Open Source .NET Development [Electronic resources] - Text version


Brian Nantz



Open Source, Free Software, and Shared Source. Oh MY!


Free Software


Free means many different things to different people. Free is such a simple term that you may not think it needs any clarification. We use this term rather loosely; for example, a free world, free enterprise, and of course a free lunch. Well, all I can say is that you better be very sure what is meant when someone refers to "free" software. To clarify matters, the Free Software Foundation (http://www.gnu.org/philosophy/free-swl) has defined "Free Software":

"Free software is a matter of the users' freedom to run, copy, distribute, study, change, and improve the software. More precisely, it refers to four kinds of freedom, for the users of the software:

  • The freedom to run the program, for any purpose (freedom 0).

  • The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.

  • The freedom to redistribute copies so you can help your neighbor (freedom 2).

  • The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this."


In this context, free then refers to "not suppressing the use of" rather than "reducing the price of" something. Figure 1-1 shows the relationship between Open Source and Free Software. Note that these terms are not interchangeable but are overlapping somewhat.

Figure 1-1. Software Licensing Models.


Shared Source


Shared Source is somewhat close to freedom level 1 but is not considered Free Software at all because you cannot adapt it to your needs. You can look at the source, and that is about it. Microsoft uses a modified version of Shared Source in their release of the System.Security.Cryptography Code (http://www.gotdotnet.com/team/clr/samples/eula_clr_cryptosrc.aspx). As the name implies, Microsoft's Shared Source Common Language Infrastructure (SSCLI) is also under this license. These are great learning tools, but you cannot use them or modified versions of these products in your product. For instance, you cannot use the SSCLI, which runs on Windows XP, FreeBSD, and Mac OS X to enable your clients to run your .NET applications on multiple platforms in a commercial setting.

Open Source Software


The term "Open Source" was created by a group of people who thought that Free Software was too radical a concept to market to most corporations. Obviously, this book focuses on Open Source and freedom levels that allow you access to the source code. This is typically what is meant when referring to "Open Source." Bruce Perens has written a wonderful definition of Open Source on his Open Source Initiative (OSI) Web site (http://opensource.org/docs/def_print.php). In his definition, he outlines ten criteria for Open Source:

  • Free Redistribution

  • Source Code

  • Derived Works

  • Integrity of Author's Source Code

  • No Discrimination Against Persons or Groups

  • No Discrimination Against Fields of Endeavor

  • Distribution of License

  • License Must Not Be Specific to a Product

  • The License Must Not Restrict Other Software

  • The License Must Be Technology-Neutral

I will not elaborate on these criteria since Bruce puts it so succinctly on the OSI Web site. It is worth noting, however, that Open Source is a development philosophy or methodology. As such, it is not operating system- or programming language-specific.

    Open Source Licenses

    The OSI Web site lists the accepted Open Source Licenses shown in Table 1.2. As listed in the definition of Open Source, the license must be distributed with the code. It is safest to only use code that uses one of these licenses.

    Table 1.2. Open Source Licenses

    Academic Free License

    Apache Software License

    Apple Public Source License

    Artistic License

    Attribution Assurance Licenses

    BSD License

    Common Public License

    Eiffel Forum License

    Eiffel Forum License V2.0

    Entessa Public License

    GNU General Public License (GPL)

    GNU Library or "Lesser" General Public License (LGPL)

    Lucent Public License (Plan9)

    IBM Public License

    Intel Open Source License

    Historical Permission Notice and Disclaimer

    Jabber Open Source License

    MIT License

    MITRE Collaborative Virtual Workspace License (CVW License)

    Motosoto License

    Mozilla Public License 1.0 (MPL)

    Mozilla Public License 1.1 (MPL)

    Naumen Public License

    Nethack General Public License

    Nokia Open Source License

    OCLC Research Public License 2.0

    Open Group Test Suite License

    Open Software License

    Python License (CNRI Python License)

    Python Software Foundation License

    Qt Public License (QPL)

    RealNetworks Public Source License V1.0

    Reciprocal Public License

    Ricoh Source Code Public License

    Sleepycat License

    Sun Industry Standards Source License (SISSL)

    Sun Public License

    Sybase Open Watcom Public License 1.0

    University of Illinois/NCSA Open Source License

    Vovida Software License v. 1.0

    W3C License

    wxWindows Library License

    X.Net License

    Zope Public License

    zlib/libpng License

    Mozilla Public License

    You can obtain the licenses by visiting the OSI Web site. Using code that contains a license that someone has just made up is dangerous. A modification of one of the above licenses may be acceptable but would require in-depth inspection.

