By Jo Best, 28 October 2004 17:04
The Office of Government Commerce's report into the viability of using open-source software in the public sector was toned down in its praise of Linux security before release, silicon.com has discovered.
A copy of the report, seen by silicon.com with amendments still visible, shows changes were made to the government's stance on the particular advantages of Linux versus proprietary software when it comes to security. The Office of Government Commerce (OGC) is the Treasury office charged with improving public sector procurement and project management in the UK.
The pre-release version of the report read: "Linux would appear to offer numerous strengths in terms of security." In the final version this became: "There is no definitive answer on the relative security merits of open or closed-source software."
The pre-release version also described the visibility of Linux code as a boon to its security, saying: "The structure of the Linux operating system is regarded as inherently more secure than that of Microsoft Windows... The open-source code can be viewed in its entirety and in the event of a problem the worldwide Linux community can act to resolve any issue with urgency."
The final version, however, is more muted. "While some argue that many eyes lead to fewer security flaws, others argue that those wishing to exploit, or tamper with, open-source code have an easier time than with closed source code," it reads.
The idea that a greater number of code-watchers helps open-source software's security hasn't been disputed by Microsoft CEO Steve Ballmer.
He said in a recent email to customers: "Linux has often been touted as a more secure platform. In part, this is because of the 'many eyeballs' maxim of open-source software that claims a correlation between the number of developers looking at code and the number of bugs found and resolved. While this has some validity, it is not necessarily the best way to develop secure software."
A poll this year of silicon.com readers showed more support for the idea that open-source is inherently more secure. When asked: 'Why might Linux be more secure than Windows?', the majority of respondents said it was the way the operating system is maintained.
Forty-one per cent said it might be more secure because of the open-source development model, 32 per cent answered that it might be more secure because it's not as widely used and is therefore less of a target, and 27 per cent said it isn't more secure, full stop.
However, both the pre-release and final versions of the OGC report highlight that malware writers have yet to turn their attention properly to Linux and other open-source software. "Open-source software is less likely to be attacked by viruses than proprietary software," it said.
An OGC spokesman said the report had been "made more vanilla" in order to not give people the impression that Linux is "100 per cent secure" and that everyone should switch to open source.

Comments
There are 6 comments.
1. Roger Huffadine
You have to understand the pressure that individuals come under from all sorts of directions when they are working on these committees. I used to chair an international standards committee and regularly saw the effects of, for example, a world leader in proprietary software leaning on a major telecoms equipment manufacturer to remove consensus within the committee and demand that words be changed to favour the supposedly non-involved third party. I know of instances of people being in fear of their jobs over the issue of toning down perfectly accurate words.
2. Richard
What, another dodgy dossier...?
Are we seriously to believe that HM Gov't has a vested interest in maintaining the semi-monopolistic stranglehold of a particular software company merely because it is run by somebody they like so much that he was recently dubbed an honorary knight?
Is Silicon.com really suggesting our elected leaders could stoop so low as to sex dossiers up or down? And for what purpose? Are you implying that they might stand to gain from it? Shame on you!
I for one really cannot believe that any so-called favouritism (such as sexing-down this report or Gov't opposition to EU anti-competitive practice investigations) could be intended to help them secure a better licensing deal for forthcoming NHS contracts. And if I am wrong, then surely they are only guilty of trying to save the taxpayer money whilst keeping their friend happy. That's caring New Labour for you.
I imagine this was simply a case of inserting much needed balance into a somewhat unhelpful report and in no way related to the Government's habit of sucking up to useful multi-billionaires with suspect business practices.
Why, next you'll be implying that the 45-minute claim was egregiously sexed-up to bolster the weak case for war in Iraq against the advice of the security services.
William H. Gates is 49
3. Gordon Head
Gordon,
I'm sure you must have read this but if not it makes for very amusing reading!
4. anonymous
I want to see Linux take over Windows. Microsoft is deliberately trying to fight its cause with "bla bla bla". We all know the facts. And the facts are showing the obvious in this matter. It's time for a change now. Microsoft has had its time! It's all about progress... Microsoft has shown us a great deal of advancements, sure. On the other hand, it is time that other people do the same and be recognized for their great achievements.
5. Richard Corfield
The "It's Used More" excuse for Windows insecurity doesn't apply to web servers, or even servers in general. Apache, the open source web server, easily outpaces IIS, yet has not had anything near the number of vulnerabilities.
Code in the open has more need to be secure, because it's your reputation. More people can see it and find weaknesses that a closed source supplier may just think they can sweep under the carpet. Secrets in the algorithm don't stand up in Open Source.
There has also been less desire in the Open Source world to rush to market with incomplete software. Development versions are always available for those that want to be on the leading edge, so no fear of competitors being first to release. On the other hand, proprietary vendors often seem to release incomplete software to be first to market.
6. Adrian Midgley
Missing comma supplied.
An OGC spokesman said the report had been "made more vanilla" in order to not give people the impression that Linux is "100 per cent secure", and that everyone should switch to open source.