Why Open Source is not Magic Pixie Dust, Part 284
Published 09:29, 30 September 09
One of the pivotal moments in the rise of free software was 22 January 1998, when the following statement appeared:
Netscape Communications Corporation today announced bold plans to make the source code for the next generation of its highly popular Netscape Communicator client software available for free licensing on the Internet. The company plans to post the source code beginning with the first Netscape Communicator 5.0 developer release, expected by the end of the first quarter of 1998. This aggressive move will enable Netscape to harness the creative power of thousands of programmers on the Internet by incorporating their best enhancements into future versions of Netscape's software.
Here, then, was the first – and for a while, the most successful – Internet company, giving away what many had regarded as its crown jewels. Of course, it was not a decision taken lightly, but the company had been forced to take dramatic steps in the face of its catastrophic loss of browser market share thanks to the steadily improving versions of Microsoft's Internet Explorer – and its own missteps.
The move was widely reported, and led to the ideas behind free software being introduced to many people for the first time. But the initial hopes of that announcement were not realised. Turning Netscape's Communicator program – the name used for the expanded version of Netscape Navigator, including extra functionality like email – into Mozilla, as the new code was baptised, proved much harder than expected.
One of the people most deeply involved in that process – and most disappointed in its failure to deliver an open source version within a reasonable time-frame – was Jamie Zawinski. By 1999, he found himself working for AOL, which had bought Netscape in November 1998. In the face of that failure, he decided to leave the company, and wrote an impassioned and important post entitled “resignation and post mortem” about why he was doing so. It concluded:
My biggest fear, and part of the reason I stuck it out as long as I have, is that people will look at the failures of mozilla.org as emblematic of open source in general. Let me assure you that whatever problems the Mozilla project is having are not because open source doesn't work. Open source does work, but it is most definitely not a panacea. If there's a cautionary tale here, it is that you can't take a dying project, sprinkle it with the magic pixie dust of “open source,” and have everything magically work out. Software is hard. The issues aren't that simple.
This is something that everyone in open source needs to remember. It is too easy to claim glibly that free software is a panacea, that by converting from closed to open code, all the problems go away. The difficult birth of Mozilla was perhaps the highest-profile demonstration of that, but it was by no means the last. Here's one from reddit, in an incident which took place very recently:
As many of you noticed last night, or heard this morning, we had a bug in reddit that allowed someone to start a comment bomb. Specifically, we had two bugs.
The bugs have been squashed, and it is perfectly safe to open your inboxes again.
It is important to point out here that as a site that gets all of its content from users, we take sanitization very seriously. We sanitize both input and output. In this particular case, our output sanitizer was broken in a non-obvious way. As a matter of fact, these bugs were only exploitable because we are open source. The worm author had to scour the source of our output filter to find these holes. We cannot hide behind security through obscurity, and we like it that way. We also rely on our users reporting security bugs in a responsible manner.
As this post candidly admits, “these bugs were only exploitable because we are open source”. Although many people (myself included) point out that security by obscurity is a false security – since determined crackers can always find weaknesses anyway – the corollary is not true: *lack* of obscurity does not mean the code is necessarily secure.
For open source code to be secure, people need to look at it carefully, and find the bugs before those wishing to exploit them do. Part of that involves users reporting bugs – again, as the post above rightly points out. For open code to realise its potential, it's important that users – especially the more tech-savvy ones – do their bit, and help catch bugs that can cause problems. As Zawinski might have put it, you can't take an insecure project, sprinkle it with the magic pixie dust of “open source,” and have everything magically work out.