Softpanorama


Introduction: Open Source Security Risks


A number of technology analysts have observed that there is a pattern in the adoption of a new technology. First there is slow adoption; then, after a critical mass of early adopters is reached, there is tremendous excitement (the hype phase), followed by disillusionment. Those technologies that survive the disillusionment stage may eventually become popular in their markets and move into the mainstream. The hype period usually starts with some arbitrary "trigger event", where one event or a series of events generates huge publicity and exposes the technology to a wider audience. A "peak of hype" follows, where great things are universally expected. As people learn more about the technology, it starts to struggle to meet the inflated expectations. Inevitably, this leads to disillusionment. For solid technologies the final stage is the "plateau of productivity", when the technology becomes mainstream. Sometimes, as was the case with Java, the cycle ends with a more realistic understanding of the limitations of the new technology and creates a new growing industry. Often a technology can be so hyped that it never meets expectations, as we saw with object-oriented databases. In that case the disillusionment period means a shrinking number of vendors and the movement of the technology off the primary scene.

We judge that open source is currently close to the peak of the "hype phase" and that information about it should be assessed critically. That does not mean that open source technology is a fake: it is actually a very useful technology that has already proved its value in enterprise environments. Still, the current expectations are extremely, unrealistically high. As Linus Torvalds, the central figure in Linux kernel development, noted, "open source can not cure world hunger."

There's a lot of hype surrounding Linux, but the reality behind the myth is that there are numerous issues related to deploying the technology, which require considerable expertise and effort. Many people and companies use Linux, but not many are using complex configurations with clustering, failover, etc. You are more likely to see simple "multiple single-server" environments.

Definition

The term "open source" is used to refer to three somewhat different phenomena:

Each represents a different aspect of open source, and each will be briefly discussed here, as it is impossible to understand the security of Linux without understanding the broader picture of the open source movement, including the current level of hype. As this is a security paper, we will discuss openly the problems and weak spots of open source. This does not mean that closed source software is better; it just means that open source has its own unique set of problems, and they are quite different from the problems of closed source software, which are also many.

The typical model for software acquisition involves the purchase of closed source software solutions from the major vendors. Closed source software is any software whose source code is hidden from the public view. Under most licenses the user cannot modify the program or redistribute it. Closed source products encompass the spectrum from server operating systems, application development platforms, office productivity suites, to small yet often expensive utilities. Each of these software solutions has an initial investment cost, maintenance and/or upgrade costs.

Organizations are now starting to embrace open source solutions as a cost-effective alternative to these closed source products. Open source solutions differ from closed source in many ways, cost being only one of them. Open source solutions are typically licensed free of charge, although some companies such as Red Hat, Novell, IBM, Oracle and Hewlett Packard (HP) sell versions of open source software together with related maintenance, so called commercial open source. The following features distinguish open source licenses [OSI1999]:

  1. Free Redistribution. The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.
  2. Source Code. The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost preferably, downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.
  3. Derived Works. The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
  4. Integrity of The Author's Source Code. The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.
  5. No Discrimination Against Persons or Groups. The license must not discriminate against any person or group of persons.
  6. No Discrimination Against Fields of Endeavor. The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
  7. Distribution of License. The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
  8. License Must Not Be Specific to a Product. The rights attached to the program must not depend on the program's being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.
  9. License Must Not Restrict Other Software. The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.
  10. License Must Be Technology-Neutral. No provision of the license may be predicated on any individual technology or style of interface.

Among the many open source licenses, the GPL, BSD, X Consortium, and Artistic licenses are all examples of licenses that can be considered conformant with the Open Source Definition. We will briefly discuss them later. The GPL is by no means the only license for open source products. There are multiple, different (and potentially GPL-conflicting) source licenses for applications (Open Source License Hell). Experience has shown that the license for a product, or its interpretation, can change abruptly (as was the case with MySQL).

