I saw this on twitter a few days ago. (Disclosure – @sfonplsql is my boss)
The part that caught my attention was
“easy to say “trust open source” but seems like DB mgrs and devs quite reluctant to put OS code in database.”
This attitude isn’t restricted just to databases, I’ve seen it regarding all types of software. In fact there was a time where I didn’t trust an application simply because it was open source. But then…
My thinking started to change a few years ago
(It’s been a few years. I’m making this as accurate as I can remember.)
I was working on a government contract and we were looking for some bug tracking software. We were told it had to be very inexpensive. I suggested a very popular system that also happened to be open source. The software met all of our needs, it was free at the basic level and there was paid support available if we needed it. We started moving the proposal up the approval chain (did I mention government?). Everyone agreed that it would be a great solution.
When it reached the final approval level, however, it was simply rejected. We asked for the reason and were told “It’s open source, we can’t trust it. If you want to use it, there must be a full code review looking for security issues and unknown bugs.”
I’m rarely surprised by the illogical decisions I see some managers make, but this one caught me completely by surprise. By which I mean: when was the last time we checked for security issues in a commercial package? Just because we pay for it, it doesn’t have any?
I began to research proprietary options but of course the big name applications cost a big name price (sure, some of them were worth the price, but we had a small – and unchangeable – budget already allocated for the project.) The only options that fit in our very limited budget were not-ready-for-prime-time applications by companies that just didn’t seem to be putting much effort into maintaining and enhancing their product. They also had smaller install bases and less frequent updates than the original open source solution.
We chose the two that looked most active and sent them in. We were told that either of those would be fine. No review needed.
I set up a meeting with the approval chain.
I projected the code from the open source application on the board, and clicked through a few pages. I said “Here’s the code from the first app we proposed. You can see that it’s fairly complex and it will take a significant amount of time to do the requested code review. We have some talented programmers we can put on this and I’m sure we can do a good review.”
The person who asked for the review replied: “That’s why open source is a bad idea. It would cost too much to do that.” I pointed out that the ability to review, change and even fork the code is what makes open source so valuable. I pointed out that we know next to nothing about the people behind the approved proprietary solutions, we have no way to review the code, and if they shut down we can either limp along on the current revision or migrate to another application.
At this point, I suggested we evaluate the options not based on open source vs proprietary, but how likely it is that the software would be improved moving forward, and what our options would be if the application was abandoned.
Feature wise, the open source product was far ahead already so we looked into support and update frequency.
One of the proprietary options hadn’t had a release in a couple years and the developers hadn’t responded to a forum post in months. This was a bad sign, and we decided to drop that alternative
The other option had a fairly active forum, but there were a lot of posts from users asking for help getting around problems and configuration issues. The documentation was sparse, and judging by the forum posts, had a few inaccuracies. They seemed to be releasing yearly with mostly bug fixes and some minor features. Upgrades cost a small amount each time. Not terrible overall and it would be something we could live with.
The open source product had a very active community with frequent forum posts, pull requests (made and accepted) and a nice selection of add on modules. The documentation wasn’t great, but what was there seemed accurate. It seemed to be going strong and growing.
A couple weeks later, we were using the open source solution, no code review needed (but it was an option if we wanted.)
What’s the point?
The above is what it took to shift my thinking. I’m not advocating only open source. This is not an open source vs proprietary debate. I try hard to stay away from extremes and absolutes.
The point is, ignore the labels, figure out what matters in your situation and make informed decisions.
Now what?
I’ve seen the above scenario play out a few times over the years and it usually ends the same way.
I would like to dig into why some people seem to instinctively mistrust open source. (It’s not just manager types.)
I will follow this up with a couple situations I see every now and then. I’ll also look at the specific situation of open source in the database.
Help me out.
I would like to turn this into a full discussion, so please leave comments with your experiences from either side of the situation. If you’re currently going through this and would like some help, let me know and I’ll go find us some information.