Computer Software and Open Source Issues: A Primer

CRS Report for Congress
Updated December 17, 2003
Jeffrey W. Seifert
Analyst in Information Science and Technology Policy
Resources, Science, and Industry Division


Congressional Research Service, The Library of Congress

Summary
The use of open source software by the federal government has been gaining
attention as organizations continue to search for opportunities to enhance their
information technology (IT) operations while containing costs. For the federal
government and Congress, the debate over the use of open source software intersects
several other issues, including, but not limited to, the development of homeland
security and e-government initiatives, improving government information technology
management practices, strengthening computer security, and protecting intellectual
property rights. Currently, the debate over open source software often revolves
primarily around information security and intellectual property rights. However,
issues related to cost and quality are often raised as well.
Open source software refers to a computer program whose source code, or
programming instructions, is made available to the general public to be improved or
modified as the user wishes. Some examples of open source software include the
Linux operating system and Apache Web server software. In contrast, closed source,
or proprietary, programs are those whose source code is not made available and can
only be altered by the software manufacturer. In the case of closed source software,
updates to a program are usually distributed in the form of a patch or as a new
version of the program that the user can install but not alter. Some examples of
closed source software include Microsoft Word and Corel WordPerfect. The
majority of software products most commonly used, such as operating systems, word
processing programs, and databases, are closed source programs.
For proponents, open source software is often viewed as a means to reduce an
organization’s dependence on the software products of a few companies while
possibly improving the security and stability of one’s computing infrastructure. For
critics, open source software is often viewed as a threat to intellectual property rights
with unproven cost and quality benefits. So far there appear to be no systematic
analyses available that have conclusively compared closed source to open source
software on the issue of security. In practice, computer security is highly dependent
on how an application is configured, maintained, and monitored. Similarly, the costs
of implementing an open source solution are dependent upon factors such as the cost
of acquiring the hardware/software, investments in training for IT personnel and end
users, maintenance and support costs, and the resources required to convert data and
applications to work in the new computing environment. Consequently, some
computer experts suggest that it is not possible to conclude that either open source
or closed source software is inherently more secure or more cost efficient.
At this time there appears to be no centralized accounting of open source
software throughout the federal government. However, the growing emphasis on
improved information security and critical infrastructure protection overall will
likely be an influential factor in future decisions to implement open source solutions.
The rapidly changing computer environment may also foster the use of a combination
of open source and closed source applications, rather than creating a need to choose
one option at the exclusion of another. This report will be updated as events warrant.



Contents
What is Open Source Software?
Leading Organizations in the Open Source Software Community
Open Source Software Issues
    Information Security
    Intellectual Property Rights
    Quality
    Cost
Implications for Government Use of Open Source Software
Use of Open Source Software By Other Governments
For Further Reading



What is Open Source Software?
Open source software refers to a computer program whose source code1 is made
available to the general public to be improved or modified as the user wishes.
Changes to such a computer program may be available freely through Web sites and
users groups dedicated to that particular program. Some examples of open source
software include the Linux operating system2 and Apache Web server software.3 In
contrast, closed source, or proprietary, programs are those whose source code is not
made available and can only be altered by the software manufacturer. In the case of
closed source software, updates to a program are usually distributed in the form of
a patch4 or as a new version of the program that the user can install but not alter.
Some examples of closed source software include Microsoft Word and Corel
WordPerfect. The majority of software products most commonly used, such as
operating systems, word processing programs, and databases, are closed source
programs.
Although open source software has been attracting renewed attention recently,
its origins date back to the development of ARPANET in the late 1960s. During this
time, the individuals and universities that composed the small network of
programmers often worked collaboratively, sharing source code as a means to build
their knowledge base.5 More recently, open source software has been seen by some
observers as an alternative to the influence of a few large software companies in
some of the more popular user areas, such as operating systems and office
productivity suites. One of the more well known open source programs is Linux, an
operating system developed in the 1990s by Linus Torvalds, a Finnish programmer
now working for an information technology company in the United States. While
Linux holds a small share of the operating system market, compared to Microsoft
Windows, and is not widely used in the federal government, some agencies have
begun trial demonstrations in limited settings.6 For example, the National Security
Agency has been working with volunteer programmers to create a new version of
Linux called Security-Enhanced Linux (SELinux) in an attempt to develop tools and
applications that could be used to improve the security of government computer
systems.7

