Open vs. Closed Source


Insist that Dictator Bob must:

  • Mandate open-source: 18 votes (13%)
  • Encourage open-source: 91 votes (67%)
  • Leave the issue alone: 24 votes (18%)
  • Encourage closed-source: 2 votes (1%)
  • Mandate closed-source: 1 vote (1%)

Total votes: 136

Open vs. Closed Source

Postby Hexadecimator » Mon Nov 19, 2007 12:59 am UTC

Bob just won the ultramegasuperamazinggargantuan lottery and now controls everything, the entire fucking planet. Every major player in the software industry is begging him to mandate open/closed source for all future applications and remove their competition.
Make your case to Dictator Bob, or he may eliminate your favored form of software... forever.
Do not give in, for you alone are on the true path to protecting creativity and excellence in software and ensuring freedom/just compensation for developers.

Alternately, you could take the middle ground and argue that choosing one above the other would be terrible. Though this position may be attacked from two sides instead of one, so be wary.

The first and last options are really just for any insanely oppressive dictators in the audience.
"In the beginning, the universe was created. This made a lot of people very angry and was widely regarded as a bad move." -Douglas Adams
Hexadecimator
 
Posts: 177
Joined: Thu Jul 26, 2007 10:48 pm UTC
Location: WA, USA, Earth, ZZ9 Plural Z Alpha

Re: Open vs. Closed Source

Postby Hammer » Mon Nov 19, 2007 1:05 am UTC

One reason to not go open source is that if you do, every programmer in the world can then make a specific and referenced list of all the things you did that they would have done differently as opposed to being limited to general sweeping statements about how irredeemably stupid all programmers are who aren't them.
"What's wrong with you mathematicians? Cake is never a problem."
Hammer
Because all of you look like nails.
 
Posts: 5486
Joined: Thu May 03, 2007 7:32 pm UTC

Re: Open vs. Closed Source

Postby d3adf001 » Mon Nov 19, 2007 1:21 am UTC

In this case I say let the market decide. Now let's debate security.

Security through obscurity doesn't work. If it did, one of the rules for encryption wouldn't be that the algorithm is public knowledge.
d3adf001
 
Posts: 1000
Joined: Thu Mar 29, 2007 4:27 pm UTC
Location: State College, PA

Re: Open vs. Closed Source

Postby daydalus » Mon Nov 19, 2007 1:36 am UTC

Pure 100% open source is not feasible. While it's cool to have a few technologies that run on open-source platforms, the organizations that thrive in these environments still utilize proprietary code. Take Google, for example. They use a heavily modified version of Linux OS, and of course their algorithm is secret. Say they were starting out and all their code was public - Microsoft could just duplicate their site and pour far more resources in for advertising and scaling.

Open Source is great for technologies that act to build software "infrastructure" - operating systems, web servers, databases. But the driving force behind small software startups (riding on top of open source technology) is that they can create proprietary software and sell it.
daydalus
 
Posts: 76
Joined: Thu Aug 30, 2007 4:05 pm UTC

Re: Open vs. Closed Source

Postby photosinensis » Mon Nov 19, 2007 2:48 am UTC

IT'S NOT OPEN SOURCE! IT'S FREE SOFTWARE! GET IT RIGHT YOU DOLTS!

No brave GNU world for you!
/rms (though I do think he has a point here)
While I clicked my fav'rite bookmark, suddenly there came a warning,
And my heart was filled with mourning, mourning for my dear amour.
"'Tis not possible!" I uttered, "Give me back my free hardcore!"
Quoth the server: 404.
photosinensis
 
Posts: 163
Joined: Wed Aug 22, 2007 6:17 am UTC

Re: Open vs. Closed Source

Postby Karrion » Mon Nov 19, 2007 2:52 am UTC

Generally, encourage open source but not require it. However there are some cases where use of open source should be mandatory; primarily when you're talking about governments rather than corporations. For example:
  • Software developed by government departments should be open source; the taxpayers paid for it, after all.
  • Scientific and mathematical software should be open source, because experiments must be repeatable.
  • Public records should always be kept in fully open formats; source code for a reader should be kept as well. Imagine a code change denying access to an entire country's records!
  • No electronic voting system should ever use a closed-source OS or software. Period.
Karrion
 
Posts: 91
Joined: Fri Jun 22, 2007 12:14 am UTC
Location: Melbourne, AU

Re: Open vs. Closed Source

Postby EvanED » Mon Nov 19, 2007 3:07 am UTC

photosinensis wrote:IT'S NOT OPEN SOURCE! IT'S FREE SOFTWARE! GET IT RIGHT YOU DOLTS!