Illusion of open code

The openness of "open source code" is subject to discussion. In most cases the level of openness is exaggerated and is actually the same as for closed source code, which is almost always obtainable under an NDA agreement. In practice the open source model operates more like a shareware model and has very little to do with openness of the source. As such it does cut distribution costs and can provide high quality software. But this advantage has very little to do with open source, where "modifiability" of the code base by the end user is the defining principle.

The shareware model of software development has proved to be a viable one. Think about such shareware products as RAR, TotalCMD, FAR, etc. They beat both the best open source applications *and* commercial applications in their areas.

But the shareware distribution model has nothing to do with open source.

Actually, in the case of both the RHEL and Suse distributions, source code is more of a marketing trick than a real asset: there is too much of it, and it is too poorly documented to be useful. RHEL is essentially a private kernel based on Linux, so here the situation is even more complex. Attempts to use it at the source code level bring a lot of unanticipated trouble. Even recompiling applications can be a non-trivial task.

In this sense only Gentoo is loyal to the "open source" as a principle. Both Red Hat and Suse are to a certain extent deviations.

Moreover, for most large open sourced components, even in the best case you get "assembler code", not high level code, as there are no credible attempts to document it and simplify modification of the source base by the end user. There are even deliberate attempts in the opposite direction: attempts to keep the code as low-level and as poorly documented as possible to preserve a competitive advantage. That means an open betrayal of the KISS principle, and that can be a partial reason why we have all those non-maintainable C or C++ monstrous distributions and applications. C became the assembler code of the XXI century, so calling a C codebase open is a bit of a stretch, as it is open only for those who can spend hundreds of hours digging in that codebase.

The real problem for Linux is how it can compete on a TCO basis with products like Windows 2003 and Solaris 10 in the enterprise space. Hobbyists will always gravitate to something that can be downloaded for free, and that means they can stay loyal to Linux despite all the TCO perversions in the enterprise space that we observe with Linux. But for enterprises the key issue is cost in the long run, and here Linux faces real problems, as Red Hat is probably the most expensive proposition of the Microsoft, RH, Sun troika.

So cutting bureaucratic red tape is a very nice feature, but not enough to positively differentiate open source. And for Red Hat the existing TCO level does spell trouble in the near future, when the IBM-inspired marketing fog about the "new Linux system" (which is actually 14 years old) dissipates. More and more articles about "successes" of enterprise Linux deployments look like plain vanilla marketing hype. See for example "Computing: Linux Cuts Costs for Finance Firm" (LinuxToday Feb 24, 2005) for a nice example of such a story.

Linux as the major open source software project is different from closed source OSes (and from other open source alternatives like FreeBSD and OpenBSD) in several major aspects:

It should be noted that most large corporations that have never started a formal deployment of Linux already have some limited exposure. Usually some guerrilla installations can be found among IS and research staff.

GPL licensing of the Linux kernel and related adoption of Linux by the hacker world

Linux is licensed under the so called GNU General Public License (GPL) version 2. The GPL is a free software license created by the GNU project in 1985 [Stallman1985]. It is also referred to as the GNU GPL and was developed by Richard Stallman, the creator and leader of the GNU project [Stallman1999d].

The purpose of the GPL is to grant the user almost unlimited rights to copy, modify, and redistribute programs (rights normally prohibited by copyright), and to ensure that those rights are preserved in any derivative works [FSF1991]. In contrast, end-user licenses for proprietary software deny those rights, and usually prohibit further redistribution of the software and creation of derivative works. The main controversy around the GPL is connected with granting third parties the right to "use, modify, and redistribute the program's code or any program derived from it but only if the distribution terms are unchanged." The GPL does not allow redistribution of private, closed source modifications of the codebase. Any changes must also be distributed under the GPL (the viral quality).

Additionally, the GPL does not allow the incorporation of licensed programs into proprietary software, or into any software licensed under a license that does not grant the same rights as the GPL. For this reason the GPL is often called "the incompatible license". There is only one exception: software libraries that are normally distributed with the compiler or operating system may be linked with programs licensed under the GPL.

An alternate form of the GPL, the GNU General Library Public License or LGPL, allows the linking of free software libraries into proprietary executables [FSF1999a]. This is a more acceptable license for private companies, as this way commercial development can also benefit from free software.

