Security, Licensing and Funding in Free Software
Ben Laurie, Director, Apache Software Foundation, and OpenSSL Core Team member

First of all, I should make clear that I don't do any research on free software - I just write the stuff and try to help provide the organisational and legal structures to allow others to write it.

However, there are two issues that interest me in free software that seem to me to be in need of further research.

The first relates to security. It is often said that the "many eyes" that look at free software should lead to better security. However, some recent holes discovered in Apache and OpenSSL would appear to make it less clear that this is actually true. Both suffered serious problems which had been in the code for years, unnoticed. Why is it that these problems could have been noticed for all that time but were not? How could the processes by which free software is written and reviewed be improved so that such faults are found sooner?

Of course, this does not mean that the security of closed software is any better - certainly the flaws in OpenSSL were discovered by examining the source - which would not have been possible if the source had not been available.

Another issue related to security is that it is often said that free software is fixed more rapidly than non-free software when problems are discovered. Although there is much empirical and anecdotal evidence to support this, I'm not aware of any good studies. In particular, there are different points at which one can claim a piece of software is fixed. Is it when the authors (or someone else) release a patch? Or when the vendors release their updated versions? Or when some percentage of users have actually installed the fixed version (for example, the recent Slapper worm used OpenSSL problems that had been fixed a month or more before)?

The other question of interest to me is that of licensing and funding. It seems clear that some types of free software are written more or less spontaneously, because they are directly needed by their authors (for example, webservers and operating systems). However, there's a large class of software that seems to be taking substantially longer to materialise (for example, groupware and calendaring systems), and some that hasn't really happened at all (for example, certificate authority software). Work that is being done in the latter areas seems to be largely driven by funding rather than spontaneous interest by developers. The question is: how does funding of free software work? Are there some funding models that work better than others - for example, one that I always thought was rather exciting, but never really took off, was SourceXchange - but why not?

What influence does funding have on appropriate licences used for the software? It seems that much publicly funded development favours the GPL, whereas efforts partially funded by the private sector often use BSD-style licences, and ones totally privately funded seem to use more restrictive licences with asymmetric rights accruing to the original developers and later contributors. Is there anything to be said about this, and can licences and funding models be improved to help stimulate the growth of the less exciting areas of free software?