In 1989 the GNU project introduced the GPL - not the first free software licence, but arguably the most important. Yet today, in 2012, we still have large sections of the computing industry which just don't get free software. I came across a glaring example of this today.
First a bit of background: The Anonymous group of "hackers" (using the popular definition) are well known and are probably hailed and vilified in equal measure. It appears that someone released something claiming to be an "Anonymous OS". Allegedly based on Ubuntu, it said it included a number of tools which could be used for activities such as those carried out by Anonymous.
The problem was that it was apparently riddled with malware and designed to harm the downloader's machine. Aside from that, Anonymous themselves almost immediately distanced themselves from the project. It looked to all intents and purposes to be a sham, and Sourceforge (where it was being hosted) took the "download offline and suspend this project until [they] have more information that might lead [them] to think differently." This is a sensible approach and Sourceforge are being up front about it.
My concern was with the reporting of this. The BBC did what most media companies do and spoke to representatives of software security firms. One of them, Graham Cluley of Sophos, said this:
"Who would want to put their trust in a piece of unknown software written by unknown people on a webpage that they don't know is safe or not?"
Okay, so this seems fine at first, but it betrays a lack of understanding of free software and of Sourceforge, and Mr Cluley is not alone in this in my experience. Firstly, as of July 2011 there were more than 300,000 projects on Sourceforge, most of them uploaded by people you and I don't know. Not knowing the creator of a piece of software is not a reason for not using it -- unless you can't see what they've written. In fact, if you take this line, then why pay for proprietary software written by people you do not know and with who knows what kind of code quality and standards?
Given the option I'd much sooner take a piece of software written by someone I don't know where I can inspect and change the source code any day. I know not everyone likes to inspect the code and not everyone does, but the fact that either you or someone you hire (or just thousands of other users) can do so is vital. In fact it is the very fact that this software is free software that means the problem was spotted so early on. If it had been proprietary how long would it have taken for others to highlight the issues?
The second problem is the "on a web page that they don't know" bit. Again, a total misunderstanding of free software and Sourceforge. The web page you go to is largely irrelevant unless your particular OS and browser have a documented history of causing security issues through malware being pushed from websites. Also, Sourceforge is not unknown: 300,000 projects (including well-known names like Audacity and VLC, and even some code from Microsoft), 13 years in existence and millions of users forming an active community which, more than perhaps any other site, epitomises the way free software licences work. But again I would suggest that (once you have an OS with decent security) the site you get a piece of software from only matters if you cannot inspect the source code after downloading it.
Image by Georg Bahlon and licenced under the GPL