1 Source code is the set of programming instructions written by the software developer that
allows a program to execute its functions. Source code is written at the keyboard and
appears as a set of commands in the form of words, symbols, and numbers. After a
programmer has finished writing the source code, it is compiled into a machine language
that is recognized only by computers and is represented entirely as numbers. Proprietary
software includes only the machine language code, which allows the computer to function
but cannot be altered by the user. Open source software includes the source code (and
sometimes the machine language code) so that the user can make changes to how the
software program functions.
2 For more information about the Linux operating system, see [http://www.linux.org/].
3 For more information about Apache software, see [http://www.apache.org/].
4 A software patch is a small piece of software that integrates itself into the larger program
and is created to fix a specific problem, such as a particular security weakness or some other
error or defect in the product.
5 Jay Hollander, “The Challenge of Open-Source Business Model,” Gigalaw, April 2000,
[http://www.gigalaw.com/articles/2000-all/hollander-2000-04-all.html].

Leading Organizations in the Open Source Software Community
Although the open source software community is loosely organized, two
primary organizations are identified as leaders in advocating standards and
definitions. One is the Free Software Foundation (FSF), founded in 1985, and
dedicated to “promoting computer users' right to use, study, copy, modify, and
redistribute computer programs.”8 By ‘free software,’ FSF means that the user
should be allowed to alter, improve, and/or redistribute a version of a software
program, either gratis or for a fee. Using this interpretation, FSF does not suggest
that software should necessarily be cost-free. The second major organization is the
Open Source Initiative (OSI).9 OSI is self-described as a “non-profit corporation
dedicated to managing and promoting the Open Source Definition”10 through a
certification program it administers.11


6 Declan McCullagh and Robert Zarate, “Super-Secure Linux, Inch by Inch,” Wired, 11 June
2002, [http://www.wired.com/news/linux/0,1411,53004,00.html].
7 For more information about NSA’s support for SELinux, see
[http://www.nsa.gov/selinux/index.html].
8 For more information about the Free Software Foundation, see
[http://www.gnu.org/fsf/fsf.html].
9 For more information about the Open Source Initiative, see [http://www.opensource.org].
10 The Open Source Definition is a set of nine criteria that a program must meet to be
certified as open source software by OSI. These criteria address issues such as right of
redistribution, availability of the source code, derived works, discrimination of use, and
licensing. Details regarding these criteria can be found at
[http://www.opensource.org/docs/definition.php].
11 For more information about the OSI certification program, see
[http://www.opensource.org/docs/certification_mark.php].

Open Source Software Issues
Open source software has been gaining attention as organizations continue to
search for opportunities to enhance their information technology operations while
containing costs. For the federal government and Congress, the debate over the use
of open source software intersects several other issues, including, but not limited to,
the development of homeland security and e-government initiatives, improving
government information technology management practices, strengthening computer
security, and protecting intellectual property rights. Currently, the debate over open
source software often revolves primarily around security and intellectual property
rights. However, issues related to cost and quality are often raised as well.
Information Security
Some critics of open source software suggest that it is less secure than
proprietary or closed source software because it allows a potential hacker to search
the source code to discover and exploit flaws. Some observers suggest that the
‘security through obscurity’ principle that accompanies closed source software
enhances security by making it more difficult for potential flaws to be discovered and
exploited.12 Concerns have also been raised regarding the possibility of Trojan horse
programs13 being introduced into a computing environment through the downloading
and use of open source software whose provenance may not be entirely clear.
In contrast, advocates for open source software suggest that it may be less prone
to security flaws due to the peer-review nature of open source software development.
This allows the source code to be scrutinized simultaneously by a wide audience of
individuals who bring different perspectives and may test the software under a variety
of conditions. Supporters of open source software suggest this approach can generate
a faster response to security problems and minimize the potential of Trojan horse
programs.14
So far there appear to be no systematic analyses available that have conclusively
compared closed source to open source software on the issue of security. In practice,
computer security is highly dependent on how the user and/or administrator configures,
maintains, and monitors the application. Consequently, some computer security
experts suggest that it is not possible to conclude that either open source or closed
source software is inherently more secure.15 However, this viewpoint may change as
additional research is carried out.

