Reality check – does Open Source have a place in Government?

And how free is open source really?

There’s been a bit of a kerfuffle recently about the use of Open Source software in Government. Alongside a number of other announcements and initiatives, it’s been suggested that free Open Source software is the future, rather than horrid proprietary stuff from evil software vendors. And like many of the other announcements, I feel it’s my job to question them, and this one in particular.

Mark Ballard’s excellent blog in Computerweekly.com referred to a meeting where an MoD architect heckled Open Source types. The crux of the matter is that the MoD is a hodgepodge of systems all plumbed together, and many of these systems in my experience are not based on the most current software platforms. It’s hard enough in many cases to get the incumbent vendors to support systems, let alone move systems to new ones. And many of the systems used by the MoD are literally mission critical, so it’s not like you can take them offline over the weekend. So, if you can’t get the MoD to move to the latest version of their current software, it seems likely that they are not about to move to something new, free or otherwise.

The MoD is an extreme example, but across the public sector, organisations are struggling with similar questions. And the whole Open Source debate is still mainly of a theological bent, i.e. ‘I believe in Open Source’. It’s another one of these situations where a nice lazy ‘it’s a bit like communism’ cliché helps to get the point across. So, it’s a bit like communism. In principle, free software sounds brilliant. Free software that is subject to considerable peer review sounds even better. Free is my favourite colour, but if it was that simple we’d all be doing it, and people like me would be presenting mid-afternoon game shows on Sky.

Here’s the problem with free. If it’s free, it means nobody has spent money building it, testing it, or making it nice and easy to use. Or offering support contracts. Or doing training. And the other problem with free is that it’s not, is it? You have to develop it to fit your needs and ensure it meets open standards so it will interoperate with those crazy fools who bought from evil software vendors.

There are some circumstances where Open Source makes huge sense (e.g. operating systems on dedicated security appliances), but Open Source is not the answer it appears to be at first glance. And from a security point of view, anything that requires lots of fiddling to make it work is unlikely to get the big tick from our friends in Cheltenham. And that’s hard enough if you ARE an evil software vendor, let alone some Open Source chappie.

So, the message is, yes look at Open Source and yes deploy where you see fit. But don’t kid yourself it’s free, and don’t kid yourself it’s secure.

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I