In cases of major discrepancy it is always reality that's got it wrong.

From RFC1118

A: I consider Open Source to be an important part of the international programming fraternity, an institution organized as a virtual scientific academy that has discovered many talented developers from various countries, especially Europe and Spanish-speaking countries. It's great how active this fraternity is!

This "pro bono" (Latin "for the common good") development is not unique to software. Most professional codes of ethics encourage participants to donate some of their time "pro bono". I think that the healthy part of the Open Source movement is in reality a "pro bono" movement that has already produced a long-lasting impact on software and is especially important to education, developing countries, cash-strapped startups, etc.

I consider it to be an important part of the Unix Renaissance, the most important democratic movement in software development in the XX century, started by the Berkeley University Free/Net BSD project (TCP/IP, Bind, sendmail, vim, to name a few things) and MIT's GNU project (gcc, gdb, emacs, etc.). One very important benefit that Linux provides is that, along with Free/Open BSD, it's a free and open alternative to any proprietary operating system, and due to the GNU license it most probably will stay that way.

At the same time the movement is still in its early stages (and not its last days, as some predict) and it suffers from some "childish diseases". One of them is bad advocacy. The term "bad Linux advocacy", or Raymondism, was introduced in my First Monday paper to differentiate credible OSS advocacy from the popular brand of naive Linux chauvinism that borders on the blindfolded ("Linux uber alles"). The main problem with Raymondism is that with the loss of credibility comes a betrayal of trust to the intelligent readership.

Like any other type of groupthink, Raymondism leads its followers to:

Systematically overestimate the group capabilities.

Believe in the inherent morality of the group, regardless of how immoral parts of the group behave.

Develop their own rationalization for failures.

Rely on stereotypes of adversaries (Microsoft) rather than accurate perceptions.

Suppress rather than express their doubts and reservations about the group and particular decisions.

Have an illusory belief that the group is unanimous in its decisions when many in fact have their doubts and reservations.

Overly call upon those who do express criticism to suppress this criticism out of loyalty to the group or the "fearless leader".

What ESR and Co failed to realize is that people who are developing and using Solaris, Novell and Microsoft products are also professionals, and many of them are of a caliber far superior to the author of low to middle-range open source products like EMACS editor macros, a mail utility, and the like ;-). For any intelligent professional an open demonstration of arrogance naturally creates a strong negative reaction, a backlash that is damaging to the movement's credibility and future.

Before I get flamed for this, please understand that a holy war, "Linux uber alles" of sorts, is a self-defeating strategy. I hope that there is a healthy "silent majority" of the open source community (that's why I actually am writing this FAQ) who are just writing code as best they can, and/or submitting patches and bug reports. But that does not mean that we can just ignore the ranting and raving of the zealots: the public tends to define the open source community in terms of its most outspoken members (ESR and Co), which in this particular case means zealots...

As Jono Bacon put it in the UK Linux Group article The Good, the Bad and the Proprietary:

I mean, let's take a reality check at this early point in this discussion; Linux is software - a man made tool that serves a purpose, and we need to remember that Linux is only software, and not some godly means in life where we must cast down all those who oppose. The particular Linux users that I direct this comment to are what I would call "those users who like to express their opinion in forceful manner"; in other words, those people who get very hostile to anything that isn't Linux. Microsoft is usually a direct target when it comes to shoving some negative energy in the right direction. While I think that Microsoft does have its flaws, everything has two sides, and Microsoft has consistently developed well designed easy to use software that lets novices get some work done.

The same problems exist with primitive anti-Microsoft rhetoric like ESR's (see Slashdot ESR responds to Ed Muth for a more detailed discussion):

After months of silence out of Redmond, the themes of Microsoft's coming FUD campaign against Linux are beginning to emerge like a zombie army from the fetid mists of Redmond. And who should that black-armored, axe-wielding figure riding point be but our old friend Ed "Sheriff of Nottingham" Muth, apparently recovered from leading with his chin last time around and ready for another go at Linus and his Merry Men of Sherwood.

