Paid Upgrades and Security Issues
As a rule I shy away from paying for software. I’ve mentioned this before, but it might be prudent to elucidate some of my reasons.
- I’m cheap. I’d just rather not spend money on things when I can avoid it. A lot of people are cheap, and many of them resort to pirating things rather than paying for them. I don’t do that because I usually have at least enough respect (or, occasionally, disdain) for those who provide commercial software that I choose not to.[1] Besides, the right to not buy something is often neglected in contemporary American culture.
- Free stuff is usually good enough. I feel like a lot of software (at least for my purposes) isn’t worth paying for, given what you can do with free equivalents. Besides, I’ll be damned if I can’t learn whatever it is I need to write my own software that’ll do the job myself.[2]
- In theory I think I’m supposed to be in favor of free (as in speech) software, but honestly, I’m more cheap than I am virtuous.[3]
Another reason I don’t particularly care to pay for software is that I don’t like spending money on things that will become obsolete. This is a bit of a paradox, since I am somewhat a fan of gadgets and gizmos that almost invariably become obsolete within months of purchase, if not sooner. But hardware naturally becomes obsolete—it’s not exactly something you can reasonably avoid. No such technical limitation exists for software, however: updates can be downloaded easily and cheaply. So if you’re trying to get me to buy software that isn’t marketed to professionals, I would think you’d probably need to throw in a “free updates for life” clause in there to sway me.
I understand that commercial developers need to account for things like development costs, gouging the customer,[4] etc., and that this explains the cost of software upgrades. Most software that you’d buy under such terms, in my experience, still allows you some access to free incremental upgrades. For example, if you were to buy HelloWorld 1.0,[5] you’d probably be freely entitled to a bug fix release called HelloWorld 1.0.1,[6] and possibly a major-dot release called HelloWorld 1.1.[7] Once you had 1.1, you’d almost certainly get access to security update HelloWorld 1.1a.[8] You wouldn’t, however, get a free upgrade to HelloWorld 2.0.[9]
Less understandable are those programs that offer upgrades on a timed basis: you pay for some software for some amount of time, and when the time expires, you lose access to new versions (even if you can keep using the version you already have, and redownload versions that you once had access to). I’m not talking about subscriptions, either—I’m talking about software that you download and run yourself, either on a computer or web server of your own.
What’s drawn my ire in this case is Jelsoft’s vBulletin.[10] vBulletin is paid forum software; you can buy a lifetime license for a fixed cost, but must pay for access to updates after the first year on a yearly basis. The main reason this is curious is one of timing: you could conceivably buy a license that gets you access to version 2.3.4 when you buy it, gets you a free upgrade to 3.0, and then ends when you’re running 3.1.0—just before a bug fix release comes out, which (of course) you’ll need to pay for.
Not having access to the latest bug fixes is normally just a nuisance—unless the latest bug fixes are also security fixes. vBulletin employs a system called “patch level” releases, which are used to fix security issues and designed to be painless to implement, relative to a typical upgrade. If you have access to a version of vBulletin that’s been superseded by a patch level release, you’re given access to the patch regardless of your upgrade status.
But ponder this: vBulletin, as of this writing, maintains two separate, stable branches of their software: 3.6 and 3.7. 3.7 is the latest, recommended version, while 3.6 is(/was) maintained for those who hadn’t yet upgraded. 3.6.10 is the most recent release of the 3.6 branch (excluding patch level releases) and has been for some time; 3.7.2 is the most recent release on the 3.7 branch (again, excluding patch level releases).
Now let’s take a message board that upgrades from 3.6 to 3.7.1, after which its access to updates expires. vBulletin’s developers discover a couple security issues in both branches, and then proceed to release patch level versions of 3.6.10 and 3.7.1. Not a problem—the site has access to 3.7.1 and thus has access to its patch level releases too. vB 3.7.2 comes out a little while later, but this message board doesn’t get access to it. Fair enough—3.7.2 just contains ordinary bug fixes.
But then additional security vulnerabilities are discovered. The developers now release new patch level versions for 3.6.10 and 3.7.2. The security vulnerabilities still exist in 3.7.1 (and 3.7.0), but since those aren’t the latest releases in any currently supported, stable branch, no patch is released for either version. The message board is stuck running a vulnerable 3.7.1 until it coughs up the money to upgrade.[11]
Suddenly the entire situation bounds right over the “curious” barrier into “absurd” territory. As it happens, this message board could have been left running 3.6.10 and gotten access to the security patches, but there’s no way to downgrade and no way to know that a security patch is coming until it comes.[12]
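The scenario above (and the timing variant in footnote 12) boils down to a small policy question an administrator can check mechanically: given the versions my license lets me download, the vendor's "patch only the newest release in each supported branch" rule, and the fact that I can't downgrade, is there any version I could be running that still receives patch-level releases? The following is an added example, not code from the post or from Jelsoft; the release dates are constructed for illustration and are not vBulletin's real release history.

```python
"""Model of patch-level eligibility under a 'newest release per supported branch' policy.

Added example for this post; the version numbers follow the post's scenario, but the
dates below are constructed placeholders, not real vBulletin release dates.
"""
from __future__ import annotations

from datetime import date

# Constructed release history (version -> publication date). Note that 3.6.10 lands
# after 3.7.0, as footnote 12 points out.
RELEASES = {
    "3.6.9": date(2008, 1, 10),
    "3.7.0": date(2008, 2, 1),
    "3.6.10": date(2008, 3, 1),
    "3.7.1": date(2008, 4, 1),
    "3.7.2": date(2008, 6, 1),
}

# Branches the vendor still maintains; only these receive patch-level releases.
SUPPORTED_BRANCHES = {(3, 6), (3, 7)}


def parse_version(v: str) -> tuple[int, ...]:
    """'3.6.10' -> (3, 6, 10); tuples compare numerically, so 3.6.10 > 3.6.9."""
    return tuple(int(part) for part in v.split("."))


def branch_of(v: str) -> tuple[int, int]:
    """The major-dot branch a release belongs to: '3.7.1' -> (3, 7)."""
    return parse_version(v)[:2]  # type: ignore[return-value]


def accessible_releases(license_end: date, releases: dict[str, date]) -> set[str]:
    """Everything the licensee can download: releases published on or before expiry."""
    return {v for v, published in releases.items() if published <= license_end}


def patched_versions(releases: dict[str, date], as_of: date) -> set[str]:
    """Vendor policy from the post: a patch-level release exists only for the newest
    release (as of `as_of`) in each supported branch."""
    newest: dict[tuple[int, int], str] = {}
    for v, published in releases.items():
        if published > as_of:
            continue
        b = branch_of(v)
        if b not in SUPPORTED_BRANCHES:
            continue
        if b not in newest or parse_version(v) > parse_version(newest[b]):
            newest[b] = v
    return set(newest.values())


def patch_options(installed: str, license_end: date, as_of: date,
                  releases: dict[str, date] = RELEASES) -> list[str]:
    """Versions a site could run (no downgrades, only releases its license covers)
    that receive a security patch published on `as_of`. Empty list == stuck."""
    current = parse_version(installed)
    covered = accessible_releases(license_end, releases) & patched_versions(releases, as_of)
    return sorted((v for v in covered if parse_version(v) >= current), key=parse_version)


if __name__ == "__main__":
    expiry = date(2008, 5, 1)  # constructed: after 3.7.1 shipped, before 3.7.2 did
    print("first patch round:", patch_options("3.7.1", expiry, date(2008, 5, 15)))   # ['3.7.1']
    print("second patch round:", patch_options("3.7.1", expiry, date(2008, 7, 1)))   # []
    print("had it stayed on 3.6.10:", patch_options("3.6.10", expiry, date(2008, 7, 1)))  # ['3.6.10']
    # Footnote 12 timing: license expired before 3.6.10 shipped, site still on 3.6.9.
    print("expired before 3.6.10:", patch_options("3.6.9", date(2008, 2, 15), date(2008, 7, 1)))  # []
```

Running it reproduces the post's sequence: the first patch round covers the 3.7.1 site, the second round leaves it with no patchable version at all, and a site that had stayed on 3.6.10 would still be covered. The same function shows the footnote 12 variant, where a license that lapsed between 3.7.0 and 3.6.10 strands a 3.6.9 install just as thoroughly. The useful defensive habit is to run exactly this kind of check against the vendor's current supported-release list before a renewal date passes, rather than discovering the gap when the next patch-level release is announced.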
Rather, the situation could just as well have been avoided had vBulletin—like so many other software products out there—used a system that required payment for major-dot updates only (e.g. 3.6 to 3.7, or 3.7 to 4.0), with minor-dot releases (e.g. 3.7.1 to 3.7.2) being made available for free. The software is already developed in a fashion that lends itself to this payment plan, given that support for any given release is essentially dropped (including, importantly, security patches) once it is superseded by a new minor-dot release in the same branch. And even though it would be a more logical setup than what Jelsoft currently uses (and certainly better for the customer), I can think of a couple of reasons that Jelsoft probably isn’t inclined to adopt it:
- Jelsoft wants you to upgrade. If they can structure their payment plan such that you’re left in the lurch without access to the latest security and bug fixes, all the better.
- vBulletin updates pretty infrequently. Guess which is more likely to happen in a 12-month period: a new major-dot release of vBulletin coming out, or your yearly license expiring? (Here’s a hint: the latter is guaranteed, while the former is more of a coin flip.)
In any event, for me it’s a helpful reminder of one reason why free stuff is often better for the job—with free software, no corporation is going to hold your security (or your data, or whatever else) hostage until you agree to pay up. And while there may not be any free software that quite matches vBulletin in terms of features, performance, etc., like I said: usually, and for most people, there’s something out there that will be good enough.
- [1] Movies and games aren’t really my things, and if I want to watch television I’ll almost always watch it live or record it.
- [2] Needless to say, if it really were that easy, someone else would’ve done it before me anyway. So it’s never really come to this.
- [3] I don’t have a problem releasing code I write, aside from the fact that I haven’t really written any code that’s both (1) in releasable condition and (2) appealing to people other than me.
- [4] This one’s more of a corporate thing, I’ve noticed.
- [5] A program, of course, that simply prints “hello world” and exits.
- [6] In which they fix the typo that caused “hello” to be printed as just “hell”.
- [7] In which they add the ability to say “hiya” and “howdy”.
- [8] In which “howdy” is removed in deference to offended cowboys.
- [9] In which they add multilingual support, so you can say “hola mundo,” “salut le monde,” and “世界您好” all in one program.
- [10] I don’t own vBulletin myself (for reasons I hope I made clear already) but I know a thing or two about it from having used, administered, and maintained it elsewhere.
- [11] Typically it makes sense to pay for an upgrade for vBulletin, even if it bothers me. Let’s just say that in this particular case, there were external circumstances that made it impractical to renew access to upgrades. But even if there weren’t, making people pay to patch security flaws in the original product is dangerous.
- [12] It also happens that 3.6.10 came out after 3.7.0, so given a slight change in timing, 3.6.10 could easily have been released after access to new updates expired. Similarly, what if 3.6.11 is suddenly released, and new security flaws are found?