Why trust has no bearing on open-source software

opensource.com / CC BY-SA 2.0

You may or may not have heard of open-source software (if you haven’t, please skim this), and if you have, your knowledge of the subject may vary considerably from that of the individual next to you. When it comes to data security and privacy, the arguments for and against the use of open-source software can be quite philosophical and at times heated.

What I want to touch on in this article is trust. Trust is a tricky thing: when you trust something, you’re inherently giving up some control over your environment and being, and “entrusting” it to someone or something else. Establishing that trust relationship varies by individual and situation. Reputation, honesty, and contractual liability are all things that can affect whether you or your company will trust someone or something with certain control over your environment and being.

Before we get into the thick of it, I want to clarify a few concepts, as they can be confusing for many. Commercial software is not always closed-source, and closed-source software is not always commercial. Likewise, open-source software is not always free (as in $$). Therefore, we can have commercial software that is open-source, and we can have open-source software that is commercial, contrary to the common belief that these are opposites.

Let’s briefly talk about each of these:

Commercial closed-source

The most common situation for commercial software is for it to be closed-source. A few reasons exist for this, the most common being:

  1. Protecting Intellectual Property
  2. Security through obscurity
  3. Hiding code that may be detrimental to trust in the software (i.e. poor, buggy code, and/or code that “spies” on the customer)

Commercial open-source

A very uncommon situation is to find commercial software open-sourced, but it does happen, typically due to philosophical reasons of the organisation that produces the software. The benefit of this model is that you as a consumer (and the community at large) can validate points 2 & 3 as mentioned under “Commercial closed-source” without having to “trust” the software vendor.

More of the benefits, I will discuss later in this article.

Free closed-source

Another common situation is to find free software that is closed-source. The majority of the free apps on your mobile device would fall under this category. The websites Facebook, Google, and so on fall under this model.

As with “Commercial closed-source”, this is done to protect intellectual property, provide a level of security through obscurity, and hide poor, buggy, and spyware-ridden code.

When I mention spyware, this is the most common threat to you or your organisation when using free closed-source software. We constantly hear about popular free apps that spy on us. In the case of Facebook and Google this can be much more subtle, and often you agree to how they use the data when you sign up for the service.

Facebook and Google make revenue from advertisements; they are arguably the best advertising platforms on the internet. They have achieved this success by building extremely complex and comprehensive profiles of their users as they use their platforms or visit other websites online, so as to know what their users are most likely to be interested in buying, and then placing relevant ads in front of you on their platform and on the internet at large.

Hence the saying that “if you use free software, you become the product” (advertisers are paying for access to your habits, your desires, and your screen).

In a nutshell, be wary of using free closed-source software, and ensure that you’re okay with the terms that come with using this type of software.

Free open-source

Lastly, free open-source software. It exists thanks to a huge community of developers, activists, and evangelists who at times can be very outspoken. Many people are confused as to what motivates people to develop free open-source software, as the majority of the time there is no monetary reward.

People developing free and open-source software involve themselves for a potentially limitless number of reasons, most commonly:

  • Philosophical: much like libraries provide free access to knowledge, or volunteers work for free.
  • Hobby: they enjoy developing software and want to do it beyond their day job.
  • Building reputation: commercial closed-source development typically puts you under an NDA, and you can’t show others what you’ve actually built.

In fact, this article right now is being written using a number of free open-source software technologies: a Libreboot T400, running Parabola GNU/Linux-libre, with Chromium.

It’s a testament to people’s good will, and willingness to work free of monetary motivation, that we’ve seen huge successes in the free open-source world with software like the Linux kernel, GNU tool set, Firefox, and in a corporate sponsorship sense software like Android and Chromium (Chrome).

What makes people or companies choose between these types of software?

You typically see a trend of large enterprises choosing to purchase licenses to use commercial closed-source software, for a number of reasons, primarily:

  • Most enterprise-grade software is commercial closed-source.
  • Access to enterprise grade support.
  • Enterprises can transfer liability through the use of the software onto the software vendor (because they are paying for it).

