The State of Open Source in 2025? Honestly, it's a mess but you knew that already

OpenLogic's 2025 State of Open Source Report offers a slightly different perspective on modern corporate adoption of FOSS – and it's not a reassuring one. The Perforce OpenLogic State of Open Source is an interesting read, which takes some unusual directions quite unlike the more familiar sort of glowingly optimistic industry- …

  1. Anonymous Coward

    2026 will be the year of the Linux desktop

    1. Ian Johnston Silver badge

      And we'll have electricity from fusion in 2035.

    2. AndrueC Silver badge
      Trollface

      Everyone will be using Linux. Not the same distribution of course, but some flavour of it. And the vast majority of innocent users will be trying to avoid getting dragged into discussions about some weird technical crap like 'should we still be using systemd' while yearning for the simple days when 'I just used Windows and could ignore it most of the time'.

      1. Richard 12 Silver badge

        Everyone already is

        They just don't see it, because it's the other end of a pipe or wrapped up in snazzy Chrome or Android

    3. bombastic bob Silver badge
      Unhappy

      year of the Linux Desktop

      Sadly without 100% compatibility with Micros~1 via Wine or similar, this seems less and less likely these days.

      After all, people continue to put up with Winders 10 and now 11...

      (If Wine could be easily sandboxed it might be more popular but I really don't want it polluting my Linux or BSD boxen)

  2. m4r35n357 Silver badge

    So . . .

    Stallman was right, Raymond was wrong.

    Open == Closed with a friendlier name.

    1. Charlie Clark Silver badge
      FAIL

      Re: So . . .

      Are these the only two voices that count?

      1. m4r35n357 Silver badge

        Re: So . . .

        They represent the two viewpoints nicely, being the _actual proponents_ of the two camps, so yes.

        1. doublelayer Silver badge

          Re: So . . .

          There are a lot more than two camps, and the two don't necessarily hold the same points of view that adherents argue for. I assume from your comment that you're referring to the general attitude toward proprietary code, with Stallman taking a more negative attitude to its existence than Raymond does.

          Except he doesn't entirely do that. There are many who think that the existence of proprietary code is unconscionable and should be forbidden by law. Stallman isn't one of them by a wide margin. There are people who think open source code is fine, but they prefer to run mostly code that is maintained by a specific company because it means there's no link in the chain where their function has a license that disclaims liability. Raymond isn't one of them. So the spectrum, if we're using a one-dimensional one for this, goes in both directions from those two guys. There's also a place between their attitudes. I'm also curious where you'd put Bruce Perens, both the original one with all the OSI connections and the new version who is all in on the Post Open (in my opinion very close to closed) license idea. Not to mention that I, who you'd probably file near Raymond, might not be easily placed on such a scale because, while I'm fine with proprietary code, I get annoyed at people who change their licenses to make something previously open source more proprietary. They have the right to do it, but I will dislike them if they do. Neither camp is well-defined, possibly because there are more than two opinions on it, more than one thing to be debated, and we don't tend to choose our opinion by picking a representative.

  3. Doctor Syntax Silver badge

    I'm not sure I'd put too much weight on names given to versions unless they were specifically asked. If Angular started as Angular.js it might still be that in respondents' minds irrespective of what version they're actually running - "Oh, yes, Angular.js version 19 now you ask".

    What would be interesting to know is how the various distros are used. Are they, for instance, running Ubuntu on the desktop and Debian or CentOS on the server?

    One impression I get is that in many cases the Linux systems were set up by somebody else who's moved on, maybe a vendor, and have been inherited by people who just know how to keep them going. Because they just keep going, there's nobody tasked with planning replacement or even what to do in an emergency. It all Just Works so it's allowed to drift, run updates, take backups, maybe manage user IDs. It really is saving money.

    1. Homo.Sapien.Floridanus

      If you go by name instead of by license type, you may end up getting forked.

    2. bombastic bob Silver badge
      Megaphone

      JUST keep it 'up to date' and working

      I prefer things that way - just keep it up to date and working. Several projects (like gimp and audacity) THANKFULLY do this!

      NO NEED to RUIN IT like they did with GNOME and FIREFOX's basic UI appearance and functionality... (you know, the 2D FLATTY/FLATSO/FLATASS, hamburger menu, "phone on a desktop", and "Adwaita" vs "what it used to be" 3D skeuomorphic)

      "UP"grading [to crappy "new,shiny" interfaces, etc.] is HIGHLY overrated. Right, Poettering? Right, Micros~1? RIGHT, Gnome 3 and KDE devs?

  4. Mike 137 Silver badge

    Motivations

    Admittedly a few years back, I participated in a UK Parliamentary specialist group debate on "open source and open standards". Two things stood out glaringly: [1] many of the participants confused the two, assuming that open source automatically both complied with open standards and drove them, and [2] most of the user base used open source not because the source was open (they didn't look at it) but merely because it was free software. On this basis it was hard to see how the original intent of open source could survive intact -- as indeed it seems not to have.

    1. Primus Secundus Tertius

      Re: Motivations

      Refreshing common sense in your point 2. I have upvoted.

    2. Throatwarbler Mangrove Silver badge
      Pint

      Re: Motivations

      The consumers like "free beer," "free speech" is not so important.

    3. Doctor Syntax Silver badge

      Re: Motivations

      "assuming that open source automatically both complied with open standards and drove them"

      Nevertheless if the source is open it's hard to keep whatever standards it implements closed but closed source rather likes closed standards or, at best, faux open standards.

    4. Charlie Clark Silver badge
      Thumb Up

      Re: Motivations

      I'd argue against the fact that using no-strings open source software because it's free means that no-one is prepared to pay for it.

      20 years ago it was very difficult to argue for open source software, despite its copious existence in vendor projects. But that started to change as programmers who'd worked productively with open source software became managers and chose to use packages not just because they were cheaper, but because they were better. This meant that they understood the value proposition of whatever it was they were working on. My own experience has been that increasingly non-tech users and managers are happy to pay for support or training for software they consider to be valuable. Sure, this fails to close the financing gap for open source, but that idea presupposes that everyone wants to be paid for their software and that's not the case.

      As for freeloaders: they've always existed and always will – I remember cracking Lotus 1-2-3 35 years ago so I could work on stuff away from the office. It's usually not worth going after them but these are also often the outfits that try and skimp on everything and pay a far bigger price when their under-resourced stuff fails.

  5. Anonymous Coward

    Modified to hell and gone

    A lot of people I see use something open source, then they hit a bug, or it doesn't have a certain feature, so they modify the living hell out of it.

    When the next version rolls out, they're screwed because there's now no good migration path.

    Did I mention they have no clue that "diff" & "patch" even exist?

    Anon b/c I've already sent all the emails to management on how stupid this is

    1. Doctor Syntax Silver badge

      Re: Modified to hell and gone

      Did you send the emails to management anonymously? If not why post anon now?

  6. This post has been deleted by its author

  7. Androgynous Cupboard Silver badge

    Frameworks

    JS devs in particular flock to these frameworks like lemmings, despite the near certainty that whatever they pick will be unsupported in ten years, probably without a clear migration path.

    Meanwhile, it's perfectly possible to write complex applications in HTML+CSS+JS as they are specified, without a framework, and it will continue to work… forever, probably.

    1. Charlie Clark Silver badge

      Re: Frameworks

      I don't know if you can do all the JS stuff without using some kind of reusable libraries, but it's certainly become a lot easier over the last ten to fifteen years. The dependency hell of server-side JS is also killing it slowly as keeping things up to date requires a lot more effort than other languages.

  8. Sitaram Chamarty

    "OpenLogic is the firm of a former Microsoft manager, who uses FUD to monetize Free software."

    I had never heard of openlogic, but I laughed at that comment.

    Would have been more credible if it was not coming from Roy Scheshtowitz's (sp?) site -- that guy makes all other conspiracy nuts look like the voice of reason

    1. Liam Proven (Written by Reg staff) Silver badge

      Re: "OpenLogic is the firm of a former Microsoft manager, who uses FUD to monetize Free software."

      > Would have been more credible if it was not coming from Roy Scheshtowitz's (sp?) site -- that guy makes all other conspiracy nuts look like the voice of reason

      A (pre-Reg) colleague of mine is friendly with him, but yes, Dr Roy is, um, erratic. But just occasionally, he does make valid points. I know, frequency of correctness of non-running timepieces, etc...

  9. Anonymous Coward

    FOSS??

    Real problems, yes. But I'm not sure why it's considered FOSS related.

    I work in a company with huge numbers of unsupported Solaris (9, 10, 11) (yes, Solaris 11 is supported, but we ain't payin for no support, and systems haven't been patched in YEARS) and Windows systems dating back to XP (and yes, not my area, but I'd be SHOCKED if there weren't some old desktops running XP running some mission critical "server-like" task) and Oracle database systems that haven't been patched in years. All non-FOSS. Oh, and it's all running on an out-of-date, VMware system.

    Oh yeah, sure...a lot of our FOSS systems are out of date, too. Easy as it would be to blame CentOS, nope, that's not the real reason. But at least for our FOSS systems, it isn't a monetary issue. And those will be migrated sooner than many of our commercial systems will be. Our managers are only doing short term planning (and much of that consists of "what will look good on my resume for my NEXT job"), because that's where the rewards are.

    From what I've seen, the real problem has NOTHING to do with commercial vs. FOSS, it's the fact that the low bidder gets the contract. Doing things badly beats the heck out of not doing it at all, because your customers went elsewhere. People TALK about security and recoverability, but conservative, secure designs don't sell. IF FOSS systems actually do "rot" in the data center longer (and I'm not convinced that's true), I suspect a reason might be because they worked, they require little maintenance, and the people who knew how it all worked long-ago left the company (and often because they were booted out because "job done"). "Why are you still running the old systems?" "I don't know" -- I don't know how they were set up, I don't know how they work, I don't know how to migrate to a new system, etc.

    And of course, it's about "free beer". Few really care about "freedom".

    1. Liam Proven (Written by Reg staff) Silver badge

      Re: FOSS??

      > Real problems, yes. But I'm not sure why it's considered FOSS related.

      There are significant differences here, among which are:

      * is it sealed off and in-house only?

      * is it internet-facing?

      * is it able to talk to the internet on its own?

      * does it require an internet connection?

      * does it default to fetching stuff from the internet in normal use, which must be explicitly disabled?

      * CAN internet access be disabled?

      And I am not touching upon the big one...

      * was it designed and meticulously assembled by trained professionals because it was expensive enterprise kit?

      ... or...

      * was it a best-effort freebie thrown together mainly by community members, with a label slapped on it with a hand-scrawled version number?

  10. Anonymous Coward

    > the numbers say that nearly 60 percent use Ubuntu and some 30 percent use Debian. [...] overall, 25 percent use CentOS.

    60 + 30 + 25 = 115%

    I'm sure there's something that I'm not getting here, but I'm actually interested in those market share numbers.

    1. Claptrap314 Silver badge

      Some places are running more than one of these.

    2. Liam Proven (Written by Reg staff) Silver badge

      > I'm sure there's something that I'm not getting here

      Overlap.

      Nobody said you could only use one at a time.

    3. doublelayer Silver badge

      The places I have worked have used all of these, plus SUSE, Fedora, and Arch (a little), and no one of them has used fewer than two. Sometimes, it can be nice to use a single distro on every machine, but it doesn't always work. Some machines don't change a lot, and they're often running Debian or RHEL so they don't need to be but there's still maintenance. Ubuntu has been a middle ground, now making changes moving it in a longer-term direction if you use LTS versions. CentOS, Fedora, Ubuntu and you use all the versions, and Arch update faster, which may be useful for some situations where you want to be able to use newer tools that those older distros don't include because they weren't around at the time, and then you've used one and you want to deploy it, so instead of the existing older server images, you make a new one based on a newer version of something that'll get support and now that's one of your servers too. After a couple years of that, you don't have a monoculture anymore and it's less work in the short term to keep those running rather than migrate everything to one thing. Eventually, you have to make some maintenance decision, but that's how you get there.

  11. sedregj Bronze badge
    Childcatcher

    Enterprise Linux

    We can all ava laff about Linux on the Desktop

    For my little firm, I have settled on Kubuntu LTS as a distro but if you fancy it why not try the intermediates? I've run Gentoo and Arch as a daily driver for well over a decade (wifey still has Arch on her Facebook device)

    That gets me Secure Boot, AV via ESET, and encrypted at rest - ticks the Cyber Essentials plus and ISO27000000001 boxes. I also run up auditd with a PCI-DSS profile and easily ship to aggregation and analysis.

    Samba and SSSSSSSSD does the Windows integration. I used to use winbind but it isn't the best these days.

    Evolution is phenomenally quick compared to all the Outlook variants and is able to log intelligibly (or at all) and it isn't artificially hamstrung for ... reasons.

    LibreOffice does the office job for me. I used to teach people how to use spreadsheets, WP and the rest for a living. If you are going to try to tell me that Excel and co are better than LO, you had better have a really good argument. I will also point out that I once wrote a Finite (yes finite) Capacity Model in Excel for a food factory (think make/bake/wrap). I also deal with massive docs, indices and so on.

    So, I suggest that LO is quite happy doing the Office job.

    1. James Anderson Silver badge

      Re: Enterprise Linux

      The problem is the amazingly complex things ordinary users do with EXCEL because asking the IT department to do it is a pain in the proverbial. Many of these just die or render unreadably when run in Libre. It just needs one or two of these “applications” in an organisation to veto any move of windows.

  12. A-nonCoward

    source data quality?

    My job used to be automation of market research. Much fun.

    Eventually, the company has continued what seems to be a self-destructive path of being rather anal about data integrity.

    Nobody seems to know, and even fewer to care.

    Clients don't appreciate much the added cost of quality.

    har har, just like FOSS implementation, as explained in the article and comments.

    It would seem that most US markets (and politics) survey responses come from Mindanao, or perhaps somewhere in India.

    Whatever.

    The point is, the "I don't know" response, did it come from open-ends? (good), or from choosing in a list (15% means zilch).

  13. ivanh

    Unfortunately, a lot of open source software was originally written as a proof of concept or as someone's master's degree project.

    There was no one checking for security vulnerabilities, and then others started building on this vulnerable base.

    Reliance on the community to fix security issues is nowhere near as popular as adding new features.

    I come from the educational field and to see the number of security vulnerabilities in learning management systems (eg. Moodle) over the years, I would not run most of these programs on any external facing servers.

    You can look at other examples such as WordPress, Drupal, etc. and see the same thing - bad input checking.

    It is prevalent all over the place. A security vulnerability just waiting to be found.

    I author open source software, and we do not let any code out until it meets our stringent input checking.

    We started with a secure base, so moving forward we just keep doing what we had from the beginning.

    Trying to go back and fix something that was bad to begin with is practically impossible.

    We state on our website that our software is secure (you don't see many offerings stating that), because we are the only ones that add to it.

    We accept feature requests, but we do not accept code from anyone. You can fork our project (it is under GPL v2) if you really want to change it.

    The many eyes on the code will produce better software is a joke.

    Of course we are retired, so have all the time we need to make sure our software is secure.

    1. Vader
    2. Richard 12 Silver badge
      Unhappy

      It's worse than that sometimes.

      I recall someone refusing point blank to accept that temporarily changing the global locale of the entire process from within a library was a bad idea - despite the language documentation explicitly saying not to do that.

      They insisted it was fine because they "put it back" before returning - and it wasn't an issue in their proof-of-concept single thread application. They couldn't comprehend that multi threaded applications exist.

      Now imagine if that was a closed source library?

      JS is still entirely single-thread of course, and Python is ... a bit weird. So there is a lot of pain coming because the "free lunch" of ever increasing single thread performance is over.

    3. Random person

      There are so many things to discuss here.

      You appear to concentrate on input checks; this is extremely important but it is not the only source of security problems.

      You have developed a threat model and you check your code against this security model, this is much better than most of us but have you got a third party to review your security model to see if there are attack surfaces that you had not thought of? Has your code been subject to a security audit?

      If you use a compiled language have you checked for Compiler Introduced Security Bugs (CISB)? Your compiler may optimise your security related code away.

      If you use an interpreted language how do you ensure that the interpreter on the end user's system is secure?

      Bruce Schneier said years ago “Security is a process, not a product.”

      Could you provide links to your website so interested parties can look at your product to confirm that it is secure?

      Here are links that you may find interesting.

      Source of the Bruce Schneier quote https://www.schneier.com/books/secrets-and-lies-pref/

      Short USENIX talk on CISB https://www.youtube.com/watch?v=ZLPwy9bnov8

      Example of CISB in TrueCrypt from "Security Now". There are lots of

      > We also talked about, and VeraCrypt had fixed and these auditors verified - and you'll remember this one, Leo, where - TrueCrypt is written in C. And the authors were using the memset function, which basically allows - memset is a C function or a library function which allows you to say "Set the following block of memory to this value." And typically it's zero. And so you want to zero out or null a block of sensitive data like the password, or like the master key or something. I mean, and so secure systems are often having to have transient, highly sensitive data, and they're often allocating it dynamically. So you say, "give me a buffer." You ask the operating system for a block of memory. And it says, okay, here's a pointer to the block of the size you requested. You're then able to use that until you free it, that is, you essentially tell the operating system, "I'm done using that block of memory, thank you very much."

      > So what the programmers of TrueCrypt did was they were careful, because they don't know what the operating system is going to do with the memory that they give back to it, they were careful to zero it, to write zeroes across the buffer, then return it to the operating system so that memory that might have had something sensitive didn't just go floating around and may be available to somebody else. The C compiler, though, as one of its optimization strategies, is looking for things that don't do anything. And some clever programmer somewhere said, oh, look. This memory is being zeroed and then immediately returned to the operating system. Well, so there's no purpose to zeroing it. That must have just been a mistake. And so the C compiler optimized out.

      > Leo: They didn't want to do that.

      > Steve: Yeah, that serves no purpose. You've zeroed the memory and given it away.

      > Leo: Isn't that a funny error. Wow. Too helpful.

      > Steve: Yeah. So there is a secure zero memory function which doesn't have this problem. And so one of the early things that VeraCrypt did was to switch over wherever memset was being used to this secure zero memory function which doesn't risk being optimized to nothing by the compiler.

      > And there were too many subtle TrueCrypt kernel driver problems fixed to mention that were fixed by VeraCrypt since it inherited TrueCrypt. And I won't go through them all. I mean, there were just a collection of little subtle things. But the takeaway is these guys, the auditors, really did a nice job. There's no way you could come away from this thinking, wow, this hasn't been scrutinized deeply.

      https://www.grc.com/sn/sn-582.htm

      The security audit of VeraCrypt from 2020 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Veracrypt/Veracrypt.pdf

      XKCD on perceived and real threat models "Encryption" - https://xkcd.com/538
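The compiler-introduced bug the quoted transcript describes (a memset of a secret buffer dropped by dead-store elimination because the buffer is freed right after) and the "secure zero" style fix it mentions, as an added C example that is not from the thread, TrueCrypt or VeraCrypt; the function names are mine, the sample key bytes are constructed, and the volatile-pointer loop is one portable way to keep the wipe (explicit_bzero on glibc/BSD and C11's memset_s serve the same purpose where available).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern from the transcript: because `key` is freed immediately after
   the memset, an optimizing compiler may treat the stores as dead and drop
   them. Check: build with -O2 and inspect the disassembly of this function;
   the call to memset can be absent. This is the 'before' form, kept so the
   difference is visible. */
void wipe_key_unsafe(unsigned char *key, size_t n) {
    memset(key, 0, n);   /* may be optimized away */
    free(key);
}

/* Wipe that the optimizer cannot elide: stores through a volatile pointer
   are observable side effects and must be emitted. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. Accumulates with OR
   so the check itself does not short-circuit on the first non-zero byte. */
int all_zero(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stack-buffer case: fill with a constructed sample key, wipe, verify.
   Returns 1 if the wipe left no non-zero byte. */
int demo_stack_wipe(void) {
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed sample secret */
    }
    secure_zero(key, sizeof key);
    return all_zero(key, sizeof key);
}

/* Heap case, the scenario in the transcript: allocate, fill, wipe with the
   non-elidable function, verify, then release. Returns 1 on success, 0 on
   allocation failure or if a non-zero byte survived. */
int demo_heap_wipe(size_t n) {
    unsigned char *key = malloc(n);
    if (key == NULL) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        key[i] = (unsigned char)(0x5A + i);   /* constructed sample secret */
    }
    secure_zero(key, n);
    int ok = all_zero(key, n);
    free(key);
    return ok;
}

int main(void) {
    printf("stack wipe clean: %d\n", demo_stack_wipe());
    printf("heap wipe clean:  %d\n", demo_heap_wipe(64));
    return 0;
}
```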

  14. naive

    Make it stop

    " it's a mess but you knew that already.." It is perhaps news for those living in the dark Stalinistic dictatorships of commercial software providers: Free societies tend to be more messy than centralized dictatorships, which seem clean on the outside, but as soon as someone scratches the thin layer of varnish, corruption, hidden failures and mass graves stare one in the face.

    In the world of commercial software the manufacturer always respects the wishes of the customer, it would never discontinue software packages overnight, never increase prices, never get bought by a white shark company which overnight changes everything. A good example is Microsoft, a mere 70% of the PCs worldwide run Windows 10. Forcing a large part of those users to buy a new PC when they do not have this magic security chip is really a Nobel Prize winning idea. The world is lucky to have great minds succeeding Ballmer and Gates coming up with these ideas.

  15. Anonymous Coward

    Debian, Ubuntu, and all

    In my experience as a product manager at Initech Business Machines, a great many of our customers were using Debian in production and Ubuntu in develop/test/deploy. Similarly, RHEL in production and CentOS (before... well, you know).

    Officially we supported our product on Debian and RHEL, not Ubuntu nor CentOS, and if somebody found an issue on the latter we would take it seriously but reserved the right to ask them to reproduce it on a supported distro if we couldn't. FWIW, in the ten years I had that gig, it happened twice that a bug in CentOS did not reproduce in RHEL, so overall it was a sound strategy for both us and our customers.
