Open source safety - Tories vindicated?


The most surprising thing about George Osborne's recent Open Source announcements was the lack of backlash.

That the UK's Conservative Party, possibly the next government, have endorsed a report that they commissioned, a report that recommends Open Standards, Open Procurement and Open Source as the pillars of a Conservative Government's Public Sector IT policy, was, on the whole, accepted as not only inevitable, but in many parts of the IT press regarded as one of the few instances in recent times of a prominent politician talking sense on the subject of IT!

When you stop for a moment to consider the massive vested interests in the status quo, and remember that the Times recently reported £100 billion Government spending here (£19 billion over budget), you will, like me, wonder why there wasn't a bigger counter-attack!

On to the backlash...

According to an American company that sells a 'static code analyser', the UK Conservatives are both 'misguided' and 'ignoring' security risks by suggesting that the UK Public Sector may very well benefit by opening up procurement, insisting on Open Standards, and reducing the UK taxpayer's multi-billion-pound annual bill for closed proprietary software.

It's quite a damning pronouncement, so let's ignore the obvious accusations of drive-by PR opportunism to sell a proprietary product with FUD and political personality tail-gating. Let's take the claim seriously and examine it!

The research leading to the 'security risks' conclusion is almost a year old - the report was released last summer. The research consisted of running eleven Java packages through their own 'static code analyser'. From this they concluded that all Open Source software can be of patchy quality.

Can anyone spot the obvious holes in this?

Well, for starters, we've got the purely language- and logic-related ones: generalising from a tiny, tiny sample, extrapolating that a major UK political party are "misguided" for not reaching the same conclusions as themselves on security, and so on.

The bigger holes come when you put the specifics of the research into context.

There are tens of thousands of Open Source projects, probably most of which are at a stage where not even the most enthusiastic Open Source advocate would suggest you run your company, let alone your country, on them.

Very few of these projects are built in Java. Indeed, Java itself was only "Open Sourced" relatively recently, and its short Open Source lifespan should be compared and contrasted with, say, those of two much better known Open Source projects such as Apache or BIND (synonymous with the global DNS system, which has been running the internet for decades).

Perhaps a mature Open Source project well known for being recommended for use in the Enterprise would be a better choice to generalise from? And perhaps a larger sample of enterprise-class Open Source projects, rather than some recently opened Java modules, would give a better basis for a valid conclusion?

If the Tories had suggested that the UK Public Sector should be built of Java packages perhaps we should be worried, but they didn't.

They suggested that the UK taxpayer might benefit from Open Procurement, Open Standards and a bit more software that has proved secure, cost-effective and reliable for global players like Google and UK giants like Specsavers, and for that we should surely applaud them for seeking to save masses of taxpayer's money at a time when we most need it.