If you have it, will you use it?

Filed in archive Enterprise Software by Scott Wilson on March 03, 2008

Predictably, my post from last Friday dealing with the readiness of some open-source advocates to take the hard road to solving common problems has drawn some fire. I expect more of the same from today's topic, which calls into question the value of source code in general.

It's prompted by an article on CIO.com titled "Source Code Escrow: Are You Just Following the Herd?" The article, by two attorneys who commonly deal with IP transactions, points out some of the many flaws in the source-code escrow arrangements that many large businesses have with software vendors. Citing figures provided by Iron Mountain, one of the larger escrow agents commonly used in such transactions, the authors demonstrate that such arrangements are rarely exercised, and that when they are they often result in protracted legal wrangling, for code that turns out to be incomplete or defective (some of the findings presented are so damning of the escrow system that you have to wonder why Iron Mountain, which makes good money in the business, publishes them in the first place).

This is the sort of thing that open-source advocates eat right up; had the business relied on open-source software originally, then the source would be available by default, in as good a working order as it had ever been, and entirely open to periodic inspection.

The other findings in the article, however, question whether or not any of that makes a real difference in the first place.

The reason is that most of the businesses who might exercise such a code escrow agreement are not software companies, and do not have or do not know how to locate the expertise which would be required to make any use of the source code. As the authors point out, "In most cases, source code has been escrowed because customers are licensing software from a vendor that is providing technology and expertise the customer does not possess internally. Thus, once the software is released from escrow, the customer often is in no position to properly implement the software, train its employees on maintaining and supporting the software, or purchase the necessary hardware and third-party software."

As I have long argued, the "openness" in open source may be a wonderful boon to programmers and IT folk, but it is of limited or no value to the average user. As well make their cars "open engine." Most will still have to call a mechanic when they break down. Arguments can be made about the quality and process of the mechanic resulting from OSS, and while they may or may not be valid, they tend to apply to the software development environment in general rather than to any project in particular. So in most cases, what is true of escrowed code is also true of open source code.

Any casual reader who has progressed this far will probably assume that I am anti-open-source and anti-escrow. The truth is more complicated; frankly, I believe that anyone who comes down entirely on one side or the other is a zealot whose judgement can't be entirely trusted in most business contexts, but in the main I am in favor of using open-source software in business. Moreover, I am in favor, in some cases, of source code escrow for proprietary software. The difference between myself and the advocates on the one hand, and the CIO.com article on the other, is primarily in the reasoning.

What the article leaves out is the big negative number associated with critical software going out of service and being unsupported at an inopportune moment. I believe the critical, proprietary line of business software is a good candidate for code escrow if the vendor is relatively small or unstable and if the software is necessary to the business. The costs and complications of code escrow are all as the article says; what they leave out are the steep costs of the alternative scenarios. Like any security decision, this one requires you to multiply cost by probability... and like any other security decision, it can require that you spend money on something that probably will never be used.

Open source can fill this requirement as well as escrow arrangements, but I don't think it's the primary reason to use open-source in most cases. Instead, I think the value of open-source is generally in the licensing; a factor, and a vulnerability in most proprietary software, frequently overlooked in corporate IT today. OSS licensing is usually free, and typically less restrictive. As closed-source companies turn the screws even tighter, this advantage becomes more significant.

In either case, there is no blanket argument for one or the other, only the careful analysis of the specific situation your business faces which may militate in one direction more strongly than the other.