Even Linus Torvalds proved to be not immune to this disease. Some of his technical judgments are very suspect. It's enough to read several of his interviews attentively to understand that he started making predictions and evaluating things about which he actually has very little real knowledge due to the specifics of his career, and the best he can do is make an educated guess. As Charles Hannan, a developer of an alternative operating system, was quoted in an Ottawa Citizen article: "All in all that IPO money did to some Linux developers was make them incredibly arrogant."

Overhyping open source doesn't actually help to create a larger user base and/or sustained development of the community. We should suspect any OSS advocacy that includes the following features:

Gross oversimplifications like "open source software is good, closed source is bad", "Linux has better quality than closed source UNIXes or Free/Open BSD", that "contributors to open source projects are plentiful and contributions always have high quality", etc. Bob Young's example of a car in which you are not allowed to "look under the hood" (as if most customers know or want to know how to fine tune fuel injection, or are able to diagnose various malfunctions and/or install additional equipment like, say, a turbo compressor) is a more subtle example of the same category.

Claiming that open source software is the most economically efficient paradigm of producing software and is much better than any alternative method. This is called economism or Vulgar Marxism. See Is "Vulgar Marxism" a legitimate scientific term. Bad Linux advocacy considers commercial software developers inferior to free/open source developers. It also has a fundamentalist attitude about the necessity of redistributing software code. I agree that it's a nice feature and it really makes a difference in many cases (especially in education, poor countries, cash-strapped startups, etc.), but still the absence of the source code should not be the cause of moral indignation, as Bertrand Meyer hinted in his essay.

Emphasizing volunteer development and concealing the facts about the true economic origin of many popular open source software products, including Linux. In reality a considerable part of it is not "donated", but "taxpayer-funded" (university-funded) or "commercially funded" (current versions of Linux). Even Linus Torvalds cannot be called a volunteer after probably just the first two years of kernel development: after that his "hobby" was financed by the University of Helsinki (which allowed Linus to do development on his university job), then Transmeta picked up the bills. Later the IPO stock gold rush remunerated him quite nicely, probably on a level very few leading commercial developers enjoy. I would say that Linus Torvalds probably belongs to the first dozen of the most highly paid developers in the Unix world. Without commercial developers and support of development by commercial distributors, Linux in its present form would be impossible. Most significant open source products are now developed by paid developers (staff of Linux companies, IBM, Sun, etc.) and in this respect are not that different from commercial products that involve cooperation of several companies. It's just a new commercial software development paradigm that can be called complexity-level based commercialization. There is nothing bad about it; we just need to understand the real picture. Actually the FSF used paid developers to develop software from the beginning. That means that CatB's claim that Linus Torvalds is a volunteer developer contradicts Linus Torvalds' biography. On the other hand, commercial companies contributed a lot more to Linux than Raymondism would like to accept. For example, the role of DEC in the development of Linux, and of Intel and IBM in funding Linux startups, is ignored in CatB and similar essays.

A holier than thou attitude, disrespect of other developers. The attacks against commercial software developers, especially Microsoft. These two communities actually are interdependent. First of all one needs to understand that development of all major open source products is currently organized on a commercial basis. Instigation of hatred of the members of the commercial community is unproductive and unethical. Often open source products are re-implementations of commercial products (Linux is a very good example here, but Ghostscript, GIMP and Samba probably can be mentioned too). Borrowing from the design of a commercial product requires respect and acknowledgement of the original product. This attitude is definitely lacking in phrases like "I invented Linux" (the most generous claim possible would be "re-implemented a Unix kernel using Minix and FSF tools") and so on. This is as close to the infamous Microsoft phrase "We invented Windows" as one can get. See also the Linus Torvalds cult of personality issue in Linus Torvalds' biography. We will also touch on this important problem below.

Another example of "a holier than thou" attitude is ESR's anti-Microsoft rhetoric, like his discussion of Microsoft in the Halloween documents (see for example Halloween V):

After months of silence out of Redmond, the themes of Microsoft's coming FUD campaign against Linux are beginning to emerge like a zombie army from the fetid mists of Redmond. And who should that black-armored, axe-wielding figure riding point be but our old friend Ed "Sheriff of Nottingham" Muth, apparently recovered from leading with his chin last time around and ready for another go at Linus and his Merry Men of Sherwood.

Yes, of course, Microsoft is far from being a saint, but this is simply ridiculous. Even the usual marketing suspects rarely sink so low.

