Many people have heard that Linux is a safe and secure operating system. It is. It has always had some fundamental features of security as a part of it, simply because it comes from Unix. That's not to say that Unix itself is extremely safe, although it can be. It is more due to the fact that it can be very secure if locked down properly and it takes some very good skills and knowledge of Unix / Linux to even begin to break it.
But there's an even more important reason why Linux is as safe and secure as it is. It is called the "million eyes" phenomenon. It means that the more people who are working on it, the more people who are likely to find problems and fix them.
Could that really mean that other Open Source software and even the products of Open Source origin might actually be more secure, safer, and even of better quality than proprietary products?
The short answer to that is, "theoretically, Yes."
The longer answer is, there is a strong likelyhood that eventually an open source product will be safer, more secure, more stable, and better than a proprietary product. But it does also mean that people have to understand what stage a product is at, in its development.
For people who use any software that has not been released by a large, commercial company, they have likely heard of the term "beta". What that means on the surface, is that the product is undergoing final, and generally public testing, prior to being released as a final, stable release.
To understand what that really means, which is quite likely that the software is perfectly safe and functional, one has to understand the life cycle of software and the desire for developers to limit their liabilities.
In a traditional, commercial software shop, a product goes through a number of phases or stages during its development which are generally:
- R&D / design / prototyping / pre-alpha
- many, many alpha revisions
- testing / beta phase
- final, for public sale / stable release
The general idea and belief is, the software is built, checked, and double and triple checked, to ensure it is of the highest quality before customers buy and use it. Of course, we often find that is far from the reality, not just with software and operating systems, but with other products, whether they be technology like phones or cars or even the food, clothing, and other items we get from the store.
People involved in certain aspects of any successful business know this, very well. For that very reason, they adjust their prices accordingly, to offset the costs of marketing and distribution, but also potential recalls and product failures and support and even legal costs that might be caused by product failure. In a very strange and surreal way, we pay companies to legally protect themselves if their product fails and we sue them.
It is often for legal reasons, that many stable, saleable software never ends up as a stable release, even though it could be. Being in beta means that the developer is implicitly stating that the software may not work perfectly, thus it is a "buyer" beware use.
While we generally do not see this type of stage declaration in other open source industries, we likely will begin to see this happen. It is, in many ways, a desirable announcement. Although we can probably assume as a buyer, that if the product has NOT been sold to us, it is, at best in beta, and it may not work perfectly nor safely, nor would we have any legal recourse. But again, keeping that in mind, if the only reason we buy something is so that we can sue the product maker if it fails, then we might want to look closer at how and why we make "buy decisions".
It is important to understand that generally, people are motivated to not be associated with poor quality, or even dangerous, products and services. It is a fairly reliable rule of thumb that, if a product is good, people might tell their friends, but if a product is bad, people are likely to tell at least ten friends. Being associated with this "bad press" means that buyers might question the next product these people are involved with. Of course this goes against the belief that any press, even bad press, is good press. But that is really just a rational based on brand awareness with an end clause of ensuring the next product is much better.
So what does this mean about the safety and security of an Open Source product?
Well first, users of open source should acknowledge that even commercial products are not 100% safe or secure. That does not mean they should assume the worst in an open source product, rather to understand that open source is no different than commercial products. Also, if a product is sold, whether commercial or open source, it falls under the same legal guidelines. If you buy something, you have the right to sue for damages if it fails under normal use.
With that in mind, it is important to look at a number of things, including the size and scope of the product, its development team, time the product has been developed and indication of what stage of development the product is at and for how long, and finally, any consumer reports, taken with a grain of salt, of both negative AND positive reviews.
Open Source is even more of a trust based industry than commercial businesses in traditional development and distribution endeavours. What is really great about open source is the ability to get involved with the development of the product and potentially the development team, at large. Developing a relationship with and getting to know the product team will make a big difference in the expectations of the product as well as helping make the product better, safer and more secure.
No comments:
Post a Comment