Open source developers provide 'glimmer of hope'

James Coplien, a software design expert who currently works as an object architect at US-based software company DAFCA, said in an interview at the ACCU conference in Oxford, that unless consumers start demanding better quality software, the software industry is unlikely to change.

"There's a pressure that unless you're one of the first three players in the market you don't have a chance," said Coplien. "Quality is suffering for time -- people pay money for the first, not the best. It comes down to the fact that consumers are willing to put up with crap systems that crash all the time."

Coplien said the only area of the industry where people still take pride in the quality of the software they deliver is the open source community.

"The one glimmer of hope is the people who've said, 'Screw the industry, we're going to write excellent software and give it away', in other words, the open source movement," said Coplien. "I take off my hat to these people. Linux is one of the highest quality pieces of software out there."

There are various reasons why open source software is of better quality than proprietary software, according to Coplien. He claimed the collaborative effort of open source contributors, combined with a core group of developers, is the best way to build a secure IT system.

"Security is a system concern -- it is a complex system," said Coplien. "How does nature deal with complex systems? Each cell does its own thing. The complementary, independent, selfless acts of thousands of individuals [in the open source community] can address system problems â€" there are thousands of people making the system stronger. If it was uncoordinated it wouldn't work, but there is a core of developers at the centre."

But other industry experts at the ACCU conference disagreed that open source code is superior to closed source code. Bjarne Stroustrup, who currently works as a professor at Texas A&M University and is the creator of C++, said that the quality of open source software is not necessarily any better.

"Open source is a good idea, but not all open source code is good," said Stroustrup. "Some of the best code in the world is not open source."

"For example, I would dearly love to have a good look at the [proprietary] code running in the Mars Rover. It has to be good -- it's been running on Mars for 15 months and has to be debuggable remotely."

Coplien argues that open source software is better tested than closed source software as there are "more eyes" looking at it, and people are encouraged to find bugs. "If I can find a bug in Linux, it's a lifetime accomplishment," said Coplien. "In the Linux community it is a badge of honour to find a bug," he said, adding that open source developers are under pressure to write superior code because they know it will be seen by many other coders.

But the security of open source software is a controversial issue. Linux kernel co-maintainer Andrew Morton said this week that a lack of 'credit or money or anything' for those who test the open source OS could threaten its long-term stability.

And speaking at the ACCU conference, Ross Anderson, professor of security engineering at Cambridge University, said that open source software is not inherently more secure than closed source software, as although users can find and fix vulnerabilities more easily when the code is available, this will also help those attacking the software.

But, if asymmetry is introduced, which gives attackers or defenders an additional advantage, this will affect the relative security of open and closed source software, according to Anderson. Factors that could reduce the relative security of closed source software include commercial influences, where a company does not fix a bug due to the cost, or PR influences, where a company tries to hide information on a bug to prevent negative publicity, said Anderson.

Anderson's research on this issue is available as a PDF file from the Cambridge University Web site.

ZDNet UK's Ingrid Marson reported from London. For more coverage from ZDNet UK, click here.