No brave GNU world for you!
/rms (though I do think he has a point here)

Unless the OP actually meant open source.

Where did you get that mind-reading peripheral? That could come in handy.

Karrion wrote:Generally, encourage open source but not require it. However there are some cases where use of open source should be mandatory; primarily when you're talking about governments rather than corporations. For example:
  • Software developed by government departments should be open source; the taxpayers paid for it, after all.
  • Scientific and mathematical software should be open source, because experiments must be repeatable.
  • Public records should always be kept in fully open formats; source code for a reader should be kept as well. Imagine a code change denying access to an entire country's records!
  • No electronic voting system should ever use a closed-source OS or software. Period.

Agreed on the first, third, and fourth, but disagreed on the second. Even ignoring my ideological objections, what is a scientific or mathematical program? Does Wolfram need to open source Mathematica? What about a closed-source version of BC? What about the Windows calculator? We had to write an n-body simulation for a class assignment a while ago, does that have to be open source? Games include physics engines, do those need to be open? What if the engine is good enough to actually be used in scientific software?

I put neutral. The market is as good of a force as any here, except in limited areas like Karrion's gov't records examples. Mandating open source in general would be a stupid idea, because it would totally the ability to sell software for a profit. (Companies like Red Hat are often brought up as counterexamples to this assertion, but they aren't. Red Hat makes money mostly by providing support, not by selling software. It's a different business, and there shouldn't be external controls to say that the selling software business isn't viable.)
EvanED
 
Posts: 3767
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: Open vs. Closed Source

Postby eds01 » Mon Nov 19, 2007 3:37 am UTC

If Bob owns everything, then he can scrap the current capitalistic scheme and put in a different one with respect to software (and other creative works) - All code is open source, and coders get paid based on the utility/amount/quality of their code, as determined by a large association to which all coders (or coders who want to be paid for their work, rather) belong to.

To determine pay, you have all of the coders donate some time to review, in decent size committees, all the code of one person, and then decide which class of programmer he falls into. You could have a whole bunch of different classes (good programmer - bad programmer), and everyone in a class gets one wage. All of this is done anonymously (i.e. people don't know whose code they're reviewing, and the reviewee doesn't know the reviewers - everyone could get a unique number that they can put on their code to tie it to them, but no names go on code. Or something.)

Doing this would be good because it would encourage the coding of things properly (if you have bad coding habits, you lose money), the coding of things that add more utility (making a widely used thing less buggy, adding features to a widely used thing, or making something entirely new that fills a niche).

The only downside would be the amount of time spent in committees figuring out wages. In order to try to make individual biases less important (i.e. Linux coders giving, say Windows programmers less money), you'd need to make the committees a decent size and give them sufficient randomization. The only problem is that each coder needs to be in as many different committees as there are people in one, unless you have professional reviewers, which has problems of its own. Depending on the time that it takes for each review and the number of times each person needs to review, the system might be unworkable. However, if you can get it so reviewing others' code doesn't take up a significant percentage of time, then this system would probably be the best one to go with.
eds01
 
Posts: 109
Joined: Tue Apr 10, 2007 12:34 am UTC

Re: Open vs. Closed Source

Postby EvanED » Mon Nov 19, 2007 3:43 am UTC

eds01 wrote:If Bob owns everything, then he can scrap the current capitalistic scheme and put in a different one with respect to software (and other creative works) - All code is open source, and coders get paid based on the utility/amount/quality of their code, as determined by a large association to which all coders (or coders who want to be paid for their work, rather) belong to.


Where does the money to pay them come from? Bob's pocket? Other people providing support?
EvanED
 
Posts: 3767
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: Open vs. Closed Source

Postby Hexadecimator » Mon Nov 19, 2007 4:05 am UTC

I have to agree with the majority here: the best system here would be to let it work itself out and not get involved. A combination of both is, at the moment, the only way to have the benefits of the open-source movement while still encouraging people to study computer science. Honestly, if I knew proprietary software would be going the way of the dinosaur, I would definitely start choosing a new career path.


