David A. Wheeler's Blog

Thu, 12 Apr 2007

April 2007 release of “Why OSS/FS? Look at the Numbers!”

Finally, I’ve released a new version of “Why Open Source Software / Free Software (OSS/FS, FLOSS, FOSS)? Look at the Numbers!” This paper continues to provide “quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures. This paper’s goal is to show that you should consider using OSS/FS when acquiring software.”

It’s been a while; my last release was November 14, 2005. The ChangeLog has all the details, but here are some of the highlights:

  1. Updated webserver stats, and noted issues with the Go Daddy change and lighttpd.
  2. Noted Kenneth van Wyk’s article about Linux security
  3. Added quotes from Microsoft’s Bill Hilf, from “Cracking Open the Door to Open Source” by Carolyn A. April, “Redmond” magazine, March 2007, pp. 26-36.
  4. Added link to Andy Tanenbaum’s article about Ken Brown and ADTI.
  5. Added a link to an approved European Parliament resolution, A5-0264/2001, which calls “on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category” (5 September, 2001; 367 votes for, 159 against and 39 abstentions).
  6. Added a reference to the Forrester report “Open Source Becoming Mission-Critical In North America And Europe” by Michael Goulde that says “Firms Should Consider Open Source Options For Mission-Critical Applications”.
  7. Added references to a major new European Commission-sponsored study, “Study on the Economic impact of open source software on innovation and the competitiveness of the Information and Communication Technologies (ICT) sector in the EU”, November 20, 2006. This is a major new study; “Our findings show that, in almost all the cases, a transition toward open source reports of savings on the long term”. There is LOTS of quantitative information here.
  8. Added reference to Communications of the ACM (CACM) Jan. 2007, “Increased Security through Open Source” It doesn’t say anything new, and it omits the many quantitative studies cited here, but it’s a prestigious journal that says it.
  9. Added reference to mail server market survey: Sendmail and Postfix and #1 and #2 in the market.
  10. Added references to defectivebydesign.org and to Raymond/Landley’s “World Domination 201” into desktop section.
  11. IE vs. Firefox unsafe days in 2006. Eek… it’s scary.
  12. Added Survey - Linux use on mission-critical systems
  13. Added Danish cities demand more openness
  14. Added “The war is over and Linux won” (Server war)
  15. Added Evergreen, an open source, enterprise-class library management developed by the Georgia Public Library Service.
  16. Added reference to TCO savings on OSS/FS databases, from “Open source databases ‘60 percent cheaper’” article
  17. Added info Firefox use which keeps growing. See http://marketshare.hitslink.com/report.aspx?qprid=3 and http://www.techweb.com/wire/security/193104314
  18. Added reference to IDC survey
  19. Referenced “Trusting Trust” attack. Here’s the text: “An Air Force evaluation by Karger and Schell first publicly described this very nasty computer attack, which Ken Thompson ably demonstrated and described in his classic 1984 paper “Reflections on Trusting Trust”. Thompson showed that because we use software to create other software, if an attacker subverts the software-creating programs, no amount of auditing any program can help you - the subverted programs can hide whatever they want to! This has been called the “uncounterable attack”, and some have said that it’s impossible to secure computers simply because this attack is possible. Some have even said that all those security audits of OSS/FS are worthless, because subverted tools could insert attacks the auditors couldn’t see. But it turns out that the trusting trust attack can be countered. My 2005 paper Countering Trusting Trust through Diverse Double-Compiling (DDC), published by ACSAC, shows how the “uncounterable” trusting trust attack can be countered. But there’s a catch: the DDC defense only works if you can get the source code for your software creation tools, including the operating system, compiler, and so on. That kind of information is typically only available for OSS/FS programs! Thus, even in the case of the dangerous “trusting trust” attack, OSS/FS has a security advantage.”
  20. Added a note about Symphony OS (innovative user interface).
  21. Added quote from Bellovin to history section. OSS was the norm in many communities before the mid-1970s.
  22. Added stats from onestat.com re: Firefox usage
  23. Added EMA study
  24. Added Spyware stats, IE vs. Firefox, from University of Washington.
  25. Added new reports on security flaw fixing time: http://blogs.washingtonpost.com/securityfix/2006/02/a_time_to_patch.html and http://www.heinz.cmu.edu/%7Ertelang/disclosure_jan_06.pdf.
  26. Added “Deliverable D3: Results and policy paper from survey of government authorities”. There’s lots of other good stuff there.
  27. Added reference to another paper on innovation.
  28. Added reference to “Why open source projects are not publicised” by Ingrid Marson, ZDNet UK, November 25, 2005.

As I mentioned earlier, I wish I’d used the term “FLOSS” (Free-Libre / Open Source Software) as my all-encompassing term in this paper. FLOSS is much easier to say than some of the alternatives, and the term “Free Software” is widely misunderstood as being “no cost”. However, I’ve used the term OSS/FS all over in the paper, and it’s awkward to change now (and people might not find the document they were looking for), so I haven’t changed it here.


path: /oss | Current Weblog | permanent link to this entry