Kopec Explains Software
Computing Concepts Simplified
11 months ago

#119 Myths About Open Source Software

We dispel five common misconceptions.

Transcript
Speaker A:

A lot of people think they understand the open source movement, but they actually believe in a lot of myths about open source software. In this episode, we're going to dispel five different myths about open source software. Welcome to Kopec Explains Software, the podcast where we make computing intelligible. Now, we've done prior episodes on open source software and also on the free software movement, and I'm going to link to those in the show notes. But today we're specifically going to address five common myths about open source software. We assume that you know the basics of open source software, and if you don't, I recommend you first listen to those earlier episodes.

Speaker B:

Let's dive in with myth number one: open source means free of charge.

Speaker A:

Yeah, this is absolutely false. Many pieces of open source software actually are commercialized. There's a difference between open source software and the term commercial software. Software can be both commercial and open source. The terms are not in opposition to one another. Commercial is something you sell. Open source has its own definition, which we'll talk more about later and which was also covered in our prior episode, and something can absolutely be open source and also sold. Now, the caveat here is that one of the definitions of open source is that the software has to be redistributable, and that means that other people can take the source code and build it themselves and basically make their own binary versions of it. So ultimately, if a piece of software is open source and also commercial, somebody can go and recompile it and build their own version without paying the company that created it. But a lot of companies that open source parts of their product get around this by making it very convenient to download and pay for the pre-built version. And it might actually require quite a bit of effort for you to go and build all the components yourself. And of course, there are many, many pieces of software, in fact the majority of software today, that include some open source components, even if it is commercial. It might not be fully open source, but it's still built partially out of open source software. And so those proprietary bits still might not be out there, but they're combined with open source bits to make the whole. And so most software today has some kind of open source component, and there is plenty of commercial software that is fully open source but that people also pay for.

Speaker B:

All right, let's go on to myth number two: open source software is insecure.

Speaker A:

When we talk about open source software in my classes and we have debates about whether something should be open sourced or not, or whether open source was a good business strategy for this company, one of the first things students will say is, well, that could lead to security vulnerabilities. Absolutely not. A lot of studies show that a piece of open source software competing against a proprietary piece of software in the same field is often as secure or more secure. Now, there's actually an ethos behind this; it's called Linus's Law. I wouldn't really call it a law because some people dispute it, but it was developed by Eric Raymond in his famous essay The Cathedral and the Bazaar, which is foundational to kind of the open source movement. And he wrote that with enough eyeballs, all bugs are shallow. And he named the law after Linus Torvalds, the creator of the Linux kernel and Git. Now, this seems with common sense to basically be true, right? If more people are looking at certain pieces of some source code, they're more likely to find bugs, including security vulnerabilities. Security vulnerabilities are bugs, right? And so if enough people are reading the source code, more of those security vulnerabilities should be caught. Those people reading it have to have the expertise to actually catch those vulnerabilities. That's a big caveat. And another caveat is that a lot of pieces of open source software don't actually have that many people reading their source code. People might create a piece of open source software, put it on GitHub, nobody ever looks at it, and then other people might use it and just build it or use binary versions of it, and nobody was actually reading all of those lines. So remember, the law says with enough eyeballs, all bugs are shallow. But most pieces of open source software don't actually have a lot of eyeballs. So Linus's Law on its own can't assure us that open source software is secure.
But there's no inherent reason why open source software should be less secure than proprietary software. Except, you might say, that somebody can then go and find the vulnerabilities. It might be easier, because the source is out there, for somebody to find the vulnerabilities. Well, that's a form of security that we call security by obscurity. You're saying that because a piece of proprietary software does not have its source available, those problems are a little more hidden, and it's therefore more secure. And that's a logical fallacy, of course, because the software can still have all those vulnerabilities. Just because people can't see and easily find the vulnerabilities doesn't mean they don't exist. But it might be easier to exploit a piece of open source software that has vulnerabilities and that doesn't have enough eyeballs on it. So we can't definitively say that open source software will always be more secure than proprietary software. In fact, I'm sure there are many categories of software where the leading proprietary product is more secure than the leading open source product. But we also can't say what the myth says, which is that open source software is inherently insecure or less secure than proprietary software. It depends on the situation, it depends on how the software is managed, and it depends on how many eyeballs are looking at the source code, and whether those eyeballs are skilled enough to catch those security vulnerabilities.

Speaker B:

All right, myth number three: public domain is the same as open source.

