Search Engine on start.fedoraproject.org

Jeff Spaleta jspaleta at gmail.com
Fri Jul 23 17:57:58 UTC 2010


2010/7/23 Máirín Duffy <duffy at fedoraproject.org>:
> I kind of feel using non-open source code in any capacity is really bad,
> even if it has an open API, even if it is running on Linux, even if it's
> something we could practically duplicate should it disappear.
> *Especially* when there are open source alternatives (I can understand
> somewhat if there aren't.)

The practical reality for any external service where you personally
can't inspect the running system is that you can't be sure it's
actually all open. Nor can you be sure that what is running is the
source code you have public access to. That's the fundamental problem
with any external service. You can't verify unless the external
service provider bends over backwards to give someone from Fedora
administrative access to do the sort of auditing we do for packages
including rebuilding the service from scratch and doing API compliance
testing.

Now I personally agree with you from an ideological standpoint.  But I
can't see how we can put that ideology into a workable policy
statement that does not effectively keep us from using any external
service for anything. The only way we can effectively have a policy
that encodes this stance is to forbid pretty much all external service
providers and require that we build all our web service infrastructure
ourselves.  We couldn't even use stuff like EC2 to offload our open
virtual images because we can't verify that EC2 is a completely open
stack for managing open stacks! And on and on it goes.

Reliance on web services breaks the traditional guarantees of
trust/audit/verify/replicate of traditional on-premises service
deployment. We have to come to terms with that and understand what we
really need out of external web services because we give up so much
control already by relying on them at all.

Now we may get lucky and we might actually find external providers who
will let us audit their running codebase, but I'm not hopeful of that.
If we do find that external service provider that allows customers
that sort of audit ability I'll sing their praises for days on end.

-jef


More information about the advisory-board mailing list