Exactly. And what many fail to see is that closed source is – in many cases – leveraging OSS under the hood. Sometimes the vendor will be nice and make it evident (e.g. IBM WebSphere being quite transparent in their docs about using Apache Aries, they also contribute, etc.).

But in other cases, the end user won't come to know because the licensing model of the 3rd party libraries is non-viral and doesn't require the vendor to either keep the original naming, nor acknowledge the usage. I don't have any numbers to support this, but what I've gathered throughout many years in the industry is that most proprietary software will be powered (to varying degrees) by OSS without upfront disclosure. At the end of the day, as a proprietary vendor, I guess you do need a good reason to reinvent the wheel, and quite possibly that reason doesn't exist.

In fact, one extreme case that comes to mind was the old BEA WebLogic Event Server which, if you looked at the lib/ directory of the WAR, just turned out to be mostly Esper [1] with a fancy GUI and some usability-related changes. And they sold this for hundreds of thousands of EUR / CPU. (Not intending to start a flame war nor implying generalisation. Just mentioning an extreme case I know.)

Actually, you know what? When I get some time I'm going to download TIBCO's product and inspect their usage of 3rd party libs... From what I remember back, they did use stuff like Xerces, Xalan, etc. which is pretty commonplace anyway, but I'd be curious to find out if they use further OSS.

[1] http://www.espertech.com/esper/index.php

Regards,

*Raúl Kripalani*
Apache Camel PMC Member & Committer | Enterprise Architect, Open Source Integration specialist
http://about.me/raulkripalani | http://www.linkedin.com/in/raulkripalani
http://blog.raulkr.net | twitter: @raulvk

On Thu, Apr 23, 2015 at 6:25 AM, Claus Ibsen <claus.ib...@gmail.com> wrote:
> Hi Raul
>
> Did you get a chance to continue working on this?
>
> I think for #3 it's due to the openness of the source code that people dive in and help fix those vulnerabilities as well. And as you say we are very open and they get properly registered with a CVE and listed in the public. And we do put out releases with the fixes fairly soon after it's fixed.
>
> And there are not so many after all that are caused by Apache Camel itself.
>
> Yes, if you use CXF, Spring, Jetty etc. those libraries may have issues as well, but they are also reported in the open and fixed fast. And have communities as well, some very big like the Spring community.
>
> And those are found and fixed. For the Open Source ESB you would have to take a look at
> - CXF
> - ActiveMQ
> - Spring
> - Jetty
> etc. to get the "combined picture"
>
> http://cxf.apache.org/security-advisories.html
>
> You can find the Apache products
> http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>
> On Fri, Apr 17, 2015 at 12:13 PM, Raul Kripalani <r...@evosent.com> wrote:
> > Just found this marketing landing page published on social networks. It's made by TIBCO and attempts to highlight the downsides of Open Source ESBs. You don't need to be a rocket scientist to gather what exact ESB they are targeting (not us): just look at the images.
> >
> > http://www.tibco.com/integration/open-source-ESB-alternative
> >
> > Even though it's a clear exercise of FUD vs. OSS – as it provides no quantitative measurements to their claims (whatever happened to the scientific method...) – I was planning to write a rebuttal post in my blog, but I haven't updated it in a long time and it needs a bit of love first.
> >
> > So I thought I'd just publish my thoughts – as I wanted to get it out ASAP – and start a qualified discussion here...
> >
> > In particular I would like to dissect / take down their 4 "myths" about OSS ESBs:
> >
> > *Myth #1 - Open Source ESB Software Is Free*
> >
> > (Their statement: OSS ESBs are not Free.)
> >
> > Well, no software has zero Total Cost of Ownership. As long as the world is *not* entirely controlled by androids, you will need humans to operate the software, including TIBCO's. What we need to look at are the costs of hiring those people and their learning curves.
> >
> > For Camel, any developer with Java, XML and a few other "commodity skills" will do. And they can get started in days. Many people in this forum got started in hours.
> >
> > For TIBCO, you need a specialised consultant because their stack is proprietary. Or you need to train them, and TIBCO training is not cheap. I have been a TIBCO consultant and I know this for a fact. Moreover, specialised (already trained) TIBCO consultants are not cheap either (like with most proprietary software – think SAP, Salesforce, etc.).
> >
> > Furthermore, brand new customers need consultancy to get started – and that is not cheap either.
> >
> > *Myth #2 - Open Source ESB Communities Innovate Faster*
> >
> > (Their statement: Proprietary ESB vendors innovate faster)
> >
> > This is plainly wrong. Just take a look at the release notes of TIBCO ActiveMatrix BusinessWorks. This [1] is the latest version, and there's a dropdown at the top to browse through past versions.
> >
> > To analyse this statement, we need to track two things at least: (1) frequency of releases, (2) new features introduced per release.
> >
> > About frequency of releases:
> >
> > TIBCO ActiveMatrix release line 6.x: 9 months between minor releases, 4 months between micro releases.
> >
> >                  [9 months]
> > 6.1.0 (May 2014) ---> 6.2.0 (Nov 2014)
> > 6.1.1 (Sep 2014)      6.2.1 (Mar 2015)
> >   [4 months]            [4 months]
> >
> > Camel (analysing past 2 minor releases): less than 6 months between minors, less than 3 between micros. I noticed that 2.15.1 was released quite early, so I included another datapoint for one more 2.14.x micro release.
> >
> >                      [< 6 months]
> > 2.14.0 (18 Sep 2014) ===> 2.15.0 (10 Mar 2015)
> > 2.14.1 (16 Dec 2014)      2.15.1 (01 Apr 2015)
> >   [< 3 months]              [< 20 days (special circumstance likely)]
> > 2.14.2 (10 Mar 2014)
> >   [< 3 months]
> >
> > I know that analysing so few releases is not indicative – ideally we would analyse the entire release history – but I don't have time right now. Nevertheless, the release policy of Camel is 6 months between majors and 3 months between micros (if I recall correctly).
> >
> > Next, let's take a look at the innovation aspect:
> > * TIBCO AM BW 6.2.0 carries 22 new features [2], many of which have to do with their IDE, not with core functionality.
> > * Camel 2.14.0 carried 38 new and noteworthy features, PLUS 15 new components, 1 data format, 1 new EIP (Circuit Breaker), etc.
> >
> > Judge for yourselves ;-)
> >
> > *Myth #3 - Access to Source Allows Reviewing Code and Deploying Safely*
> >
> > (Their statement: Access to source does not uncover vulnerabilities.)
> >
> > Well, all software has vulnerabilities and with Open Source you can identify them yourself and fix them. With proprietary software, you rely entirely on the vendor's turnaround time.
> >
> > Moreover, we are very transparent about this and we publish our Security Advisories here [3].
> >
> > *Myth #4 - Open Source and SaaS Work Well Together*
> >
> > They say: "Cloud-based open-source ESBs work just like other SaaS applications: you typically don't have access to the code. How well will it connect your on-premise applications with other SaaS services? You can't know."
> >
> > Well, that's just plain absurd. It amuses me that a closed-source vendor is using the "you don't have access to the code" against an Open Source product :D Makes zero sense, both marketing- and technical-wise.
> >
> > With TIBCO, you don't have access to the source of on-premises nor cloud-based software. With the other vendor, you may not have access to the source of their iPaaS but you know it's largely based on the on-premises software, to which you have access (even though it's a "gated community" in the strict sense...).
> >
> > ---
> >
> > Discussion open! 1, 2, 3... GO!
> >
> > [1] https://docs.tibco.com/products/tibco-activematrix-businessworks-6-2-1
> > [2] https://docs.tibco.com/pub/activematrix_businessworks/6.2.0/TIB_BW_6.2.0_relnotes.pdf
> > [3] https://camel.apache.org/security-advisories.data
> >
> > Regards,
> >
> > *Raúl Kripalani*
> > Apache Camel PMC Member & Committer | Enterprise Architect, Open Source Integration specialist
> > http://about.me/raulkripalani | http://www.linkedin.com/in/raulkripalani
> > http://blog.raulkr.net | twitter: @raulvk
>
> --
> Claus Ibsen
> -----------------
> Red Hat, Inc.
> Email: cib...@redhat.com
> Twitter: davsclaus
> Blog: http://davsclaus.com
> Author of Camel in Action: http://www.manning.com/ibsen
> hawtio: http://hawt.io/
> fabric8: http://fabric8.io/
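Raúl's aside about looking in the lib/ directory of the WAR, and Claus's point that the "combined picture" for an ESB comes from the libraries it bundles (CXF, ActiveMQ, Spring, Jetty), both reduce to the same defensive chore: inventorying the third-party jars a deployable ships so each can be checked against its own project's advisories. The example below is added here and is not code from this thread or from any product it mentions; it builds a constructed WAR in memory (the coordinates and the vendor-core.jar name are made up) and lists each bundled jar by the Maven coordinates in its pom.properties, flagging jars whose metadata was stripped.

```python
"""Inventory the jars bundled under WEB-INF/lib/ of a WAR (constructed sample, no real product)."""
import io
import zipfile


def _pom_coordinates(jar_bytes):
    """Return (groupId, artifactId, version) from a jar's Maven pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    return props["groupId"], props["artifactId"], props["version"]
    return None


def inventory_war(war_bytes):
    """List every WEB-INF/lib jar as groupId:artifactId:version; jars with no Maven metadata
    (typical of repackaged or renamed libraries) are reported as UNIDENTIFIED for manual review."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in sorted(war.namelist()):
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                coords = _pom_coordinates(war.read(name))
                found.append(":".join(coords) if coords else f"UNIDENTIFIED {name.rsplit('/', 1)[-1]}")
    return found


def _jar(coords=None):
    """Build a minimal jar; with coords it also carries pom.properties as Maven-built artifacts do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if coords:
            g, a, v = coords
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#generated\nversion={v}\ngroupId={g}\nartifactId={a}\n")
    return buf.getvalue()


def constructed_war():
    """Constructed sample WAR: two Maven-built OSS jars plus one vendor jar with metadata stripped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/esper-4.9.0.jar", _jar(("com.espertech", "esper", "4.9.0")))
        war.writestr("WEB-INF/lib/xercesImpl-2.11.0.jar", _jar(("xerces", "xercesImpl", "2.11.0")))
        war.writestr("WEB-INF/lib/vendor-core.jar", _jar())  # hypothetical repackaged library
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()
```

The resulting coordinate list is what you would feed to an advisory lookup (e.g. the CXF or CVE Details pages Claus links); the UNIDENTIFIED entries are the ones that need a manual look, since a stripped name is exactly the case Raúl describes.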