On 9/18/06, Austin Ziegler <halostatue / gmail.com> wrote:
> ...or that fixing all the bugs will actually cause more problems for
> your customers than they should otherwise cause. Raymond Chen -- an
> excellent read even if you don't like Microsoft -- recently had a
> piece about a bug in an embedded version of Samba that was taking
> advantage of a bad bug in previous versions of Windows. Fixing it was
> a huge problem for Microsoft, because they had customers who depended
> on this product with embedded Samba -- and they weren't the type of
> customers who could even think about upgrading the embedded software.
>
> Not all bugs are worth the cost of fixing them. Even ones that cause
> security holes may not be worth *fixing* as much as *sandboxing* if
> you have enough dependent clients.


Quite right. Another thing that we haven't stressed enough is the role
of the community in freely-licensed open-source products like Ruby
(and unlike Java). If there are serious bugs that really should be
fixed, all of the source and revision history is wide open, and anyone
with an incentive (namely, anyone who has to run a back version of
Ruby for whatever reason) can backpatch if they really need to. The
dynamic in this case favors correctness, even for back-versions. On
the other hand, with software that is encumbered by closed-source
and/or license restrictions, like Java and certainly like anything
Microsoft writes, then the decision to fix bugs, even major security
holes, is literally an economic one. The dynamics do not necessarily
favor back-compatibility. So you could argue that the risk is even
higher with corporate-sponsored products.

I know the "official" versions of Java will soon be open-source. But
they won't be available under a BSD-style license anytime soon, so far
as I am aware.