This is a highly overrated issue. Almost if not every major operating system employed by the DoD has its source code licensed to third parties. Windows and Solaris are two good examples. There is nothing stopping Chinese intelligence from founding a shell company and licensing the code, then squirreling it away in some bunker in China for analysis.

Open source and closed source alike go through security testing before being employed by the USDoD, and both camps have security auditing of source code before it makes it into version control. It would take a phenominally good hack to get past OSS at either layer (original developers and then commercial vendor) or to get past Microsoft or Sun's internal auditors (who happen to be competent programmers).

Instead of repeating talking points by companies that stand to lose here if more OSS gets used, why not focus on real security threats like the ease with which Chinese intel has stolen military hardware?

Neither the DoD report, nor its reviews on Info World and Business Review Online focus on the security question, so thats not my main concern. I cited the quotes from SCO and Green Hills because the Info World and Business Review articles responded to those citations in discussing the DoD report.

My main concerns with the DoD plan are here: http://weblog.ipcentral.info/archives/2006/07/is_the_dod_prop_1.html. In my view, the DoD report spells out an implementation roadmap far broader and with more ill-consequences than necessary under its stated goals.

define "ill-consequences"?

Well, I was a mite curious about this statement: "At least both DoD study reviews cite (but do not address) notable criticisms of extensive Defense open source deployment, which readers should consider."

Besides considering them to be asinine comments made by executive officers whose businesses are threatened by such deployments, I see no reason to give them the time of day.

SCO in particular is threatened because they have terrified all of their potential customers. No one wants to buy from them anymore. As a result, SCO UNIX is as welcomed in your average UNIX shop as the collected works of Anton LaVey are in a Christian library.

Now, if there is a real security threat to consider, I'd like to hear it. However, there seems to be a dearth of material suggesting that OSS screeners are any less competent than closed source screeners. When Chinese intelligence successfully sneaks code into RedHat Enterprise Linux, then maybe it'll be something to talk about.

The DoD reviews had absolutely no analysis at all. In fact, neither mentioned that the report suggested the DoD "promulgate" source code back into the community and essentially encourage general market adoption of open source. That doesn't sound like the DoD's role to me.

The fact that the reviews included the quotes from SCO and Green Hills shows that at least they considered other perspectives rather than just those from open source. Hence, I was commending the reviews for at least posting the quotes (thats what was meant by "at least").

Regarding the security question. SCO and Green Hills point out 2 distinct security issues. But lets leave those issues for another day.

READER COMMENT: "define "ill-consequences" posted by: john at July 20, 2006

I apologize for missing your comment earlier. It got buried between my post and Mike's.

Again, the DoD study cited very little research in its proposals, which, by well over-stepping its goal of establishing an internal "software code exchange", may well result in unintended consequences.

I still wonder where the "parallel shift" to an externally facing open source policy comes from. And why would the DoD want to involve itself more into the software (open source) community?