Open Source Security: Still a Myth
Subject: Does the author really know about open source software?
Date:   2004-09-21 04:37:42
From:   lozano
The author says:

In the meantime, plenty of commercial and governmental organizations are still concerned that open source software is usually less secure than proprietary software. They are worried that open source developers are too much "hacker" and too little "engineer," cobbling together solutions without going through a structured software engineering process (such as requirements, specification, and analysis).

My experience with commercial software development, in-house development, and contributing to open-source projects is the opposite of this. Open source projects tend to have a more formal and complete software engineering process than most commercial projects.

They need to, because otherwise they cannot manage a large and dispersed developer community. Closed, proprietary software projects may not, simply because you'll never know if they really do what they say.

Most software houses I've worked for don't even have basic things like version control and configuration management in place. Having the feature in the "enterprise IDE" they bought is not the same as using it. Most of them use CASE tools to reverse engineer the code (after it is "done") so the customer gets the fine UML documentation for the system, which is very different from doing requirements, specification, and analysis.

Saying that open source projects in general are too much "hacker" is just echoing FUD. That's not the way most well known (and not so well known) FSOSS projects are actually done.

So, if you compare "commercial" software versus FSOSS (which is already a mistake; the distinction should be proprietary vs. FOSS, as there is a lot of commercial open source software) from a software engineering process and quality control standpoint, most of the time FSOSS proves stronger.

It's funny: when I do consulting for companies willing to adopt FSOSS development tools, I spend more of the time teaching sound software engineering practices (like formal unit testing) than FSOSS philosophy or the tools per se.

The author also seems to ignore the level to which "commercial" software packages today depend on FSOSS software, like IBM and Oracle app servers using Apache, or Java IS using jakarta-commons. They wouldn't do this if they were not properly engineered.

Reply: Does the author really know about open source software? (2005-01-18 20:56:44, musnat)
