FAQ
Exactly. And what many fail to see is that closed source is – in many cases
– leveraging OSS under the hood. Sometimes the vendor will be nice and make
it evident (e.g. IBM WebSphere being quite transparent in their docs about
using Apache Aries, they also contribute, etc.).

But in other cases, the end user won't come to know because the licensing
model of the 3rd party libraries is non-viral and doesn't require the
vendor to either keep the original naming, nor acknowledge the usage.

I don't have any numbers to support this, but what I've gathered throughout
many years in the industry is that most proprietary software will be
powered (to varying degrees) by OSS without upfront disclosure. At the end
of the day, as a proprietary vendor, I guess you do need a good reason to
reinvent the wheel, and quite possibly that reason doesn't exist.

In fact, one extreme case that comes to mind was the old BEA WebLogic Event
Server which, if you looked at the lib/ directory of the WAR, just turned
out to be mostly Esper [1] with a fancy GUI and some usability-related
changes. And they sold this for hundreds of thousands of EUR / CPU. (Not
intending to start a flame war nor implying generalisation. Just mentioning
an extreme case I know.)

Actually, you know what? When I get some time I'm going to download TIBCO's
product and inspect their usage of 3rd party libs... From what I remember
back, they did use stuff like Xerces, Xalan, etc. which is pretty
commonplace anyway, but I'd be curious to find out if they use further OSS.

[1] http://www.espertech.com/esper/index.php

Regards,

*Raúl Kripalani*
Apache Camel PMC Member & Committer | Enterprise Architect, Open Source
Integration specialist
http://about.me/raulkripalani | http://www.linkedin.com/in/raulkripalani
http://blog.raulkr.net | twitter: @raulvk
On Thu, Apr 23, 2015 at 6:25 AM, Claus Ibsen wrote:

Hi Raul

Did you get a chance to continue working on this?

I think for #3 its due to the openes of the source code that people
dive in and help fix those vulnerabilities as well. And as you say we
are very open and they get proper registerede with a CVE and listed in
the public. And we do put out releases with the fixes fairly soon
after its fixed.

And there is not so many after all that is caused by Apache Camel itself.

Yes if you use CXF, Spring, Jetty etc those libraries may have issues
as well, but they are also reported in the open and fixed fast. And
have communities as well, some very big like the spring community.

And those are found and fixed. For the Open Source ESB you would have
to take a look at
- CXF
- ActiveMQ
- Spring
- Jetty
etc to get the "combined picture"

http://cxf.apache.org/security-advisories.html

You can find the Apache products
http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
On Fri, Apr 17, 2015 at 12:13 PM, Raul Kripalani wrote:
Just found this marketing landing page published on social networks. It's
made by TIBCO and attempts to highlight the downsides of Open Source ESBs.
You don't need to be a rocket scientist to gather what exact ESB they are
targeting (not us): just look at the images.

http://www.tibco.com/integration/open-source-ESB-alternative

Even though it's a clear exercise of FUD vs. OSS – as it provides no
quantitive measurements to their claims (whatever happened to the
scientific method...) – I was planning to write a rebuttal post in my blog,
but I haven't updated it in a long time and it needs a bit of love first.

So I thought I'd just publish my thoughts – as I wanted to get it out ASAP
– and start a qualified discussion here...

In particular I would like to dissect / take down their 4 "myths" about OSS
ESBs:

*> *Myth # 1 - Open Source ESB Software Is Free**

(Their statement: OSS ESBs are not Free.)

Well, no software has zero Total Cost of Ownership. As long as the world is
*not* entirely controlled by androids, you will need humans to operate the
software, including TIBCO's. What we need to look at are the costs of
hiring those people and their learning curves.

For Camel, any developer with Java, XML and a few other "commodity skills"
will do. And they can get started in days. Many people in this forum got
started in hours.

For TIBCO, you need a specialised consultant because their stack is
proprietary. Or you need to train them, and TIBCO training is not cheap. I
have been a TIBCO consultant and I know this for a fact. Moreover,
specialised (already trained) TIBCO consultants are not cheap either (like
with most proprietary software – think SAP, Salesforce, etc.).

