Self-policing in open source
One of my OSBC partners, Brett Haskins, has started The Project, an online short film competition. (Some of the films are excellent. Take a look.)
One of my favorites - Citizen's Arrest - reminds me of open source self-policing of IP violations:
Actually, open source policing works much more effectively than this short video depicts. I had a prospective customer ping me the other day about open source IP safety: what's to keep some rogue developer from dropping malicious code into Alfresco, SugarCRM, Linux, or Project-of-your-choice?
Everything. I'm actually surprised this question still comes up. Here's the gist of what I told him:
- Transparency. This is the foundation of all open source security. If someone somehow manages to get malicious code, or someone else's IP, into an open source project, it's very easy to spot the problem and resolve it, before a lawsuit happens. But this will rarely happen (except in roll-your-eyes cases like SCO) because...
- It's simply not possible to commit code to a project without a lot of credibility on that project. IBM developers spent two years contributing to Linux before they were taken seriously and given "committer" status. I know few evil, rogue developers (OK, I don't actually know any) that would have the patience to invest two years in a project just to subvert it. Lesser, but still important, projects (anything from Plone to Mule) may require less time, but the principle is the same: it is not easy to get committer status on good projects.
- You'd have to sneak it past the marshal. Nearly all open source projects have one person who makes the ultimate decision on whether code is accepted or not. Linus for Linux. Or a company, if it's a commercial open source project. It's not the case that people can just drop code and run. Well, they can, but it won't make its way into the code base. And speaking of companies...
- Since when is a proprietary company more trustworthy than an open source one? Or more careful? Many of the enterprise-facing open source projects today are driven by corporations, and those corporations care just as much as Microsoft et al. about security, IP integrity, etc. The fact that we choose to open source our code doesn't minimize our commitment to ensuring the code we deliver is safe. On the contrary, it probably makes us more aware of these factors and driven to remove concerns.

1 comment:
Matt,
3 Questions for you:
What, in your mind, are the responsibilities of the community?
What is the roadmap to responsibility in a community?
What does the level of responsibility observed within a community indicate -- say for a commercial open source organization?