12 Although sometimes used as a derogatory term by critics of proprietary software, the
philosophy behind the concept of “security through obscurity” is that security is enhanced
if flaws are hidden from view and not publicized until a solution can be made available.
13 A Trojan horse program is a destructive software program that appears as a benign
application. One example is a program that is described as an upgrade or a service pack for
a current version of a program, but is in fact designed to disable a computer’s virus scanner
and introduce new viruses to the computer.
14 Drew Clark, “Defense, Cybersecurity Officials Praise ‘Open Source’ Software,”
Government Executive Magazine, 29 October 2002,
[http://207.27.3.29/dailyfed/1002/102902td2.htm].

Intellectual Property Rights
The implications of open source software for intellectual property rights continue
to evolve. While open source software generally provides users with greater freedoms
than closed source software,16 open source software is usually distributed with some
form of licensing agreement17 that details the conditions under which a user may use,
make changes, and redistribute the source code. Critics argue that open source
software threatens intellectual property rights because any software that incorporates
open source code must be freely redistributed at no cost. While one of the underlying
principles of open source software is the unrestricted redistribution of source code, a
distinction is made between software that incorporates open source code into its
program, and programs that work with open source software. For example, the General
Public License (GPL), drafted by the Free Software Foundation, is one open source
agreement. The GPL requires that entities using open source code must, upon further
distributing that code or subsequent modifications of that code, either provide a copy
of the source code or offer to give any third party a copy of the source code. However,
the GPL allows a user to include an open source program with a closed source program
without providing the source code for the closed source program, provided the two
programs are functionally separate,18 such as in the case of an editor program that
works with a shell program.19
In contrast to the concerns raised regarding the potential threats to intellectual
property rights, some observers suggest that the increased use of patents (as compared
to copyrights or trade secrets) by technology companies to protect online business
methods such as one-click shopping, customer referral affiliate programs, and
buyer-driven e-commerce, could hinder the future development of open source software.
Under this scenario, technology companies could choose to license patented business
methods and technologies only to organizations for use in closed source software.
This, in turn, could affect the type of software that could effectively be developed as
an open source product as compared to a closed source product.

15 Jonathan Krim, “Open-Source Fight Flares at Pentagon,” The Washington Post, 23 May
2002, p. E1; Michelle Delio, “Did MS Pay for Open-Source Scare?,” Wired, 5 June 2002,
[http://www.wired.com/news/linux/0,1411,52973,00.html]; Dennis Fisher, “Open Source:
A False Sense of Security?,” eWeek, 30 September 2002, p. 20.
16 Most notably, the ability to make changes to the source code.
17 There are many open source licenses currently in use. Some are more general in nature,
designed to be easily adopted by anyone developing open source software, while others are
more specific, created by a particular company or organization. A collection of some of the
most well known licenses can be found at [http://www.opensource.org/licenses/].
18 For a more complete explanation of this concept, see
[http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem].
19 In this example, the editor program could be one that executes text commands to complete
tasks, while the shell program provides a graphical interface with menus to allow the user
to complete these same tasks without knowing the text commands. So, the editor program
could be a closed source program used by people with a strong knowledge of text
commands. The shell program could be an open source program developed later to help less
knowledgeable users to complete the same tasks. The editor can work independently of the
shell, and as such the editor can be distributed with the shell program without having its
source code included.

