Re: [Fsfe-uk] Questions about open-source from e-govt blog


From: Simon Waters
Subject: Re: [Fsfe-uk] Questions about open-source from e-govt blog
Date: Sun, 01 Feb 2004 02:17:27 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

James Heald wrote:
> 
> It may not be in my
> best interests, as government, to put the code that I've modified back into
> the public domain, especially not in the security features. If I do, then
> people know (far, far better than they know today) what we're doing and can
> look for ways to exploit it.

I seriously doubt it is "better than they do today" - it's a safe bet
most of the desktops in government run a proprietary OS from a monopoly
provider on which you can obtain all sorts of utilities and information
on abusing from any Internet search engine. Heck even popular TV series
are talking about Back Orifice these days.

If it is source code there is a big step from this to working products -
there are compiler options and environment and architecture decisions.

Yes it's easier to spot a buffer overflow with the source code, at least
if you have a copy you can assess yourself if it is bad code.

> If I don't, then next time there's an upgrade
> (based on work of all the people who do put their work back, I've got to do
> lots of integration testing, regression testing and so on. So ... do I put
> the enhancements in the public domain or not?

A clear gain against a vaguely possible downside - no brainer distribute
updates.

Better yet discuss proposed updates with the original authors they may
tell you better ways to do it, or if the change is likely to be
accepted. Or even hire the original authors.

> Let's then say that using the software I create a product - like a DIS box
> that connects departments (and local authorities etc.) to the Gateway. The
> software that I develop will need to be installed around dozens or even
> hundreds of departments. Now, I don't do that ... commercial organisations
> do that and they handle the integration and whatnot too. But how do they do
> that if I've built the open source version of a DIS? 

Non issue - how do I write a contract to have someone install some software?

> Do I just give it to
> them, can I sell it to them to recoup the costs that I have incurred in
> putting the thing together in the first place? 

If they'll buy it - sell it. Normally if you contract someone to install
or integrate systems for you, you are expected to supply the software or
the money for procuring it.

> What about if it's not me
> that puts the DIS together, but a commercial organisation ... how do they
> recover their costs?

They'll charge you for the time it takes to write or modify the
software. The radical idea you pay bespoke software developers for
developing software, rather than publishing software. Has this guy ever
contracted to buy bespoke software before?

> And I mean on a scale, commercial, fully performant basis
> here. I know that this site runs on linux - and that's a part of open source
> but I don't think it's the big part. For me it's the packages and
> integration of systems that are going to be important - how do you take
> JBOSS and some open source content system and an open source caching
> software and piece them all together to deliver a fully functional portal
> with no commercial software in it? When it's built, how do you keep it
> current, add functions and capability, block security holes, deliver
> scheduled releases with fully tested feature sets and so on. Is it just too
> early in the programme to expect this?

Urm you employ a system administrator, you hold a maintenance budget.
This guy seems to think there is something magically different about
Open Source (free?) software - it is just software - it is only that the
profit is not made from publishing.

