Steven J. Vaughan-Nichols
Best Argument: Yes
Audience Favored: No (65%)
Time for a change
My opponent’s faith in Open Source is admirable. But you can’t run the global Internet as a faith-based organization.
The problem that caused the Heartbleed security nightmare is directly attributable to missing management infrastructure, which costs money. You can’t just ask a couple developers and an intern to audit code. You need a formal security review process and an honest-to-God QA department.
In his rebuttal answers, my opponent admits over and over again that the current Open Source development model is broken. That’s why the Core Infrastructure Initiative is being rushed into existence. But will it get enough funding to do an effective job? Unlikely.
He says, “If your company depends on a certain open-source program for its livelihood you darn well better have someone on staff who does know the code.” Seriously? Tens of thousands of companies use OpenSSL, which consists of “hundreds of thousands of lines of very complex code.” Customers can’t be expected to review every line of code they use.
Unfortunately, Heartbleed probably wasn’t an isolated example. As long as Open Source projects are run on inadequate resources with insufficient management, they’ll happen again. It’s past time for a change.
Open Source for the win
Steven J. Vaughan-Nichols
Ed and I can argue about the fine details, but at day's end we both agree that if developers use open-source programming methodology correctly, they can produce great software. I also believe that proprietary software methods can produce fine programs as well. I just believe that the odds are better you'll end up with high-quality, secure programs if you follow an open-source roadmap for your project.
Successful pure open-source companies such as Red Hat, SugarCRM, and Alfresco, an enterprise content management provider, use all the same software development management methods that proprietary software vendors use. Other companies that you may not think of as open-source development houses, such as Dell with OpenStack and Facebook with Open Compute, use both open source and "corporate" development methods.
In short, when done right, open source combines open source's virtues with so-called "proprietary" methodologies. It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded, that there exists the real possibility of a major security problem. Now Heartbleed has made people aware of this, and efforts such as the Core Infrastructure Initiative will help prevent major security holes.
So, as far as I'm concerned, open-source is still the best way to develop secure, safe software.
A close race
I must admit, this one was tricky, but I'm going with Mr. Bott. While Mr. Vaughan-Nichols made some good points, I found many of his responses avoided the particular issue at hand — the practical problems with open source's development approach.
Mr. Vaughan-Nichols nevertheless made some deep-rooted arguments about the open-source development model, notably comparing and contrasting the so-far "one-off" Heartbleed flaw with one of the buggiest closed-source applications on the market, Internet Explorer. And, yes, his argument that large companies that use open-source software should invest in the community they rely on so much almost won me over.
But what clinched it for me was the core of the subject. Mr. Bott's killer closer put the icing on the debate cake. Yes, flaws exist in major proprietary code and closed-source apps. But while sometimes thousands of contributors may help build a better functioning product, the security implications in a world with insufficient management and resources probably won't prevent another Heartbleed from existing.
It was a close race, make no mistake — and the audience agreed by a large majority with Mr. Vaughan-Nichols. But I think Mr. Bott has to take the win in this case.