News item: as reported on the securityfocus Web site, after two years of operation, a government-funded research project intended to carry out open-source security auditing is shutting down. So, open sources critics must be right: Theres never a free lunch. It would be best for everyone to head back, chastened, to the arms of big commercial software vendors, right? Before we do that, it would be instructive to take a closer look at what happened.
Bankrolled by a grant from DARPA, the Sardonix initiative (www.sardonix.org) was to replace the loosely structured Linux security review process with a public Web site that would meticulously track the auditing of code for security holes. Auditors would be ranked by the amount of code they examined and the number of security holes they found, and they would lose points if another auditor subsequently found bugs they missed.
Despite the inducement to gain a favorable reputation among a small circle of security cognoscenti, not enough volunteer auditors signed up. “I got a great deal of participation from people who had opinions on how the studliness ranking should work and then squat from anybody actually reviewing code,” SecurityFocus.com quoted Crispin Cowan, chief research scientist at WireX Communications, who organized the project.
While open sources opponents belittle the phenomenon, open sources proponents have sometimes put too much stock in the model, believing, in effect, that its enough to turn writing and debugging software into a game. Neither viewpoint is correct.
The Sardonix site is not proof of the bankruptcy of the open-source model, but it does shed light on what motivates the development and debugging of software. Open source works when, like anything else, there is a clear incentive for those working on it. Financial reward is one kind of incentive and can be relied on to keep the commercial software industry humming. The incentive to work on open source is less obvious but nonetheless real.
The idle quest of programmers for glory in a tiny peer group is not what makes the open-source model work. The better code that can be made is a real incentive of the open-source movement. Better code, in turn, delivers greater value in running information systems because it has few bugs, runs faster and requires less support. This improves the competitiveness of enterprises that use open-source software. Lower cost is an added inducement but an often-debatable one. Another key incentive is choice. IT buyers are increasingly placing priority on preserving freedom of choice by avoiding vendor lock-in, a criterion on which open source has a convincing message.
Quality code and freedom to choose, not contrived auditing games, will propel open source as far as it can go, and the end of the journey is not yet near.
eWEEK is interested in your views. Send them to [email protected].