Quality
Related to the issue of security, some supporters of open source software argue
that the potentially large number of programmers contributing to the development of
an open source program can contribute to a higher quality product with fewer ‘bugs’
because it is more likely an error will be discovered before it becomes a major problem.
In addition, some observers suggest that open source organizations generally react
quickly when a problem is discovered, and use small software ‘patches’ to fix a
specific problem, potentially limiting unanticipated side effects. These observers
contrast this approach with that of software companies, who may wish to wait and
release multiple patches together in a single service pack.20 While the use of service
packs can be more convenient and efficient than having to install numerous patches
individually, service packs can sometimes cause new problems due to the simultaneous
introduction of several uncoordinated changes to the software program.21
In contrast, some critics cite the lack of formal vendor or technical support for
open source software that is not commercially distributed. Since open source software
is developed by a community of users, it often does not have a dedicated technical
support team that will respond to troubleshooting inquiries on a fixed schedule. Where
a company or agency relies on the proper functioning of the software to carry out
mission critical tasks, vendor support can play an important role in the event of a
mishap. Related to the technical support concerns, some observers suggest that open
source software is not as reliable as the closed source or commercial alternatives
because there is no identifiable company or organization whose profits and/or
reputation is dependent upon the proper functioning of the software.22 As with
security, there does not seem to be any conclusive study comparing quality. Moreover,
with both types of software continually evolving, and quality being a somewhat
subjective measure, no firm conclusion may be possible.
20 A service pack is an update to a software version that fixes an existing problem, such as
a bug, or provides enhancements that will appear in the next version of the product.
21 Jim Rapoza, “eWeek Labs: Open Source Quicker at Fixing Flaws,” eWeek, 30 September
2002, [http://www.eweek.com/article2/0,3959,562226,00.asp].
22 In recent years as interest in open source software has become more widespread, some
software vendors have begun to sell commercial versions of popular open source programs,
such as Linux, which can include access to vendor provided support and service. Two
examples of such companies include Red Hat [http://www.redhat.com] and The SCO Group
(formerly known as Caldera International) [http://www.sco.com].

Cost
The costs associated with using open source software compared to proprietary
software are dependent upon a number of factors, including the cost of acquiring the
necessary hardware and software,23 investments in training for information technology
personnel and end users, maintenance and support costs, and the resources required
to convert data and applications to work in the new computing environment.
Calculating these costs, also referred to as the total cost of ownership (TCO), is unique
to each organization and application.
Some observers suggest that by utilizing the community of unpaid programmers
and users that grows around a particular product, open source software carries lower
costs than closed source software by potentially decreasing the number of in-house
information technology professionals needed to support the software and by
eliminating the need for costly service contracts offered by proprietary software
developers. The availability of community support may also offer the flexibility of
allowing the adopting organization to decide if and when it will upgrade to a new
version of a particular software program. In contrast, commercial software vendors
usually discontinue support of older programs some time after new versions are
introduced, which leaves organizations to decide whether or not to continue using
unsupported software, or to incur the costs of upgrading to a new version.
On the other hand, organizations that adopt open source software, in part due to
the ability to customize the software for their particular needs, will still need to either
maintain an adequate level of internal information technology personnel, or outsource
these responsibilities on a contract basis. Similarly, many of the most popularly used
programs in business and government, such as word processing, spreadsheets,
databases, and e-mail, are designed to work with a particular operating system, such
as Windows. So, if an organization decides to switch to an alternative operating
system, such as Linux, it may also have to adopt other new programs, requiring
additional employee training and support.
Implications for Government Use of Open Source Software
Although there is increasing interest in federal government use of open source
software, the extent to which the use of these applications will continue to grow
remains to be seen. In an October 2000 report on the use of open source software for
high performance computing, the President’s Information Technology Advisory
Committee (PITAC) recommended that the federal government “should aggressively
encourage the development of open source software for high end computing.” The
report also recommended that the federal government examine its procurement
processes as they relate to open source software. In addition, the report suggested that
there was a need to analyze open source licensing agreements, “with an ultimate goal
of agreeing upon a single common licensing agreement for open source software
applications.”24