Probably partially due to the anarchistic nature of the license, the Linux system has become the No.1 platform for hackers of all kinds. That creates additional security issues for enterprise customers who deploy Linux, as they need to defend their turf against an opponent who knows the system better, does not need additional resources to create test systems, and does not need to pay money to acquire the knowledge required to use the system, including knowledge of its internals. In the case of Linux, hackers play the game on their own home turf. We should not absolutize this problem, as the mere volume of the code serves as a good deterrent for all but the most motivated hackers, but it is still a factor to consider, as it contributes to an "ego-pleasing" stream of vulnerabilities (not only individual hackers but also some small security companies are involved). This stream creates a "patching pressure" that significantly (to the level of Microsoft systems) increases the cost of maintenance.

The recent adoption of Linux by big players like IBM slightly increases the level of comfort among big enterprise customers, but the concerns still remain. Partially for this reason Linux is considered by security specialists the most vulnerable OS (along with Microsoft Windows), and companies do need to exercise some caution in Linux deployment and carefully select the deployment target to maximize the benefits and minimize the risks of such a deployment.

Other Open Source Licenses and Open Source License Hell

The term "Open Source" was adopted in large part because it sounds more "enterprise friendly" and is promoted by Linux distributors such as Red Hat that sell "commercial open source", and also because there is a multitude of other free software licenses that often conflict with each other, creating legal problems for users. There are several related terms that the reader needs to understand: free software, public domain software, freeware and shareware.

The term "free software" is often used as a synonym for the anarchistic social ideology of "software liberation", whereas Open Source is a more commercially oriented term. For example, the Free Software Foundation advocates free software as a right, emphasizing the ethical obligations associated with software distribution [Stallman1999a]. Open Source is more commonly used to describe the business case for free software, focusing more on the development process and software quality than on any underlying moral requirements.

Various free/open source software licenses have been developed, and they often conflict with each other. All free/open source licenses disclaim all warranties. The intent is to protect the author from any liability associated with the software. Since the software is provided free of charge, this is a reasonable condition, but the issue becomes more complex for expensive commercial distributions like Red Hat, where yearly licensing fees are comparable to closed source software fees.

The major open source software licenses include GPL, LGPL, BSD, and Artistic license. The following table provides a comparison of several common licenses.

Table 1. Comparison of various free software licensing practices (X = yes, - = no).

Column key:
  (A) Can be linked with closed source (proprietary) software
  (B) Modifications can be taken private and distributed commercially
  (C) Modified version can be distributed under a different license
  (D) Contains special privileges for the original copyright holder over your modifications

License          (A)  (B)  (C)  (D)
GPL               -    -    -    -
LGPL              X    -    -    -
BSD               X    X    X    -
Artistic          X    X    X    X
Public Domain     X    X    X    -

The GPL is a political manifesto as well as a software license, and much of its text is concerned with explaining the rationale behind the license. This has alienated many developers. For example, Larry Wall, creator of Perl and the Artistic license, says: "the FSF [Free Software Foundation] has religious aspects that I don't care for." [Lash1998]. A less strict version of the GPL, called the LGPL, is often used for libraries.

The X license and the related BSD and Apache licenses are more acceptable to commercial companies. They essentially codify the academic ethic, in the sense that they grant all rights in return for nothing more than honest acknowledgment of the code's source. The most important difference is that modifications to BSD-licensed software can be made closed, and any BSD-licensed program can be modified and redistributed without including the source or applying the BSD license to the modifications. Other developers have adopted the BSD license, including the developers of the X Window System (X license) and the Apache web server (Apache license).

The Artistic license was originally developed for Perl, but it has since been used for other software. Its terms are more loosely defined in comparison with other licensing agreements, and the license is more commercially oriented. For instance, under certain conditions modifications can be converted into closed source. Furthermore, although sale of the software itself is prohibited, the software can be bundled with other programs, which may or may not be commercial, and sold.

