9 Features of FOSS
This chapter examines the features of Free/Open-Source Software. Various aspects
of FOSS are examined including the adequacy of FOSS performance and its potential
for reducing costs. The nature of vendor lock-in and the use of FOSS as a way to
avoid vendor lock-in are examined. Other subjects explored include the actual
security of FOSS products and the educational benefits of FOSS. Later sections
examine the importance of sustainable software development and the positive impact
of FOSS on sustainable software development.
[Slide: (9) Feature of FOSS. Topics: Performance; Security; Cost; Educational benefits; Vendor lock-in; Sustainability]
An Introduction to Free/Open-Source Software
Copyright © 2005,2006, Center of the International Cooperation for Computerization (CICC) All Rights Reserved.
Copyright © 2005,2006, Mitsubishi Research Institute, Inc. All Rights Reserved.
Copyright © 2008, University of Puerto Rico at Mayaguez. All Rights Reserved.
9.1 Performance
FOSS is noted for innovative and rapid development, among its other features.
FOSS also has a general reputation for being suited to innovative development.
Actual development of active FOSS projects occurs at an extremely rapid pace. This
section also examines the results of performance tests carried out in 2004 in Japan,
in which the actual performance of FOSS products was evaluated.
[Slide: Performance]
9.1.1 Innovative and Fast Development
FOSS has a reputation for enabling innovative development. A large part of this
can be traced to the strong motivation of developers that support FOSS development.
The primary motivation of FOSS development is a desire by developers to create
software that they want, or to create software unlike any other. Unlike many
occupational programmers, FOSS developers are involved in development out of
personal desire, which is likely to produce innovative software.
Localization also tends to be easier to implement with FOSS, because it is
undertaken by the actual users that desire to get localized software. It is
important to note that this is possible only because of FOSS.
[Slide: Innovative and Rapid Development]
Although FOSS development is sometimes implemented through business, projects
are fundamentally driven by the enthusiasm of developers, which leads to fast
development. This enthusiasm drives developers to rapidly develop the software that
they want. Major FOSS projects involve the participation of a worldwide developer
base, which can increase the pace of development through round-the-clock
development. This type of development is one reason why security patches to fix
software vulnerabilities are rapidly released under FOSS.
9.1.2 FOSS Performance Testing in Japan
The Japan OSS Promotion Forum’s Development Infrastructure Working Group
has tested the performance of select FOSS products. The products tested include
DBMS, PostgreSQL, JBoss and the Linux kernel.
Benchmark performance of DBMS was tested using OSDL Database Test 1 (DBT-1),
a Web-based transaction performance test that simulates the activities of Web
users browsing and buying items online. PostgreSQL was evaluated using the OSDL
DBT-3 suite for decision support workload. DBT-3 consists of business oriented
ad-hoc queries and concurrent data modifications. The reliability and performance
of JBoss was evaluated using the SPECjAppServer2004 benchmark for J2EE servers.
SPECjAppServer2004 is supplied by Standard Performance Evaluation Corporation.
Evaluation and bottleneck analysis of the Linux kernel was conducted using Linux
Kernel State Tracer (LKST).
[Slide: FOSS Performance Testing in Japan. Points on the slide not stated in the text: performance of WebLogic surpasses JBoss (SPECjAppServer2004 evaluation); Working Group members listed: Hitachi, SRA, NTT Data, NS Solutions, Sumisho Computer Systems, NRI, Miracle Linux, Uniadex, NTT Comware, Nihon Unisys]
The tests found that tuning could be used to draw higher levels of performance from
FOSS products. The Working Group is also developing crash analysis tools and
evaluating FOSS performance and reliability, in order to assess Java application,
database and operating system layers. The Development Infrastructure Working
Group is made up of a consortium of 11 companies, centering on Japanese system
integrators such as Hitachi, SRA and NTT Data.
9.2 Cost
FOSS deployment is associated with the myth of low cost. At the present time, FOSS
does not always ensure cost reductions. Although it is essential to evaluate the
total cost of ownership (TCO) when deploying a system, it should be kept in mind
that cost evaluations can be tailored to the standpoint of evaluation. Cost
evaluations must be performed based on a thorough understanding of where FOSS
deployment can reduce costs. The cost disadvantages of deploying FOSS also need to
be understood.
[Slide: Cost]
9.2.1 Myth of Low Cost
Cost reduction is considered to be the major advantage of GNU/Linux deployment.
This assumption is nearly always true when GNU/Linux is used to replace Unix. When
migrating from Unix, hardware costs are likely to be driven down by the deployment
of low cost IA (Intel Architecture) servers. In the case of Tsutaya Online, system
building costs were one-quarter to one-fifth lower due to GNU/Linux deployment.
Amazon.com is said to have saved as much as $17 million from deploying GNU/Linux.
[Slide: Myth of Low Cost]
However, there is only a small gap in TCO when comparing GNU/Linux and Windows.
The advantage can be tipped in favor of either environment by changing the
assumptions about how a system is used. Comparing costs for desktop deployment is
usually meaningless due to inadequate experience with FOSS. A lack of thorough
discussion also hampers any meaningful cost comparisons involving FOSS desktops.
Cost evaluations frequently end up focusing on maintenance costs. In addition to
the cost of maintaining middleware and applications, it is necessary to factor in
the cost of administrative engineers and user training. FOSS is drawing interest
today as a way to reduce costs for desktop use, which is linked to the desktop
tug-of-war between Windows and GNU/Linux. Once technology is created to simplify
the administration of multiple desktops, maintenance costs for FOSS desktops are
expected to fall dramatically. This development will enable effective cost reduction
through FOSS desktop deployment.
9.2.2 Evaluating Total Cost of Ownership (TCO)
TCO evaluations are normally used as a guidepost for economic evaluations of
systems. The total cost of ownership refers to the total of all costs required to
maintain, administer, and adequately operate systems. TCO comprises various elements
such as systems deployment and operating costs. Training costs for both users
and system administrators also factor into TCO.
It is important to remember that a TCO evaluation leaves room for the results to be
calculated in favor of the evaluator. This is achieved by changing the standpoint of
the evaluation. Microsoft’s Get the Facts campaign illustrates how facts can be
twisted according to the way they are presented.
[Slide: Evaluating Total Cost of Ownership]
In evaluating TCO, it is important to set certain concrete assumptions concerning
how systems will be used. The results of the TCO evaluation will depend on where
these assumptions are placed. Proper evaluation of TCO requires attention to the
assumptions made when calculating the TCO.
9.2.3 Cost Reduction Factors
This section examines how FOSS can reduce costs. To begin with, FOSS can be relied
on to drive down initial deployment costs. Since only one copy of a GNU/Linux
distribution is needed, minimal costs are incurred in obtaining distributions.
However, enterprise GNU/Linux distributions sold to users include support costs and
the cost of commercial software, which are included in the distribution.
Licensing costs are not required for systems built entirely using FOSS. If
proprietary software is required, only the license for that software needs to be
purchased. Licensing costs are not anticipated to take up a significant proportion
of overall costs when deploying FOSS.
[Slide: Cost Reduction Factors]
FOSS also enables the lowering of upgrade costs. Upgrade costs for GNU/Linux
distributions are typically quite low, while upgrade costs for proprietary software
are often very high. The ability to lower upgrade costs is a major advantage for
systems that will be operated for an extended period while maintaining software
upgrades.
Hardware costs can also be lowered using FOSS. FOSS can adequately run on older
hardware. This is true for certain applications such as single function servers that
provide simple interaction. There is no need to go to the trouble of deploying new
hardware for these types of applications. FOSS systems can also be tuned to run
adequately on existing low spec PCs.
9.2.4 Cost Disadvantages of FOSS
FOSS also has certain cost disadvantages. These disadvantages are frequently
identified during TCO comparisons with existing proprietary systems. The cost of
training is considered as a major disadvantage when migrating to a FOSS-based system
from a familiar existing system. In general, users are extremely conservative and
will resist migrating from a familiar environment to a new environment. Therefore,
it is necessary to factor in the cost of training when newly deploying FOSS.
A shortage of textbooks and reference material to master FOSS also contributes to
higher training costs for FOSS. In comparison, books for commonly deployed systems
are widely available and can be used for self-study. The limited supply of
information for FOSS also drives up costs due to the need for customized training
courses.
[Slide: Cost Disadvantages of FOSS]
The same situation also exists for support costs. A limited supply of FOSS engineers
contributes to the view that support costs are still high. However, the high cost of
labor is anticipated to drop as FOSS becomes more common.
One element that can impede cost reduction from FOSS deployment is the need
for additional costs relating to system modification. This is likely to occur when
deploying FOSS for an existing system that is already running. For example, when
clients are migrated to FOSS as a way to reduce costs, the server may need to be
modified. This can lead to an actual increase in costs. The configuration of the
existing system comes into play, in terms of whether the system is designed to only
work with specific clients. Systems configured in this way may prevent FOSS clients
from working, so that modification of the overall system is required.
9.3 Vendor Lock-In
This section examines the nature of vendor lock-in and the issues it causes.
Examples of vendor lock-in in other industries are illustrated, since vendor lock-in
is not unique to the IT industry. In order to avoid lock-in, it is important to
separate the interface and implementation by adopting a standard interface. This
arrangement promotes competition via the implementation. In addition, the
relationship between FOSS and open standards is also explored, examining why it is
not enough to standardize specifications.
[Slide: Vendor Lock-In]
9.3.1 What is Vendor Lock-In
Vendor lock-in describes an environment or situation that locks in users to
products from a specific vendor. Vendor lock-in is used as a customer retention
strategy by vendors. Various factors can lead to vendor lock-in, such as the need to
ensure compatibility with archival data or between data formats exchanged by users.
The integrated look and feel of a user interface can also contribute to vendor
lock-in. Other contributing factors can include how a system’s features are operated
or the knowledge of that environment.
[Slide: What is Vendor Lock-In]
Vendor lock-in used to be an excellent business model. Users expected vendors to
provide long-term support in a vendor lock-in situation. In some ways, vendor
lock-in provided a way for users to purchase peace of mind. For vendors, vendor
lock-in was recognized as an effective business model that balances long-term stable
revenue and growth of market share.
Eventually, enclosure by specific companies became more of an obstacle for certain
products. This became true of products like software, which rely on frequent
updates and are high in interdependency. In these industries, vendor lock-in becomes
an obstacle to ensuring fair competition. Vendor lock-in of software and systems
encourages an ever-widening vicious circle of biased procurement. Under this
arrangement, locked in users must continue to procure product lines from a specific
vendor over the long term. Vendor lock-in also forces users to implement regular
version upgrades. Furthermore, a monopoly invites the possibility of lower quality
and higher costs. The need to maintain compatibility of data can also be unsoundly
used as justification to eliminate the participation of other vendors through the use
of closed specifications.
9.3.2 Examples of Lock-In Business Strategies
This section provides examples of enclosure in business that translate into vendor
lock-in. Although there are many examples of enclosure in business, it is rare
for strong vendor lock-in to be achieved through technology.
The customer loyalty or rewards program is a leading example of a lock-in business
strategy. Primary examples of rewards programs include those used by credit card
companies, mail order companies and mass merchandisers. Frequent flyer programs
used by airlines also fall into this category. Everyday examples include frequent
buyer cards from retailers and restaurant coupons.
[Slide: Examples of Lock-In Business Strategies]
Another type of vendor lock-in strategy is the preferential trade-in program offered
by some car dealers in Japan. This type of program applies to trade-ins of a car
brand from the same manufacturer. Car manufacturers also introduce frequent
model changes to encourage customers to upgrade to a new vehicle. This business
strategy is similar to the regular introduction of version upgrades for software.
Mobile phone companies and ISPs also rely on business models with similar elements.
By continually introducing new models and services, users are encouraged to upgrade
their equipment or purchase new services. At the same time, users tend to resist
changing their mobile phone number or e-mail address (ID), so that they are locked
into their assigned ID. However, the introduction of mobile number portability across
telecommunication carriers is expected to reduce the lock-in advantage for mobile
phone companies.
In Japan, the most unfair example of vendor lock-in is the “one yen bid,” which
undermines the very purpose of bidding as a way to reduce costs. The one yen
bid takes advantage of Japanese business customs and the complexity of system
building. Under this strategy, the vendor places an ultra-low bid on the first year
of a contract. After building the system at a loss, the vendor gains private contracts
after the second year and beyond, based on its established record as the system
builder. These contracts enable the vendor to take on highly profitable contracts
for systems operation and continued development.
9.3.3 Separation of Interface and Implementation
Interfaces should be clearly defined and standardized for the purpose of avoiding
vendor lock-in and promoting fair procurement. Separating the interface from the
implementation achieves fair competition within a standard interface. The following
steps are used to separate the implementation, which will ideally result in fair
competition:
1. Derive the necessary functions and separate into modules.
2. For each module, separate the interface and implementation.
3. Define the interface and establish it as a standard.
[Slide: Separation of Interface and Implementation]
Due to the importance of interface standardization, the trend among IT vendors
today is to emphasize open standards as vendors move away from de facto standards.
Conventional de facto standards were treated that way due to the large market share
of certain software. Under this arrangement, the interface is also treated as part of
the de facto standard.
In contrast with the de facto standard, which treats an existing implementation as
the standard, the de jure standard is based on a previously formulated standard.
Implementations are made to be compliant with the de jure standard. Sometimes
the decision-making process used in formulating the standard is entirely open. This
is referred to as an open standard. Under an open standard, only the interface is
standardized. Implementation is left to each vendor.
9.3.4 Free/Open-Source Software and Open Standards
Open standards are an effective strategy to avoid vendor lock-in. Open standards
are open in all phases of the standardization process and its application: e.g.
participation on the standardization committees, access to the standardization
documents, and implementation of the standard. By making specifications open, it is
possible to maintain competition. However, it is widely believed that open
specifications alone are not enough to maintain fair competition. According to this
view, releasing source code as FOSS is the first step toward complete avoidance of
vendor lock-in.
[Slide: Free/Open-Source Software and Open Standards]
Systems that comply with open standards provide for interchangeability of the
implementation. This is said to enable other vendors to participate in system
upgrades and gives users the upper hand in price negotiations. However, FOSS
proponents argue that this only works in theory. Open standards alone are viewed as
being inadequate, due to the rule of thumb that vendors will always emerge seeking
differentiation through proprietary means.
The example of HTML or HyperText Markup Language illustrates this view. The
standard specifications for HTML are decided by the World Wide Web Consortium
(W3C). However, browsers have introduced proprietary extensions to HTML
tags in competing for market share. This has led to an uneven history of browser
incompatibilities.
Further illustrating this point is the example of a certain OS vendor accused of tying
in applications to its own operating system. The vendor had created unpublished
APIs for its OS. These APIs were exclusively used by the vendor’s own applications
to deliver performance enhancements of a proprietary nature. The arrangement
enabled the OS vendor to give itself a unique advantage. The incident is also one of
the reasons why users remain locked into that OS today.
Yet another argument in favor of this view are the recent incidents surrounding the
standardization of OOXML. One of the many criticisms against this standard claims
that a FOSS implementation is not possible since OOXML implicitly relies on (not
yet standardized) proprietary software.
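The three separation steps of 9.3.3 and the proprietary-extension problem of 9.3.4 can be seen together in the following added example, which is not part of the original text. The DocumentStore interface, the two vendor classes and the fast_search extension are all hypothetical names invented for the illustration.

```python
import inspect
from abc import ABC, abstractmethod


class DocumentStore(ABC):
    """Hypothetical standard interface: the only contract clients may rely on."""

    @abstractmethod
    def put(self, key, text): ...

    @abstractmethod
    def get(self, key): ...

    @abstractmethod
    def keys(self): ...


class VendorAStore(DocumentStore):
    """Conforming implementation backed by a dict (invented vendor)."""

    def __init__(self):
        self._data = {}

    def put(self, key, text):
        self._data[key] = text

    def get(self, key):
        return self._data[key]          # raises KeyError for unknown keys

    def keys(self):
        return sorted(self._data)


class VendorBStore(DocumentStore):
    """Conforming implementation with different internals (invented vendor)."""

    def __init__(self):
        self._rows = []                 # list of (key, text) pairs

    def put(self, key, text):
        self._rows = [(k, t) for k, t in self._rows if k != key] + [(key, text)]

    def get(self, key):
        for k, t in self._rows:
            if k == key:
                return t
        raise KeyError(key)

    def keys(self):
        return sorted(k for k, _ in self._rows)

    def fast_search(self, word):
        """Proprietary extension: not part of the standard interface."""
        return [k for k, t in self._rows if word in t]


def conforms(store):
    """Behavioural conformance check that touches only the standard interface."""
    store.put("a", "first")
    store.put("b", "second")
    store.put("a", "replaced")          # overwriting must not duplicate the key
    try:
        store.get("missing")
        missing_raises = False
    except KeyError:
        missing_raises = True
    return (store.get("a") == "replaced"
            and store.keys() == ["a", "b"]
            and missing_raises)


def proprietary_extensions(impl_cls, standard=DocumentStore):
    """Public methods an implementation offers beyond the standard interface."""
    public = {name for name, _ in inspect.getmembers(impl_cls, inspect.isfunction)
              if not name.startswith("_")}
    return public - set(standard.__abstractmethods__)


def portable_client(store):
    """Client written against the standard only."""
    store.put("memo", "open standards")
    return store.get("memo")


def locked_in_client(store):
    """Client that depends on one vendor's extension."""
    store.put("memo", "open standards")
    return store.fast_search("open")


def runs_on(client, impl_classes):
    """Map each implementation name to whether the client runs on it."""
    results = {}
    for cls in impl_classes:
        try:
            client(cls())
            results[cls.__name__] = True
        except AttributeError:          # client used something the vendor lacks
            results[cls.__name__] = False
    return results


if __name__ == "__main__":
    vendors = [VendorAStore, VendorBStore]
    for cls in vendors:
        print(cls.__name__, "conforms:", conforms(cls()),
              "extensions:", sorted(proprietary_extensions(cls)))
    print("portable client:", runs_on(portable_client, vendors))
    print("locked-in client:", runs_on(locked_in_client, vendors))
```

Both implementations pass the conformance check, yet the client that calls the extension runs on only one of them, which is the situation the text describes for open standards that vendors extend by proprietary means.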
9.4 Security
This section examines the issue of security in software and whether FOSS is
inherently more or less secure. Although there are arguments for both sides, a
quantitative evaluation of FOSS security has yet to be conducted, making it a matter
for future discussion. FOSS security tools are also examined.
[Slide: Security]
9.4.1 Security of Software
By definition, the security of software provides a measure of whether software can be anticipated to continue running. Obstacles to security include outside threats such as unauthorized access and interception of communications. Unauthorized manipulation of data such as falsification is also a threat to security. Additional obstacles to security include defects in the software itself and vulnerabilities in the design of software.
Unauthorized access involves unexpected manipulation by a third party. Interception and falsification are examples of unauthorized manipulation of privileged data streamed over a transmission path. Both problems can result in unexpected circulation of tampered data.
[Slide: Security of Software]
A software defect occurs when software operates in an unexpected way due to a fault
with the software. Software and system vulnerabilities occur when there is a system
fault or problem with specifications. These problems could enable a third party
to take over the system, or take advantage of the vulnerability to leak confidential
data. The next section examines whether FOSS can be used to improve security
against such threats.
9.4.2 Is FOSS Really More Secure?
There are two widely divergent views on the impact of FOSS on security. One argument holds that FOSS offers greater security due to its transparency and active developer base. The opposing argument claims that proprietary software from major vendors affords greater opportunities to ensure security.
The reality for servers is that unauthorized access and security accidents occur on all platforms including Unix, GNU/Linux and Windows. The rate of problems depends on the popularity of the platform.
[Slide: Is FOSS Really More Secure?]
The situation is slightly different for desktops. Viruses and worms targeted at FOSS are extremely rare and almost non-existent today, although the number of FOSS desktops is relatively low to begin with. However, it is hard to imagine that viruses will become rampant on FOSS desktops as they are today, even with the spread of FOSS desktops. This reasoning is due to the system design principles employed for Free/Open-Source operating systems. A trade-off exists between convenience and security: operating systems that are designed for greater convenience have comparatively more vulnerabilities. As Unix-based systems, FOSS desktops place an emphasis on security.
9.4.3 “Many Eyes” of Developers
The “many eyes” of developers is cited as one reason why FOSS offers greater security. The notion refers to the many eyes of developers that inspect source code to identify any issues with code. This view holds that continuous round-the-clock development by a worldwide developer base enables rapid response to defects. This in turn enables relatively fast response when critical vulnerabilities or security holes are identified. Although the notion of “many eyes” applies to actively developed FOSS projects, it does not necessarily apply to FOSS projects developed under a small development structure.
[Slide: Many Eyes of Developers]
FOSS is also claimed to be effective for
countering the “Trojan horse” program. This view holds that it is difficult to slip
unauthorized code into source code that is published as FOSS. Both the “Trojan
horse” measures and the notion that FOSS offers rapid response to defects are based
on the idea that security is improved through the vigilance of many developers.
9.4.4 Naked Implementation
FOSS is also claimed to reduce security, based on the argument that releasing source code gives crackers enough information to attack FOSS. This view holds that FOSS makes it easier to find errors or security holes in the implementation or design of software, resulting in reduced security. However, the “many eyes” notion offers a counter-argument to this view. Since information about FOSS is released, developers can respond immediately when a security hole is discovered.
One frequent concern about FOSS is the structure for security measures on the part of the software provider. Major vendors of existing proprietary software are putting adequate resources today into security measures. However, there is a lack of trust in the security measures of FOSS projects, which are implemented through volunteer development. The security risk is thought to be higher for FOSS projects that are not particularly active.
[Slide: Naked Implementation]
9.4.5 FOSS Security Tools
This section introduces FOSS security tools as part of the subject of FOSS security.
[Slide: FOSS Security Tools]
9.4.5.1 GNU Privacy Guard
GNU Privacy Guard (GPG) is a tool for PGP encryption of e-mail. Developed by GNU, GPG is considered the standard tool for PGP encryption. Many MUAs have been developed to work with GPG.
9.4.5.2 Snort, CodeSeeker
Snort and CodeSeeker are FOSS implementations of Intrusion Detection Systems
(IDS).
9.4.5.3 OpenSSH
OpenSSH is a FOSS implementation of the Secure Shell (SSH) protocol, which
provides for encryption of communication paths. SSH is increasingly common as a
replacement for Telnet and remote shell (rsh) to connect to remote hosts.
9.4.5.4 OpenSSL, GNU TLS, Etc.
OpenSSL and GNU TLS are FOSS implementations of the SSL (Secure Socket
Layer) protocol used for secure communications. These technologies are frequently
incorporated into network software. Other major FOSS security tools include OpenVPN
for building virtual private networks (VPN) and Tripwire, a system integrity
checker.
9.5 Educational Benefits
This section examines the educational benefits of FOSS. The ability to learn from the precedent of released source code is highly effective as an educational tool. Well-written source is the best textbook, while sloppy source code sets a negative example for learning. In order to use a debugger to see how code works, it is critical to use source code that actually runs rather than just sample code. With FOSS, it is possible to prepare a development environment and obtain development resources at low cost. This means that the barriers to beginning study are low. Information exchange through the FOSS community also provides practical benefits for education that cannot be ignored.
[Slide: Educational Benefits]
9.5.1 Source Code as an Example
FOSS excels as a source of training material for IT engineers, by providing concrete examples for learning about software design techniques and working programming technology. FOSS offers a way to learn from actual examples rather than just sample programs. Since FOSS provides actual running source code, it is possible to learn step-by-step how a program runs. This is accomplished by inserting debug print routines or using a debugger.
Another major educational advantage of FOSS is the ability to look up similar code. The code can then be incorporated into your own code as long as it is permitted under the licensing. Publications relating to FOSS such as Code Reading and Lions’ Commentary on UNIX 6th Edition with Source Code have long been published. These practical books are popular and widely reprinted.
[Slide: Source Code as an Example]
9.5.2 Using a Debugger to Verify how Source Code Runs
FOSS makes it possible to obtain, modify and check source code. It is important to study source code that actually runs and to use a debugger that enables you to see how a program runs. This arrangement makes it possible to study practical techniques beyond theory. By studying real code from actual programs, you can learn about current technology trends and gain a broad understanding of software design techniques beyond fundamental theory and technique.
[Slide: Using a Debugger to Verify that Source Code Runs]
9.5.3 Low Cost of Development Environments and Resources
Proprietary software often involves high barriers to participating in development, primarily in terms of cost. These barriers include the need to purchase development tools and receive fee-based training to learn about development technology. Although much of the information necessary for development is available online, essential information may need to be obtained from vendors for a fee.
In comparison, resources for FOSS tend to be available at a comparatively low cost. Distributions come with development tools, while information necessary for development is almost always available online. However, there is still a shortage of textbooks and reference books for beginners, and training courses are largely fee-based.
FOSS offers lower financial risks for investment in software technology acquisition. Beyond that, there are only minor risks associated with the amount of time invested in training and the effort you invest. FOSS-based training makes it possible to control these risks yourself, which is where FOSS excels compared with training that uses existing proprietary software.
[Slide: Low Cost Development Environment and Development Resources]
9.5.4 Educational Benefits of Communities
FOSS communities also offer educational benefits, based on the approach that users can learn how to use software from the community without having to learn it on their own. The underlying purpose of user communities is to facilitate mutual assistance for FOSS projects, which tend to be short on information authorized by a developer community. Many FOSS communities normally conduct their virtual activities online. As part of FOSS communities, user communities play a major role in facilitating information exchange through mailing lists and message boards.
[Slide: Educational Benefits of Communities]
The rule of communication in FOSS communities is to exchange information on a give-and-take principle. Observance of netiquette and respectful interaction are also emphasized. In the faceless world of online communication, flaming can erupt when participants fail to observe these rules of conduct. Flaming is undesirable and has even caused some famous projects to split or stop completely.
Developer communities should also make an effort to provide ready access to relevant information and user manuals. Projects with a good flow of feedback from user communities as well as information from developer communities can expect to achieve a positive cycle of growth. This leads to faster development and growth of the user base and community.
9.6 Sustainability
Many software projects feature ongoing development in order to respond to defects or provide support for diverse platforms. This section examines why sustainable software development is necessary and the reasons that FOSS is effective for achieving sustainable software development. Also examined are the reasons for the analogy drawn between the advancement of software and scientific progress. The freedom of software is also essential to the advancement of software science and software engineering, and to producing better software.
[Slide: Sustainability]
9.6.1 Necessity of Sustainable Software Development
Sustainability of software development is desirable as long as there are users for the software. This is due to the increasingly complex environment that surrounds software today, which makes it difficult for software to be flawless. Defects in software are continually discovered on a daily basis. These defects can include security holes that can inconvenience others and eventually develop into a social problem.
Tried-and-tested software is software that has had almost all of the defects worked out of it. Although it might seem acceptable to suspend the development of tried-and-tested software, this is frequently not the case. Maintenance is often needed due to the continually changing environment that surrounds software, both in terms of operating systems and dependent libraries. Even tried-and-tested software must be adapted to support these changes, as long as there are users that wish to use the software in such environments.
Since FOSS enables modification and redistribution of source code, it can be easily adapted to support diverse platforms. Consequently, FOSS simplifies the implementation of sustainable software development.
[Slide: Necessity of Sustainable Software Development]
9.6.2 Realizing Sustainable Software Development
With proprietary software, there is a risk of software development ending for whatever reason. For example, development projects are frequently suspended due to poor sales. In extreme cases, development of software may collapse due to the developer firm going out of business. When this happens, the rights to the software are sometimes transferred to another company to carry on development, if the software has some merit to keep the development going.
In the case of FOSS, development is sustained even if the core development company pulls out of development or developers leave due to individual circumstances. Development is carried on as long as there are users that wish to see it continue, and other engineers to take over development. Under FOSS, all information including necessary resources for development is published, which makes it possible to implement sustainable software development.
[Slide: Realizing Sustainable Software Development]
9.6.3 Scientific Progress and Advancement of Software
There are fundamental similarities between the advancement of software and the notion of scientific progress. These similarities are evident from the comparison below. With FOSS, advancement of software occurs when software grows or is expanded under the following criteria:
1. Implementation is shared and extended through the release of source code.
2. Source code must run properly.
3. Reinventing the wheel should be avoided.
The notion of scientific progress shares the following characteristics, which can be compared with the above points:
1. Knowledge is shared and expanded through publication of papers.
2. Theory must be correct and verifiable through corroborative experiments.
3. It is pointless to conduct the same research afterwards.
The similarities between the two sets of criteria show how the advancement of software shares common characteristics with the notion of scientific progress.
[Slide: Scientific Progress and Advancement of Software]
9.6.4 For the Advancement of Software
FOSS projects are supported by the notion of freedom. The freedom of Free Software is prescribed by the Free Software Foundation in the four points shown below. Copyleft is the abstract expression of the four kinds of freedom, which GPL expresses as a concrete license.
· The freedom to run the program, for any purpose.
· The freedom to study how the program works, and adapt it to your needs.
· The freedom to redistribute copies so you can help your neighbor.
· The freedom to improve the program, and release your improvements to the public, so that the whole community benefits.
The sustainability of software development is maintained by guaranteeing the four kinds of freedom. Sustainable software development in turn accelerates the advancement of software. Without sustainable software development, software cannot be advanced in an effective way.
[Slide: For the Advancement of Software]