
First let's talk about value, because it is relative for different audiences (and my take is obviously not canonical either). For Facebook's users, the value is primarily the network. For Facebook's partners, the value is converting sales from users engaging with advertisements.

Facebook must offer enough to the users that the network is still worth coming back to while still giving advertisers a chance at having their eyes. A major breach could cause user and partner abandonment because of security concerns. Once the genie is out, there is no putting it back in. Their stock will fall faster than they can rewrite the product.

It is unreasonable for us to expect open-source for server-side code because it exposes Facebook (and potentially its users) to a lot of risk for only a small upside.

1) While open-source software has myriad benefits, those benefits require the public at large to audit their code as it is being continuously changed and deployed. Can we keep ahead of the criminals exploiting freshly merged and deployed commits?

2) Knowing the source code is one half of the battle; the other half is knowing what is actually executing at runtime. How would users verify this to get the value of open-source?

3) Open-sourcing the server-side code of Facebook could have serious negative consequences for users or Facebook in the event of a breach, due to the intimate knowledge of the system only afforded by being privy to the source code.

Not a point, but a philosophical question: *) Where does this stop being virtuous? Should Microsoft open-source SMB tomorrow? Would you feel comfortable with that?

Edit: grammatical fixes