23 While many open source software programs can be acquired for free, commercially
distributed versions of these programs are also sometimes available.
24 President’s Information Technology Advisory Committee, Panel on Open Source
Software for High End Computing. October 2000. Developing Open Source Software to
Advance High End Computing. [http://www.ccic.gov/pubs/pitac/pres-oss-11sep00.pdf].

In a July 2001 report on the use of open source software for military applications,
the MITRE Corporation suggested that a business case could be made for the
implementation of open source software solutions for server and embedded systems,
based on potential cost, reliability, and support advantages. However, the report
emphasized the need for program managers to consider several factors when selecting
a strategy for a specific set of circumstances. These include assessing the size, talent,
and organization of the supporting community, examining the market demand for the
open source product in question, conducting a risk/benefit analysis, and comparing the
long term costs of available options.25
An October 2002 MITRE report on the use of open source software in the
Department of Defense (DoD) concluded that free and open source software “plays a
more critical role in the DoD than has generally been recognized.” It identified 115
open source applications and 251 examples of their use within the DoD. The report
stated that open source software plays an especially significant role in the areas of
infrastructure support, software development, security, and research. The report’s
authors made three recommendations regarding DoD policies toward open source
software. They included: creating a “Generally Recognized As Safe” open source
software list (as it regards information security and reliability), developing generic
infrastructure, development, security, and research policies to promote the broader and
effective use of open source software, and encouraging the use of open source software
to promote product diversity (to reduce the dependence on a single software product).26
In addition to defense-related purposes, it has been widely reported that other
agencies making some use of open source applications include the National Aeronautics
and Space Administration (NASA), the Department of Agriculture, the Federal
Aviation Administration, and the Department of Energy.27 Currently, one of the more
common applications is the use of Apache, one of the leading open source server
programs, to run government Web sites.28 There is also some use of Linux for federal
supercomputer applications.29 However, at this time there appears to be no centralized
accounting of open source software throughout the federal government.

25 Carolyn A. Kenwood. July 2001. A Business Case Study of Open Source Software. The
MITRE Corporation.
[http://www.mitre.org/support/papers/tech_papers_01/kenwood_software/].
26 Terry Bollinger. 28 October 2002. Use of Free and Open-Source Software (FOSS) in the
U.S. Department of Defense. The MITRE Corporation.
[http://www.egovos.org/pdf/dodfoss.pdf].
27 Peter Galli. “German Gov’t Moves to Linux,” eWeek, 3 June 2002,
[http://www.eweek.com/article2/0,3959,4279,00.asp].
28 Drew Clark, “Defense, Cybersecurity Officials Praise ‘Open Source’ Software,”
Government Executive Magazine, 29 October 2002,
[http://207.27.3.29/dailyfed/1002/102902td2.htm]; Jonathan Krim, “Open-Source Fight
Flares at Pentagon,” The Washington Post, 23 May 2002, p. E1.