Legal Risks Due to SCO Lawsuit

On March 7, 2003, the SCO Group (formerly known as Caldera Systems) filed a $1 billion lawsuit against IBM for allegedly "devaluing" its version of the UNIX operating system through the use of the GPL for SCO's proprietary code, including the code jointly developed for the Monterey project (a former joint project with IBM to develop a 64-bit enterprise Unix, a successor of AIX and UnixWare for use on the Itanium CPU, which IBM later abandoned in favor of Linux). The amount of alleged damages was later increased to $3 billion, and then to $5 billion. SCO claimed that IBM had, without authorization, contributed SCO's intellectual property to the codebase of the Linux operating system. Though IBM is the only company named in SCO's lawsuit, other Linux vendors, like Red Hat, could suffer collateral damage.

Since then, the claims and counter-claims made by both sides have escalated, with both IBM and Linux distributor Red Hat starting legal action against SCO, and SCO sending threatening letters to large companies known for wide adoption of Linux.

On September 30, 2003 judge Kimball granted the SCO Group's request for a delay until February 4, 2004, "to file any amended pleadings or add parties to this action". This pushes the start of the actual lawsuit back until 2005.

Although the chances of SCO winning this lawsuit seem slim, it is premature to dismiss the lawsuit as complete nonsense, as many Linux enthusiasts do. SCO may not be very good at making a profit by selling software (last year the company lost $24.9 million on sales of $64.2 million). But historically it has a very good record of getting what it wants from other companies, and it has a tight circle of influential friends. In 1996, SCO's predecessor company, Caldera, bought the rights to a decrepit version of the DOS operating system and used it to sue Microsoft, eventually shaking out a settlement believed to be about 155 million dollars. In 1997, Darl McBride, now SCO's chief executive, sued his then employer, IKON Office Solutions, and won a settlement that he says was worth multiple millions. McBride joined Caldera as chief executive in June 2002. Two months later he changed the company's name to the SCO Group, based on the name of the Unix-on-Intel vendor that Caldera had purchased in 2001 from its creator, The Santa Cruz Operation. There are some striking similarities between the 1996 DOS lawsuit against Microsoft and the current lawsuit over Unix and Linux.

SCO is basically owned and run by the Canopy Group, a Utah firm with investments in dozens of companies. Canopy's chief executive, Ralph J. Yarro III, is chairman of SCO's board of directors and engineered the suit against Microsoft in 1996.

In an action that affects large companies directly, in May 2003 SCO sent letters to about 1,500 of the world's largest corporations warning that they could be liable for using Linux. "We believe that Linux infringes on our Unix intellectual property and other rights," the letter said. "We intend to aggressively protect and enforce these rights. Legal liability that may arise from the Linux development process may also rest with the end user." [Shankland2003]

In March 2004 SCO sued two big Linux enterprise customers, AutoZone and DaimlerChrysler [Shankland2004b].

AutoZone has responded to SCO's legal challenge by filing a motion to stay the lawsuit until SCO vs IBM, SCO vs Red Hat and SCO vs Novell have been fully litigated. A failure by SCO to prevail in any one of these cases would resolve the AutoZone lawsuit in favor of AutoZone, as according to AutoZone's motion the case depends on SCO being able to establish that SCO owns the Unix code in question, and that AutoZone has infringed that code by using Linux. These are issues to be directly resolved by the other pending lawsuits.

In its lawsuit against Daimler-Chrysler, SCO claimed alleged violations of its UNIX software agreement with SCO, as Daimler-Chrysler is a licensee of SCO UnixWare. According to the official SCO press release:

SCO's lawsuit seeks the following relief:

  • Enter an order that DaimlerChrysler has violated Section 2.05 of the Software Agreement by refusing to provide the certification of compliance with the "provisions" of that Agreement;
  • Enter an order permanently enjoining DaimlerChrysler from further violations of the DC Software Agreement; and
  • Issue a mandatory injunction requiring DaimlerChrysler to remedy the effects of its past violations of the DaimlerChrysler Software Agreement; and
  • Award damages in an amount to be determined at trial; and
  • Enter judgment in favor of Plaintiff together with costs, attorneys' fees and any such other or different relief that the Court may deem to be equitable and just.

