Posts Tagged ‘Open Source’

Zero Day Vulnerability

This really isn’t very accurate. I don’t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiative’s vulnerability report. The big news seems to be “only 5 hours” after the release.

This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. Reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

It wouldn’t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.

The advantage to the open source development process is the transparency through the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.

Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.

Facebook Open Sources Platform

Facebook today released the code behind their application platform. What that entails:

This release includes the API infrastructure, the FQL parser, the FBML parser, and FBJS, as well as implementations of many common methods and tags. We’ve included samples and some dummy data to help you get started fast.

It’s mostly licensed under the Common Public Attribution License (CPAL), with the exception of the FBML stuff, which is MPL. It’s actually Mozilla code, and seems to be based on Firefox 2.0.0.4. I wonder if they plan to upgrade to Firefox 3? Some enhancements that would presumably bring are JavaScript 1.8 support and native JSON encode/decode. Or at least the latest Firefox 2 release… but I digress.

Before releasing their API last year, Facebook bought Parakey, founded by Blake Ross and Joe Hewitt of Firefox fame. I don’t know if this code is actually derived from the unreleased Parakey, or even written by them. For all I know it could have been written by Facebook developers well before they were even acquired. Though if I had to place a bet, I’d guess this is code from Parakey. The code all looks pretty well scrubbed of anything that might give away Facebook secrets.

Big Buck Bunny

Big Buck Bunny - Blender

Big Buck Bunny, the new open movie made using Blender, is out. It’s rather good, and impressive when you realize it’s made with open source products, meaning the only barrier to making one yourself (assuming you’ve got a rendering farm, or the patience to let your workstation churn out the pixels) is your skills. You can download it from the website (H.264 available) or watch it on YouTube. I’d recommend the download so you can appreciate the HD quality. Some more screenshots can be found on Wikimedia Commons.

The first open movie was Elephants Dream back in 2007. Elephants Dream used proprietary audio software. As far as I can tell, Big Buck Bunny didn’t.

Between the two I think I like Elephants Dream more. It was a little darker, but struck me as a little more entertaining. That’s my personal opinion though. It will be interesting to see what the next one is.

MySQL Staying Open

Sun was initially thinking of a commercial fork for MySQL with some enhanced things like encryption and compression backup for commercial users. Obviously this created some outcry. It appears they’ve now reconsidered and those features will be open source. To quote Kaj Arnö:

…expect Sun/MySQL to continue experimenting with the business model, and with what’s offered for the community and what’s offered commercial-only. We won’t always know the right answer from the beginning, but we want MySQL to be the most popular database for both paying and non-paying users.

The willingness to listen to community feedback and look for a balance means Sun may not prove to be a bad thing for MySQL; of course, time is the ultimate test. More than once a product has been written off after an acquisition only to blossom, or has failed when success seemed certain.

Balancing open source in business is no easy matter, both from the producing and the consuming side. It forces many people into new roles: developers and visionaries into lawyers, and lawyers into tech-savvy computer elitists. There’s no standard model for everyone to follow, as every project and every company is unique. Striking a balance in such a dynamic and evolving environment is tough; when there’s no simple formula to help model business plans, it’s even more complicated.

Given open source adoption in the enterprise is on the rise, and corporate backing of open source seems to be following that, I suspect there will be some innovation in this field in the next few years as some of the more clever individuals find new ways to strike that magic balance.

Self Serving Sausage Fest?

Does that title accurately describe open source? Via Valleywag I found this blog post from Psychology Today which I’d recommend reading. This is really the most interesting part:

First, there’s street cred: People want to garner approval from their peers and build their reputation. Second, there’s self-actualization: Working on these projects is enjoyable in and of itself, and it also provides the opportunities to practice your skills, collect feedback, and grow as a geek. Third, there’s pure altruism: Let’s save the world, one squashed bug or “[citation needed]” at a time.

Interesting stuff. I definitely fall in the “practice your skills, collect feedback, and grow as a geek” category.

Also noteworthy: 97.8 percent of open source programmers are male. Like there was any surprise that it’s somewhat of a sausage fest on #developers. Anyone ever check the ratio on about:credits? Come up with an automated way to do that which is licensed under MPL/GPL/LGPL and you’ll earn some serious street cred, not to mention save the world and practice your text analysis skills.

I guess this is even more extreme than the Dave-to-Girl ratio.

Public Domain vs. Open Source

Ok, I promise to slow down on the use of X vs. Y on this blog, but only after this post. CNet has an interesting blog post by Stephen Shankland essentially asking: is public domain software open source? A very interesting question.

