SCN: Open source
Steve
steve at advocate.net
Mon Apr 1 08:29:11 PST 2002
x-no-archive: yes
======================
Q&A with Eric Raymond, co-founder of the Open Source Initiative
by Matthew Broersma, ZDNet
Q: Red Hat's Bob Young argues that Linux will never take over the
desktop, but that it will make the desktop largely irrelevant by controlling
the Internet back-end. What are your views on the desktop debate?
A: I think Linux will take over the desktop, and I think the reason it will
doesn't have much to do with whether we clean up and polish our
interfaces or not. Linux will take over the desktop because as the price of
desktop machines drops, the Microsoft tax represents a larger and larger
piece of OEM margin. There's going to come a point at which that's not
sustainable, and at which OEMs have to bail out of the Microsoft camp in
order to continue making any money at all.
At that point, Linux wins even if the UI sucks. And frankly, the UI doesn't
suck. It's not perfect, it's got a few sharp edges and a few spikes on it, but
so does Windows.
We broke through the $1,000 floor some years back. But my threshold
figure for when Microsoft isn't viable anymore is when the average
desktop configuration drops below $350. I got that figure by looking at the
position of Microsoft in the market for PDAs and handhelds. Above $350,
Windows CE has some presence, largely because Microsoft is heavily
subsidizing it, but below $350, Microsoft is nowhere. And the reason is
very clear: if your unit price is that low, you can't pay the Microsoft tax and
make any money.
We're heading toward the point where consumer desktops are available at
that price. Some of the low-end PC integrators are already there, outfits
like E-machines and so forth.
Q: Microsoft has tried to co-opt interest in open source with its "shared
source" initiative. Is that going to work?
A: I don't see any signs that that's changing anybody's minds. I don't see
anybody in the press saying "That's wonderful! In fact it's so wonderful it
will swallow XP's license restrictions, it will swallow .Net and Passport." It
isn't happening.
Q: Is it just a PR move?
A: It goes deeper than that. Everything in Microsoft's strategic behavior for
the last two years, as far as I'm concerned, can only be accounted for by
the hypothesis that they know their packaged software business is
doomed.
They're moving from a product base where selling Windows CDs is their
major revenue stream, to where they're telling everybody where they want
to be is in a business where they're the world's biggest ASP. Now, people
haven't really thought about this, but being an ASP is harder than being in
a product business. It's more difficult: the staff requirements are more
demanding, the margins are lower. Why would Microsoft go from being in
an easy business to being in a hard business? I think the right answer is
that they know the easy business is doomed. Bill Gates said as much in
his famous 1995 e-mail saying the Internet was the future.
They have a strategic problem, which is that somehow they have to make
the transition to a Passport and .Net business model before Wall Street
figures out that their current business model is screwed. If the investors
figure that out before they've changed horses, then they're going to
discount the future value of the stock, and the whole financial pyramid that
Microsoft is built on will just collapse.
I wouldn't be sleeping too well if I was a Microsoft strategist right now,
because that's a really hard job, especially considering that they don't
even have the technology in place for the new business model yet. Even if
they had the technology in place, they would have a very hard job
persuading corporate managers to buy into this, simply because of the
control issue.
If I have all my business processes farmed out to an ASP, I don't control
them any more. It's not just a matter of being dependent on somebody
else's downtime as well as my own. How do I know that my core business
secrets are still protected?
Q: Speaking of security, the Internet Engineering Taskforce (IETF)
recently released a draft protocol for reporting security flaws in software,
which was criticized by some people as being too slanted in favor of the
software industry.
That was very good, that was very well done. I skimmed it and I didn't feel
that way. I remember reading it and thinking that they had chosen the time-
outs for reporting requirements just about right. They chose just about the
same time-outs I would.
Q: Is there a danger of software companies exercising too much control
over how and when software bugs are reported?
A: There's the obvious threat from the DMCA, if that kind of control is
written into the license, but under current software licenses they can't
control that kind of disclosure. And in fact if they tried, they'd probably run
into serious legal problems. So I don't see that as a major issue.
