Scott Granneman, whose excellent recap of the recent Greasemonkey security flap appears here and here, was perplexed by what I wrote on the subject here and embellished here. Like me, Scott is a huge fan of Firefox, of Greasemonkey, and of the grassroots culture of transparency that sustains these and other open source efforts. So where's the disconnect? Let's start here:
Why is it that a discussion of open versus closed source software comes up every time an application vulnerability is found?

I think it's because open source advocates have conditioned that reflex. Listen, for example, to Michael Tiemann at the MySQL User's Conference:
In July 2002 they [Microsoft] said they'd spend 100 million bucks improving their security. In July of 2003, they said it would be 200 million. In January 2004 they said a billion, and in March 2005 they said they were spending over 2 billion. This graph is logarithmic. If this trend continues, they will spend approximately their entire revenues on fixing security, or they'll spend what remains of their bank balance. From my perspective, this is a consequence of a failure of design. This is a failure of the shared source model. (entire 4-minute clip)

Michael Tiemann is a scary smart guy, and this was a wonderful talk which I listened to twice because it's full of thought-provoking ideas. But while the trend he identifies is real, projections are always dicey. Three years ago I never would have predicted Microsoft's enthusiastic entry into the blogosphere. Nor would I have predicted the dramatic rehabilitation of the IIS web server.
Scott Granneman asks:
Which would you rather have? An open process like that practiced by Greasemonkey, or a closed process like that chosen too often by major vendors like Microsoft (and Cisco, but don't get me started on that debacle)? I know which one I prefer, and which one is ultimately better for all computer and Internet users.

It's no contest. I choose the open process. But I don't believe that every innovation, effective method, or competitive advantage flows from that openness. Important initiatives can arise anywhere. Executing them may require an architecture of control along with an architecture of participation. Merging the two styles is a daunting challenge, and perhaps in the end an impossible one, but I continue to entertain the possibility.
Former URL: http://weblog.infoworld.com/udell/2005/08/10.html#a1287