EvanED wrote:
eds01 wrote:If Bob owns everything, then he can scrap the current capitalistic scheme and put in a different one with respect to software (and other creative works) - All code is open source, and coders get paid based on the utility/amount/quality of their code, as determined by a large association to which all coders (or coders who want to be paid for their work, rather) belong to.
Where does the money to pay them come from? Bob's pocket? Other people providing support?
Bob does not have the expertise to implement this. Nor does he have the patience, being a new dictator consumed with using his power for personal gain, money, sex, and all the other stuff novice dictators crave. Bob will only choose something simple and easy, which he can state in 6 words or less and leave his minions to deal with.
Unless you have a plan (so Bob can say, "we'll use eds01's plan") and very compelling reasons why yours is best, Bob is not likely to listen to vague notions that involve thought and work.
"In the beginning, the universe was created. This made a lot of people very angry and was widely regarded as a bad move." -Douglas Adams
Hexadecimator
 
Posts: 177
Joined: Thu Jul 26, 2007 10:48 pm UTC
Location: WA, USA, Earth, ZZ9 Plural Z Alpha

Re: Open vs. Closed Source

Postby davean » Mon Nov 19, 2007 6:15 am UTC

Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.
davean
Site Ninja
 
Posts: 2411
Joined: Sat Apr 08, 2006 7:50 am UTC

Re: Open vs. Closed Source

Postby Karrion » Mon Nov 19, 2007 6:57 am UTC

EvanED wrote:what is a scientific or mathematical program? Does Wolfram need to open source Mathematica? What about a closed-source version of BC? What about the Windows calculator? We had to write an n-body simulation for a class assignment a while ago, does that have to be open source? Games include physics engines, do those need to be open? What if the engine is good enough to actually be used in scientific software?


I'm thinking along the lines of, if you publish a paper, and your result/analysis/etc relies on some piece of software, then the source code of that software must be available. It's central to the scientific method that others must be able to reproduce the experiment to confirm/invalidate your results, and they can't do that if there's some closed source, black box software involved.

I'm not suggesting a calculator, or even a complex equation solver, needs to be open, because the paper would include all the information needed and a human can redo all the calculations. But there should be no magical steps.
Karrion
 
Posts: 91
Joined: Fri Jun 22, 2007 12:14 am UTC
Location: Melbourne, AU

Re: Open vs. Closed Source

Postby EvanED » Mon Nov 19, 2007 7:04 am UTC

Karrion wrote:I'm thinking along the lines of, if you publish a paper, and your result/analysis/etc relies on some piece of software, then the source code of that software must be available. It's central to the scientific method that others must be able to reproduce the experiment to confirm/invalidate your results, and they can't do that if there's some closed source, black box software involved.

Okay, so what counts as a "paper"? Is a technical report enough, or does it have to be refereed? And what happens if the person doing the research isn't the one who wrote the software? Is the publication prohibited, or can you force someone else to open source their program by using it for research? Or do you just compromise on that point and say "this is an exception"?

Or what if the software is deterministic? Say you're running a supposedly cycle-accurate simulation of a proposed computer system. (I have no clue if such programs are actually deterministic or not, but I could certainly see them being so.) It doesn't matter if you give someone the program, because it will produce the exact same results. Is the fact that someone else can look at the code and say "that looks reasonable" enough to force it to be open? It seems that for something like that, for repeatability, what you really want is for another team to implement the same thing without seeing the original.

I still think there are a lot of practical problems with this.
EvanED
 
Posts: 3767
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: Open vs. Closed Source

Postby Notch » Mon Nov 19, 2007 9:10 am UTC

photosinensis wrote:IT'S NOT OPEN SOURCE! IT'S FREE SOFTWARE! GET IT RIGHT YOU DOLTS!

No brave GNU world for you!
/rms (though I do think he has a point here)


rms is quite insane. Polarizing the issue by forcing developers to choose all or nothing is bad on so many levels. Forcing people to be free or die is not the same as freedom, it's a fncking crusade.

