Thursday 31 May 2007

Dancing with Professional Open Source

Software projects are unlike most, if not all, other kinds of projects. The relationship between problem and solution is rarely clear at the start of the project, and successful outcomes are usually the result of a delicate dance between customer and vendor(s), user and provider. I believe many software projects fail because they are managed in the same way as the provision of more tangible objects. It isn't possible to mitigate against failure by including contractual penalty clauses because in general, once those penalties are invoked, the project is doomed. It's like deliberately stamping on the feet of your dancing partner.

I have long been an advocate of a form of "Vendor Relationship Management" that sometimes runs contrary to the traditional hard-nosed business of software and system provision. I have watched on as cast-iron contracts are signed for cut-throat prices only to see the vendor subsequently reaching the end of his budget and fading into the background. Yes, it is possible to insist on the terms of the contract being met, but I can't think of a single project I have ever worked on (as customer or vendor) where the contract includes everything eventually needed to deliver success. The goodwill of a vendor is crucial, and maintaining that goodwill creates a win/win scenario.

I recently came across a fantastic paper written by James Dixon of Pentaho discussing the concept of "Professional Open Source Software" or POSS (which I believe was originally coined by JBoss), and read it cover to cover. His analogy of POSS companies being "bee keepers" I thought extremely useful, and particularly his contrast of the "whole-product" development models in traditional commercial companies vs POSS companies.

But one observation really got my attention. In POSS projects (or even FLOSS projects), the end user (/customer) is engaged at a much earlier stage in the process, thereby ensuring that design defects and unexpected use cases are brought to surface before it is too late.

The dance begins.

What OSS (any variant) brings to the floor is a definition of what the style of the dance is, what the steps are and in what order, and importantly the means to ask one's prospective partner:

Q: Are you dancing?

A: Are you asking?

..... without fear of rejection.

The bee keeper analogy hits the spot & I would recommend the paper to anyone interested in OSS management and the gap between traditional OSS and "whole-product".

Powered by ScribeFire.

Friday 18 May 2007

Is Linux as secure as it used to be?

As a frequent train traveler I have a number of podcast sources to take along to keep me company. One of those is from IT Conversations. Along with a bizarre tendency to stray into fields like biotechnology, there are frequently fascinating podcasts. One such is an interview with Mikko Hypponen on the state of viruses and malware. It's an hour long but worth every minute.

One particularly interesting point is that the source of viruses has changed over recent years. No longer is the anti-M$ script-kiddy the primary source of malware; instead the issue is with organised crime, building empires of bot-nets with which to extort money or influence. This is an important shift in motivation because they do not have any preconceptions of what target to attack. The only criterion is to create maximum effect, which means targeting the platforms with the greatest market share. In the desktop world, that means Microsoft. Interestingly, in the mobile technology arena, it isn't PocketPC-based devices but instead devices based on the Symbian platform.

But Microsoft's dominance in the desktop world is, of course, Ubuntu's Bug #1, which it intends to fix. With Dell offering Ubuntu to the consumer market a large step towards that fix is taken, and the question arises: how big a market share is needed to make Linux desktops attractive to the malware developers?

But of course Linux is so much more secure than the MS alternatives! Not necessarily. Certainly one prominent Linux figure contends that while the Linux kernel is pretty secure, that cannot be said for many other FLOSS projects, including, of course applications that run on the Linux platform.

But then even if malware strikes a Linux desktop, how much damage can it do? To do any real harm, malware would need elevated privileges, which the user has to specifically authorise, which of course one would only do for known applications.

But that is a process which Vista has also incorporated. And it can be attacked, and in a way which is easily applied to a Linux desktop. In standard Ubuntu (as an example I tested myself), it is possible for a non-elevated process to replace a menu item in the System...Administration menu with an arbitrary launcher, with an icon to make it look like the original item. If this launcher (let's say one that looked like the "Shared Folders" launcher) were to ask for elevated privileges, few (if anyone) would smell a rat, or rodent of any description for that matter. After doing its dirty work on the system, the malware puts back the original launcher and runs the real "Shared Folders" app. Nobody would know anything was amiss. So once any vulnerability is identified (let's say in one of the desktop games that offer network play mode), and malware is delivered, even in user-mode, the game (as it were) is up.

In this case I'm sure the issue (if there truly is one) will be fixed, probably in Linux distros before it is in Vista, but an attack vector that works so similarly in Windows and Linux is scary.
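A check a defender could run for the launcher swap described above; this is an added example, not the author's own test nor any distribution's tooling. It assumes the freedesktop menu layout in which a per-user .desktop file with the same file name as a system one takes precedence in the menu, and uses constructed launcher contents rather than files read from a real machine.

```python
import configparser
from typing import Dict, List

# Wrappers that prompt for elevated privileges (gksu/gksudo were Ubuntu's GNOME prompts of the period).
PRIVILEGE_WRAPPERS = ("gksu", "gksudo", "sudo")

# Constructed sample launchers keyed by file name (invented for this example): the first map
# stands in for the system menu directory, the second for the per-user directory consulted first.
SYSTEM_LAUNCHERS: Dict[str, str] = {
    "shares-admin.desktop": "[Desktop Entry]\nName=Shared Folders\nExec=gksu shares-admin\nIcon=gnome-fs-share\n",
    "gnome-sudoku.desktop": "[Desktop Entry]\nName=Sudoku\nExec=gnome-sudoku\nIcon=gnome-sudoku\n",
}
USER_LAUNCHERS: Dict[str, str] = {
    # Same Name and Icon as the system entry, but Exec points somewhere else.
    "shares-admin.desktop": "[Desktop Entry]\nName=Shared Folders\nExec=gksu /home/me/.cache/shares-admin\nIcon=gnome-fs-share\n",
    # Verbatim copy of the system file: harmless.
    "gnome-sudoku.desktop": "[Desktop Entry]\nName=Sudoku\nExec=gnome-sudoku\nIcon=gnome-sudoku\n",
    # The user's own launcher with no system counterpart: nothing is shadowed.
    "mytool.desktop": "[Desktop Entry]\nName=My Tool\nExec=/home/me/bin/mytool\n",
}

def parse_launcher(text: str) -> Dict[str, str]:
    """Return the Name/Exec/Icon keys of a launcher's [Desktop Entry] group."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    return {k: entry.get(k, "") for k in ("Name", "Exec", "Icon")}

def find_shadowed_launchers(system: Dict[str, str], user: Dict[str, str]) -> List[Dict[str, object]]:
    """Flag per-user launchers that override a system launcher with a different command."""
    findings = []
    for fname, user_text in user.items():
        if fname not in system:
            continue  # no system entry to shadow
        sys_entry, usr_entry = parse_launcher(system[fname]), parse_launcher(user_text)
        if sys_entry["Exec"] == usr_entry["Exec"]:
            continue  # same command, so an innocuous copy
        wrapper = usr_entry["Exec"].split()[0] if usr_entry["Exec"] else ""
        findings.append({
            "file": fname,
            # original Name and Icon kept, so the menu item looks unchanged
            "looks_identical": (sys_entry["Name"], sys_entry["Icon"]) == (usr_entry["Name"], usr_entry["Icon"]),
            "asks_for_privileges": wrapper in PRIVILEGE_WRAPPERS,
            "system_exec": sys_entry["Exec"],
            "user_exec": usr_entry["Exec"],
        })
    return findings
```

On a real system the two maps would be filled from /usr/share/applications and ~/.local/share/applications respectively; a finding with both flags set is the look-alike worth investigating.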

The day when complacency becomes an issue is close. ClamAV is generally optional in distros, desktop or otherwise. Likewise, iptables is ineffective without configuration (manually or with a tool like the excellent GuardDog). As it stands, and particularly with many users believing themselves to be in a position of strength, like the song says, there may be trouble ahead. The tools are there, but should be included (and configured) by default for folks who won't (or can't) do that for themselves.


Wednesday 16 May 2007

What was I worried about?

Over the last year or so I have been asking myself questions about FLOSS, some of them documented in these notes. While the undocumented questions cover a broader range, so far those in these notes have largely revolved around the readiness (or not) of Linux as a desktop. I have looked on as a number of FLOSS projects are driven by their respective communities, communities by and large comprising and led by developers and/or enthusiasts. My question (for good reasons) is: can FLOSS, with such communities and leaders, make the leap to expand into the wider non-enthusiast communities? As I've said before, enthusiasts and tech-savvy individuals are exactly the wrong people to judge what priorities the regular Joe Public has. Therein lies the mistake I made. Just because I hadn't seen it in the FLOSS projects I'd had exposure to doesn't mean there is no 'proper' marketing function taking place.

As one would expect from Mark Shuttleworth, Ubuntu has a significant community-based marketing operation. While it seems to a passing eye still a little experimental in process, it is clearly an extensive element of the Ubuntu community, and has been for some time. Perhaps more interestingly, in a project one would not consider to be as commercially focussed, John Williams - who clearly knows about marketing - has posted part one of an article and part two and, indeed, the gnome site itself has much marketing focus.

John Williams' pair of articles describes expertly what marketing is and how it relates to open source projects - in his case, GNOME. But there is one big difference between FLOSS and traditional commercial software. Ubuntu gives us an example:

I use the two applications delivered with Ubuntu for managing my mp3/OGG library. I use RhythmBox to manage and play my library, and SoundJuicer to rip to the library. Let's look at a fairly simple idea - when I rip a CD, I'd like it to appear in my library. Surprisingly, that's why I ripped it in the first place. Currently, I need to manually import each folder (as long as I've used a folder structure for SoundJuicer - if I haven't it creates more problems). To do this transparently means the two applications communicating somehow (probably a mod to SoundJuicer to insert entries into the Rhythmbox database). So somebody like Canonical, who aims to meet those kind of requirements must either:

  • Persuade the SoundJuicer team to implement the change.
  • Have a Canonical staff member with commit rights to the SJ repository.
Hmmmm. Not sure how that is going to work with all of the apps on the supported list, and all downstream dependencies.


Wednesday 9 May 2007

A good note and a bad one.

On the negative side, I'm increasingly coming across people having bad experiences with the latest & greatest (Ubuntu), even without looking for them (example). But on a net-positive day, I made a sweet discovery.

I was trying to install VMware Server onto my Ubuntu FF workstation. I tried the obvious choices: the binary packages available for download, and alien'ing the rpm package. In both cases, when running the config utility, VMware found it needed to recompile a module and fell over. In serious doubt that I had enough motivation to drill down the dependency tree, I came across the feisty-commercial software repository, where a native VMware deb package resides (possibly only for the last 10 days or so. I wonder why that might be?)

Add the repository (deb feisty-commercial main) into sources and apt-get install vmware-server. Done. That easy.

That is the way it should be done. That one gem of a repository, one which recognises the need for commercial software, is the answer to almost all of my reticence. Curious, I snatched a peek at the repository itself to see what else might be there (I have a few things on my shopping list). Actually, just VMware. It doesn't seem to be used at all. The equivalent repositories for Dapper and Edgy were not much better: a (very) small handful of apps (Opera being an example).

If Canonical can expand that repository and make it a standard way to find commercial software, Ubuntu will have crossed the street into the sunshine.


Thursday 3 May 2007

The Dell decision

So Dell picked Ubuntu. No great surprise there. But I would be a little cautious about what that means. I'm not sure there is a particularly significant market there now other than those folks who were happy to install the OS themselves. There are other skeptics.

Of course, it may be a positional move at this point, putting channels in place ready for when the 'ordinary' punter starts to appreciate there is a choice available.


Can Open Source Sweeten the lemon out of the market?

I just came across a very interesting article here comparing computer security products (hardware and software) to 'Lemon markets' and it rang bells all around the place. Now I didn't know a lemon market from a lemon meringue before it prompted me to go and read up, but by God those bells have gotten louder and louder.

For those in a similar position to myself, allow me to describe, as concisely as I can (or at least quote from the venerable Wikipedia), what a lemon market is, why I find it particularly interesting, and why Open Source software may well help to sweeten the taste.

/* Quote

The paper by Akerlof describes how the interaction between quality heterogeneity and asymmetrical information can lead to the disappearance of a market where guarantees are indefinite. In this model, as quality is indistinguishable beforehand by the buyer (due to the asymmetry of information), incentives exist for the seller to pass off a low-quality good as a higher-quality one.

*/ Unquote

Currently my day job is in a biggish hospital (well, biggish by Irish standards anyway). Buying decisions in this environment are led more by end users than in any other industry I've worked in, particularly in the health-specific areas: clinical, nursing, laboratory, etc. While I and my colleagues in IT have a degree of input, the primary decision makers are the end users. Don't get me wrong, I'm not complaining. I happen to think that's the right way to do it. However it is not uncommon for a clinician to return from a conference with a CD under the arm for the latest 'fantastic' app written in MS Access by a couple of guys in their spare time. That makes for a classic lemon market. The end users making the decisions have no idea what software quality is, how it is achieved or how it is measured. The vendors do. Therein lies asymmetric information, and an explanation of why poor software in healthcare sometimes seems to cost so much. I've used healthcare here as an example because I know a little about the current situation, but I believe this principle applies to software generally.

And the cost helps to perpetuate the lemony smell. There are a number of ways to estimate the quality of software, none of which are perfect. Comparison with a specification doesn't say much about quality. Conformance to quality processes (ISO, CMM etc.) is better but really says only that a vendor is capable of a certain level of quality. The fallback is always reputation and reference. Go and talk to existing customers and hear what they have to say about the product. But with many software systems in the healthcare arena costing several hundreds of thousands (euros, dollars, whatever) or more, how many organisations are going to be totally honest about having bought a lemon?

Can Open Source help? Perhaps it can. Having access to code (and related artifacts) means that adherence and not just conformance to quality processes can actually be measured, in many instances by automated processes (an example I recently came across directed at open source projects is here and other examples here and here).

There is plenty of scope to extend this model. If test scripts and records are included in the source repository then the degree to which (serious) unit, regression and system testing is performed can be measured, and speaking as a developer who has worked in and with a number of software houses, that would be a metric that would sort the men from the boys.

Open source competition in healthcare is still maturing. Arguably led by the WorldVista project originally developed by the VA healthcare organisation in the States, the open source market in this traditionally conservative sector is stable but still has some growing to do before putting pressure on closed-source vendors. I for one will do what I can to help it along.
