Open-source is an awesome concept in software.
The appeal of open-source to developers varies – for some it’s about sharing, and ensuring their work can be reused; for others it’s about working in a community of like-minded people, and for others it’s a more fundamental political belief in freedom.
For government and other organisations open-source software has a couple of key attractions, including the ability to manage cost better and more fairly, and the freedom from restrictive licensing arrangements.
I don’t believe open-source is the one-and-only-true-way for organisations to buy software, but it’s a very credible and serious part of the mix: in our business we use a mix of closed-source commercial software from vendors like Adobe, Apple and Microsoft, we use a lot of open-source software (like Apache, WordPress, Plone, jQuery, MySQL, FreeBSD and many more), and we use web-apps with smart billing models like ZohoCRM, Pingdom and Campaign Monitor. Open source is particularly good for systems that become capital assets (i.e. the organisation needs to own and operate the system for many years).
I’ll write more about the benefits of open-source for government another time; meanwhile, after my baby (who is sick and a sad little man) woke me up at 4am this morning, I started thinking about a couple of commonly-repeated myths about open-source. As I’m still awake now at 6am, I thought I’d share them.
1. Open-source is inherently more secure than closed-source software. MYTH
This is not true. The security of any piece of software depends on the many choices made during its design and implementation. The license, meanwhile, is simply a legal document detailing how the software may be used. Looked at this way, it becomes obvious that the security of any given piece of software has nothing to do with its license.
Open-source in general is therefore neither more nor less secure than closed-source software in general.
However, when security flaws are found, users of closed-source software are entirely dependent on the vendor to provide a security fix. A closed-source vendor might be highly responsive to such issues, if it is motivated by quality, reputation and doing the right thing (or by punitive contract terms); or it might not be responsive, in which case users have no-one else to turn to. For open-source software, other people can provide the fix.
2. By using open-source, you’ll automatically gain an army of enthusiastic talented developers who will work on your problems for free. MYTH
This is untrue, ridiculous even. It’s been labelled the ‘pizza myth’: the idea that many government problems can be solved by getting developers in a room for a weekend and giving them pizza. Here’s a more realistic picture:
- many software developers work on open-source projects, in their own time, for free, for fun. They work on what interests them, in their own time, at their own pace.
- software development is hard, and demands specific abilities and training. It’s generally a reasonably (but not excessively) well-paid profession.
- open-source projects attract the kind of developers who by nature abhor much of what government stands for. They generally loathe bureaucracy, hierarchy, risk-aversion, centralised planning and compliance with rules they don’t respect.
- developers may not always be the most outgoing and sociable people (some are, many are not), but one thing most are very good at is maths. One interesting piece of maths for a developer might go like this: “public sector spends a lot of money on a lot of things + I’m being asked to provide something valuable for free to public sector + the people asking are meanwhile getting paid to do their job + problem may not be that interesting = exploitation”.
- The addition of “but we’ll give you free pizza to work on Government’s problems” to the argument just adds an additional mild level of insult to the already unappealing proposition.
And the net result of this is…well, mostly nothing. There is no terracotta army of developers, willing to work for government for free, and simply waiting for the order to march. They’re busy modding Minecraft.
*Disclaimer: I think this myth has arisen because some in government have lent a willing ear to a *very* small number of developers and open-source advocates who are prepared to work for free on public problems. Being so enthusiastic for their cause, they assume lots of other people like them will be infected by the same enthusiasm. Those people won’t…they’re busy modding Minecraft.
Neither of these myths makes open-source any less useful or attractive for government, but they are unhelpful myths and don’t redeem themselves by being funny or outrageous, so it would be nice if they were taken outside and quietly dispatched with minimum fuss. And now it might just be time for tea, and a day’s work.
cheers,
Andy
–
Coda: I’ve had feedback from a couple of people who think this post was anti-open-source. It’s not. I believe Government should have a (non-exclusive) preference for open-source when spending money on software. I believe open-source is a great way to combine innovation, value for the taxpayer, and the sustainability of a tech economy.
With both of those myths, the key factor is you. It’s not that ‘other people can provide the fix’ with open source; it’s that you can (if you’re so inclined). Indeed, with open source, you have the right to decide what needs ‘fixing’ in the first place: it might not be a bug or security issue, it might just be that you wish it did something just a little differently. Likewise, if you’re looking for an army of volunteers, start with yourself.
In my experience, there’s a typical evolution pattern with open source. One of the latter stages is the realisation that you’re in control. If you don’t like it, you can change it (or get it changed). And that’s when the real power of the open source model is revealed.
One aspect you miss about security that is often mentioned is ‘With many eyes, all bugs are shallow’, i.e. if the source code is open and many people are looking at it then there is less chance of bugs appearing. In reality, this varies with the type of software and in many large projects there is only one or two people actively looking at any one area. And commercial software vendors no doubt employ QA people and the likes to do the same internally. The difference is really the transparency. If you WANT to inspect the open source code you can. Not many people will want to, but the option is there. If I were a large government agency looking for some software for a security related task then I probably would want to inspect it.
As for the second point, I totally agree. The Plone Foundation board of directors (of which I am a member) recently received an email from someone saying “Why doesn’t Plone have a Job Board plug-in?!”. The sender was very insistent that as a board of directors we were stupid to be missing this opportunity and he couldn’t believe how crazy we were that a job board product doesn’t exist for Plone. And that we (the board) must do everything in our powers to convince the community to produce a job board plugin. Clearly this guy doesn’t know how Open Source works. In general code is written because it is needed. It is written as someone is trying to solve a problem or is interested in writing code for some specific reason (as you say above, they like solving difficult problems). It is driven by bottom-up requirements and needs, not top-down edicts.
So in short, in order to get the best out of the Open Source community, you really do need to see what makes them tick… and no, they won’t work for free unless they really really want to
-Matt
A good little article Andy… and how you manage to think coherently when sleep deprived amazes me… our Little Monster is 6 months old and clarity of thought is a luxury of the distant past!
HELIOS is a good example of an open source project that struggles with these myths. The very good reason we went open source was down to freedom from restrictive licensing arrangements and not to do with the army of willing, zero-cost programmers. And I still keep on having to tell people that. And I’ve lost count how many times I’ve had the same experience that Matt reports: “Why doesn’t HELIOS have a Fleet management module” – simple… because you, the user base, have not found funding for it… or even described what such a module should look like.
Thanks for the interesting comments. Hoping to post more on open source soon, working on “Strangelove or: how I learned to stop worrying and love the GPL”, not sure it’s the best title, but I like it.
@Fraser – sleep: “it gets better”
(you hear that a lot about babies, but it’s broadly true)
I should add that to my “Hire Me” page. Can you openly licence the text please?
@Adrian sure – what do you fancy? GPL? CC? ‘Public domain’ apparently isn’t a valid licensing term