Whenever I release code, I usually just dump it into the Public "go-nuts-do-whatever-you-want-I-hope-you-can-use-any-of-it" Domain. Doesn't get much more open or free than that.
Notch
 
Posts: 318
Joined: Tue Dec 12, 2006 5:52 pm UTC
Location: Stockholm, Sweden

Re: Open vs. Closed Source

Postby Matthias » Wed Nov 21, 2007 6:48 am UTC

I think that software should function the same way American copyright law did when it first began. Back then, you were able to copyright your own work for 14 years, and if you liked could file for an extension of another 14, and that was it. You know what that did? It prevented stagnation in the arts, that's what it did. You didn't have Walt Disney studios holding onto Mickey Mouse 75 years after the artist died; how the hell does that benefit anyone? It prevents third parties from exploring the IP in new and interesting ways, and it reduces Disney's need to develop new characters.

Source code should be the same way. Sure, any given company should be able to benefit from their engineers' hard work--for a time. But after that, the people at large, and the industry at large, should have the benefit of enforced open source for any given piece of software. For one, it would allow "garage developers" to use already-established engines and code to develop software that would otherwise be far out of their reach, and therefore far out of the consumer's reach. And for another, it would force larger companies to constantly improve their own software instead of relying on re-vamped versions of outmoded source code.

Don't let us suffer the iron hammer of another Windows ME.
Love may be blind, but lust has x-ray vision.
Avatar shamelessly plucked from PMOG.

Also, it turns out I'm not dead--I'm just a right bastard who disappears from the internet for months at a time every so often.
Matthias
 
Posts: 275
Joined: Wed Sep 12, 2007 4:55 am UTC
Location: Out of context, probably.

Re: Open vs. Closed Source

Postby Amnesiasoft » Sat Nov 24, 2007 10:24 pm UTC

Matthias wrote:I think that software should function the same way American copyright law did when it first began. Back then, you were able to copyright your own work for 14 years, and if you liked could file for an extension of another 14, and that was it. You know what that did? It prevented stagnation in the arts, that's what it did. You didn't have Walt Disney studios holding onto Mickey Mouse 75 years after the artist died; how the hell does that benefit anyone? It prevents third parties from exploring the IP in new and interesting ways, and it reduces Disney's need to develop new characters.

Source code should be the same way. Sure, any given company should be able to benefit from their engineers' hard work--for a time. But after that, the people at large, and the industry at large, should have the benefit of enforced open source for any given piece of software. For one, it would allow "garage developers" to use already-established engines and code to develop software that would otherwise be far out of their reach, and therefore far out of the consumer's reach. And for another, it would force larger companies to constantly improve their own software instead of relying on re-vamped versions of outmoded source code.

Don't let us suffer the iron hammer of another Windows ME.

Get out of here, you're not allowed to use logic in a religious war. (Read: I agree)
Amnesiasoft
 
Posts: 2573
Joined: Tue May 15, 2007 4:28 am UTC
Location: Colorado

Re: Open vs. Closed Source

Postby zenten » Sun Nov 25, 2007 4:16 pm UTC

davean wrote:Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.


For this purpose wouldn't the obscured code be no more useful than a binary anyway?
zenten
 
Posts: 3765
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Re: Open vs. Closed Source

Postby davean » Tue Nov 27, 2007 2:11 pm UTC

zenten wrote:
davean wrote:Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.


For this purpose wouldn't the obscured code be no more useful than a binary anyway?


No, it isn't that bad to patch a small issue with obscured code or the like and recompile. It also allows you to recompile it for an arch or lib update without much trouble. Obscured code is much more flexible than a binary without giving away the (easily usable) source. There is a long history with obscured source in higher end software or, there was.
davean
Site Ninja
 
Posts: 2411
Joined: Sat Apr 08, 2006 7:50 am UTC

Re: Open vs. Closed Source

Postby zenten » Tue Nov 27, 2007 4:06 pm UTC

davean wrote:
zenten wrote:
davean wrote:Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.


For this purpose wouldn't the obscured code be no more useful than a binary anyway?


No, it isn't that bad to patch a small issue with obscured code or the like and recompile. It also allows you to recompile it for an arch or lib update without much trouble. Obscured code is much more flexible than a binary without giving away the (easily usable) source. There is a long history with obscured source in higher end software or, there was.


But doesn't a decompiler just output obscured source code anyway?
zenten
 
Posts: 3765
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Re: Open vs. Closed Source

Postby davean » Tue Nov 27, 2007 5:03 pm UTC

zenten wrote:
davean wrote:
zenten wrote:
davean wrote:Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.


For this purpose wouldn't the obscured code be no more useful than a binary anyway?


