LinMin CEO Laurent Gharda responded with humor and good faith to this post (see his answer among the comments). Since it appears that the interview I reported on was, to say the least, unclear, I decided to change the title of this post to something more appropriate.
Yet I feel compelled to briefly consider the two arguments (slowness and safety) that still stand:
Speed of open source development: If I understand Mr. Gharda correctly, the comparison he makes is between developing a project from scratch (or almost) either with traditional methods or with an open source model. His reasoning is that if you want to bootstrap without VC money, it is easier to do so with proprietary code, since waiting for an open source project to mature would take time and therefore require more initial investment (i.e. VC money).
I disagree: open sourcing would deliver advanced development at a lower cost (fewer engineers and managers on the payroll), and since open source practices have given rise to notoriously fast agile development methods, I fail to see how time and money would count against it here.
The only argument I can see is that of control. When you bootstrap a company you need to move through intermediate steps (software, specs, releases) with instant refocusing and flexibility, and that might be incompatible with the intrinsic freedom of an open source project.
Safety of open source: Mr. Gharda's reasoning is one of likelihood versus damage. We are in a special situation here, since the extent of the damage a cracker could cause is much wider. But this kind of reasoning fails to address why a closed approach would make the overall deployment of his product any safer. On the contrary, it seems to me that precisely because caution is more warranted here, more scrutiny should be applied, so as to decrease the likelihood of such an event.
But in all honesty, whether closed or open source is more secure is still a matter of debate.
A few days ago, Milking the GNU published an account of two companies, one of which had gone open source while the other had chosen the reverse route and closed its code. Well, it seems the trend is toward closing sources.
Here is an article by Bruce Byfield (Linux.com) on LinMin, a provider of Linux deployment/provisioning/management solutions, explaining why they are taking Webmin (a BSD-licensed project that LinMin sponsors) into their code base and forking a proprietary version.
Of course the PR machine has spun the whole thing so that the open source contribution to LBMP (their new product) is smoothly obfuscated.
From LinMin PR:
Based on proprietary Linux systems management intellectual property acquired by LinMin, LBMP is the enhanced fifth generation of a provisioning solution used by leading companies for several years. (Note: LinMin acquired the IP assets of the defunct OpenCountry.)
Of particular interest are the reasons given by LinMin CEO Laurent Gharda for not releasing all or part of their LBMP software as open source:
1- Developing open source is too slow: If you take a look at the majority of the better-known open source companies out there, they're all VC funded … and they have to be, because they have to sustain not generating any revenue during a long period.
2- Open source is dangerous: the article explains Mr. Gharda's viewpoint: However, with a tool like LBMP, which he claims can set up a physical or virtual machine in as little as 15 minutes, the potential for creating chaos is much greater -- for example, a disgruntled employee could reprovision a server farm overnight.
Mr. Gharda obviously doesn't believe in peer review. But his remark is also troublingly funny in that it highlights potential problems with the product itself (sorry, the "tool", as he calls it):
- Poor access control: if a disgruntled employee can break in just by reading the source, I'd bet the problem lies less in opening the source than in access control management; what stops an insider from reprovisioning servers is authentication and authorization, not secrecy of the code.
- Poor functionality: if it takes a whole night to reprovision a server farm, one can only wonder what the benefit of using automated provisioning software is.
However, since open source is still an attractive milking machine, Mr. Gharda says that "There may in the future be an open source aspect to our business." Sure, there may... Here is an idea:
What if LinMin decided to sponsor the BSD-licensed OpenSSH and fork a proprietary version to, you know, make it more secure? But without releasing it, just to stay... safe?