Jeff Lewis in his interesting paper The Cathedral and the Bizarre discussed another trick that ESR often uses ("Windows 2000 63K bugs trick"):

Raymond points out that Windows 2000, which reportedly shipped with 63,000 bugs, shows that OpenSource works because under Brooks' "Law", the number of bugs is roughly proportional to the square of the number of programmers. Since Linux has 40,000 developers working on it - there should be 2 billion bugs in Linux. The flaw is that he perceives Linux as a collection of small projects, but sees Win2K as a single monolithic application - much as he seems to see MacOS. In reality, Win2K and MacOS aren't monolithic. They are composed of many smaller parts which are handled by smaller teams. Much like Linux. As for comparing bug counts - at least Microsoft has a bug count. If Raymond had bothered to check the number, he'd have found that a rather large proportion of the 63,000 bugs are cosmetic - and none were considered 'showstoppers'. We don't even have a way to determine the real bug count for Linux since there's no central repository for this sort of information.

Raymondism seems to be assuming that all OSes are targeted to the same market segment. This is a questionable assumption. Developer resources are not infinite, and explicit or implicit priorities lead to the particular strong and weak points of a particular OS. Unix in general was designed as a developer OS, and naturally most developers and power users really like this OS and prefer it to others. It is also a very good server OS. That does not exclude the possibility of its use in other market segments, but the level of success achievable in each of them is questionable. For example the Mac is popular among graphic artists, musicians and users without special computer training. One can say that it is a specialized OS for those market segments, and that's why the question of consistency of user interface is so well addressed in the OS. It's a top priority for those segments.

See the Slashdot discussion of The Cathedral and the Bizarre for more information. It's just reinforcing the idea that there are different markets and different kinds of software and different kinds of users. No surprise that OSS fits some niches and doesn't fit others.

Explicit and/or implicit personal attacks on RMS. You can disagree with the political views of RMS (software anarchism) or reject GPL as a license for your software (I am far from that; LGPL seems more reasonable to me), but please do not forget that RMS was a great programmer who initiated the development of, and put a lot of personal effort into, GCC, GDB and Emacs. And that means that we definitely should respect him as one of the greatest contributors to open source. As Bertrand Meyer has shown, RMS has his own problems in the advocacy area, but please remember that the GCC compiler is the cornerstone of the movement. In any case ESR and his closed Open Source Initiative is a pigmy in comparison with the past and present role and achievements of RMS/FSF. Paradoxically, in many important aspects Raymondism is more radical than RMS' views. For example RMS never claimed that free software development is a superior model for software development compared to commercial development. Nor did he ever claim that everybody should use open source software only -- for him it's a personal preference that you can take or reject. In no way did RMS contribute to those crazy Linux IPOs that led to "enthusiasm led investments" from the most active people in the community -- the investments that are now at risk due to the unclear commercial perspectives of the Linux-based companies. Actually RMS and the FSF supporters ("Free Software" or GPL community) in general have no problem with commercial software developers and selling software. In fact, the FSF generates revenue through the sale of software. Since Jan. 1998 Eric Raymond has successfully promoted "open source" as a distinct and slightly anti-Stallman movement.

See for example his interview with Smart Reseller, Straight From The Source, where Eric was called a Godfather of Linux ;-) Note how skillfully an anti-RMS stance was injected -- GPL essentially permits commercial use and might be one of the core reasons for Linux popularity (FreeBSD was technically superior in many important areas until probably the 2.4 kernel). The open source license is a Johnny-come-lately and as of this writing has no important products to claim:

SR: Some of our readers may be confused by the "open source" movement you represent, which is significantly different from Richard Stallman's (a.k.a. RMS, founder of the Free Software Foundation and the GNU Project) "free software" statements. Open source is not the same thing as Stallman's "free software," right?

Raymond: The distinction between the open-source movement and what RMS is doing is that we push utility arguments while he publishes moralistic ones. RMS's basic stance is that intellectual property is evil and, therefore, sources must be open. Ours is that we want what gives the best engineering results, and that's open source.

