On 9/13/2022 7:11 PM, Thiemo Kellner wrote:
> Am 13.09.22 um 23:55 schrieb Chuck Zmudzinski:
> > On 9/13/2022 4:14 PM, Thiemo Kellner wrote:
> > I think Megha is emphasizing, and possibly over-emphasizing, the fact
> > that the persons who actually commit the code in free software projects
> > can operate with little or no oversight when they are just volunteers
> > not really accountable to anyone.
> And I very much think she is wrong there. Being a software developer
> myself, unfortunately closed source mainly, I can tell that oversight is
> not related to the licensing model or the pay of the developer. I would
> go to the length to say that volunteers take, in general, a bigger pride
> in the quality of their work, because they are not paid for it. The few
> quite fruitless attempts at writing OSS that I took failed sometimes
> because I intend to create the perfect solution and thus do not
> progress, whereas in the work for money I am often forced to implement
> a working solution that I can tell from the start will not be easily
> maintainable or extendable.
> > to think the situation might be better if either 1) open source
> > projects exercised more oversight than they currently do over the
> > persons who actually write the code and release the software
> As I already said. In over 25 years of experience, I do not have
> complaints about the oversight taken by OSS projects, whereas I
> regularly can complain about closed source paid-for software. In the
> past two weeks I was hunting down a problem we had with IBM DataStage.
> One of the parallel subprocesses terminated unexpectedly and all the
> message DataStage cared to give was that the subprocess received a
> SIGINT. We hope to have a workaround, because we could not find the
> source. To me, one of the worst things one can do as a developer is not
> to have proper error reporting - unless you know you will not get
> bothered when the shit starts to hit the fan.
> > , or 2) free/oss software never became ubiquitous. We just cannot
> > know without being able to do a time machine experiment and see how
> > the software world would have developed if free/oss software had not
> > become as ubiquitous as it is today.
> I cannot agree with you at all on this point. Omnipresence of OSS does
> not mean there are more errors in the code. It just means there are
> more users to detect problems, thus more possibilities for the bugs to
> get fixed. Sure, if OSS developers are overloaded they will not get to
> fix all the problems, just as developers on CSS (closed source
> software). Much more, because the salesman can sell better new shiny
> features, even if useless, than stable code. The buyer expects that
> flaws get fixed for free, maybe rightly so, thus the CSS company will
> fix as few bugs as it can get away with (exaggeration).
> > If there was not a serious problem of malware, identity theft,
> > ransomware, etc., I would be more inclined to question what Megha
> > Verma wrote, but based on what I see in how free/oss projects are
> > governed, I am not surprised that a world that relies on so much
> > free/oss software also suffers from so much malware, ransomware,
> > identity theft, etc.
> Again, my experience with OSS is not this one. And I very much think
> that malware, ransomware usually is software on its own, not built into
> any software. Maybe exploiting a backdoor a company put in their
> products for ease of maintenance or just by negligence. Identity theft
> sounds like social engineering or a man in the middle attack. The
> latter not necessarily being a problem of OSS.
> > Just because *you* have not experienced malware in the software you
> > use does not mean that there are no cases where free/oss software is
> > being deployed elsewhere in a stealthy way for malicious purposes.
> I did not state that OSS was free of flaws and bugs. I make a point to
> state that in my experience there are fewer bugs therein than in CSS.
> > I am fairly sure I was a victim of the breach of Yahoo that affected
> > hundreds of millions of its users.
> I am sorry for you. I do not know this case, so I cannot tell whether
> OSS or CSS components of their service were breached, or even a social
> engineering case.
> > I know people will reply and say it is much worse with proprietary
> > software. But we really cannot know for sure, because free/oss is so
> > ubiquitous now it is hard to separate free/oss software from
> > proprietary software.
> I certainly can tell my experience comparing OSS to CSS. And there OSS
> gets better off. And for the rest, well, I cannot tell it is this or
> the other way around at all.
> > For example, most web browsers are based on chromium, a free oss
> > project that comes in large part from Google, but some of the
> > most-used browsers in the world based on chromium are proprietary,
> > such as chrome and edge.
> I am not sure that this holds true. I would be quite surprised that
> chromium or edge can legally use code of an OSS browser, being CSS. But
> I am not an attorney.
> > I recommend everyone be very aware of the risks of using any software,
> > whether it be proprietary software or free/oss software in today's
> > world of so much malware.
> Nice final point.
Thanks for your excellent observations from your own experience. I cannot dispute anything you say. The only thing I would add is that free/oss projects need to be vigilant so the poor practices of closed source software development do not creep into free/oss projects.