UPDATE (03/26)
LinMin CEO Laurent Gharda responded with humor and good faith to this post (see his answer among the comments). Since it appears that the interview I reported was, to say the least, unclear, I decided to change the title of this post to something more appropriate.
Yet I'm forced to quickly consider the two arguments (slowness and safety) that still stand:
Speed of open source development: If I understand Mr. Gharda correctly, the comparison he makes is between developing a project from scratch (or almost) either with traditional methods or with an open source model. His reasoning is that if you want to bootstrap without VC money it's easier to do it with proprietary code, since waiting for an open source project to mature would take time and as such more initial investment (i.e. VC money).
I disagree: since open sourcing would provide advanced developments at a lower cost (fewer engineers and managers on board) AND since open source methods have spawned notoriously fast agile development methods, I fail to see how the time and money factors would be a negative here.
The only argument I could see would be that of control. If you bootstrap a company you need to go through intermediate steps (e.g. software/specs/releases) with instant refocus/flexibility and that might be incompatible with the intrinsic freedom of an open source project.
Safety of open source: Mr. Gharda's reasoning is one of likelihood versus damage. Here, we are in a special situation since the extent of damage caused by a cracker could be much wider. But this kind of reasoning fails to address why a closed approach would make the overall deployment of his product safer. On the contrary, it seems to me that since caution is even more warranted here, more scrutiny should be applied so as to decrease the likelihood of such an event.
But in all honesty, whether closed or open security is better is still a matter of debate.
-----------
ORIGINAL POST
A few days ago, Milking the GNU published an account of two companies, one of which had gone open source while the other had chosen the reverse route, closing its code. Well, it seems the trend is toward closing sources.
Here is an article by Bruce Byfield (Linux.com) describing LinMin, a provider of Linux deployment/provisioning/management solutions, explaining why they are taking Webmin (a BSD-licensed project of which LinMin is a sponsor) into their code and forking a proprietary version.
Of course the PR machine has spun the whole thing so that the open source contribution to LBMP (their new product) is smoothly obfuscated.
From LinMin PR:
Based on proprietary Linux systems management intellectual property acquired by LinMin, LBMP is the enhanced fifth generation of a provisioning solution used by leading companies for several years. (note: LinMin acquired the IP assets of defunct OpenCountry)
Of particular interest are the reasons given by LinMin CEO Laurent Gharda for not releasing all or part of their LBMP software as open source:
1- Developing open source is too slow: If you take a look at the majority of the better-known open source companies out there, they're all VC funded … and they have to be, because they have to sustain not generating any revenue during a long period.
2- Open source is dangerous: the article explains Mr. Gharda's viewpoint: However, with a tool like LBMP, which he claims can set up a physical or virtual machine in as little as 15 minutes, the potential for creating chaos is much greater -- for example, a disgruntled employee could reprovision a server farm overnight.
Mr. Gharda obviously doesn't believe in peer review. But his remark is also troublesomely funny in that it emphasizes potential problems with the product itself (sorry, the "tool" as he named it):
- Poor access control: if a disgruntled employee can break in just by looking at the source, I bet the problem is less in opening sources than in access control management.
- Poor functionality: if it takes a night to re-provision a server farm, one can only wonder what the benefit is of using automated provisioning software.
However, since open source is still an attractive milk machine, Mr. Gharda says that "There may in the future be an open source aspect to our business." Sure, there may... Here is an idea:
What if LinMin decided to sponsor BSD OpenSSH and fork it proprietary to, you know, make it more secure? But without releasing it, just to stay ... safe?
Hi everyone,
I'm the Laurent Gharda in question (there aren't too many of us with that name around!).
Now that I sound like the big bad wolf, please allow me to rectify a factual error in Bruce's article (it was a complex story, I'm not faulting Bruce!) that appears to have been the basis for this rather witty posting!
I'll also attempt to respond in good humor (or at least not too defensively) to some other points...