No, it isn't that bad to patch a small issue with obscured code or the like and recompile. It also allows you to recompile it for an arch or lib update without much trouble. Obscured code is much more flexible than a binary without giving away the (easily usable) source. There is a long history with obscured source in higher end software or, there was.


But doesn't a decompiler just output obscured source code anyway?


Um ... decompilers often can't decompile large portions of it at all. It isn't exactly a reversible transformation. You can guess at *some* parts of it but huge chunks will just be left assembly. No, that doesn't work the same at all.


/me grumbles about people who hear about something and like to throw it around but don't actually know what it does
davean
Site Ninja
 
Posts: 2411
Joined: Sat Apr 08, 2006 7:50 am UTC

Re: Open vs. Closed Source

Postby lalop » Sat Oct 01, 2011 6:17 pm UTC

daydalus wrote:Pure 100% open source is not feasible. While it's cool to have a few technologies that run on open-source platforms, the organizations that thrive in these environments still utilize proprietary code. Take Google, for example. They use a heavily modified version of Linux OS, and of course their algorithm is secret. Say they were starting out and all their code was public - Microsoft could just duplicate their site and pour far more resources in for advertising and scaling.


On the other hand, so could everyone else. This would drive down the price of the search (for instance, someone would provide it for less obtrusive ads) until it was a perfect competition. Sure, Google wouldn't be raking in the big bucks anymore, but that might not be an intrinsically bad thing. It would force companies to constantly innovate or go out of business as their competitors copy them. A "delayed open source" system, where Bob requires you to provide the source after a certain period of monopoly, might work in this regard.

And if you've innovated your area to the point where the consumers can't notice any further difference in your improvements, then it's time to move on to another area, rather than just leeching off it for an indefinite number of years. That's not bad; that's economic efficiency.

davean wrote:Closed source is allowed, but if any piece of software isn't maintained for 3 months, every user of that software must get an obscured copy of the source code which they are allowed to produce derivative works of and distribute freely.

At least obscured source must come with all software.


As a twist on this idea, every closed source is required to be accompanied by the encrypted source code, the keys to which must be given to neutral parties who analyze whether bugfixes are still being implemented (hey, I never said it was practical..) . If not, then future generations are guaranteed the opportunity to make the fixes themselves.

Something like this is pretty badly needed, though the implementation details are naturally up to question.
lalop
 
Posts: 120
Joined: Mon May 23, 2011 5:29 pm UTC

Re: Open vs. Closed Source

Postby Iranon » Sun Oct 02, 2011 5:30 am UTC

Mandate source availability after a period of time for adequate exploitation, if something useful can be enforced without too many contortions.
LEGO won't be ready for the average user until it comes pre-assembled, in a single unified theme, and glued together so it doesn't come apart.
Iranon
 
Posts: 37
Joined: Wed Jul 28, 2010 6:30 am UTC

Re: Open vs. Closed Source

Postby Meem1029 » Sun Oct 02, 2011 7:45 am UTC

Of course if you have a certain amount of time after which source is open, you run into problems defining exactly when to count time from. When the code was first written? When the last revision of the code was made? Do they have to do a rolling release of source corresponding to when each part was written?
cjmcjmcjmcjm wrote:If it can't be done in an 80x24 terminal, it's not worth doing
Meem1029
 
Posts: 377
Joined: Wed Jul 21, 2010 1:11 am UTC

Re: Open vs. Closed Source

Postby Iranon » Sun Oct 02, 2011 9:50 am UTC

There are many problems with the concept of mandated open source, time-delayed or not. "We lost a bet and had to write it in a dialect of malbolge, honest!"
LEGO won't be ready for the average user until it comes pre-assembled, in a single unified theme, and glued together so it doesn't come apart.
Iranon
 
Posts: 37
Joined: Wed Jul 28, 2010 6:30 am UTC

Re: Open vs. Closed Source

Postby songandsilence » Fri Mar 09, 2012 4:15 am UTC

Time mandated OSS code would be a good thing, especially considering that (for example) MS doesn't make a goddamned dime off of Win 9x anymore, and never will again. Opening (or, even better, libre-ing [is that even a word? I'm sure there's a better one, but I cba to think of it right now]) the source code for fucking ancient (read: 10+ years/no longer useful to the general public/etc) software should be released to the world. Keeping with my MS example, the Wine project would benefit greatly from old 9x/NT 4.x code (and possibly in a year or two, XP code).