Later ESR seems to have acquired a pop star syndrome at some point and decided that he could safely make personal attacks on RMS in order to promote his own Open Source Initiative. This "pop star syndrome" can probably explain the fact that he also felt the need to go public about his new wealth. This was a very bad move from a PR perspective and just shows how arrogant ESR became; he not only managed to discredit himself both as a person and as an evangelist by attacking the FSF, but also alienated those Linux developers who failed to get into this short-lived get-money-fast-and-run Linux Gold Rush (I suspect the latter category encompasses most developers outside the USA). There's nothing wrong with making money, even big money, but Linux doesn't benefit from crazy IPOs based on hype and manipulations by investment brokers. I suspect that the "Open source rich" became rich at the expense of naive believers in the OSS phenomenon, not from the day traders.

Attempts to contribute to Linus Torvalds' "cult of personality". Often this is done via blatant exaggerations in the best style of the North Korean press, but sometimes more subtle ways are used too. For example, calling him a "true pragmatist" and contrasting him with an "idealist" RMS (who, by the way, is the principal author of the GPL license -- the license that proved to be instrumental to the success of Linux and, along with the BSD license, was widely adopted in projects all over the globe). The GNU Project was around long before Linux. But it's not a stretch to suggest that GNU was a relatively obscure phenomenon before Linux brought its benefits front and center to the computing mainstream. Stallman's belief that it is better to have poor-quality free software than high-quality proprietary stuff might have forever kept the GNU world view as a niche had Torvalds' pragmatism not brought it out. From this point of view GPL proved to be a very "pragmatic" license. Moreover FSF was well known/respected well before Linux. For example, here is a stance by Evan Leibovitch in his essay In the middle lies sanity. See cult of personality for additional quotes.



Claiming that open source software has intrinsically higher quality than closed source commercially developed software. This statement is an article of faith among some open source advocates, but until I see an objective, empirical study that substantiates it, it shouldn't be stated as fact. Actually there are badly designed, insecure and quite popular open source products (Sendmail might be one example). Some open source products might use algorithms that are no longer on the cutting edge of technology, and their development might be slow, but they still play the role of the de facto standard in the open source world (compare, for example, the speed of development and the level of interface refinement of gzip and rar). The issue of the quality of algorithms is often ignored, but IMHO the algorithms used are often far more important than other issues and make the difference between bad and good software.

Blah-blah-blah about world domination. Linux domination would be a bad thing. We need to respect BeOS, Inferno, VMWare, VM/Linux (a derivative of the older VM/CMS -- IBM's two layer approach to OS design in which a simpler OS (Linux) runs on top of a complex (and proprietary) virtual machine monitor that hides a lot of complexity from the upper level and that provides a virtual cluster or network, and as such is different from plain-vanilla Linux on a single machine) and other free Unixes (Free/Open/NetBSD). Pluralism in OSes is as important as in other spheres of life, and one of the greatest achievements of Linux is that it helps to overcome Microsoft dominance in the PC world. Microsoft dominance has already badly influenced people and there should be no new "Mongol oppression". It's really important that people choose the right tool for the job (the best tool for the job, if you have enough money). That will not always be Linux or Unix. No single OS can do everything well. Actually Linux on a desktop is far from being a paradise and probably never will be due to its server-centric architecture. It's pretty attractive to power users mainly because they actually need and can productively use a server as a desktop. But you need to want to be your own sysadmin ;-).



The other side of this "world domination" drive is that attempts to represent the Linux kernel as the best available Unix kernel implementation strengthen the impression of the Linux movement as a high-tech cult. The kernel is pretty good, and I like and use it, but in many respects it's not the best and never will be.

Overrating open source security. The problem is not finding people, but finding quality people to audit software, and that's much more difficult than ESR assumes. On April 14th 2000 reports began to appear of an apparently deliberate back-door in Microsoft FrontPage services. The reports specified that the back-door password was "Netscape engineers are weenies!". ESR fell over himself. After his Halloween success this was the news item he was waiting for! But here the result was quite the opposite. A real fiasco occurred. In his note Designed for Uncertainty Matt Michie wrote:

Eric Raymond wrote an article where he stated, "It's pretty clear. Anybody who trusts their security to closed-source software is begging to have a back door slipped on to their system -- with or without the knowledge of the people who shipped the code and theoretically stand behind it. ... Apache has never had an exploit like this, and never will. Nor will Linux...".