LinMin doesn't have a single line of Webmin code in it. LinMin is not forking anything. Webmin remains as it always has been: a fantastic, open source admin tool available to all for free. LinMin has paid for enhancements to Webmin (as noted, the Bacula integration module) and given that back to the Webmin community.
LinMin Bare Metal Provisioning was written from the ground up in-house, over a period of years, without incorporating open source code (well, we use Java and bolt into a relational database). LinMin is not changing the licensing model at all: it's always been a proprietary license and remains so. Sorry if this disappoints some of you...
Speed of open source development: I never said that developing open source code was slow. I know better (I've coded for a living in a prior life). What I said was that developing a business around a brand new open source project (one that has had very limited reach) will take significant investment (read: VC funding) before any kind of meaningful revenue comes in. I think it's great that projects (monitoring, database, app server, etc.) that have been built over time by countless dedicated open source developers get the attention of a team of entrepreneurs backed by VCs and "make something out of it". Great model, and hopefully the contributing developers have paying jobs (either at the sponsoring company or elsewhere).
Peer review and access control being the mechanisms to ensure that "nothing bad" happens: in an ideal (and non-IT) world, I'd agree. What we see in IT environments is many people with root privileges that have access to everything (they need to, to do their job). So access control is de facto compromised, and is replaced by trust in individuals. This works well 99% of the time. Also, there's no formal software development going on in many shops, so no concept of peer review (come on: when you write a script, do you have someone review it before unit testing it or even deploying it for others to use?). The point I was making is that if someone has keys to the kingdom, they can flip a bit (change a read to a write) or change a set of server provisioning policies with, well, not very positive results. That's all I said... Do you still disagree?
Functionality and speed to reprovision a server farm: LBMP or any tool (sorry, "product"!) will do that in less than an hour (say, 200 machines concurrently being reprovisioned from one server over the same subnet).
LinMin and future Open Source plans: we have some good things under wraps with products unrelated to LBMP. Stay tuned!
A final comment, now that I've gotten somewhat bashed (and all in good humor, no offense taken): if any of you has had to install systems by hand, or has had to put together and especially maintain some type of PXE server, count the hours you've spent doing this, multiply by your labor rate, and compare that to spending 3 or 4 dollars per device (server, blade, PC, VM) per year to provision/repurpose it as often as you need.
That's what LinMin is offering: an inexpensive way of getting the job done. Not open source, not free, but it still costs a lot less than your time, so it's not all bad!
Comments (and visitors to www.linmin.com to check it out for yourselves) are welcome!
Cheers,
LKG
Posted by: Laurent Gharda | March 26, 2008 at 03:51 PM
Disclaimer: I'm not a biz-type; I'm a sw engr (~15 yrs exp).
I would suggest that
1) developing with a closed-source model allows a business to hide what's complete and incomplete, which improves the likelihood of sales. Open source is like when TV started moving to HDTV: all the ugly parts of the actors' makeup were in plain sight for the world to see. So I don't think it's about pure speed of development, but rather the speed of business; to get to the point where you can make a sale and (eventually) become profitable. Whether this is what Mr. Gharda believes/states is beside the point to me.
2) While open source and peer review in the long run do assist in producing a very secure system, I'd suggest that it takes a little while for that open source community to develop such that you can get a great peer review community established (my own experience with trying to establish os projects). In the early stages of a business, there will be many things wrong that if witnessed by the wrong people could be devastating. Due to the issues of getting revenue I stated earlier, I think that security through obscurity can definitely buy a lot of time in that regard.
In the long run, I do believe it would probably behoove LinMin to gradually open source their systems to get sufficient peer review, but I don't disagree with their approach given that they've only just started their business. I also don't think open sourcing all at once will be helpful either, for similar reasons on the security front.
That said, I'd be interested in seeing more reviews of LinMin before trusting it myself.
Posted by: | July 12, 2008 at 09:42 AM