The lawsuit was later dismissed by the court on the basis that Daimler-Chrysler no longer uses SCO UnixWare and thus does not need to comply with the licensing agreement.

Some Linux distributors feel threatened by the SCO lawsuit and have countersued. On August 4, 2004 Red Hat, Inc. filed suit for Declaratory Judgment, requesting permanent injunctions, costs, and treble damages from SCO, on the basis that there is no infringement of trade secrets or copyright by Red Hat in Linux, and that SCO is engaged in false advertising in violation of the Lanham Act, deceptive trade practices, unfair competition, and trade libel and disparagement. On April 8, 2004 a Delaware district judge rejected the SCO Group's request to throw out Red Hat's lawsuit against it, but stayed the case pending the result of SCO vs. IBM. Judge Robinson said it would be "a waste of judicial resources" for the case to continue while litigation between IBM and SCO continues in Utah. That case isn't due to be heard until next year.

Novell hasn't countersued, but has made the case that SCO doesn't own what it thinks it owns - rights to System V UNIX - which completely undermines SCO's case against IBM [Orlowski2004]. The SCO Group has sued Novell, claiming the born-again Linux company is interfering with SCO's right to collect money from Linux users. The 'Slander of Title' suit - which is invoked when ownership of a contested property has not yet been established by the courts - seeks to block Novell from filing further UNIX copyrights that SCO claims are rightfully its own. On October 7, 2003 Novell produced a document that contains a summary of Novell's interpretation of the 1995 technology license agreement with SCO [Novell2003] and claims that Novell has the right to indemnify its customers under the agreement.

Participation in SCO's licensing program appears very weak. Though Microsoft has entered into a license agreement with SCO "to respect SCO's intellectual property", the move is widely regarded as a way to provide the financially strapped SCO with funds to survive prolonged litigation, which can indirectly benefit Microsoft by weakening its major competitor IBM.

There are many complications involved in the case, including but not limited to:

As of August 2004, the lawsuit is still not resolved, but generally the developments favor IBM's case. Still, Linux enterprise customers might fear a train wreck, given that in a shrinking market the intellectual-property agendas of some of the largest IT companies appear to be on a collision course. The fast-growing popularity of Linux and other open-source products has garnered the attention of large commercial vendors, who see opportunities for building open-source communities that ultimately work much like outsourcing, contributing to the bottom lines of their for-profit software using the free labor of the computer enthusiasts involved in those open source projects. For instance, IBM hopes to encourage developers to write applications in Java, greasing the wheels for sales of its expensive WebSphere middleware and other commercial products.

But the potential to run afoul of intellectual-property claims, combined with the sheer proliferation of open-source projects, means customers need to make open-source choices carefully. One particular area of concern is patents. Concerns about what software patents the city of Munich, Germany, might violate in moving 14,000 PCs from Windows to Linux caused city officials to delay those plans. Patent issues could be a "catastrophe" for the city's Linux effort, an official says.

Open Source Risk Management Inc., a startup that offers insurance against patent and copyright claims involving open source projects, released a study that cites 283 possible patent claims that might be applied against Linux. A third of the patents are owned by Linux backers, including Hewlett-Packard, IBM, Novell, and Oracle, which are unlikely to assert claims. For example, an IBM spokesman stressed that "IBM has no intention of ever asserting its patent portfolio against the Linux kernel unless forced to". Still, a lot of patents that are potentially violated in Linux code are owned by Linux opponents like Microsoft, or by neutral parties that could at some point become hostile to Linux, like Sun.

Linux Indemnification Issues

Indemnity is when one party holds another party harmless in the event that, as a result of a contract that exists between the two, a third party brings a claim against one or both of the original two parties. When you offer someone indemnity, you are acting as if you were the insurer with respect to third party claims. If SCO is that third party and it sues you, the company that's holding you harmless will stand between you and SCO as a shield, covering legal costs and absorbing any damages you sustain as a result of entering this contract [Rosenbaum2004].