That being said, there are some exceptions to this rule. Organisations that have a strong internal technology skill set, for instance Google, Amazon, and Facebook, will often use free open-source software, because it gives them the flexibility to fine-tune and tweak the software to work at the scales they need it to. They also do not necessarily need access to ongoing enterprise-grade vendor support, as they have their own internal technical skill to troubleshoot and resolve issues.

The case for commercial open-source

We’ve gone over a lot of back story, types of software, and motivations for using each type; it’s time to loop back to the original intention of this article: trust. Many would argue you can’t trust closed-source software, because you can’t validate that it does what it claims to do, since you can’t get a look at the inner workings.

I’d argue the complete opposite: all you can do is trust closed-source software. You have nothing else to go on but to trust that it’s doing what the vendor says it does. In reality, when it comes to open-source software, you don’t have to trust it; you validate it. In the case of popular open-source software, you also have the added assurance that many eyes are looking at the code, that pressure exists on the developers to ensure the code is kept tidy, and that the majority of security flaws are discovered and corrected quickly.

When you can verify that something does exactly what it says it does, nothing more and nothing less, there is no need to trust it, and arguably that is a much better state to be in.

Why not free open-source?

Free open-source (as in $$) is a perfectly legitimate model, and chances are each and every one of us has benefited in one way or another from the existence of this type of software.

You can compare free open-source software to the non-governmental and charity organisations of the world: they are funded largely by donations and proceeds from fundraisers, as well as grants. This money goes to pay for infrastructure to distribute the free software, and in some cases pays employees and developers as well.

The great thing about these organisations is that they are free from the profit motive; they can focus on their mission and dedicate all of their resources to it. Unfortunately, it can also mean they survive precariously and are at risk of not balancing their budget year over year.

Commercial open-source: a viable alternative?

I believe that commercial open-source is a fair trade-off from an internal organisation standpoint. You’re still stuck with the profit motive, which in a closed-source model allows poor, buggy, and flawed code to end up being released to customers while chasing deadlines. In the open-source model, though, there is more pressure to release code that is of quality, as your customers and the community at large can audit it themselves.

As is the case in our society, the majority of people want to increase their personal net worth (for any number of reasons, some good, some bad). This means there is much more capital available to accelerate development, hire top talent, and progress towards a company’s mission with less financial stress than you might see in a free open-source project.

From a consumer’s or client’s standpoint, they don’t have to trust that your code is doing what you claim it does, nothing less and nothing more; they can audit and validate it themselves.

The only main concern that lingers is that of the intellectual property of the vendor. What prevents someone from copying the code and building their own business using your work? Licensing agreements and patents can provide legal protection from a party that is identifiable and operating in the same jurisdiction as you. They won’t, however, protect you from individuals in other countries or those who choose to remain anonymous.

The reality is, this kind of theft doesn’t happen frequently; it takes a lot more work to build a viable business than simply having a product. Most of the intellectual property theft we hear about today is happening to proprietary closed-source property that is hacked by individuals or groups in jurisdictions out of reach of intellectual property laws (China, India, etc…). Therefore, the intellectual property point is kind of moot.

Wrapping Up

Many companies have taken to open-sourcing segments of their code for specific applications in their portfolios, some interesting examples include many of the big tech companies: Open Source Should Thank These Five Companies

Recommendations to open-source your code in order to attract talent are common as well: Want To Recruit Better Engineers? Open Source Your Code

Tesla is another great example of a company (not strictly software-related) that is willing to let the competition use what they’ve pioneered to help advance their mission (which is not directly profit or market-share driven): All Our Patent Are Belong To You

To be clear, I’m not necessarily advocating for companies to open-source all of their code. I do, however, think it is important to the extent that they can. At the end of the day there are certain portions of code (especially in SaaS companies) that are used to protect technical infrastructure from attack, and often that code remaining obscure is necessary. As one Quora response by Bob Anderson puts it well: “Open as much as you can. Let the world in. But not to the point that it threatens your existence.”

You have no choice but to trust closed-source software. Open-source software requires no trust; it can be validated.

Hopefully this article has been thought-provoking. I encourage you to like, comment, and share!

Originally published at https://www.linkedin.com.

Founder at Lockdrop | CISSP | AWS-SAP