Furthermore, brand new customers need consultancy to get started – and that
is not cheap either.

*> *Myth #2 - Open Source ESB Communities Innovate Faster**

(Their statement: Proprietary ESB vendors innovate faster)

This is plainly wrong. Just take a look at the release notes of TIBCO
ActiveMatrix BusinessWorks. This [1] is the latest version, and there's a
dropdown at the top to browse through past versions.

To analyse this statement, we need to track two things at least: (1)
frequency of releases, (2) new features introduced per release.

About frequency of releases:

TIBCO ActiveMatrix release line 6.x: 9 months between minor releases, 4
months between micro releases.

[9 months]
6.1.0 (May 2014) ---> 6.2.0 (Nov 2014)
6.1.1 (Sep 2014) 6.2.1 (Mar 2015)
[4 months] [4 months]

Camel (analysing past 2 minor releases): less than 6 months between minors,
less than 3 between micros. I noticed that 2.15.1 was released quite early,
so I included another datapoint for one more 2.14.x micro release.

[< 6 months]
2.14.0 (18 Sep 2014) ===> 2.15.0 (10 Mar 2015)
2.14.1 (16 Dec 2014) 2.15.1 (01 Apr 2015)
[< 3 months] [< 20 days (special circumstance
likely)]
2.14.2 (10 Mar 2014)
[< 3 months]

I know that analysing so few releases is not an indicative – ideally we
would analyse the entire release history – but I don't have time right now.
Nevertheless, the release policy of Camel is 6 months between majors and 3
months between micros (if I recall correctly).

Next, let's take a look at the innovation aspect:
* TIBCO AM BW 6.2.0 carries 22 new features [2], many of which have to do
with their IDE, not with core functionality.
* Camel 2.14.0 carried 38 new and noteworthy features, PLUS 15 new
components, 1 data format, 1 new EIP (Circuit Breaker), etc.

Judge for yourselves ;-)

*> *Myth #3 - Access to Source Allows Reviewing Code and Deploying Safely**
(Their statement: Access to source does not uncover vulnerabilities).

Well, all software has vulnerabilities and with Open Source you can
identify them yourself and fix them. With proprietary software, you rely
entirely on the vendor's turnaround time.

Moreover, we are very transparent about this and we publish our Security
Advisories here [3].

*> *Myth #4 - Open Source and SaaS Work Well Together**

They say: "Cloud-based open-source ESBs work just like other SaaS
applications: you typically don't have access to the code. How well will it
connect your on-premise applications with other SaaS services? You can't
know."

Well, that's just plain absurd. It amuses me that a closed-source vendor is
using the "you don't have access to the code" against an Open Source
product :D Makes zero sense, both marketing- and technical-wise.

With TIBCO, you don't have access to the source on-premises nor
cloud-based
software. With the other vendor, you may not have access to the source of
their iPaaS but you know it's largely based on the on-premises software, to
which you have access (even though it's a "gated community" in the strict
sense...).

---

Discussion open! 1, 2, 3... GO!

[1]
https://docs.tibco.com/products/tibco-activematrix-businessworks-6-2-1
[2]
https://docs.tibco.com/pub/activematrix_businessworks/6.2.0/TIB_BW_6.2.0_relnotes.pdf
[3] https://camel.apache.org/security-advisories.data

Regards,

*Raúl Kripalani*
Apache Camel PMC Member & Committer | Enterprise Architect, Open Source
Integration specialist
http://about.me/raulkripalani | http://www.linkedin.com/in/raulkripalani
http://blog.raulkr.net | twitter: @raulvk


--
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cibsen@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen
hawtio: http://hawt.io/
fabric8: http://fabric8.io/

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 4 of 5 | next ›
Discussion Overview
groupusers @
categoriescamel
postedApr 17, '15 at 10:14a
activeApr 27, '15 at 4:56a
posts5
users3
websitecamel.apache.org

People

Translate

site design / logo © 2021 Grokbase