Open-Source Quality: Job One, Or Job None?

Last month, I explained why I think Firefox is not ready for enterprises, governments, or schools. I heard from several readers who agreed with me and a lot of others who disagreed. I also realized that I made certain assumptions about what readers know about these institutions that I shouldn't have made, and I upset a lot of people by stating that I like the new Netscape browser, which admittedly is still in beta and rather buggy.

Since many other readers probably have similar views and concerns, I'm using this month's column to address some of the most common points all of you have raised about my position on Firefox.

Give Web Developers A Voice
I heard from a number of people who explained how hard it is to develop Web content for Internet Explorer, how badly IE deals with frames, and why it is vastly easier to create Web pages for Firefox. I honestly don't know how widely held that opinion is, although I do know that FrontPage isn't popular with the designers I use.

While I appreciate all, of the feedback and the education readers have shared with me about Web tools, the fact remains that Web designers have to build sites that meet their customers' requirements. For years, analysts have recommended that organizations not create Web sites designed for a specific browser--and our clients have always disregarded this advice with extreme prejudice If a customer uses Internet Explorer, and apparently 90 percent of the market still does, then the designer's hands are tied.

Do Web designers get to vote for what kind of software goes on the corporate desktop? Virtually never: Desktop software decisions are typically driven by users or by organizations' IT departments. Certainly for internal sites, this fact makes sense, but it also tends to make change more difficult--especially when it's the type of change that may involve rewriting hundreds, if not thousands, of Web pages. If the organization that is responsible for doing a job either lacks the resources to do it or fundamentally disagrees with the reasoning behind it, I think they deserve to have a say in the decision-making process.

Everyone's Job Is No One's Job
Many people believe that open-source software such as Firefox is naturally more reliable than proprietary software. They assume that when a large number of people are able to look at the code, they're also able to ensure the quality of the product. These people have clearly not read The Tipping Point or done any real software quality assurance work.

The Tipping Point tells a story about a woman who was murdered in front of 35 people--none of whom called 911. In a subsequent research study, test subjects almost always helped an individual who appeared to be in severe distress when the subjects believed they were the only people within earshot, but they almost never helped when they believed other people were also able to provide help.

The U.S. automotive industry learned this lesson in the 1970s, when the Japanese automakers schooled them on quality. The Japanese companies made a single employee responsible for the quality of a particular product and also made sure everyone knew who "owned" this responsibility. I personally saw something similar happen at IBM, when the company's software group decided its quality control organization was redundant and made quality "everyone's" responsibility. Bugs jumped dramatically, and quality dropped off a cliff--apparently, if quality is "everyone's" responsibility, it is no one's responsibility.

More importantly, without a system of checks and balances, people who should report problems will tend to cover them up. At IBM, for example, we assigned severity levels to software bugs. "Severity One" problems compromised mission-critical systems at large clients: IBM measured its response to these problems in minutes, and at the time I looked into this, corrected virtually all of them in less than 30 minutes (any longer and the problem escalated to a named executive).

Imagine my surprise when I discovered that an IBM client, a major national bank, had reported three Severity One problems nine months earlier--and the problems were still unresolved. It turned out that the reporting process included an intermediate step where a call center employee could designate any problem as "under discussion," signifying a dispute over the issue and excluding it from the tracking process. In fact, all Severity One problems went into this bucket until they were resolved, resulting in these unbelievably positive statistics.

People want to see this type of information, and no one questioned it: Only after I became aware of the problem did the company investigate it and dismiss the employees responsible for the practice.

Problems With Firefox?
If we looked more closely at the quality assurance process for Firefox, would we find indications of similar problems? I didn't have to look for long before I found some things that deserve a closer investigation. And before people start chanting "FUD, FUD, FUD," again, shouldn't each of you look at the evidence and decide for yourselves, even if the outcome isn't what you expected or wanted to see?

The first question to ask is whether there are major problems with Firefox that most users don't know about. Well, how about a patch process that delivered Linux and Mac patches to Windows versions of the product? Evidently that's what happened, as captured (assuming the log item is still online) here: http://weblogs.mozillazine.org/asa/.

It's true that someone reported this problem, of course, even if most users probably didn't know about it. Did you know, however, that there were two Firefox 1.0.1 releases? The third item listed at http://www.mozilla.org/products/firefox/releases/ refers to a possible 1.0.1 release that didn't happen, apparently with no apparent discussion of what changed in the 48 hours between this version and the actual 1.0.1 release. Since this is an open-source product, wouldn't you expect one of its "quality volunteers" to speak up about this?.

In addition, a recent InfoWorld article quotes a security expert who says Firefox 1.0 includes thousands of bugs that simply are not reported, since it's assumed that users will fix the problem by upgrading their browsers. Is this really a case of quality control by cover-up?

The New Netscape Browser
You can pick the browser you use personally, and I can pick the one I use personally. And although I love my Acer Ferrari notebook computer, and I particularly love the new Dell XPS notebook, I wouldn't recommend either for large companies.

I'm incredibly concerned with phishing attacks, and I think the new Netscape product does the best job of mitigating this threat. Here, too, however, I would not recommend this product for large companies. The Netscape browser is in beta, and it is buggy; since the beta process is supposed to identify and correct bugs, this shouldn't be a surprise. The new Netscape release also uses both the Internet Explorer and the Mozilla engines: Several people said I was lying about this until I sent them a shot of the configuration screen. They stopped writing to me.

I did find yet another browser I like a lot, called IRIDER (http://www.irider.com/irider/), which does some really great things to vastly improve navigation speed. As a research tool, it could be invaluable, and I thought it was well worth paying the $26 shareware fee.

Whose Choice?
You see, I'm pro-choice--I'm just pro-smart choice. I believe in acquiring the information I need to make an informed decision, and then I make it, instead of making a decision and then furiously looking for information to support what I have already done.

I concluded that Firefox isn't a corporate level product, and it may never get to that level--although your individual choices are up to you, just as mine are up to me. I believe companies should stay with Internet Explorer for now. Yet I also believe each of you should make your own decisions, based on your own research, just as your assumptions about the quality of open-source code should rely on your own review of the code and not on what someone else tells you to believe.

Rob Enderle is an analyst specializing in emerging personal technologies. He heads the Enderle Group and has been an IT analyst since 1994. He spends his free time building computers and playing with personal technology prototypes. He can be reached at [email protected].