Subject: Legacy burden of closed-source
From: Alex <xela@MIT.EDU>
Date: Wed, 13 Jun 2001 10:37:06 -0400

A new argument in favor of open source software occurred to me
the other day.  At least it's new to me; I'm hoping that someone
here can point me to a well-stated articulation of the argument.

A little background (skip to the last paragraph if you only want
the nickel summary):  we (the sysadmin group I run) recently got
handed a bunch of websites developed by nontechnical researchers,
built on NT with O'Reilly Website, Microsoft SQL server or Access,
and Cold Fusion.  Our database-backed-website consultant (a very
smart guy; I respect his work) recommended we migrate to Apache
and PostgreSQL, but stick with Cold Fusion (largely because our
developers already know it, and it's a pretty reasonable language
for non-programmers).

My concern about this is the future burden of a legacy system.
Once we build a site, we expect to leave it up for at least five
years --- but with essentially no funding for site maintenance.
If we build sites in cold fusion 4, there is no reason to expect
that same code to still work in cold fusion 9 --- indeed, good
reason not to.  So fine, we build the system and leave it alone;
there's no reason an unpatched 5-year-old unix box can't keep
doing its job just fine.  Oh, except for that security thing.

What happens when a security hole that we dare not leave unmended
is found in the OS?  There's a significant chance the old version
of cold fusion won't work with the new version of the OS.  Or if a
hole is found in the old version of cold fusion for which the
manufacturer's only suggestion is upgrade to the newer version?
In both cases, we're stuck either leaving an insecure system up,
or somehow funding migration of the site to the new version of
cold fusion.  And let's not even discuss what happens if its
manufacturer goes bust and cold fusion becomes yet another
orphaned commercial software package.

In short, with commercial software you run significant risks of
ending up with a legacy system that you need to upgrade for
security reasons, and having no upgrade path that does not break
compatibility for the applications you've developed using the
legacy system, resulting in an expensive migration process just to
maintain functionality while patching the security problem.  In
contrast, with open-source software, given an adequate description
of the security problem (e.g. a patch to the current version), you
can fix the security hole in the legacy code without otherwise
affecting its functionality --- a comparatively much cheaper
process.  So again, can someone point me to a good articulation
of this argument?

Thanks in advance,

---Alex
xela@mit.edu