It's worth stating that there is a way to avoid getting sued altogether, which is essentially what SCO wants to enforce. This might be a good option for any image-conscious company that wants to avoid the legal limelight. One is simply to pay SCO $699 per server for a perpetual license of their intellectual property. According to SCO's Stowell, "The license that we are offering to commercial end users of Linux is called the SCO Intellectual Property License. The end user is provided with a license that allows them to run SCO's intellectual property as it is found in Linux in binary form only. This license is meant to apply to any version of Linux (based on the 2.2 kernel and later) that is being run in a commercial environment." [SCO2004] A major advantage of going this route is that it is Linux distribution neutral.

Another option to minimize the chances of being sued is to run open source software on another operating system, one that includes indemnification (Solaris, HP-UX). Of the four major commercial Unixes (AIX, HP-UX, Solaris and Linux), AIX is the most risky from the intellectual property standpoint and will be harmed in the unlikely case that SCO succeeds, because of SCO's revocation of IBM's Unix license. Until the SCO lawsuit is resolved, IBM's AIX should be considered the most vulnerable Unix flavor. Also, only Solaris and Linux are available on the Intel architecture. As far as HP-UX is concerned, Intel's recent announcement regarding its AMD64-compatible Nocona hybrid puts a question mark over the future of all of HP's operating systems and makes Linux the only viable choice for them.

Currently three companies provide Linux indemnification for their customers: HP, Novell and Sun. In all three cases only distributions supported by the respective companies are covered:

IBM was the first and largest company to be sued by SCO, but it has yet to offer indemnification of any kind to customers. It did, however, take some steps in this direction. In addition to its contribution to the OSDL defense fund (see below), IBM helped bankroll Novell's acquisition of Suse, a move that amounts to an indirect indemnification play. Meanwhile, Red Hat, the most popular distributor of Linux, has promised to replace any source code that's found to be infringing on a copyright. The company has earmarked a recent $1 million contribution to the Open Source Now Fund to help defray the legal costs of open source developers and academic institutions that become entangled in SCO's legal web [Shankland&Kanellos2003].

The Open Source Development Lab (OSDL, created by IBM, Intel and several other large companies, and the current employer of the original Linux kernel developer Linus Torvalds) has established a separate legal defense fund with the intention of helping some Linux customers that come under litigation from SCO [Shankland2004a].

For Linux customers, the highly fractured response has resulted in more questions than answers. How can companies like HP, which don't have their own distributions of Linux, offer indemnification? Even stranger, how is it that HP can offer indemnification on a version of Linux that even its distributor (Red Hat) won't indemnify? This raises the question of what happens when an HP customer running Novell's Suse Linux must invoke its rights to indemnification. Which of the two indemnification agreements takes precedence in addressing the customer's needs?

Finally, does IBM's and Red Hat's failure to offer indemnification amount to a lack of confidence in their legal standing versus SCO that enterprises must take seriously when selecting Linux distributions and solution providers? Or is it a sign that real indemnification is impossible to achieve, therefore rendering the three existing programs less than they're cracked up to be? Or is it, as they have maintained in their public statements, that the SCO claims are baseless and don't warrant extraordinary indemnification measures?

    Other Major Open Source Projects

    It is important to understand that Linux is just one example of an open source project, and there are many others that a company can benefit from. There are literally thousands of open-source projects in existence, including operating systems, programming languages, utilities, Internet applications and many more. Most of them are not interesting and cannot compete with commercial applications; quality and the level of security also vary widely, with many projects never reaching the magic version 1.0 (a relatively debugged release). The following 12 projects are notable for their influence, longevity, the size of the codebase (given in the second column in thousands of source lines, KLOC), and their level of success:

