Re: CRIME better computing for oregon using open source

From: Crispin Cowan (crispin@private)
Date: Tue Sep 24 2002 - 23:55:22 PDT

    Shaun Savage wrote:
    
    > Crispin Cowan wrote:
    >
    >> Shaun Savage wrote:
    >>
    >>>     1A+ "competition increases software quality"
    >>
    >> Does not follow. A vendor that has a monopoly on a narrow niche may 
    >> be able to devote sufficient resources to supporting a complex 
    >> application, whereas two competing vendors trying to live in the 
    >> same niche may find themselves with insufficient revenue to properly 
    >> support their applications.
    >
    > If two companies make "chairs" and if one company's chair is softer, 
    > lasts longer, and costs the same, the other company will need to make 
    > better chairs in order to sell chairs.  The niche example is an 
    > exception, not the rule.
    
    If there are exceptions, then it is not a rule. This is particularly 
    true if we use strong language like "axioms."
    
    >>>     1A- "shorter development time reduces software quality"
    >>
    >> Does not follow. Good design can lead to shorter development and 
    >> better software quality. And this does not appear to have anything to 
    >> do with monopolies.
    >
    > Correct, it does not relate to monopolies, but on average it is true. 
    > When a project reaches a large size, the good design will only help so 
    > much.  On average, if competition forces the release of a project 
    > before it is ready, the software quality will be reduced. The more 
    > "man years" put into software the better the software ON AVERAGE.
    
    All other things being equal, shorter development time reduces quality. 
    But there are lots of things you can do that simultaneously reduce 
    development time and improve quality, so it makes a very poor rule.
    
    >>> 2> "proper software development increases software quality"
    >>
    >> Er, yes, but "proper" is so ill-defined that this statement is a 
    >> tautology.
    >>
    > Yes, the word proper is ill-defined. That is what I would like to see 
    > this group define.  If this group can define what is "proper" then the 
    > group can help the state.
    
    You seem to be trying to define principles of good software engineering. 
    That is a large and complex task. It is not special to CRIME, Portland, 
    or even security (although it is closely related to security). You might 
    want to check out the International Conference on Software Engineering 
    <http://www.cs.orst.edu/icse2003/>, which will be in Portland in 2003. 
    But the core problem here is that the principles of good software 
    engineering are actually still unknown to science, and good software 
    engineering remains a black art.
    
    > The concept of "people are more important than business" is that the 
    > term "business" means the entity of, not the verb.  I see Enron, 
    > Harken, Tyco making shady deals and stealing from people. I see 
    > companies getting bailed out by the US government, I see companies 
    > selling something then telling you you can't use it.
    >
    > To me this is business being more important.  That is why I say 
    > "people are more important".
    
    Those examples are not "business more important than people."  Quite the 
    opposite: that was individual people (executives) setting themselves up 
    as more important than the business (the shareholders) and robbing them 
    blind by betraying their fiduciary duties to the business.
    
    Those are examples of exactly why business is more important than the 
    wants of *individual* people.
    
    > I keep hearing about companies giving away IP if they move to open 
    > source.  I keep hearing about what the motivation is to write open 
    > source software.
    > If the state pays for custom software, does the state not own that 
    > custom software?
    
    That depends on the contract. The state is in a position to mandate 
    that kind of thing, but AFAIK, has not done so.
    
    >>    * The State should *consider* open source solutions when procuring
    >>      commodity systems, but should not be required to choose open
    >>      source for any particular application. This is because open source
    >>      is *sometimes* the best solution (e.g. Apache is the most
    >>      cost-effective web server) and sometimes not (AbiWord and Star
    >>      Office are simply not viable competition for MS Office. Yet :)
    >
    > OK, BUT all protocols and file formats should be OPEN and published.  
    > By requiring open protocols and file formats, that prevents 
    > monopoly on software and locking users into poor software.
    
    I agree with this philosophically, but IMHO the State of Oregon is not 
    in a position to enforce such a thing. Oregon state government is too 
    small a market to ever hope to influence core Microsoft policies, and if 
    such a mandate goes through without forcing Microsoft to comply, then it 
    becomes VERY expensive.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 00:51:12 PDT