David A. Wheeler's Blog
Thu, 12 Apr 2007
April 2007 release of “Why OSS/FS? Look at the Numbers!”
Finally, I’ve released a new version of
“Why Open Source Software /
Free Software (OSS/FS, FLOSS, FOSS)? Look at the Numbers!”
This paper continues to provide
“quantitative data that, in many cases, using open source
software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a
reasonable or even superior approach to using their proprietary competition
according to various measures. This paper’s goal is to show that you should
consider using OSS/FS when acquiring software.”
It’s been a while; my last release was November 14, 2005.
has all the details, but here are some of the highlights:
Updated webserver stats, and noted issues with the Go Daddy change
Noted Kenneth van Wyk’s article about Linux security
Added quotes from Microsoft’s Bill Hilf, from
“Cracking Open the Door to Open Source” by Carolyn A. April,
“Redmond” magazine, March 2007, pp. 26-36.
Added link to Andy Tanenbaum’s article about Ken Brown and ADTI.
Added a link to an
approved European Parliament resolution,
A5-0264/2001, which calls “on the Commission and Member States to promote software projects
whose source text is made public (open-source software), as this is the only
way of guaranteeing that no backdoors are built into programmes [and calls] on
the Commission to lay down a standard for the level of security of e-mail
software packages, placing those packages whose source code has not been made
public in the ‘least reliable’ category” (5 September, 2001; 367 votes
for, 159 against and 39 abstentions).
Added a reference to the Forrester report “Open Source Becoming
Mission-Critical In North America And Europe” by Michael Goulde
that says “Firms Should Consider Open Source Options
For Mission-Critical Applications”.
Added references to a
major new European Commission-sponsored study,
“Study on the Economic impact of open source software
on innovation and the competitiveness of the
Information and Communication Technologies (ICT) sector in the EU”,
November 20, 2006. This is a major new study;
“Our findings show that, in almost all the cases,
a transition toward open source reports of savings
on the long term”. There is LOTS of quantitative information here.
Added reference to Communications of the ACM (CACM) Jan. 2007,
“Increased Security through Open Source”
It doesn’t say anything new, and it omits the many quantitative studies
cited here, but it’s a prestigious journal that says it.
Added reference to mail server market survey:
Sendmail and Postfix and #1 and #2 in the market.
Added references to
and to Raymond/Landley’s “World Domination 201” into desktop section.
IE vs. Firefox unsafe days in 2006. Eek… it’s scary.
Survey - Linux use on mission-critical systems
Danish cities demand more openness
“The war is over and Linux won” (Server war)
Evergreen, an open source, enterprise-class library management
developed by the Georgia Public Library Service.
Added reference to TCO savings on OSS/FS databases, from
“Open source databases ‘60 percent cheaper’” article
Added info Firefox use which keeps growing. See
reference to IDC survey
Referenced “Trusting Trust” attack.
Here’s the text:
“An Air Force evaluation by Karger and Schell first publicly described
this very nasty computer attack, which Ken Thompson ably demonstrated
and described in his classic 1984 paper “Reflections on Trusting
Trust”. Thompson showed that because we use software to create other
software, if an attacker subverts the software-creating programs, no
amount of auditing any program can help you - the subverted programs
can hide whatever they want to! This has been called the
“uncounterable attack”, and some have said that it’s impossible to
secure computers simply because this attack is possible. Some have
even said that all those security audits of OSS/FS are worthless,
because subverted tools could insert attacks the auditors couldn’t
see. But it turns out that the trusting trust attack can be countered.
My 2005 paper Countering Trusting Trust through Diverse
Double-Compiling (DDC), published by ACSAC, shows how the
“uncounterable” trusting trust attack can be countered. But there’s a
catch: the DDC defense only works if you can get the source code for
your software creation tools, including the operating system,
compiler, and so on. That kind of information is typically only
available for OSS/FS programs! Thus, even in the case of the dangerous
“trusting trust” attack, OSS/FS has a security advantage.”
Added a note about Symphony OS (innovative user interface).
Added quote from Bellovin to history section. OSS was the
norm in many communities before the mid-1970s.
stats from onestat.com re: Firefox usage
Spyware stats, IE vs. Firefox, from University of Washington.
Added new reports on security flaw fixing time:
“Deliverable D3: Results and policy paper from survey of
There’s lots of other good stuff there.
Added reference to
another paper on innovation.
Added reference to
“Why open source projects are not publicised” by Ingrid Marson,
ZDNet UK, November 25, 2005.
As I mentioned earlier,
I wish I’d used the term “FLOSS”
(Free-Libre / Open Source Software) as my all-encompassing term in this paper.
FLOSS is much easier to say than some of the alternatives, and
the term “Free Software” is widely misunderstood as being “no cost”.
However, I’ve used the term OSS/FS all over in the paper,
and it’s awkward to change now
(and people might not find the document they were looking for), so
I haven’t changed it here.
path: /oss | Current Weblog | permanent link to this entry