
Is the importance of having complete control over the software an argument against using free software? Surely the best way to have control over it is to be able to read what it does and make it do what you want.


I think the interesting thing here is what I would call the tragedy of overregulation.

Most regulated businesses are big corporations with attached bureaucracies.

When they get a lawsuit because somebody was injured, what will happen is an analysis of how this bug could occur.

If it is found that the problem was caused by a library or third party that could get sued, the corporation will sue them and get their money back.

If they find there's no one to sue like with FOSS, they will likely start regulating the use of FOSS.

This has the perverse effect that after a lot of iterations of this cycle the whole toolchain is designed for "sueability" not for quality, performance, or any other worthy goal. Further the toolchain becomes increasingly opaque and proprietary.

Even though the proprietary software has more bugs, and they're harder to find due to their closed source nature, the leaders of Big Corp have covered their asses. The engineers build more workarounds and spend less time improving the quality of Big Corp's code base. The quality of the product suffers. But none of it is the fault of anyone. That's what's important.


You'll be dealing with multiple contributors making changes if you want to upgrade to the latest version, with pull requests from all over the place. Nobody has time to read the entire codebase, so you have to audit and qualify all the random open source contributors instead of just the one group writing the code. You could start with a FLOSS codebase and then just keep any additions/modifications you make proprietary/not ever upgrade, try to fix security patches and things yourself. But that can become difficult, and if you find yourself actually tapping into the benefits of open source to be able to benefit from the collaborative work of thousands of coders, you're stuck having to trust lots of random people again. An old school finance firm could use R or Python, but a lot of them use SAS because you only have to qualify one provider, and if something goes wrong, you can sue them. You don't need to have programmers on staff to evaluate the codebase, you just need programmers that can use SAS. Newer forms and firms in less regulated industries are more comfortable breaking away from these to get the competitive advantage of better tools, but it's not for everyone.


So you're really making the argument between writing something yourself versus using an open source solution, instead of picking between an open source and a proprietary solution.


No, I'm comparing R and SAS for example in the above post. Same arguments apply. And again, these aren't general to all cases, just a subset of highly regulated/conservative industries.


In that case you're just not able to audit the closed source version, which I see as strictly worse than the situation with open source software which you could audit if you put effort into doing so.


By audit I'm referring to the people that worked on the code, not the code itself. Running background checks on a firm and having a strong contract with a firm is easier than hiring people to audit the underlying source code. It's not better. It's just easier. Based on the reaction to my post, people seem to think I'm arguing that closed source is better. I'm not. I'm providing an explanation for the thought process behind why some companies in some industries stick with closed source from personal experience. I'm not saying the reasoning is correct and leads to actual reduced security vulnerabilities/risks etc - it almost definitely doesn't. But people think it does, the legal liability is easier since you just have to sue one company, auditing is easier since you just audit one company (not the tech, the company, these are not tech savvy enough managements and firms to audit the codebase - as far as they are concerned, clear background check = code is OK to use for critical stuff). I agree with you that it's strictly worse. If you have better luck than I do convincing a conservative financial services firm that using R is better than using SAP, please do let me know how you pulled that off.