Of course the next day, after some background and fact checking, it was revealed that the Microsoft back-door wasn't as bad as was originally reported. Further, ten days later a security firm found what could be considered a back door in Red Hat Linux. Ironically, the bug was in a piece of web software. The security advisory states, "The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may lead to remote compromise of the server, as well as exposure or defacement of the website."

Wait a minute. Doesn't Red Hat "theoretically" stand behind the code they ship? How could this back door have been inserted into Open Source code? Didn't Mr. Raymond say that this couldn't happen to Linux? What do all the pundits who were railing against Microsoft's security holes have to say about this? Is there a double standard when it comes to reporting Microsoft? In this situation, the Linux press, such as Slashdot, are looking more like a sick imitation of what ZDNet used to be. Why is it "evil" when Microsoft FUDs Linux, but "advocacy" when Linux sites FUD Microsoft? Is it too much to expect unbiased reporting in the media?

But the problem is deeper. Here is an opinion of John Viega, a Senior Research Associate in the Software Security Group at Reliable Software Technologies, an Adjunct Professor of Computer Science at the Virginia Polytechnic Institute, the author of Mailman, the open source GNU Mailing List Manager, and ITS4, a tool for finding security vulnerabilities in C and C++ code. He has authored over 30 technical publications in the areas of software security and testing, and is responsible for finding several well-publicized security vulnerabilities in major network and e-commerce products, including a recent break in Netscape's security. In his recent paper The Myth of Open Source Security he wrote:

...Even if you get the right kind of people doing the right kinds of things, you may have problems that you never hear about. Security problems are often incredibly subtle, and may span large parts of a source tree. It is not uncommon to have two or three features spread throughout a program, none of which constitutes a security problem alone, but which can be used together to perform a security breach. For example, two buffer overflows recently found in Kerberos version 5 could only be exploited when used in conjunction with each other.

As a result, doing security reviews of source code tends to be complex and boring, since you generally have to look at a lot of code, and understand it pretty well. Even many experts don't like to do these kinds of reviews.

And even the experts can miss things. Consider the case of the popular open source FTP server wu-ftpd. In the past two years, several very subtle buffer overflow problems have been found in the code. Almost all of these problems had been in the code for years, despite the fact that the program had been examined many times by both hackers and security auditors. If any of them had discovered the problems, they didn't announce it publicly. In fact, the wu-ftpd has been used as a case study for vulnerability detection techniques that never identified these problems as definite flaws. One tool was able to identify one of the problems as potentially exploitable, but researchers examined the code thoroughly for a couple of days, and came to the conclusion that there was no way that the problem identified by their tool could actually be exploited. Over a year later, they learned that they were wrong, when an expert audit finally did turn up the problem.

In code with any reasonable complexity, it can be very difficult to find bugs. The wu-ftpd is less than 8000 lines of code long, but it was easy for several bugs to remain hidden in that small space over long periods of time.

To compound the problem, even when people know about security holes, they may not get fixed, at least not right away. Even when identified, the security problems in Mailman took many months to fix, because security was not the core development team's most immediate concern. In fact, the team believes one problem still persists in the code, but only in a configuration that we suspect doesn't get used.

An army in my belly

The single most pernicious problem in computer security today is the buffer overflow. While the availability of source code has clearly reduced the number of buffer overflow problems in open source programs, according to several sources, including CERT, buffer overflows still account for at least a quarter of all security advisories, year after year.

Open source proponents sometimes claim that the "many eyeballs" phenomenon prevents Trojan horses from being introduced in open source software. The speed with which the TCP wrappers Trojan was discovered in early 1999 is sometimes cited as supporting evidence. This too can lull the open source movement into a false sense of security, however, since the TCP wrappers Trojan is not a good example of a truly stealthy Trojan horse: the code was glaringly out of place and obviously put there for malicious purposes only. It was as if the original Trojan horse had been wheeled into Troy with a sign attached that said, "I've got an army in my belly!"

...Currently, however, the benefits open source provides in terms of security are vastly overrated, because there isn't as much high-quality auditing as people believe, and because many security problems are much more difficult to find than people realize. Open source programs which appeal to a limited audience are particularly at risk, because of the smaller number of eyeballs looking at the code. But all open source software is vulnerable, and the open source movement can only benefit by paying more attention to security.

