Yes, you need trust in open source as well, and no I haven’t personally audited all of the code in every OS that I write. I don’t claim that open source is inherantly more secure.

In fact this is not an open-source-is-better post.

All I’m saying is that Skype, not being open-source, cannot claim to have those properties that it has and have them verified. You have to take them on their word.

An open source product can be more easily verified. Not necessarily by me. In closed source it’s much harder, although some folks actually did reverse engineer Skype and wrote a paper about it. Moreover, even this paper is only good for the specific Skype version tested, a newer version may be more or less secure and we’ll be none the wiser. Obviously it took these guys quite a while to write this paper, and they have to do it again for a newer version. If they had the source they could just diff(1) it. Yes, I’m changing my original claim in this post, it can actually be verified if you’re determined enough.

– Arik

I’d love to hook up to your asterisk. I’m calling your cell.

However, not everyone have a friend with an Asterix around :-)

– Arik

Or you can just give me a call and I’ll hook up your X-Lite/X-Pro to my Asterisk and let you
pass calls. I have a better idea, if you want encryption, install an Asterisk box at your end,
we’ll RSA and everything via IAX back to my box and then I’ll let you make the calls. How about
that?

You know the number dude, just use it …

Nir Simionovich
http://www.net-gurus.net

http://www.voip-info.org/wiki/view/VOIP+Service+Providers+B2B

Some examples:

http://www.terravon.com/termination.html
http://www.terravon.com/asterisk.html

First, there is a difference between revealing code and putting it under the GPL license. Just revealing your code does not grant anyone the right to use it for their own commercial purposes. You can argue that someone can use their code without them being able to prove it.
This brings me to the second point:

The source code is a very small piece of what is needed to compete with Skype.
The infrastructure and brand are far harder to establish than the sorce code.
Not to mention opening up your source code strengthens your brand, and if someone
steals it, they can’t open it up as well.

There is a lot of effort involved in “stealing code”. You have to learn how it works, change it sufficiently so that it does not resemble the original software, and they you have to other keep maitaining it yourself to stay competitive or to steal every update and modify it to your interface. You may end up spending more time/money than you would writing it yourself or outsourcing to India. When you want to compete with an existing product with the clone strategy (Same product, lower price) - outsourcing is a lot more effective because you don’t need 50 product and project managers overseeing the operation. You just hire a software firm in India, tell them to develop a “Skype” clone, send a wire transfer for $50K and wait (Ok, so it’s not that easy, but point made).

I actually can’t think of very good reasons not to open their code.
People place so much importance in one’s source code as Intellectual property,
when in fact there is far more important Intellectual property to protect.

The PR advantages of opening your code are huge, not to mention you end up with
a better product.

Still, it’s a tough call. You never know what can happen when you take this leap of faith