[ISN] Sustainable Computing Consortium "foolish" if it doesn't embrace open standards

From: InfoSec News (isnat_private)
Date: Thu May 16 2002 - 00:13:02 PDT


by Tina Gasperson
Tuesday May 14, 2002

Carnegie Mellon University is expected to formally announce its "Sustainable Computing Consortium" on May 16th. In order to make some measurable gains in software quality and security, CMU is hooking up with big players in IT and software development, and NASA, to look at new techniques for measuring sustainability. And ironically, all these different companies are going to put their heads together to brainstorm and collaborate and share ideas on some, get ready for this, good old proprietary software and intellectual property that they'll have to pay a licensing fee to use outside their own

Carnegie is the school that brings us CERT/CC, the reporting center for Internet security problems. So any Carnegie-created consortium dedicated to driving "order of magnitude improvements in software quality, dependability, and security" has got to be all good. And it probably is. But people who are used to developing in the open environment fostered by major universities like Carnegie, MIT, and Berkeley cringe when they visit the front page of the SCC Web site and see a quote from Bill Gates prominently displayed there: "It's time for developers to think and act differently," along with a plug for an InformationWeek article talking about Gates' now-famous, but as yet not acted upon, memo about focusing on security. And it forces the question: what is this consortium really all about?

According to the group's authors, "Consortium members support the creation of standards and specifications that allow for the measurement and enhancement of software quality, dependability, and security. Sustainable software encompasses technology, measurement, policy, economic and market dimensions of software. The work of the Consortium includes technical efforts to measure and reduce software-associated risks as well as economic, legal and policy efforts to manage risk within organizations, the broader markets, and the national economy."

With recent efforts like the Carrier Grade Linux Working Group having demonstrated that an Open Source project like Linux can be hardened sufficiently for mission-critical use by the telecommunications industry, coupled with the overall good record for security that the operating system already enjoys, it is natural that OSS and Free Software models should be a driving force behind the Consortium. Yet leading Open Source companies that want to get involved have discovered that the Sustainable Computing Consortium will operate in a proprietary environment.

The "benefits of membership" listed by the Consortium in its FAQ lay it out: "Members are entitled to a non-exclusive, internal-use license for the intellectual property created by the SCC." So what benefit would it be for a Free Software company to get involved in an environment that prevents them from using the innovations created in that environment, since the very nature of Open Source software is that the source code must be offered to those who purchase software? And it appears that so far, only closed-source companies like Microsoft, Oracle, and others have been recruited by the SCC.

NASA is a big part of the Sustainable Computing Consortium, having granted Carnegie's computing science department at least $23 million to look into the whole topic of high-dependability software, hoping to reap the benefits of the creative effort. NASA has called it a "unique opportunity to develop an empirically-based science for software dependability," and one that "could have a major impact on NASA's ability to rely on complex software for advanced mission capability." But what of projects like FlightLinux, where rocket scientist Pat Stakem is developing a special distribution of Linux just for use on spacecraft? The FlightLinux project was originally funded through July 2002 and probably will not continue if NASA decides to focus more on closed-source models.

"The licensing questions at stake for the university are, I hope, still open," says Eben Moglen, general counsel for the Free Software Foundation, "and I look forward to CMU's reconsideration of a policy that makes no sense and will render stillborn an otherwise very important and productive venture of great importance."

Brad Kuhn, vice president of the Free Software Foundation, agrees. "It's a travesty to have proprietary development happening in an academic environment," since the whole point of a University is to make knowledge available.

Bill Guttman, the former co-CEO of PrintCafe, is the director of the SCC. PrintCafe, successful by most measures, makes software specifically for the printing industry. Guttman grew the company to 500 employees and 4000 customers. He's also the director of Carnegie's Software Center which, among other things, focuses on identifying new software development methodologies and business models. But when he took on that role, the Pittsburgh Post-Gazette labeled him a "geek by accident."

Guttman has a PhD in international business, the article says, but ended up running software companies because he saw the money in it. He's typical CEO material: a visionary who is always seeking a way to do things better. And since the Software Center has been working on finding new development methodologies, it appears the Open Source/Free Software method of development didn't come in first in Guttman's book. If it had, he'd certainly select it as the foundation for the Sustainable Computing Consortium.

In fact, a position paper entitled "High Quality and Open Source Software Practices," written by T.J. Halloran of CMU and Bill Scherlis, who is the co-director of the SCC, expresses reservations about the suitability of the Open Source software development model in "quality-related technology." In the conclusion of the paper, they state, "...any technique or tool is not feasibly adoptable if it requires a major (client-visible) overhaul of a project web portal, collaboration tools, development tools, or source code base."

Guttman has told potential Consortium members that the SCC would very much like to see the Free Software/Open Source community participate in the project, and he says the group is considering a dual-licensing strategy. Moglen sees the inclusion of Free Software as vital. "The Consortium cannot succeed without the participation of the free software community," he says, "because ours is the development model that will produce high-quality code in the twenty-first century."

Moglen says that in fact it is the closed method of software development which has contributed heavily to the "radical deterioration in average software quality over the past twenty years, causing hundreds of billions of dollars of lost time every year from work that disappears when personal computers crash, fail to exchange data successfully because of incompatible closed formats, or are disrupted by well-known unfixed security exposures."

Not only that, but "to attempt construction of an infrastructure that does what we do without us, in an attempt to bolster the system of proprietary ownership of software, would be literally foolish," he says, "and I don't expect it to happen among people as smart and capable as those presently forming the Consortium."