I see no reason why any project that a company no longer supports or even profits from (Seriously, who's [minus the small sect of people who are still installing 98 for some old-ass game/nostalgia/they own a computer that's 15 years old with extreme sentimental value {most of them are on the xkcd fora already, so... well, you guys/gals}] out buying something that goddamn old to begin with?)

Use the old code to enhance new code. Maybe your long-lost bugfix is buried in code that's as old as your dog?

If nothing else, we'd (eventually) get to see exactly why ME failed so hard, line by line.
songandsilence
 
Posts: 3
Joined: Sun Dec 12, 2010 10:06 pm UTC
Location: Same state as Kirk

Re: Open vs. Closed Source

Postby EvanED » Fri Mar 09, 2012 5:11 am UTC

songandsilence wrote:Time mandated OSS code would be a good thing, especially considering that (for example) MS doesn't make a goddamned dime off of Win 9x anymore, and never will again. Opening (or, even better, libre-ing [is that even a word? I'm sure there's a better one, but I cba to think of it right now]) the source code for fucking ancient (read: 10+ years/no longer useful to the general public/etc) software should be released to the world. Keeping with my MS example, the Wine project would benefit greatly from old 9x/NT 4.x code (and possibly in a year or two, XP code).

IMO you're being contradictory here, at least to the extent you believe (and I do) that at least to some extent, Wine's gain is MS's loss.

As you point out, having the source to old versions of Windows would likely greatly advance the state of Windows-compatibility on Linux. (Even though old versions of Windows are missing important APIs needed now, it would still give the Wine folks a very good base to start from of course.) And that would come at a detriment to MS.

Imagine XP being open sourced now. With the OSS world's efforts brought to bear on bringing it up to date, how many people would go with "XP 2012" instead of Win8? (Well, maybe it would take a few years to get up to speed. But that argument would apply in a couple release cycles.)

MS's profit from Win 95 being closed and still under copyright may be indirect, but that doesn't mean they aren't profiting from it.

Even the original copyright terms (including renewal) would only be seeing the first versions of MS-DOS entering public domain now. In my opinion proposals like yours are absurd. The CS world moves fast, but that doesn't mean that old things become worthless from a copyright standpoint (i.e. protect a person or company's investment), or that old software isn't continuing to have an indirect effect on today's profits.

I'm not opposed to substantial copyright reform (including drastically cutting down the time span) and wouldn't even necessarily be opposed to something like a "source code escrow" provision with some means for dealing with true abandonware. However, I am much further toward the "pro-IP" side of the scale than it seems a lot of techies are, and I think that 10 years is way too short. If anything, in that time scale it's more important in our world than it is in, say, music and movies.
EvanED
 
Posts: 3767
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: Open vs. Closed Source

Postby Choscura » Sat Mar 31, 2012 8:37 pm UTC

There have been a few 'mandate open source' points that all seem to end up forcing code to be revealed once it is (or should be) obsolete. Brilliant plan; enforce conformity that benefits no one.

Encouraging open source is the only viable way to do things. There are things that should be closed source (eg, your bank's website), even if they use open source components (eg, encryption/hashing algorithms or APIs). There are probably things that should never be open sourced, because being able to reverse engineer them would mean they would cease being effective at accomplishing critical goals (example: Paypal's "Igor" tool). Everything else should be built around an open and freely available standard, so that everybody knows (or can easily find out) what has to be accomplished, why, and how it is currently being done.
Choscura
 
Posts: 1
Joined: Sat Mar 31, 2012 8:24 pm UTC

Re: Open vs. Closed Source

Postby hotaru » Mon Apr 02, 2012 8:34 pm UTC

Choscura wrote:There are things that should be closed source (eg, your bank's website), even if they use open source components (eg, encryption/hashing algorithms or APIs). There are probably things that should never be open sourced, because being able to reverse engineer them would mean they would cease being effective at accomplishing critical goals (example: Paypal's "Igor" tool).

