[This was originally published in issue 9 of PSU3 magazine.]
I should start by explaining “source code”. The languages that computers use internally are very different from the languages that humans use. The bridge between them is source code: something that both humans and computers can understand. Humans write their programmes in the form of source code, which a computer then translates into machine code (a step called compiling). It is this machine code (the files are called binaries) that a computer actually uses when running the finished programme.
In open source development, the source code is freely available; usually anybody can download it from the Internet. The machine code version is often freely available too, or you can translate the source into machine code yourself on your own computer. In closed source development, no source code is made available; it is kept secret by the person or organisation that developed it. Only the machine code, which is really hard for humans to understand, is released, sometimes for free, but usually you have to pay for it.
If there is a problem with a closed source programme, or you need a change to it, then you have to rely on the company that made it to fix it for you. They may not have the time to fix your particular problem, or they may not have the interest. The company may fix it, but not quickly enough, or not quite the way you want it. In the open source world, you have a world full of programmers that may fix it for you. If you are a programmer, you could fix it yourself. If you really needed to, you could find some random coder who will fix it your way for a fee. Some open source coders will fix it for a donation to a charity, or maybe merely for a slab of beer (actually a form of currency here in Australia). With freely available open source code, anybody with the skill can get a copy and change it. With closed, secret source code, only the few people that have the secret can change it.
Some people think that because open source code is so freely available it is in fact a free for all, and that this is a security nightmare because any cracker or virus writer can insert dodgy code at will. That is not how it works. It is only your local copy that you can change, and it is only their local copy that the cracker can change; they can’t make you run their copy, as long as you get yours from the project itself rather than from some random site. The original source code should be well protected from naughty changes. People have to convince the owners of the original source code that their changes are worthy before they will get applied to the original copy that is freely available. The owners are quite happy when other people help to write the code; that’s why they made it open source in the first place. They are also quite careful about approving changes, and about who else they let make changes. Even if naughty code somehow makes it into the original copy, so many people are looking at the code that someone is likely to notice and tell the owner.
Some people think that if the source code is freely available it will make it easy for crackers to find the weak spots and break into your computer. Surely secret source code is safer? Anybody in the computer security industry will tell you that security through obscurity is no security at all. It’s the equivalent of hiding your house key under a rock in the garden and thinking that no one knows which rock to look under. The naughty people are watching, and they will figure out which rock. Since open source code is freely available for everybody to see, there are a lot more people looking at the code than there are for closed source code, and most of those people are not trying to do naughty things. So security problems tend to get spotted quicker, and fixed quicker. If you know everybody is watching, you can put your house key in a safe made out of bulletproof glass that is firmly attached to the front of your house, and a friendly neighbour is likely to point out that your combination is too easy to figure out, and that you should install a fingerprint scanner instead.
The machine code that computers use is hard for humans to understand, but not impossible. With heavily guarded, top secret, closed source code, only the people that wrote it understand it. Oh, and the cracker who goes to the trouble of translating it back into human readable form (called disassembling, or reverse engineering). So now only a tiny group of people know about the security flaws: the programmers at the company that owns it, who are too busy creating the next new features to spend much time on security, and the crackers who have nothing better to do with their time than use this secret information maliciously. The ordinary people that use this software are none the wiser.
The same things apply to other problems in the source code that are not security related. Many eyes looking at open source code make the bugs easier to find and fix. Many people want different features added to the code, and those who are programmers will write those features even if the owner hasn’t got the time for it, and the owner may well think the result is worthy of inclusion.
The main drawback is that there is not as much money in open source development. Money can be made, but it is easier for the big companies to close things up, get people hooked on their code, then charge them lots for the next upgrade to whatever the big company decides to give them. You can make money from open source, and one way is to do what Terra Soft Solutions (TSS) does. Pre-installing Linux on the PS3 can make money. Releasing an entire operating system to paying customers first, before releasing it to the public a few weeks later, can make money. Selling support can make money. Selling supercomputer services can make money. Did I mention that a variant of Yellow Dog Linux (YDL) is used by TSS to build supercomputers?
Another drawback is that something like YDL can still get pirated. TSS include some of their own code and content in YDL; it’s not entirely made up of other people’s work. This TSS work is covered by the TSS licence, and TSS use this as a way to make money. Each new version of YDL is released to paying customers first, then a few weeks later it is made available to all, including source code. Source code for everything except the TSS work is available to all straight away. It has happened that pirates have grabbed the entire YDL and made it available to all comers before TSS has had its few weeks. This pirating eats into TSS’s profits. TSS is not a large, rich company, and they do give back to the open source community, so it’s not fair that their small profit window is closed early by the pirates. To make matters worse, some “customers” of these pirates think “It’s Linux, it must be legal to spread it this way” (I’ve seen it happen). Linux is only part of Yellow Dog Linux; the TSS-licensed parts are not legal to spread until Terra Soft Solutions says they are.