A Tough Decision About Our CMS (Updated)
Update: Mark brought up some interesting points in his comment (see below), and while the overarching message of this post still stands, I didn’t intend to discourage the use of open source software throughout a credit union. Mark and I will be discussing this issue tomorrow (Friday the 27th) from 3 to 5 EST in the Chat with the CEO chat room if you’d like to drop by!
For the past six months our team has been hard at work rewriting the content management system that runs all of the websites we produce. While we still have quite a few improvements in store for our CMS, we’ve launched several sites on it in the past couple of months and are finally ready to wean ourselves off of the Red Bull.
Unfortunately, during the rewrite it became clear that we’re not ready to open source the CMS as we had promised earlier. A few of our clients have raised legitimate concerns about the vulnerability of a system whose source code is exposed to the public, particularly one without the developer base of software such as Linux or MySQL, and we certainly don’t want to put those clients at risk in any way.
While we have decided not to release our source code, we do plan to share snippets of code that we’ve found helpful and perhaps release some plugins that other developers can use in their Rails projects. We’re also happy to answer any Rails questions you may have, either via email at development@trabian.com or in a Campfire chat with your development team.
If you have any questions about this decision, please feel free to email me at matt@trabian.com or meet me in my daily Campfire chat between 3 and 4 pm EST on weekdays.
Thanks for your understanding!
Mark McSpadden on June 26
Matt and Trabian,
I hope you receive the following comments with the high level of respect I have for you. You have done so much to influence this industry and me personally, and no single decision could ever dilute those contributions. I applaud your continual transparent and conversational attitude and it’s in that spirit that I reply to your tough decision with a tough comment.
I am disappointed in the reasoning behind the turnaround on open sourcing your CMS. I understand that you are a company and need to make money, and to do that you need clients. And if, after financial analysis, you came to the conclusion that an open source business model was not one that could make money, I don’t think I’d be writing this response.
However, to turn on that initiative due to security concerns of open source code seems to be a decision that lacks the innovative spirit Trabian usually brings to this industry.
I understand that there may have been pressure by clients that were fearful of an open source CMS. While I say I understand it, I find it tough to digest that, with all the complaining CUs do about regulations, there are CUs willing to draw conclusions that even regulating bodies don’t in regard to open source software. From the FFIEC via the NCUA (FOSS = Free and Open Source Software):
Now, if your clients did not want to take on the “unique” risk management associated with an open source CMS, that is understandable, but to contend that it is less risky just by sharing the source is beyond even what the FFIEC concludes. I know you “don’t want to put those clients at risk in any way” but the truth is that everything a CU does has risk associated with it.
Allowing CUs to pretend that proprietary software is somehow fundamentally less risky than open source software is hurtful to the CU industry and to open source software in general.
I encourage you to reconsider the motivations behind your decision.
Matt Dean on June 26
Mark, I certainly appreciate your comment and realize that I should have expanded on this post a bit more.
As I alluded to with my mention of Linux and MySQL above, there are several well-known open source projects that have done phenomenally well using an open source model. Linus’s Law holds true—“given enough eyeballs, all bugs are shallow.” We love Ruby, Rails, MySQL, Linux, and other well-known open source projects and use them to drive our product, so it would be hypocritical to say that open source projects didn’t create value.
So yes—given enough time and resources on our part to both support and manage the code contributions of a community surrounding an open CMS project, we could end up with both a more robust and more secure system. That was the original plan, but the reality is that it currently doesn’t make sense for us to devote the resources to push an open source project to the point where “enough eyeballs” compensates for the loss of the layer of security through obscurity (however thin it is).
If we were producing a CMS for other industries then I would have been passing out a link to our source code repository months ago. But as Shari Storm at Verity CU can tell you, a hacked website can mean bad news for members (their online banking login was hacked and members were submitting their usernames and passwords to someone overseas—this wasn’t a Trabian site, by the way, and Shari posted about it on their blog when it happened so I’m not sharing any secrets here).
I would love to open source a system that was used for less risky and mission-critical purposes within a CU, and hopefully we’ll get a chance to do so in the future (nothing specific in mind for now).
What I failed to make clear in my post is that this is an issue of where Trabian is right now and where we’re willing to focus our efforts, but I realize now that I painted too broad of a picture. So here’s what I’d like to do: let’s chat about this over Campfire and talk about both sides of the issue. For now, I’ll put an update at the top of the post expanding on it briefly, then after the chat I’ll add any thoughts from the conversation. The overarching message still stands though—the security concerns of our clients are valid given the potential harm a hacker can inflict (particularly with online banking logins on their site), and it doesn’t make financial sense for us to devote the time to oversight of community-submitted code.
Thanks again for being willing to comment. I saw your Twitter post about writing a comment to a blog post and thought this one might have been the target! That’s what this blog is for – expanding on ideas.
Mark McSpadden on June 27
Matt,
Our Campfire chat today really helped to clear some things up for me.
I now better understand that your primary concern is to provide a consistently secure CMS for your clients. From the conversation I agree simply releasing your code into the wild would cause an initial dip in the overall security of the CMS for a season. I understand that it’s a dip that your clients can ill afford and one that Trabian cannot focus the resources on to combat. In fact, it’s a dip that is just unacceptable in the financial industry.
This doesn’t mean that mature open source software can’t have a home (and be secure) in financial institutions. However, the current path to a mature open source app is not one that keeps security at a high enough level to pursue in some mission critical financial applications.
My thoughts are best summarized by the following statement from today’s chat:
I believe that a mature open source CMS (or any FI software) can be every bit as secure (if not more secure) than a proprietary one. However, the process of opening that source, can provide a season of lessened security and increased administrative strain on the original proprietor of the code.
I am interested in discussing ways the community can help lessen the security drop off and administrative woes for companies that would consider open sourcing their code.
I’m glad you guys have been so willing to discuss your thoughts and feelings during this process. I understand the motivations behind your decision and wish continued success with your CMS.
I’ve followed up with some thoughts on my own blog with ideas on how the community and industry can make the open sourcing process more secure and less painful and I would love any additional insight you have on the matter.
More thoughts on Open Sourcing your Software in the Financial Industry
Thanks again for the great discussion.
PS. Blogs work. :)
Robbie Wright on July 01
Tough call, man. Having paying clients saying no is pretty hard not to listen to. The whole hacker-to-contributor ratio thing will always play a big part in open source FI projects. The payoff for hackers to hit relatively little-known OSS in use at FIs is very large, much more so than for most other OSS projects. We need to figure out a cost-effective way to build up an OSS project securely for use in CUs. That might consist of like-minded individuals and companies being collaborative to start a project, some type of limited-release, invitation-only phase, followed up by massive third-party security audits and then maybe general public release. But who knows. We’re in a little bit of uncharted territory here.