This little bit of information from Richard Hipp, founder of SQLite, I found to be particularly interesting:

“…The consensus there seems to be that ‘public domain’ is valid and is a proper subset of ‘open source’–except in France and Germany where the concept of ‘public domain’ is not recognized…”

In my opinion, as long as the project stipulates that all contributions be released into the public domain (defined as intellectual property not owned or controlled by anyone, and available for use by anyone for any purpose without restriction) in perpetuity, I think that in itself is an open source license. It’s also the cleanest and easiest to read.

Apple’s API Advantage

Vlad wrote about his work on improving Mac OS X performance (which is awesome by the way), and his findings from looking at WebKit code. To summarize: WebKit utilizes some undocumented APIs (ironically from the same company that makes Mac OS X :-? ) that give it an advantage over other software which can’t use them. This is pretty anti-competitive, and Microsoft-like in behavior. For a company that built its modern OS on an open source core, and its flagship browser (which is key to their mobile initiative) on an open source rendering engine (KHTML), you would think they would be a little more understanding about crippling platforms. Then again, look at the iPhone controversy regarding it being a closed platform (though that’s supposed to change next week, and I’ll be sure to blog about that).

Robert O’Callahan’s got a great blog post on some of his observations of things Mozilla would likely make good use of. He also mentions one thing worth quoting:

It’s worth reflecting that if Microsoft was doing this, they’d likely be hauled before a judge, in the EU if not the US. In fact I can’t recall Microsoft ever pulling off an undocumented-API-fest of this magnitude.

This is a very valid point which I 100% agree with. Microsoft wouldn’t get away with this.

Safari developer David Hyatt (former Mozilla developer from when Lizards roamed the earth) commented about this issue. Essentially he justifies the decision based on it not being good practice to use some of these methods, and others aren’t even used anymore. This of course raises the question: should Apple be deciding what other software developers can do, when they themselves can’t follow the same standards? I’d say that if WebKit feels it has to use them, there are likely others out there in the same situation regardless of “best practice”.

See, I’m not too much of an Apple fanboy to criticize them ;-) .

Microsoft’s Open Source Decoy

So Microsoft will open up with information on many protocols/formats, and provide a “covenant” not to sue open source developers. Note the exception. Microsoft reserves the right to sue companies who commercially distribute such implementations. They need to get a license. As Microsoft put it in their principles:

Open Source Compatibility. Microsoft will covenant not to sue open source developers for development and non-commercial distribution of implementations of these Open Protocols.

As far as everyone’s reaction to this, Arstechnica wins with the best quote:

“Instead of offering a patent license for its protocol information on the basis of licensing arrangements it knows are incompatible with the GPL—the world’s most widely used open source software license.”

It may settle some curiosity in regards to how close certain reverse engineered implementations are to the actual protocol, but beyond that I don’t think it will make any difference. I think this caveat would limit most projects’ ability to utilize the information. I don’t think any major project is willing to utilize code subject to that limitation.

For example I mentioned just the other day that Exchange compatibility would bring about the most corporate adoption to Mozilla Thunderbird. Well this could potentially help make that a reality, except Mozilla’s commercial arm would be subject to trouble come release time. Not to mention any downstream commercial distribution that includes it (including many Linux distributions) unless they include a version without this code.

It may however be possible for a company to sell a product and offer a GPL licensed open source “plugin” or “addon” that adds the functionality. So for example Thunderbird would ship as usual via Mozilla Messaging and various Linux distributions. If you wanted Exchange compatibility you would need to go to mozilla.org and download the addon for it. Similar to the current process for the provider for Google Calendar. However this adds a nasty extra step for users. It’s far from ideal.

The other notable thing in my mind is this part of their principles:

Industry Standard Formats. Microsoft supports many data formats promulgated by standards bodies in its products today. We will apply Principle II with respect to any standards-based data formats in our high-volume products. We will incorporate customer advice from our Interoperability Executive Customer Council and our ongoing community and customer engagement efforts to give us guidance to prioritize which standards we support in any given product release.

We want OpenDocument.

So despite all the media attention, I don’t think open source gained much today. There’s potential (OpenDocument getting priority would be nice), but really no big win. I just don’t see projects giving up GPL, and I’m pretty sure this agreement would violate GPL.

Open Source And Recessions

There’s an interesting blog post on Open Source and recessions worth reading. Essentially the question is this: Does a recession have a negative impact on open source?

I’d say the answer is somewhat more complex than a simple yes/no. There are many different types of projects out there with entirely different circumstances. However, I suspect a project’s impact could be gauged by a few key aspects of its operation:

Purpose - The purpose of the project is likely the most critical aspect. For example, I don’t think there would be any significant impact on projects like the Linux kernel, which is essential to many products out there including server infrastructure that powers much of the web and many companies’ computer systems. Then you have consumer products like TiVo, Google Android etc. Because its purpose is so broad there are enough people with a financial interest in seeing development continue. WebKit, Mozilla, Apache are good examples of this. They have broad usage by many. Something specific to a more obscure task would have more trouble due to its more limited market.

