just changes maintainers" / Sometimes nobody maintains it
* People do it for the love of it / People also have real jobs, and unfunded OpenSource developers still have to eat.
* Many little parts built by many different people follow the *NIX way / even if every part is assumed to be secure, border cases can exist that are not examined in detail where security is lost based on assumptions or poor documentation of APIs
* One person is in charge / in charge of volunteers who may or may not agree to the plans and direction of the maintainer -- risk of forking exists.
Closed Source advantages/Disadvantages:
* Closed Source Source code is cleaner / Not necessarily
* There is one ultimate source for security issues for any product / Kind of but not really. Interoperability issues still exist, but generally fewer parts from dissimilar sources.
* There is better tech support / Some products do, some products don't, and some support is expensive.
* As a customer, I have better legal defense to sue / Not really. EULAs often mean loss of rights
* I get updates in a timely manner / not with all applications, and when a product is EoL, you may be SOL unless you upgrade. If you have other products that depend on an older version, then you are SOL when a hole is discovered, and not fixed by the vendor
* It is harder for people to find and exploit security holes / Yes and no. The skills required are different, but this is an example of "Security by Obscurity"
* Closed Source has fewer bugs / not proven, and not easily proven from just bug reports and security fixes. Bugs may still exist, but not be exposed to "many eyes."
There are bad programmers in both camps.
There are good programmers in both camps.
Where I work, we have a mix of proprietary, commercial, closed source applications and OpenSource applications.
We are still running EoL products, because other products required by (for example) PeopleSoft need these "current" products, which force us to run EoL products to make them work. There are issues where there are apps that need Oracle 8*, even though we want to standardize on Oracle 10. We actually have Oracle 8, 9 and 10 here.
From a security perspective, it really sucks. We buy or build filtering systems, or "application proxies" that perform sanity checks of data before passing it through to the commercial applications.
Some would say, "Just dump the company that is not supporting its product!" Nice idea, but re-educating users to a new and different product is very costly, and something that the decision makers do not wish to include in a budget.
We have and use OpenSource, and I am glad it exists. I like OpenSource. We have Proprietary, Commercial software, and I am glad that we use certain applications that are closed source, considering the equivalent OpenSource products. Though it would be nice to have an OpenSource product that is as stable, reliable, and well supported as some of these commercial ones, there aren't, and my Zealotry ends where work begins.
Given two products that are equal in all ways except for one being OpenSource, and the other being closed source, I would choose the OpenSource-- even if both products go EoL, we can still hire someone to upgrade and patch the OpenSource version, or do it ourselves if we have time.