I'm not worried about that for two reasons. One is that there are very
articulate and capable people who have press exposure and credibility in
the security community, who are prepared to go out there and say, "full
disclosure is the only way you can get decent security." I'm thinking for
example of Bruce Schneier at Counterpane (Internet Security). He's done
an excellent job of educating the trade press on this, and there are other
people who are almost as capable as he is in that way. So I think they'll
keep that issue alive.
Also, one of the reasons I'm happy about that RFC (request for comment)
you just mentioned is because anyone who comes under corporate
pressure not to report bugs, can point at that RFC and say, hey, this is
Internet best practice here, so get off my back.
Q: Would the IETF proposal make any difference?
A: In that political sense, yes. I don't think that draft RFC does anything
more than just slightly formalize the unwritten guidelines that already exist,
as witnessed by the fact that they chose the same time-outs that I would
have. Managers have a superstitious respect for documentation and
procedures, so being able to point at a document does help.
Q: How is the open-source movement different today than, say, 1999?
A: I think we're more sober now than we used to be. There was a period
during the dot-com boom in '99 when I think a lot of people were in some
danger of getting distracted by the prospect of lots of easy money. And of
course that prospect has gone away now, which is all right if that has the
effect of re-concentrating us on the work.
I think also we have a lot more credibility in the global 1,000 and the
business press than we had in '99. We've gotten more success stories
under our belt. We've got more people who've considered the pro-open-
source argument carefully and decided they agree with it. As witnessed by
what happened last year when there was some danger that Microsoft was
going to go into a full-bore propaganda campaign against us.
If they had done that in mid 1998, just after the Mozilla disclosure, they
might have buried us. I was worried about that. I was seriously worried that
that was a possibility, that they would turn on the hype machine before we
had enough success stories and enough corporate backing to be able to
counter that.
What happened in early 2001 demonstrated that we had already achieved
enough mainstream credibility and recruited enough backers inside the
establishment, as it were, that when Microsoft tried it it just bounced. And
that's a significant difference from '99.
Q: Mainstream credibility is important to you and the OSI, isn't it?
A: The thing that I've always kept in mind, and the reason I founded the
OSI in the first place is this: if you want to change the world, you have to
co-opt the people who write the checks.
Maybe it sounds pretentious to say this, but most of the people who do
this mostly care about art, not about money. If that weren't the case they'd
be off doing something else. Mind you, I'm not saying that it's necessarily
better to care about art than about money, I'm just making an observation
about the motivations of the people who do this.
Q: What's the future for the "bazaar" open-source model?
A: I see that continuing to succeed, in a way that's separate from the
debate about business models. The reason I'm very sure that will be the
case is because of the scaling problems that software development is
having as machines grow more capable and software grows more
complex.
The fundamental problem here is that machines roughly double in
capability every eighteen months, and as you know, the size of the
average software project in lines of code tends to be double that. That's a
real problem, because bugs generally arise from unanticipated interactions
between different pieces of code in a project. And that means that the
number of bugs in the project tends to rise with the square of the number
of lines of code. That means that as projects get larger, and their bug
density increases, the verification problem gets worse, and it doesn't get
worse linearly, it gets worse quadratically.
The reason I'm confident that the bazaar model, the open-source model,
will continue to thrive and claim new territory, is because all of the other
verification models have run out of steam. It's not that open sourcing is
perfect, it's not that the many-eyeballs effect is in some theoretical sense
necessarily the best possible way to do things, the problem is that we
don't know anything that works as well. And the scale of problems with
other methods of QA (quality assurance) is actually increasing in severity
as the size of projects goes up.
On the other hand, open-source development, open-source verification,
the many-eyeballs effect, seems to scale pretty well. And in fact it works
better as your development community gets larger.
Q: If you want to go to a really fundamental analysis, what we're
perpetually rediscovering on a scale of complexity is that centralization
doesn't work. Centralization doesn't scale, and when you push any human
endeavor to a certain threshold of complexity you rediscover that.
A: That recalls the argument of a few weeks ago about whether Linus
Torvalds should get an assistant. That's another illustration of the
problem. Centralization doesn't scale even when the center is Linus.
Copyright 2002 CNET Networks Inc.
* * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * *
. To unsubscribe from this list, send a message to:
majordomo at scn.org In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * * http://www.scn.org/volunteers/scn-l/ * * * * * * *
More information about the scn
mailing list