The “Free”, “Standard”, “Open” Software Heresy

There are people who hold a strong, dogmatic belief in what they call “Free”, “Standard” or “Open” software. One of them is Jimmie (let’s call him Jimmie in this article), who responded to an article about Java persistence by Marco Behler on TheServerSide.

Let me cite Jimmie’s response here:

JPA is difficult but complete. It has a learning curve, and you’ll have surprises if you try to shortcut its complexities. But they mostly are there for a reason. Difficult stuff is difficult using JPA, that’s true.

JOOQ is quick to learn. And is proprietary stuff. Not free. Only one implementation. No public review, only one body involved in its evolution. SQL-oriented, not OO (ok, they say it’s a feature).
As a serious professional, learn JPA. Fully. There is no excuse for not knowing which sql queries are generated in your production app. Replacing it with a more basic framework is no solution.

Let’s not go deeply into the concrete differences between JPA and jOOQ / SQL. That topic has already been discussed at length on Reddit. Let’s consider the essence of the comparison as perceived by Jimmie, because Jimmie would probably say exactly the same thing when comparing

  • JSF with Ext.JS or ZK
  • PostgreSQL with Oracle
  • MS Office or Google Docs (probably OK cause “gratis”) with LibreOffice
  • Linux with Windows or MacOSX (although he might perform some doublethink as a Mac user)

Software not being free

Jimmie, is YOUR software free and “not proprietary”? If so, how do you finance it? How do you earn a living? And why are you doing it? What really motivates you? What really motivates your customers, and why?

Only one implementation

How many people actually use alternatives to Hibernate, and why? Are they using EclipseLink mainly because they have used TopLink for the last 20 years and the learning curve (or benefit) of switching to Hibernate is too high? How often do you actually switch implementations? What keeps you from implementing the jOOQ API yourself and open-sourcing that implementation?

And most importantly: Do you always adhere to the JPA API, even when Hibernate has lots of awesome, proprietary extensions that just happen to work so much better, or are so much easier to use?

No public review

Who exactly is “the public”, and what are their main interests? Did you know that one of the major driving forces behind the JDK is Credit Suisse, being a large Oracle customer in the Java environment, for instance? What is your stake in, and relation to, Credit Suisse as your “public” representative?

Only one body involved in its evolution

Do you say that to YOUR customers also, about your own software as well?

SQL-oriented vs “a serious professional”

What’s not serious about SQL? In fact, SQL is reviewed by more entities than the JLS, let alone the JPA specs. Have you ever thought about that?

More basic

Fair enough. But don’t forget: You probably replaced your sophisticated EJB 2.0 framework (still a standard!) from the early 2000s with a more basic one, which was (at the time) proprietary, had only one implementation, had no public review, and had no multiple bodies involved in its evolution. It was, at the time, called Hibernate. And let me take the opportunity to cite Gavin King (creator of Hibernate) on when to use Hibernate:

[Image: Gavin King on when to use Hibernate]

My reply to you, Jimmie

According to you, JPA has to be learned fully. So I challenge you to also FULLY learn SQL, including all the SQL:2011 clauses, such as

  • window functions
  • grouping sets
  • common table expressions
  • distinct/match/type/submultiset/unique predicates
  • time periods
  • partitioned outer joins
  • lateral joins
  • standard OFFSET pagination
  • contextually typed value specifications
  • quantified comparison predicates

… and of course all the details of interoperation between SQL and XQuery, one of the most popular aspects of the SQL:2011 standard!

And please, learn this FULLY, regardless of whether these things are part of your specific implementation. Because as a serious professional, you shall fully learn SQL. And while you’re at it, learn everything about execution plans, join and fetch algorithms, buffer caching, cursor caching and all other sorts of algorithms. Because there is no excuse for not knowing which SQL transformations are generated by your database’s cost-based optimiser (CBO).

I know you like standards, Jimmie. But beware of the fact that there are some people out there who cannot wait for a standard to evolve to solve their problems. They may have more immediate problems. More specific problems. Simpler problems. Problems that might be solved only by proprietary software, so far. Or problems that are solved by proprietary software, that can be put into production with much less effort than your standards, Jimmie.

Lower time-to-market is what your customer might consider “professional”. Not whether this or that tech is used.

Someone always invents something proprietary at some time. It might just evolve into a standard. It might have been a bad idea and not evolve into anything. Or it might evolve into a standard and then be the worst standard ever. See again: EJB 2.0. I think we all agree on that, today.

No, Jimmie, the world isn’t black and white. It isn’t just about standards vs. proprietary. About free (libre) vs. commercial. About free (gratis) vs. “closed”. It’s about creating value for your customer.

Oh, and Jimmie. I sincerely hope you’re neither a Windows nor a Mac user, because that wouldn’t be free, and there is only one implementation of each OS, and no public review, and only one body involved in their evolution. And yet, the whole world runs on one of them.

Thanks for your attention, Jimmie.

Free as in Beer has caused Heartbleed (and Much More)

Heartbleed is a bit over one month old now. A bug significant enough to have its own Wikipedia page. Today, we’re going to look into how wrong we have been in assuming that Open Source software is more secure than commercial software, just because the source code is open and we think that many developers are looking into it.

Free as in Beer

One of the core principles of Open Source software is, well, that it is open and that this openness is free in one way or another. This allows us developers to browse source code of third-party software and libraries for various reasons:

  • To learn from it
  • To copy it (under the terms of the respective license)
  • To modify it (under the terms of the respective license)
  • To verify it

Proprietary software often lacks the above attributes, but in exchange you get warranties. When you read through the millions of lines of unintelligible legal Microsoft text, for instance, you will see that Microsoft gives a couple of guarantees, also with respect to security and how security flaws are remedied.

The warranty that is legally shouted at you by OpenSSL is this one:

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

In fact, you don’t have any warranties. Specifically, there is no liability for direct or indirect loss of data, as has happened because of Heartbleed.

Obvious, right? Because it’s free as in beer, any consequences resulting from the Heartbleed bug are entirely your own fault, if you’re using OpenSSL, or any other open source software that includes OpenSSL under similar terms.

Yes. You should have known that you were vulnerable, because you actually could have verified it. Did you? Of course not. Did we? No way we’re delving through all that C code. Did our “suppliers”? We don’t even know. We’re using WinSCP extensively, and check this out, WinSCP was affected by Heartbleed! The developers over at WinSCP have been nice enough to fix this issue quickly and release a new version. They didn’t have to do this. You know what? Let’s hit that donate button right now to thank them.
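What that verification could have looked like in its most basic form, as an added example that is not part of the original post: the function below classifies the banner printed by `openssl version` against the upstream release range affected by Heartbleed (CVE-2014-0160: 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 shipped the fix, and 1.0.0 and 0.9.8 never had the heartbeat extension). The banner strings in `main` are constructed samples. The caveat a practitioner needs is in the comments: distributions such as Red Hat and Debian backport the fix without touching the upstream version string, so an “affected” verdict from the banner means “go and check the vendor package”, not “proven vulnerable”.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for a single "openssl version" banner. */
enum hb_status { HB_NOT_AFFECTED = 0, HB_AFFECTED = 1, HB_UNPARSED = 2 };

/* Classifies an "OpenSSL x.y.z[letter][-suffix] <date>" banner against the
 * upstream releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f, and
 * 1.0.2-beta1. Only the upstream version is judged. Caveat: a distro build that
 * backported the fix still reports the old banner (RHEL kept printing
 * "OpenSSL 1.0.1e-fips" after patching), so HB_AFFECTED means "verify the
 * vendor package", not "vulnerable". */
enum hb_status heartbleed_status(const char *banner)
{
    int major = 0, minor = 0, patch = 0, consumed = 0;
    const char *rest;
    char letter = 0;

    if (sscanf(banner, "OpenSSL %d.%d.%d%n", &major, &minor, &patch, &consumed) < 3)
        return HB_UNPARSED;
    rest = banner + consumed;

    /* Upstream patch releases carry a single lowercase letter: 1.0.1e, 1.0.1g, ... */
    if (*rest >= 'a' && *rest <= 'z')
        letter = *rest++;

    if (major == 1 && minor == 0 && patch == 1)
        /* no letter (1.0.1 itself) or a..f: vulnerable; g and later: fixed */
        return letter <= 'f' ? HB_AFFECTED : HB_NOT_AFFECTED;

    if (major == 1 && minor == 0 && patch == 2 && strncmp(rest, "-beta1", 6) == 0)
        return HB_AFFECTED;

    return HB_NOT_AFFECTED;
}

int main(void)
{
    /* Constructed banners in the format printed by "openssl version". */
    static const char *const samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "LibreSSL 2.8.3",
    };
    static const char *const verdict[] = {
        "not affected", "AFFECTED upstream (check vendor patch)", "could not parse"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i], verdict[heartbleed_status(samples[i])]);
    return 0;
}
```

For the vendor-package check that the banner cannot give you, `rpm -q --changelog openssl | grep CVE-2014-0160` on RPM systems, or the Debian changelog shipped with the libssl package, tells you whether the backported fix is installed.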

“They” should pay

OK, but again, wasn’t Heartbleed supposed to never even happen? Isn’t this Open Source? Doesn’t anyone (read: “they”. Because, I don’t have time) review such code, especially if it’s that widely used? Isn’t Open Source security much better than closed source security, which is essentially security through obscurity?

Eberhard Wolff, a well-known German freelance consultant and trainer, recently replied to me:

Yes, I’m sorry, Eberhard. But that’s just the case. Security is often neglected in many pieces of software, both commercial and open source. It’s not that openness helps anyone discover things; security issues are very hard to discover per se, in commercial software as well. Remember “goto fail”? That bug also affected SSL/TLS, but only in Apple software, and it was a single duplicated line.
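To show why a duplicated line was so hard to see, here is the control flow of the Apple bug (CVE-2014-1266) rebuilt as an added example; this is not Apple’s code, and the hash and signature steps are constructed stubs that only report success or failure. The point the model preserves: the extra `goto fail;` jumps to cleanup while `err` still holds the 0 from the preceding successful hash update, so the signature check is skipped and the function returns success for a signature that never verified.

```c
#include <stdio.h>

/* Constructed error codes; Apple's OSStatus values are not reproduced. */
#define E_HASH   1
#define E_BADSIG 2

/* Stand-in for the hash context and the peer's ServerKeyExchange signature. */
struct ske {
    int update_fails;    /* make a hash update step fail, to exercise the error path */
    int signature_valid; /* what the (stub) raw signature check would report */
    int verify_ran;      /* set when the signature check actually executes */
};

static int hash_update(struct ske *s) { return s->update_fails ? E_HASH : 0; }
static int hash_final(struct ske *s)  { (void)s; return 0; }
static int raw_verify(struct ske *s)
{
    s->verify_ran = 1;
    return s->signature_valid ? 0 : E_BADSIG;
}

/* The vulnerable control flow: the duplicated "goto fail;" is unconditional,
 * err is still 0 from the successful update, so raw_verify() never runs and
 * 0 (success) is returned for any signature. */
int verify_signed_ske_buggy(struct ske *s)
{
    int err;
    s->verify_ran = 0;
    if ((err = hash_update(s)) != 0)   /* clientRandom */
        goto fail;
    if ((err = hash_update(s)) != 0)   /* serverRandom */
        goto fail;
    if ((err = hash_update(s)) != 0)   /* signedParams */
        goto fail;
        goto fail;                     /* the duplicated line */
    if ((err = hash_final(s)) != 0)
        goto fail;
    err = raw_verify(s);               /* unreachable */
fail:
    return err;                        /* buffer cleanup would sit here */
}

/* The fixed control flow: identical apart from the removed duplicate line. */
int verify_signed_ske_fixed(struct ske *s)
{
    int err;
    s->verify_ran = 0;
    if ((err = hash_update(s)) != 0)   /* clientRandom */
        goto fail;
    if ((err = hash_update(s)) != 0)   /* serverRandom */
        goto fail;
    if ((err = hash_update(s)) != 0)   /* signedParams */
        goto fail;
    if ((err = hash_final(s)) != 0)
        goto fail;
    err = raw_verify(s);
fail:
    return err;
}

int main(void)
{
    struct ske forged = { 0, 0, 0 };   /* a signature that does not verify */
    int err;

    err = verify_signed_ske_buggy(&forged);
    printf("buggy: err=%d, signature check ran=%d\n", err, forged.verify_ran);
    err = verify_signed_ske_fixed(&forged);
    printf("fixed: err=%d, signature check ran=%d\n", err, forged.verify_ran);
    return 0;
}
```

Two things worth noting: the error-path test (a failing hash update) passes in both versions, which is exactly why a test suite built around “does it reject on error” did not catch this; and clang’s `-Wunreachable-code` reports the dead statements after the second `goto`, while gcc accepts the same flag but has not implemented the warning for years, so the tooling you happen to build with decides whether the bug is visible at all.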

The issue lies elsewhere, though. Microsoft somehow manages to patch security issues in virtually no time. They fix things so fast that users get frustrated about the sheer frequency of fixes ;-)

Cartoon by http://www.stickycomics.com/computer-update/

But Microsoft has a lot to lose. Pretty much 90% of desktop OS market share, that’s what they’ve got to lose. They’re paying a high amount of insurance money, invested in security teams that penetration-test their own software to look for flaws. Yes. The vendor itself does this. And yes, it costs money. And yes, you already paid for that when you bought Windows (or Office, for that matter).

Money that OpenSSL never had. Read this frustrated passage from a public letter by Steve Marquess:

Thanks to that publicity there has been an outpouring of grassroots support from the OpenSSL user community, roughly two hundred donations this past week[3] along with many messages of support and encouragement[4]. Most were for $5 or $10 and, judging from the E-mail addresses and names, were from all around the world. I haven’t finished entering all of them to get an exact total, but all those donations together come to about US$9,000. Even if those donations continue to arrive at the same rate indefinitely (they won’t), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product. While OpenSSL does “belong to the people” it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies[5] and governments[6] who use OpenSSL extensively and take it for granted.

I feel for Steve. US$9,000 to improve OpenSSL, a piece of software that has added so much value to all of our servers and clients. That’s hardly enough for even 2-3 bug fixes, depending on whose salaries you’re paying.

But Steve tells off the “commercial companies” and “governments” for not having paid enough. Who are these “commercial companies”, though?

Meanwhile, at Data Geekery

We know similar stories, of course. When we transitioned from completely Open Source to dual-licensed, we heard a lot of complaints from users we had never heard of until that moment. Users who had never donated or contributed code, bug reports, manual improvements or anything. This is OK. We were giving jOOQ away for free under the terms of the ASL 2.0 as part of an extended market analysis. We didn’t expect donations.

Of course, we have also disappointed one or two people who were hoping that jOOQ would remain “free as in freedom”, who had contributed, who had participated, and who now felt deceived. And we’re genuinely sorry about that. But participation doesn’t pay our bills, money does. So we reached out for money (luckily, we always owned the code, as we paid the contributors of larger contributions and had them all sign a CLA, so we could actually take this step from a legal perspective).

But let’s again focus on the people looking for free beer. No contributions. No feedback. Free rides. And then, when asked for money, they’re pissed (even 8 months later!).

Fair enough. Our price has risen for that particular user. From free to something. They, too, have a right to be frustrated about this change, which they might not have expected. But they, too, have taken “free” for granted without proper reason. Without verifying.

“They”

We don’t believe that “THEY” should pay for our licenses. We don’t think that “THEY” should pay for enterprise support. There is no “THEY” in free software, there’s only all of us, because who decides which project is really important enough to deserve some funding from “THEM” and which one isn’t? All attempts at “fairly” distributing money will inevitably lead to corruption, misuse, abuse, and eventually, to a lack of innovation. We know that from other industries.

So, let’s simply establish two facts:

  • Free software is lying around in the streets. It is publicly declared to be AS IS software. If we’re using it, it is at our own risk. And if it goes wrong, it is our own fault. No one else’s. Not the big companies’ (who are already investing tons of money in Open Source software), and not the governments’ (same thing there). Stop pretending that FOSS is in any way better, or less of a legal risk, than commercial software. That’s just not true.
  • In fact, there is no such thing as free software. “Free” is a price we’re paying as a down payment (or non-payment). The costs will or might arise later. If we’re lucky, the thing will remain “free”. But if we’re professionals, then we’ll insure ourselves against any risk arising from free “AS IS” software. This means that we’ll give back (= “pay”) in another way. Through donations, through bug fixes, through verification.

Further reading

Bruno Borges from Oracle has expressed his very interesting views on, and countermeasures to, the current state and meaning of Open Source software in this blog post.

Oracle GlassFish, or Why You Should Think About Open Source Again

Oracle’s recent announcement about the discontinuation of commercial services for JEE’s reference implementation GlassFish has caused many reactions in the community involved with JEE. The reactions range from:

This event seems to have a big impact on the whole Java ecosystem as many of the above people are key players and influencers in our community, and they neither agree nor know what this step by Oracle means for the future of JEE.

The most interesting point of view among all of the above, in my opinion, is tomitribe’s, looking at things from a purely business point of view with respect to Open Source. They’re saying:

Open Source Isn’t Free

Or in other words, “There ain’t no such thing as a free lunch”. To quote tomitribe further, a very interesting thought they set out is this:

What this says to me is that we as an industry still do not fully understand Open Source.

We most certainly do not understand Open Source. I’m an Open Source software vendor myself. I believe that Open Source is:

An excellent marketing tool

People look at Open Source as something “generally good”. When I talked about jOOQ at conferences while it was an all-Open-Source piece of software (not yet dual-licensed), I got lots of opportunities to do free advertising. This has rapidly changed, now that I am offering an alternative commercial license.

A good tool enabler

I get free access to

The same here. As I’m now a “commercial” software vendor, some tools are no longer accessible to me.

The truth is: Open Source is a business strategy

It really is. And it seems to have worked well for RedHat and Pivotal in the past. Has it worked for anyone else? We don’t know yet, as most other larger companies have such huge amounts of revenue in “classic” fields that they can simply “afford” Open Source. In fact, they’re so good at investing manpower and innovation into Open Source that it keeps the commercial competition in check, as it is hard to write a better and more complete JEE implementation than Weblogic or Websphere.

Apparently, even Larry Ellison agrees that the future of data centers lies in commodity machines. At the same time, RedHat suggests “trying free” to Oracle.

No matter what the impact on JEE of Oracle dropping commercial support for GlassFish will be, we’re only at the beginning of fully understanding what kind of impact this large-scale “freemium” model will have on our world. This isn’t just about the software industry. The whole Internet has brought us “free” stuff. We get:

  • “Free” standards (compare W3C, IETF standards to ISO standards!)
  • “Free” Facebook and Twitter and GMail accounts
  • “Free” newspapers
  • “Free” music and films
  • “Free” commodity services for all sorts of work
  • “Free” work force as we can offshore anything to low-wage countries

This has been picked up recently by Tim Kreider, the author of “We Learn Nothing”, where he depicts how writing “free stuff” for the New York Times helps build “exposure”, and how that’s just nonsense, as all that hard journalistic work doesn’t pay anymore.

Does building “exposure” ring a bell?

Yes, I can build “exposure” by writing free Open Source on GitHub, and by answering complex questions for free on Stack Overflow. I personally use both tools to advertise jOOQ, no doubt. So I get a service (advertising) for a service (content). My deal appears fair to me. But loads of GitHub and Stack Overflow users contribute … just for the sake of contributing. To whom? To GitHub and Stack Overflow. And why? I don’t know.

So, should you contribute to GlassFish, if Oracle starts decreasing support and losing interest, as they have before with MySQL, Hudson, and other products inherited from Sun?

Let’s remember that Karl Marx already taught us that our idea of capitalism will inevitably lead us to (citing from Wikipedia):

  • technological progress
  • increased productivity
  • growth
  • rationality
  • scientific revolution

Absolutely! There’s no way that productivity can get any better than by having loads of software developers world wide produce better and better tools (growth, progress) for nothing more than … for free!

So, don’t be a pawn of others’ Open Source strategies

So, instead of contemplating what Oracle’s move away from supporting the Open Source reference implementation of JEE means, become active yourself! Don’t just blindly consume Open Source; make it one option among others, by consciously deciding in favour of Open Source or commercial software, depending on your specific needs.

Stop advertising their cool products for free at conferences, unless you draw your own advantage from such advertising. Open Source is just yet another business model.