That's why in my first paper I raised a heretical question: "Is the global free software/open source movement suffering from a special type of bad advocacy?". For those who read the paper it's clear that my answer is yes. Bad Linux advocacy for me is the name of a Linux-based open source fundamentalism -- the dominant type of bad advocacy, which adopts simplistic and badly thought out arguments in the spirit of an obscure cult (see also Lysenkoism). I've often wondered why it's so difficult to avoid hyperbole when discussing Linux. After all it's just one of several free Unix kernels and technically not even the best one. Actually dramatic overstatement is not confined only to those who are most closely associated with Linux evangelism (sometimes called the slashdot crowd); it has also spread to those who are developing and implementing Linux. In his DaveNet The Sixth Sense Dave Winer aptly stated (bold italics are mine):

What does open source have in common with Java?



Both are former panaceas. Like object oriented programming in the late 80s, if adopted, they would supposedly lead to magic synergies known only to the promoters, and breathlessly replayed by reporters looking for an easy story to repeat over and over and over.



Java was (and is) Pascal reincarnated. A virtual machine that ran on real machines. Good idea. Been done before. Open source is a tradition that dates back at least thirty years, if not longer. If you learned how to program in the 70s your teacher was quite possibly the source code for Unix (that's how I learned).



Fodder for the hype machine, these "trends" make some people rich, and take the focus off what's really happening, which is still the Web. Then they fade out, to be replaced by the next vacuous trend, and in the meantime, most developers work hard, outside the spotlight, to make their users happy. (That includes open source developers, btw.)



The thing that's truly offensive about these panaceas is that they are so exclusive and disrespectful of other developers. Until Sun embraced SOAP, the only Sun-endorsed way to communicate with Java apps was to convert your whole program to Java. The Java evangelists would cheerfully and seriously tell you to do this. Same with open source. Unless you shipped all your source on their terms the wall was insurmountable. These are outages of the first order.



When will we learn the lesson, that predates even the Internet, that all outages in software are eventually routed around. Try to control and you lose your place. The time-of-control is shortening all the time. IBM had a 20 year run. DEC was the leader for 10 years. Microsoft, for four, at most. Java had an even more brief run and it was over before Java could actually do anything that anyone wanted to do. If you're a student of technology history, the long-shot bet of being dominant looks worse and worse. Even if you manage to attain dominance, briefly, who wants to be the trend of last year?



Thankfully the open source rage is on its last legs. If you're honest and made a bet on open source, and want to get help from the press and investors, here's some open source (free) advice. Play it down.

Actually open source software can be better than closed source or it can be worse; it's just a different class of software with its own strengths and weaknesses, and to claim that it's superior by definition is kind of naive. I think that RMS is right that the main advantage here is freedom, not quality or other real or perceived attributes per se. Actual benefits depend on the personality of the developer. Only talented people can produce top quality software, be it open or proprietary. And quality documentation about the algorithms used is often as important as (or more important than) the availability of the source code. I will often prefer a simpler and probably not that well written open source program to a closed source one, but I would prefer a closed source program with carefully documented algorithms and a clean interface to a large undocumented open source program. For non-trivial programs algorithms are of crucial importance.

I would not go so far as to claim that extremist open source advocacy is a new type of religious fundamentalism, although Raymondism does share some features with a high demand cult.

Religious fundamentalism is extraordinarily dangerous. Open source fundamentalism, at best, is annoying. It's just an example of what happens when a movement based on particular principles is repackaged and sold to companies as a new and effective means, i.e. a better way to turn a profit.

It's interesting that RMS is now typically criticized by ESR for being past his time, etc. There's a predictable pattern to many social movements of this sort: they begin with prophetic characters with a radical moral-ethical agenda (RMS), and then gradually become co-opted and assimilated to serve corporations and the market by opportunists like ESR. But in reality the FSF "free as a principle" approach is close to the idea of "pro bono" and might be the most democratic approach. Yes, there are problems with GPL, and I would prefer a BSD-style license in most (but not all) cases, but that's a completely different story.