Development Team - Of course for a project to succeed it needs one or more developers. During a recession one could theorize that many would be less inclined to participate. This may not necessarily be so. First of all, quite a bit of open source development is loosely sponsored. Several projects have actual staff, paid employees who write open source code. For example Apple employs people to work on WebKit. Mozilla has staff working on Firefox. There are people paid to work on Linux (Red Hat, IBM, Novell, etc.) and many other open source projects. There are also companies who contribute some code that would be of strategic value to them. There are also those who are simply willing to sponsor some work they want to see happen. All of which fund developers of larger open source projects. But would developers who aren’t sponsored or employed to code still participate? I theorize most still would, as they don’t depend on it for income during good times; presumably a job during a recession wouldn’t generally prohibit participation any more than a job during years of economic growth. There’s also the impact of college students who participate partially for the educational aspect. The early 2000s were a recession and still showed a fair amount of growth of open source. In fact many of today’s stars really started to take shape during that period. For example:

Funding - Somewhat obvious: funding is key. Who pays the developers (partially the last aspect I discussed)? Who pays for the project’s needs (servers, etc.)? Many of the more popular projects (almost all of the above) have either an organization or a for-profit company built around them. That company often sponsors the needs of the project. Unless that company’s product/service is no longer needed during the recession, funding likely remains. That’s partially the first aspect I discussed.

It’s my belief the larger and more popular open source projects would feel a minimal impact during a recession. I think history has shown this, and common sense agrees. They are mostly low development cost, adequately funded (often from diverse sources), stable, and have a broad team of developers. The projects that are in trouble are the ones who have very few or only one developer, even worse if they share the same sponsor, even worse if there is little community around the project. Most projects would generally experience a slight slowdown in development; the degree would depend on the above. A few may go dormant for a period of time. Thanks to things like GPL licensing, another developer can pick it up should there be a market in the open source ecosystem.

Overall I don’t think open source would be nearly as impacted as most businesses during a recession. The model is very different. Open source when successful has a community and many different sponsors. The diversity allows the project to survive even when recession causes some sponsors to need to reduce or eliminate involvement. Open Source also by definition is used to this type of environment. It’s used to developing on a budget, soliciting sponsors to help cover costs, etc.

The interesting thing about recession is that it impacts everyone, but the degree to which someone is impacted varies. For example construction and housing are generally harder hit than other industries. People tend to cut back on new home purchases before they cut back on other things. Each of those industries has computing needs, sometimes met by open source. This all feeds into the open source ecosystem.

I’d suggest that all of the projects I have mentioned here will do ok during a recession. Many with a slowdown, but all will still continue as long as they provide value. A notable situation is that Mozilla’s income comes largely from Google, which is based on ad revenue. During a recession and bubble bursting this would likely dramatically reduce the revenue brought in. This isn’t being ignored. As the 2006 Financial FAQ states:

First, the cash reserve is of course a form of insurance against the loss of income. We will continue to maintain enough of a reserve to allow us flexibility in making product decisions….

It seems that an open source project with a diverse stream of funding from individuals and companies of various industries, as well as developers in different situations is in the best position to survive.

It’s an interesting topic.

ZFS On Mac OS X

Anyone with an interest in file systems, data management, large scale storage, and security has been keeping an eye on Sun’s ZFS for a while now. Apple looks like it will ship the first consumer-targeted OS to feature workable ZFS support. It’s in Leopard, but read only. Apple has now released binaries and source. It’s still not ready for prime time (not even bootable, and has some serious bugs), but it’s progressing.

While not in Apple’s implementation yet (it is however planned), ZFS supports things like compression and encryption. ZFS is also a 128-bit filesystem, so for the foreseeable future, it’s enough storage for anyone. Dynamic striping and snapshots are also extremely interesting. I’m curious to know how snapshots in ZFS will integrate into Mac OS X 10.5 Leopard with Time Machine. I wonder if complete ZFS support will make a 10.5 revision or if it will be read-only until 10.6.

I am however curious if they have given any thought to solid state storage. It’s pretty clear that’s where the future is headed. While ZFS targets size rather than performance (meaning the two won’t collide for some time as solid state storage won’t be practical for large storage arrays for a few more years), I wonder if ZFS would be able to do things like wear-leveling. So far I haven’t seen any documentation to hint that the feature exists (I’d presume it doesn’t). No idea if it would be something that could be added or if it’s nearly impossible.