Comment What the DoD objects to (Score 2, Insightful) 165
#include <std_disclaimer.h>
Good lord, I actually have something to contribute!
In a nutshell, the DoD *really* doesn't like that they don't know who wrote the software, and they also don't like the lack of a central point of contact. They'd rather hire, say, $defense_contractor to write a similar piece of software, because they get a couple of reassuring beliefs (we will not attempt to discuss the VALIDITY of these beliefs, please):
1) that $defense_contractor is using properly trained, vetted programmers, with security clearances if need be; and
2) that if anything goes wrong, they can sue the tar out of $defense_contractor.
These two factors are VERY important to the DoD. Now, you can probably see the utility if the DoD has requested, say, software for their Death Ray [1], but isn't that overkill if they're trying to buy a web browser? Yes it is--but they can't help it. The DoD has LOTS of finicky aquisition rules, and they're pretty much the same whether you're buying Death Ray Guidance Software or a web browser.
In my day job, I am, among other things, involved with the government's Common Criteria Evaluation and Validation Scheme (CCEVS). Due to the DoD's acquisitions rules (DoD Instruction 8500.2), in almost all cases all Commercial Off-The-Shelf (COTS) software must have undergone a CCEVS evaluation. As you might imagine--we are after all dealing with the government--CCEVS evaluation is really REALLY expensive and takes frickin' forever.
Now, this is no barrier to Microsoft, which has had enough money and time to get Windows {2000, 2000 Server, XP, XP Pro, 2003 Server} evaluated. But, as you might imagine, it's a pretty damn big barrier to open source products. Those that have been evaluated (SuSE, Red Hat) have been lucky enough to have some heavyweight patrons (IBM and Red Hat, respectively) on their sides.
Nor is a CCEVS certificate the end of the game. DoD agencies typically must justify why they've chosen solution X over solution Y; and, while cost is a factor, it's far from the most important one. Open source products tend to come with a list of disclaimers as long as your arm (OpenSSL's FIPS 140-2 certificate, for example, says that the certificate is only good for THIS version of the source code, compiled with THAT version of gcc, THESE SPECIFIC static libraries compiled in, etc., etc.), and the guy writing up the justification paper is probably an overworked lieutenant prone to thinking "Fsck this. No one got fired recommending Microsoft."
[1] The notion of a DoD "Death Ray" is entirely a fabrication of my own fertile (if perhaps deranged) imagination. Any similarity to any actual research, prototypes, and/or super-double-secret weapon is entirely coincidental. Please don't put me in GITMO. Thanks.
Good lord, I actually have something to contribute!
In a nutshell, the DoD *really* doesn't like that they don't know who wrote the software, and they also don't like the lack of a central point of contact. They'd rather hire, say, $defense_contractor to write a similar piece of software, because they get a couple of reassuring beliefs (we will not attempt to discuss the VALIDITY of these beliefs, please):
1) that $defense_contractor is using properly trained, vetted programmers, with security clearances if need be; and
2) that if anything goes wrong, they can sue the tar out of $defense_contractor.
These two factors are VERY important to the DoD. Now, you can probably see the utility if the DoD has requested, say, software for their Death Ray [1], but isn't that overkill if they're trying to buy a web browser? Yes it is--but they can't help it. The DoD has LOTS of finicky aquisition rules, and they're pretty much the same whether you're buying Death Ray Guidance Software or a web browser.
In my day job, I am, among other things, involved with the government's Common Criteria Evaluation and Validation Scheme (CCEVS). Due to the DoD's acquisitions rules (DoD Instruction 8500.2), in almost all cases all Commercial Off-The-Shelf (COTS) software must have undergone a CCEVS evaluation. As you might imagine--we are after all dealing with the government--CCEVS evaluation is really REALLY expensive and takes frickin' forever.
Now, this is no barrier to Microsoft, which has had enough money and time to get Windows {2000, 2000 Server, XP, XP Pro, 2003 Server} evaluated. But, as you might imagine, it's a pretty damn big barrier to open source products. Those that have been evaluated (SuSE, Red Hat) have been lucky enough to have some heavyweight patrons (IBM and Red Hat, respectively) on their sides.
Nor is a CCEVS certificate the end of the game. DoD agencies typically must justify why they've chosen solution X over solution Y; and, while cost is a factor, it's far from the most important one. Open source products tend to come with a list of disclaimers as long as your arm (OpenSSL's FIPS 140-2 certificate, for example, says that the certificate is only good for THIS version of the source code, compiled with THAT version of gcc, THESE SPECIFIC static libraries compiled in, etc., etc.), and the guy writing up the justification paper is probably an overworked lieutenant prone to thinking "Fsck this. No one got fired recommending Microsoft."
[1] The notion of a DoD "Death Ray" is entirely a fabrication of my own fertile (if perhaps deranged) imagination. Any similarity to any actual research, prototypes, and/or super-double-secret weapon is entirely coincidental. Please don't put me in GITMO. Thanks.
