Ask HN: Why do institutions choose buggy enterprise cms over open source ones

10 points by gandolfinmyhead 9 years ago · 12 comments · 1 min read


Why is it that big-time banks choose the shittiest, most expensive and buggy CMS that have equally expensive talent rather than build custom ones based on open source tech (actual open source tech, not half-assed solutions put on git that no one gives a hoot about) for less than half of the price?

GFischer 9 years ago

I've been around for a couple of RFPs(1), and the company I work for had one for a CMS recently.

The way it works is:

1) Business has a crappy, very manual website/intranet/whatever.

2) Someone with the actual capability to do something (CIO, manager, whatever) decides this has to change.

3) Input is asked from people from the business and people that are nominally technical. Usually the people that actually know the requirements or are going to maintain the new system are not included.

4) Other people from security, audits, etc. chime in.

5) Someone (business analyst or project manager) transforms the laundry list of requirements into an RFP.

6) Business approves the RFP. It is sent out.

There are companies out there that live on RFPs. If you're lucky, they'll use open source software, but they might re-package that into their own CMS.

Companies that have the CMS that ticks the most boxes in the laundry list have a leg up. It doesn't matter if it's shitty and buggy, it's VERY hard to write "non-buggy" in an RFP (if the company is wise, they'll have a trial period with competing products, but that costs $$$).

So, the company ends up with proposals in the hundreds of thousands of dollars for what could have been an in-house project (be warned, a mismanaged one can run in the hundreds of thousands too, even with open source CMSs).

A period of time later, company will select the CMS and will drop that info on the team that will actually implement and maintain the buggy piece of crap (or even a decent product, if you're lucky).

(1) https://en.wikipedia.org/wiki/Request_for_proposal

See also:

https://doubleyourfreelancing.com/3-things-freelancers-know-...

cauterized 9 years ago

Because they want a support contract and someone to sue if things go badly wrong.

tue4Iezi 9 years ago

A lot of answers:

   - No one gets fired for buying IBM
   - The issues around compliance/security/support are/should be sorted as part of the contract
   - OS projects don't invite managers for lunch
   - You need to factor in the price of support if you run OS projects. You will probably need a few devs and sysadmins to run an enterprise-level solution
   - Documentation/training/videos for end-users
  • NumberCruncher 9 years ago

    - OS won't pay your buddy a bonus who happens to work in b2b sales

    - OS won't offer you a fictitious consulting job if your current employer gives you the sack

    - OS won't fill your nonexistent Swiss bank account

ig1 9 years ago

I imagine because most open source ones lack the features required (compliance, security, Active Directory support, audit, etc.)

  • bediger4000 9 years ago

    You know what feature open source software in general lacks, but buggy, enterprise software has lots of?

    Quid pro quo.

    I'm not talking money per se, although I'm sure most enterprise software sales involve the CEO's "second cousin" getting a few dollars. A few games of bikini golf in the Bahamas can get a Fortune 500 company to standardize on the worst version control software in the world, or make using "cron" a firing offence.

EJTH 9 years ago

All software has security flaws; in open source it is simply easier to find these. Also, the quality of open source varies a lot.

Just take Drupal as an example: it is used A LOT, but isn't really pretty to look at codewise. Also, it has had its share of vulnerabilities, which are very easy to find, partly because all source code is readily available.

  • kzisme 9 years ago

    Couldn't you then say that OSS software has more people looking for flaws to patch, so it would be more secure - not less?

    I suppose it does vary by project though.

    • EJTH 9 years ago

      It's a double-edged sword of course, but for the financial sector the money saved on open source would be peanuts in the grand scheme of things.

      A proprietary CMS may very well be holed like a Swiss cheese, but it will not be as obvious / easy to find the holes when you can't look at the source code; you are basically left with fuzzers and manual/brute-forcing injection as your only viable point of entry.

fred_is_fred 9 years ago

Many SVP/CIOs will not use a product unless there is "someone to call". Even if that choice costs them millions of dollars.