Because we don't want security vulnerabilities in banking software to be reported and fixed, right? If anything, this is the kind of software that absolutely must be open source. Security through obscurity is no security at all, and relying on it for banking is just idiotic.
Code:
#include <stdio.h>

int main()
{
 struct { unsigned a:3, b:3, c:2; } n = {0};
  do do printf("%hhu\n", *&n);
  while(!(n.a-- && !++n.b));
  while(++n.c);
  return 0; } 
hotaru
 
Posts: 931
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: Open vs. Closed Source

Postby Jplus » Mon Apr 02, 2012 9:52 pm UTC

Actually open-sourcing software doesn't necessarily improve its security either. The only way to get something as secure as possible is to design it with security in mind and keep checking and double-checking it really really well. Open-sourcing is a way to facilitate the checking, but it's neither sufficient nor required to make something secure.
Hey, like coding? Perhaps you should check out the red spider project.
Feel free to call me Julian. J+ is just an abbreviation.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Open vs. Closed Source

Postby troyp » Wed Apr 04, 2012 5:52 pm UTC

Jplus wrote:Actually open-sourcing software doesn't necessarily improve its security either. The only way to get something as secure as possible is to design it with security in mind and keep checking and double-checking it really really well. Open-sourcing is a way to facilitate the checking, but it's neither sufficient nor required to make something secure.

This just seems pointlessly pedantic to me. You pretty much concede hotaru's point (offhandedly), but insist that open-sourcing is neither necessary nor sufficient for security.

I mean, I don't think anyone thinks releasing software under a BSD license somehow magically corrects security holes. The point is, it does facilitate the discovery (and disclosure) of vulnerabilities, whereas closed-source* software does the opposite.

* Technically, I guess we're talking about source-availability rather than licensing, but mostly it ends up being the same thing. And actual free software is likely to have more (friendly) eyes on it, anyway.
troyp
 
Posts: 398
Joined: Thu May 22, 2008 9:20 pm UTC
Location: Lismore, NSW

Re: Open vs. Closed Source

Postby Jplus » Wed Apr 04, 2012 8:27 pm UTC

I don't agree with hotaru that banking software should necessarily be open source, so I don't see how I'm conceding their point. Count to ten before calling someone pedantic, please.

There are many ways to discover vulnerabilities. You can also pay people to do it.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Open vs. Closed Source

Postby troyp » Wed Apr 04, 2012 11:02 pm UTC

Jplus wrote:I don't agree with hotaru that banking software should necessarily be open source, so I don't see how I'm conceding their point. Count to ten before calling someone pedantic, please.

Fair enough, I didn't realize you were disputing that point.

Jplus wrote:There are many ways to discover vulnerabilities. You can also pay people to do it.

You think that's sufficient? How are the bank's customers going to pay someone to do it when the auditor has no access to the source code? Why would anyone have confidence in this software that's being hidden from view? And if this bureaucratically-determined security person is actually competent and finds vulnerabilities that have existed for some time, do you think the public is ever going to learn of them?
troyp
 
Posts: 398
Joined: Thu May 22, 2008 9:20 pm UTC
Location: Lismore, NSW

Re: Open vs. Closed Source

Postby Jplus » Thu Apr 05, 2012 10:35 am UTC

troyp wrote:
Jplus wrote:There are many ways to discover vulnerabilities. You can also pay people to do it.

You think that's sufficient? How are the bank's customers going to pay someone to do it when the auditor has no access to the source code? Why would anyone have confidence in this software that's being hidden from view? And if this bureaucratically-determined security person is actually competent and finds vulnerabilities that have existed for some time, do you think the public is ever going to learn of them?

The customers pay the bank, and they are entitled to expect that the bank takes care of the security. The bank should thence be paying professionals to look for vulnerabilities and report them to the developers of the software. The professionals that look for vulnerabilities may also get access to the source code, even if the source is not open to the public. "Closed source" doesn't mean "nobody gets to see it", it means "the owner decides who gets to see it". I assume that most banking companies are wise enough to actually put their software to testing and inspection.

Note that
  • for a banking company, publishing the source of their software might boil down to helping their competitors;
  • AFAICT, all banking companies in the world use proprietary banking software;
  • customers generally do feel entitled to expect that the software is secure;
  • most of the customers would never be able to verify that the code is secure by themselves, even if they had access to it;
  • for the customers, there is no added value in learning about a specific vulnerability after it's fixed;
  • it's in the banking company's interest to warn customers about vulnerabilities if no immediate fix is available.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Open vs. Closed Source

Postby hotaru » Thu Apr 05, 2012 4:54 pm UTC

Jplus wrote:
  • for the customers, there is no added value in learning about a specific vulnerability after it's fixed;

i don't know about you, but i would certainly like to know if someone might have accessed my personal data or made changes to my account.

also, after seeing at least one bank's attitude toward physical security of their computers[1], i'm not very confident that they'd even consider the possibility that there could be vulnerabilities in their software.