    Open Source "Free-ness"

    The FSF has coined a term called Copyleft, which obviously is a play on the word "Copyright," to refer to software that fits their definition of Free Software Freedom Level 3. This means that you are free to use, modify, and distribute code as you see fit, as long as you do not deny this same freedom to the code from someone else. In Figure 1-1 you can see that there is an overlap of Open Source and Free Software. That implies that the FSF does not view all Open Source as free. Of course Open Source software does imply Freedom Level 1 and 2. FSF's Web site categorizes the overlap (see http://www.fsf.org/licenses/license-listl):

    Copyleft Compatible Licenses

    • GNU GPL

    • GNU LGPL

    • modified BSD License

    • zlib

    • W3C License

    • Python License

    • Zope Public License v2.0

    • Eiffel Forum License v2.0


    Non-Copyleft Compatible Licenses

    • Apache

    • original BSD License

    • Open Software License

    • Zope Public License v1.0

    • Nokia Open Source License

    • Qt Public License (QPL)

    • Jabber Open Source License


    Keep in mind that it is fine to use an Open Source Licensed product that is not considered Free Software in your products. You just have to understand the license requirements as well as the goals of your product.

    Open Source Myths

    I have found that there are a lot of unjustified claims about Open Source. As I have already mentioned, this topic leans somewhat toward advocacy. Open Source is a hotly debated topic with substantial firepower existing on both sides. Here I will do my best to take an objective look at Open Source so that you can make an informed decision in your Open Source policy, which all companies should have.

    Open Source Code Is More Stable

    More eyes do not equal better code. More educated and experienced eyes do mean better code. Cryptography best-practices suggest opening your code for public review. Most often, counterintuitively, this results in more secure code. On the other hand, I will say that with Open Source, most developers want to look good in the eyes of their peers and refine their code to the best of their abilities before releasing it to the public. Recently, Reasoning Inc. (http://www.reasoning.com) compared a few products to promote their Code Inspection Solutions for C and C++. While C and C++ code inspection tools are becoming more and more commonplace, the results of the study are interesting on two levels. First, most of the coding problems found were variable initialization and null pointer problems. These problems are all but eliminated in C#. Secondly, the results in a nutshell are that not all Open Source products are more stable; it just depends on the product. Sorry, no silver bullet here. The first study from Reasoning is comparing the Linux TCP/IP stack against five commercial equivalents. Their findings were that the Linux implementation's bug density is much smaller than even the best of the commercial products. So this proves that Open Source is more stable, right? Not so fast. The same company conducted a study of Apache 2.0 source code. It might shock you to find out that the density of defects in Apache was quite a bit higher than most commercial Web servers. But before you get too hard on Apache, realize that according to Netcraft (http://www.netcraft.com), the first version of their product pretty much runs the Internet (see Figure 1-2).

    Figure 1-2. Most Common Web Servers according to May 2003 Netcraft Survey.

    Open Source Code Is More Secure

    The CERT Coordination Center (http://www.cert.org) tracks computer security incidents and vulnerabilities and publishes security alerts based on this information to the general public. The rate of increase of security incidents is astounding (see Figure 1-3).

    Figure 1-3. CERT Security Incident Reports.


    As you can see, to say that the security incidents have grown rapidly in the last few years is an understatement. For this reason, I have taken all the CERT incidents from 2000 to 2002 and categorized them based on whether they are proprietary products or Open Source. The results are found in Figure 1-4.

    Figure 1-4. CERT Security Incidents from 2000-2002.

    Appendix E. This data is not conclusive and comprehensive by any means. There are many security incidents that are never reported to any organization, but CERT is definitely the authority in this area. My personal view on security is that the higher the reward, the more incentive for a hacker. In other words, a hacker may not have as much incentive to hack an Open Source product as a proprietary product because he will not get as much recognition. So there are subtle things to consider when interpreting security incidents.

    Open Source Code Is Cheaper

    Cost is the most controversial subject when it comes to Open Source. Even when you are given something, there are always costs associated with it. If given a free car, you must evaluate if the maintenance costs of that car are reasonable so that you can justify taking it. However, if given a house, you usually cannot go wrong in taking it unless it is in a bad location. These examples are decisions that are somehow easier for most people to make than when it comes down to software. Only time will tell if Open Source and its proponents will outperform proprietary software companies. Just as with cars and houses, Open Source software decision-making is going to be unique to every organization. For instance, I accepted cars in high school that I would be embarrassed to drive today. The same is true with software. A struggling startup company might find Mandrake Linux (http://www.mandrake.com) and Open Office (www.openofffice.org) wonderful solutions, whereas a middle-size or larger company may feel safer using a product that has commercial technical support such as Windows and Microsoft Office.

    NOTE


    This does not imply that Linux (and other Open Source products) do not have commercial technical support available because most of them do. Nor does this imply that Open Source products are only suitable for small companies, for there are several large companies that depend on Open Source.

