David A. Wheeler's Blog

Wed, 12 Apr 2006

Open standards, open source, and security too — LinuxWorld 2006 and a mystery

As I had previously threatened, I gave my talk on “Open Standards and Security” on April 4, 2006, at LinuxWorld’s “Government Day” focusing on open standards. My talk’s main message was that open standards are necessary (in the long run) for security, and I gave various reasons why I believe that. I also tried to show how important open standards are in general. In the process, a mystery was revealed, but first let me talk about the NewsForge article about my talk.

Unbeknownst to me, there was a reporter from NewsForge in the audience, who wrote the article “Why open standards matter” — and it specifically discussed my talk! Which was pretty neat, especially since the article was very accurate and complimentary. I used several stories in my talk, which the reporter called “parables”. I didn’t use that word, but I wish I had, because that’s exactly what they were. For example, I talked about a (hypothetical) magic food, that cost only $1 the first year and you wouldn’t need to eat anything else for a year… but it would make all other foods poisonous to you, and there was only one manufacturer of magic food. I created this parable to show that complete dependency on someone else is a serious security problem… if you’re so dependent that you cannot switch suppliers (practically), you already have a serious security problem. I was especially delighted that she included my key comment that my “magic food” parable wasn’t about any particular supplier (Microsoft or Red Hat or anyone else)… we need suppliers, the problem comes when we allow ourselves to become dependent on a supplier. I also discussed the 1904 Baltimore fire (where incompatible firehose couplings were a real problem), and the railroad gauge incompatibilities in the mid-1860s in the southern U.S. (this was a contributing factor to the Confederacy’s loss in the U.S. Civil War).

I did find one nitnoid about the article, which doesn’t change anything really but is great for showing how messy and complicated real history is. The article says that in the 1904 Baltimore fire, none of the firetrucks from other cities could connect. I said something almost like that, but not quite. What I actually said was that firetrucks from other cities had firehose couplings that were incompatible with Baltimore’s hydrants. I read a lot more about this event than I could mention in my presentation, which is why I said what I said in that funny way. It turns out that a few firefighters did manage to jerry-rig “connections” between some of the incompatible couplings, by wrapping lots of hoses around the hydrants and couplings. This is a perfect example of a “correction” nitnoid that just doesn’t matter, because you can probably guess the result — the jerry-rigged connections had lots of water on the ground (around the hydrant), and disturbingly little on the fire. So while technically there were some “connections” to hydrants by the firetrucks from other cities, they weren’t effective enough, and the bottom line is just as the article indicated: Baltimore burned. In short, the firehose incompatibilities between cities resulted in over 2,500 buildings being lost, almost all of them unnecessarily. I’m not sure what it says about me that I note this weird little issue, which isn’t important at all, but I’m sure that correcting it will require a lot of therapy.

So if you haven’t taken a look at it, take a peek at the “Open Standards and Security” presentation. I hope to eventually get an audio file posted; look for it. When I gave the presentation I had several props to make it more interesting, which you’ll just have to imagine:

Now, on to the mystery.

One of the people at my talk made the claim that, “today, every successful open standard is implemented by FLOSS.” That should be easy to disprove — all I need is a counter-example. Except that counter-examples seem to be hard to find; I can’t find even one, and even if I eventually find one, this difficulty suggests that there’s something deeper going on.

So as a result of thinking about this mystery, I wrote a new essay, titled “Open Standards, Open Source”. It discusses how open standards aid free-libre / open source software (FLOSS) projects, how FLOSS aids open standards, and then examines this mystery. It appears that it is true — today, essentially every successful open standard really is implemented by FLOSS. I consider why that is, and what it means if this is predictive. In particular, this observation suggests that an open standard without a FLOSS implementation is probably too risky for users to require, and that developers of open standards should encourage the development of at least one FLOSS implementation.