[1]
me: "obviously somebody got into your computers and changed your records."
bank rep: "even if someone got in, it's impossible to change those records."
me: "who has physical access to the computer that the records are stored on?"
bank rep: "no one has physical access to it."
me: "who fixes it if it stops working?"
bank rep: "i don't know, but i'm sure they wouldn't do anything like that."
hotaru
 
Posts: 931
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: Open vs. Closed Source

Postby annarose » Fri Apr 06, 2012 1:59 am UTC

What about a Creative Commons type approach? Make most things open source so that people could learn from them and adapt them for their personal needs, but if they use it to make money then they would owe a percentage of their profits to the original author.
annarose
 
Posts: 5
Joined: Tue Mar 20, 2012 4:56 pm UTC

Re: Open vs. Closed Source

Postby lorb » Fri Apr 06, 2012 10:15 pm UTC

Jplus wrote:it's in the banking company's interest to warn customers about vulnerabilities if no immediate fix is available.


It's also in the banking company's interest to look like there are no vulnerabilities. (Also, if there is no (immediate) fix, warning the customers also gives a hint to possible attackers.)
Please be gracious in judging my English. (I am not a native speaker/writer.)
lorb
 
Posts: 135
Joined: Wed Nov 10, 2010 10:34 am UTC
Location: Austria

Re: Open vs. Closed Source

Postby troyp » Sun Apr 08, 2012 12:52 am UTC

Jplus wrote:The customers pay the bank, and they are entitled to expect that the bank takes care of the security.

Well, I agree with that, but I'm not inclined to just trust banks to do the right thing.

Jplus wrote:"Closed source" doesn't mean "nobody gets to see it", it means "the owner decides who gets to see it".

My point was that the bank's customers have no way to verify whether the code is secure... or indeed anything about the software whatsoever (for instance, if a consumer organization wanted to compare the software used by several major banks, they could not do so).

Jplus wrote:for a banking company, publishing the source of their software might boil down to helping their competitors

It would amount to the various banks helping each other. They could collaborate in developing and testing a shared platform. Certainly companies have shown an ability to cooperate when it comes to, say, price-fixing. I'm sure they could do it here as well.

Jplus wrote:for the customers, there is no added value in learning about a specific vulnerability after it's fixed

That's like saying a car insurer gets no value in knowing about a driver's past collisions. The bank's customers certainly have an interest in the bank's track record of security (which is also why the bank has an interest in hiding it).

Jplus wrote:it's in the banking company's interest to warn customers about vulnerabilities if no immediate fix is available.

Only if they feel it's too risky to keep silent. If they think they can get away with it, they'll cover it up and hope nothing happens until they patch it.
troyp
 
Posts: 398
Joined: Thu May 22, 2008 9:20 pm UTC
Location: Lismore, NSW

Re: Open vs. Closed Source

Postby lynkyn » Mon Apr 30, 2012 11:08 pm UTC

If you voted anything but "Encourage open-source", you can expect to wake up in a very unhappy place tomorrow morning.
lynkyn
 
Posts: 12
Joined: Thu Dec 01, 2011 11:04 pm UTC

Re: Open vs. Closed Source

Postby Jplus » Tue May 01, 2012 10:10 am UTC

lynkyn wrote:If you voted anything but "Encourage open-source", you can expect to wake up in a very unhappy place tomorrow morning.

That's what I did, but still I don't see exactly what you mean (except for the extremes). Care to elaborate?
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Open vs. Closed Source

Postby lynkyn » Tue May 01, 2012 12:29 pm UTC

Jplus wrote:
lynkyn wrote:If you voted anything but "Encourage open-source", you can expect to wake up in a very unhappy place tomorrow morning.

That's what I did, but still I don't see exactly what you mean (except for the extremes). Care to elaborate?

Mandating open/closed is just insane. Encouraging closed sends people in the wrong direction. And just leaving it alone will make people forget, and eventually revert to closed.
lynkyn
 
Posts: 12
Joined: Thu Dec 01, 2011 11:04 pm UTC
