by vikramkr 2204 days ago
You'll be dealing with multiple contributors making changes if you want to upgrade to the latest version, with pull requests from all over the place. Nobody has time to read the entire codebase, so you have to audit and qualify all the random open source contributors instead of just the one group writing the code. You could start with a FLOSS codebase and then just keep any additions/modifications you make proprietary/not ever upgrade, try to fix security patches and things yourself. But that can become difficult, and if you find yourself actually tapping into the benefits of open source to be able to benefit from the collaborative work of thousands of coders, you're stuck having to trust lots of random people again. An old school finance firm could use R or Python, but a lot of them use SAS because you only have to qualify one provider, and if something goes wrong, you can sue them. You don't need to have programmers on staff to evaluate the codebase, you just need programmers that can use SAS. Newer forms and firms in less regulated industries are more comfortable breaking away from these to get the competitive advantage of better tools, but it's not for everyone.

So you're really making the argument between writing something yourself versus using an open source solution, instead of picking between an open source and a proprietary solution.
No, I'm comparing R and SAS for example in the above post. Same arguments apply. And again, these aren't general to all cases, just a subset of highly regulated/conservative industries.
In that case you're just not able to audit the closed source version, which I see as strictly worse than the situation with open source software, which you could audit if you put effort into doing so.
By audit I'm referring to the people that worked on the code, not the code itself. Running background checks on a firm and having a strong contract with a firm is easier than hiring people to audit the underlying source code. It's not better. It's just easier. Based on the reaction to my post, people seem to think I'm arguing that closed source is better. I'm not. I'm providing an explanation for the thought process behind why some companies in some industries stick with closed source, from personal experience. I'm not saying the reasoning is correct and leads to actual reduced security vulnerabilities/risks etc. - it almost definitely doesn't. But people think it does: the legal liability is easier since you just have to sue one company, and auditing is easier since you just audit one company (not the tech, the company; these are not tech savvy enough managements and firms to audit the codebase - as far as they are concerned, clear background check = code is OK to use for critical stuff). I agree with you that it's strictly worse. If you have better luck than I do convincing a conservative financial services firm that using R is better than using SAP, please do let me know how you pulled that off.