    Table 2. Major open-source projects

    Project    | Size of the code base (KLOC) | License          | Application Domain
    -----------|------------------------------|------------------|--------------------------------------------------------------
    Apache     | 100                          | BSD-style        | The most popular HTTP server on the Internet. Used by many large companies along with commercial web servers.
    Linux      | 800                          | GPL              | Operating system
    BIND       | 150                          | BSD              | Dominant DNS server. Used by most large companies
    KDE        | 250                          | GPL and LGPL     | Desktop environment. Often used with Suse Linux
    GNOME      | 150                          | GPL              | Desktop environment. Along with Linux, is used in Solaris 8 and 9 workstations. Supported by Sun.
    Sendmail   | 200                          | BSD              | Dominant mail server on the Internet. Widely used for enterprise mail servers (especially external, Internet-facing ones)
    Perl       | 150                          | Artistic and GPL | Dominant scripting language. Widely used for Unix scripting and in production systems. Installed by default in Solaris
    PHP        | 150                          | BSD-style        | Scripting language popular in web applications (often used with MySQL). Widely used in large corporations (Yahoo)
    Python     | 160                          | BSD-style        | Scripting language that competes with Java
    Samba      | 150                          | GPL              | Microsoft-compatible file server protocol implementation
    MySQL      | 250                          | GPL              | Relational database for web applications. Popular in e-commerce applications. Used by Yahoo. Often used with PHP
    PostgreSQL | 300                          | BSD              | Powerful relational database. Often used with Perl

    Security Risks Inherent in the Open Source Development Process

    From a management perspective, open source development can be considered a special kind of outsourcing. As in any outsourcing, the potential weaknesses in open-source software development are many and almost all of them affect security [Bezroukov1999a, Bezroukov1999b]. Of course, the problems outlined below are not limited to open source projects; the nature of open source development just makes them more acute in comparison with closed source projects. But the ability to resolve those problems in open source projects depends almost completely on the personality of the leader of the project, who often acts as a benevolent dictator:

    Some Recent Deployment Statistics and Industry Trends

    As Linux introduces another OS into the current stable of existing OSes, it is very important to develop an integration strategy that does not increase the complexity of the current infrastructure and thus weaken the overall security of the environment by spreading staff too thin across multiple different OSes. That means that businesses should be very cautious with deployment decisions and try to synchronize Linux deployment with a reduction in the variety of existing OSes, a move that is probably possible with Netware and HP-UX and that will be discussed later in this whitepaper. There is a growing understanding that fashion-based Linux deployments are not cost effective. In his article "Switching to Linux picks up steam", published on ZDNet on August 31, 2004, David Becker wrote:

    In a report on total cost of ownership for the Linux, Unix and Microsoft Windows operating systems, research company The Yankee Group found that only 4 percent of businesses planned to migrate Unix servers to Linux within the next two years. A total of 11% intended to move Windows servers to Linux, while 21% proposed to add Linux servers to a predominantly Windows environment.

    On the desktop, 36% of businesses expected to have a few Linux PCs in their business, but only 5% planned a total migration to Linux. A majority--57%--planned no changes for Windows on the desktop.

    The main problem is that while moving to Intel-based servers is definitely a very cost effective move, a move to Linux is only one of the possible ways to achieve that, as open source software can be deployed on other flavors of Unix and in some cases even under Windows:

    "All of the firms would like to reduce the amount of up-front capital expenditure dollars they spend on expensive Windows and Unix software licenses," the report found. "However, they also recognize that in certain instances, a wholesale or significant switch to Linux might reduce up-front costs but result in higher overall costs."

    Factors to consider in such a cost analysis range from interoperability with existing applications to the relative scarcity of trained Linux support personnel. "The establishments that have or are seriously considering Linux bemoaned the present dearth and high cost of skilled Linux administrators, even as they praised the open-source operating system's ease of use," the report stated.

    Such concerns may loom larger if a company is governed by a central IT strategy, which would discourage a piecemeal approach to technology adoption, Yankee analyst Dana Gardner said.

    "The position companies need to look at is whether there's a tactical or strategic role for Linux and open source," Gardner said. "They're looking at what would be a strategic platform that's fully integrated and supported."



    Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


    Created May 1, 2004; Last modified: September 12, 2017