The growing emphasis on improved information security and critical
infrastructure protection overall, as well as the interest in developing governmentwide,
data intensive applications for homeland security and e-government, will likely be an
influential factor in future decisions on implementing open source solutions. The
rapidly changing computer environment may also foster the use of a combination of
open source and closed source applications, rather than creating a need to choose one
option at the exclusion of another. In addition, as the largest buyer of information
technology products and services in the world, the choices made by the federal
government could have a larger impact on the future growth or decline of open source
software overall.30
Use of Open Source Software By Other Governments
The use of open source software by government agencies is a growing issue in
other countries as well. In some countries, governments have been taking an active
role in encouraging the growth of open source software. Such initiatives have included
proposals to either require the consideration, or even mandate the purchase of open
source software solutions for government technology projects. The rationale for such
proposals can vary widely. In some countries, open source software is seen as an
inexpensive alternative for promoting IT projects on limited budgets. For example, in
Brazil, President Luiz Inacio Lula da Silva’s administration has suggested that the
licensing fees associated with proprietary software are “unsustainable economically”
for its government to develop its technological infrastructure while also dedicating
resources to improve its economic situation.31 In Thailand, the government supported
the development of Linux TLE, a Thai-language version of Linux, as part of its effort
to increase citizen ownership of “people’s notebook” computers.32 In other cases, pro-
open source software policies are viewed as a means to promote the development of
a domestic software industry and reduce dependence on foreign companies for both
economic and national security reasons. For example, in September 2003 the
governments of China, South Korea, and Japan agreed to collaborate on a joint open
source software development project. This was followed by an announcement in
November 2003 that the three major IT industry associations of their respective
countries were forming an organization tentatively named the Japan-China-Korea Open
Source Software (OSS) Promotion Partnership.33

29 Randall Edwards, “NASA Installs Linux Supercomputer,” Federal Computer Week, 18
November 2003, [http://www.fcw.com/fcw/articles/2003/1117/web-super-11-18-03.asp];
Patricia Daukantas, “Army Lab Puts Linux Cluster into Service,” Government Computer
News, 3 December 2003, [http://www.gcn.com/vol1_no1/daily-updates/24323-1.html].
30 Patrick Thibodeau, “Could Feds Foil Microsoft with IT Spending?,” Computerworld, 10
June 2002,
[http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,71851,00.html].
31 “Brazil Gives Nod to Open Source,” Wired, 16 November 2003,
[http://www.wired.com/news/infostructure/0,1377,61257,00.html].
32 “Dell May Join HP in Linux Laptop Drive,” CNet News.com, 23 May 2003,
[http://news.com.com/2100-1044_3-1009546.html].

For Further Reading
Bollinger, Terry. Use of Free and Open-Source Software (FOSS) in the U.S.
Department of Defense. The MITRE Corporation. 28 October 2002.
[http://www.egovos.org/pdf/dodfoss.pdf].
Brown, Kenneth. Opening the Open Source Debate: A White Paper. Alexis de
Tocqueville Institution. June 2002.
[http://www.adti.net/html_files/defense/opensource_debate.html].
Danish Board of Technology. Open Source Software in E-Government. October 2002.
[http://www.tekno.dk/pdf/projekter/p03_opensource_paper_english.pdf].
Hahn, Robert W. (ed.). Government Policy Toward Open Source Software. AEI-
Brookings Joint Center for Regulatory Studies. December 2002.
[http://aei-brookings.org/admin/pdffiles/phpJ6.pdf].
Kenwood, Carolyn A. A Business Case Study of Open Source Software. The MITRE
Corporation. July 2001.
[http://www.mitre.org/support/papers/tech_papers_01/kenwood_software/].
President’s Information Technology Advisory Committee, Panel on Open Source
Software for High End Computing. Developing Open Source Software to
Advance High End Computing. October 2000.
[http://www.ccic.gov/pubs/pitac/pres-oss-11sep00.pdf].
Reasoning. How Open-Source and Commercial Software Compare: A Quantitative
Analysis of TCP/IP Implementations in Commercial Software and in the Linux
Kernel. 2003. [http://www.reasoning.com/downloads/opensource.html].


33 Martyn Williams, “Major Asian IT Groups to Collaborate on Open Source,” InfoWorld,
14 November 2003,
[http://www.infoworld.com/article/03/11/14/HNasianitgroups_1.html?platforms].