Is open source code bound for obsolescence?

Article by: Brian Dipert

Many open source projects are weighed down by security vulnerabilities, developer shortages and funding issues.

I was pretty shocked when I heard, a couple of months back, that the OpenOffice software suite's current "owners"—the ASF (Apache Software Foundation)—were considering retiring it. For those of you who don't (or are too young to) remember, back in the early 2000s OpenOffice was trumpeted (along with Linux) by open source advocates as the 1-2 punch that would shatter Microsoft's proprietary Office-plus-Windows dominance. OpenOffice was originally StarOffice, acquired by Sun Microsystems in 2000 and subsequently open sourced. And although it was never my primary office application suite (I always seemed to stumble across some Microsoft Office feature that OpenOffice implemented imperfectly or not at all), it enabled me to notably delay my Office for Mac acquisitions after tackling a wholesale OS platform switch a decade ago, for example.

Using LibreOffice or Microsoft Office

How times have changed, however, according to the Ars Technica coverage. OpenOffice still has plenty of users, mind you; per project statistics, it "was downloaded more than 29 million times in 2015, for a cumulative total of more than 160 million downloads since May 2012." However, per the recently published ASF memo, there are at the moment around a "half-dozen volunteers holding the project together." Of particular concern is the project's ability to respond in a timely and robust manner to discovered security vulnerabilities; for one vulnerability that first became known to the development team shortly before the August 2015 release of the latest version, OpenOffice v4.1.2, a fix took more than six months to develop, and nearly another six months passed before it was released. Until then, the suggested workaround was apparently … to use LibreOffice or Microsoft Office instead.

Speaking of LibreOffice, it's part of the reason for OpenOffice's diminution, although due to no particular fault of its own. The fundamental reason: politics. After Sun Microsystems was sold to Oracle (not exactly an aficionado of open-source software), developers apparently fled OpenOffice in droves for the aptly named project fork. Oracle's subsequent hand-off of OpenOffice to the ASF didn't stem, much less reverse, this exodus. And further OpenOffice defections occurred when IBM stopped bankrolling developers a couple of years ago. All this reminds me of a quote from a past open source-themed post of mine:

Most open-source efforts are maintained by one or a handful of developers and "supported" by a rag-tag band of enthusiasts, all of whom do so on the side by virtue of their (other) paying "day jobs."

OpenSSL

Ironically, in that particular write-up, I specifically called out OpenOffice as an exception to that scarcity trend. No more, I guess, huh? Although as we all more recently learned via the Heartbleed vulnerability in OpenSSL, popularity doesn't necessarily translate into developer-count opulence:

You might think that OpenSSL, by virtue of its ubiquity, would be a well-funded exception to this rule. You'd think wrong. As it turns out, Stephen Henson was the only full-time OpenSSL developer, and he's by no means living in the lap of luxury. The flaw was actually created by one of a short list of part-time contributors, Robin Seggelmann; it made it through Henson's review undetected and survived in the code base for more than two years before being discovered.

Another open source project, the Mozilla-backed (and Dipert-beloved) Thunderbird email client, also mentioned as atypically thriving in my late-2012 blog post, is now also struggling. As is Firefox itself, which recently wound down its Firefox OS-for-smartphones efforts and is also facing browser add-on developer defections due to its embrace of Chrome-model APIs and other changes. Even mighty Linux is struggling with developer-induced bugs. Wonder if all this uncertainty is behind longstanding open-source poster child Munich, Germany's reconsideration of Microsoft products?

Don't misunderstand; I'm not an open source detractor. Quite the contrary; in general, I'm not only an open source user and beneficiary but also a longstanding advocate. But a pragmatic one. I don't assume that any project whose output I leverage will be around (to any reasonable degree of robustness, much less at all) in the long term. And I certainly wouldn't tie my ongoing business success to fickle open source projects' fortunes. Nor, I'd strongly suggest, should you.

First published by EDN.