Speaker A:

Yeah, there's a very formal definition of open source software. It starts from the earlier definition of free software, and if you want to know about how the open source movement splintered off from the free software movement, you can listen to our prior episodes that are linked to in the show notes. But the Free Software Movement defines free software based on four criteria. One is that the software needs to have its source available. One is that people need to be able to run it however they want. The next is that people need to be able to redistribute copies of the software as much as they want. And the fourth is that people need to be able to modify that software however they want to modify it. Those are called the Four Freedoms and were defined by Richard Stallman, the founder of the Free Software Movement. Open source software has its own definition, and that definition is not maintained by Richard Stallman. It's maintained by the Open Source Initiative. The Open Source Initiative actually has more criteria than the free software definition; there's a total of ten criteria that you can read on the Open Source Initiative's website, which I will link to in the show notes. We don't need to go through all ten of them right now, but several of these criteria are different from public domain software. Public domain software is software that's just out there that anybody can do literally whatever they want with. If something's in the public domain, it means there are no IP restrictions on it, and that applies to any kind of work that's in the public domain, not just software or source code. But actually a lot of open source software licenses come with all kinds of restrictions. And on our prior episode about open source software, we talked specifically about licenses and the differences between them, and we're probably going to do a mini episode in the future going more into that.
But needless to say, most open source software licenses actually come with restrictions. For example, almost all open source software licenses say you need to give credit to the original authors somewhere in your version of the software that uses that open source library or module. So, for example, I create a piece of software that I release on the Mac App Store, but it includes an open source library released under the MIT license. The MIT license requires that folks who use that library give credit to the library somewhere in their software. So I actually, in my About box, have to write, well, you know what, this software includes this library, and here's its original license. You actually have to republish the license as well under the MIT license. So what I'm saying is you can't just go and take a piece of open source software, use it, and not worry about anything. You've got to know what the license is and how it restricts you. Some are much more restrictive than that. For example, copyleft licenses like the GPL license require that if you use a GPL component and you use it in a particular way where it's really merged into your project, you need to then release your source code as well. That's very restrictive. That's saying you can't make a proprietary version of your own software because it uses GPL components. So most open source licenses come with restrictions, and so they are not the same as public domain.

Speaker B:

Okay, myth number four: anything with source code available is open source.

Speaker A:

Yeah, this is kind of the inverse of that last myth. So just because something has its source code available doesn't mean it follows the open source definition. Let me give you a very specific set of rules in the Open Source Definition that cause some proprietary pieces of software to not be open source even though they have their source code available. Rule number five: no discrimination against persons or groups. Rule number six: no discrimination against fields of endeavor. What does that mean? It means you can't say this person can use this software and this person can't, or this person can use this software to do this thing, and this person can't use this software to do this different thing. I'll give you a very specific example. There's database software, MongoDB. I'm a shareholder in MongoDB, full disclosure. But MongoDB used to use a license that was open source under the Open Source Initiative's definition. But because of these clauses, their current license, which they switched to, is no longer considered fully open source, because they restrict some other database providers, cloud database providers, from using their software off the shelf, and they have their own cloud database service. So they're saying you can't just use this for your particular business endeavor because you're competing with us. So therefore their software no longer falls under the formal Open Source Initiative definition. There are, again, ten criteria in the Open Source Initiative's definition of open source. And so if you violate any of those ten criteria, your software might technically have its source code available, which just means that other people can see the source code, but it might, by this definition, not technically be open source.

Speaker B:

And our last myth, last but not least: open source is the same as free software.

Speaker A:

Yeah, there's a great essay by Richard Stallman delineating the differences between open source software and free software, and I will link to that in the show notes, and we also did a prior episode on the Free Software Movement and how it splintered from the open source movement. So I won't go into it in a lot of detail here, but I did already mention the core of it, which is that there's a ten-point definition of open source software from the Open Source Initiative, and there's a four-point definition of free software from the Free Software Movement. And those two definitions have some slight differences. The Open Source Definition is actually a little more detailed. As a result, there are some pieces of software that are technically free software but not open source software. However, the vast, vast majority of open source software is also free software, and all of the standard licenses are understood as both open source licenses and free software licenses. So all the most popular licenses, the MIT license, the Apache license, the GPL, the LGPL, are all both free software licenses and open source software licenses. But there are some rare pieces of software that meet one definition but don't meet the other. So technically, they are not the same thing. But in practice, the vast, vast majority of software that is open source is also free software. Sorry about my voice today. I had kind of a cold. But thanks for listening to us. Rebecca, how do people get in touch with us on Twitter?

Speaker B:

We're at KopecExplains, K-O-P-E-C-E-X-P-L-A-I-N-S. Don't forget...

Speaker A:

...to like us on your podcast player of choice. Follow us, subscribe to us. Leave us a five-star review; that helps other people find the show, and we'll see you in two weeks. Bye.

There are many misconceptions about open source software, even amongst those who think they understand it. In this episode we dispel five of the most common myths about open source software:

  1. Open Source Software is non-commercial

  2. Open Source Software is insecure

  3. Open Source Software is the same as public domain software

  4. Any piece of software that has its source code available is open source

  5. Open Source Software is the same as Free Software

Show Notes

Follow us on Twitter @KopecExplains.

Theme “Place on Fire” Copyright 2019 Creo, CC BY 4.0

Find out more at http://kopec.live