ben.reser.org
Why the Mandrake Community should move on... 01.15.2003

Financials

First of all, Mandrake is having money troubles. For those that have been following the Linux news and in particular the Mandrake news this will not surprise you. But what might surprise you, if you haven't been closely following the details of the news, is why.

I'm sure most people in the Mandrake community read the Slashdot headline and didn't read further. And those that did very likely did not see the implications of the article. In short the details are as follows. Mandrakesoft needs 4 Million Euros to continue operating. It needs this because in 2000 new management was brought in by some investors and they decided to turn the company into an e-learning/e-support company whose products were based off of Linux. They increased operating expenses 400%. Prior to this Mandrake had been a profitable company. So what does this mean for us? It simply means that Mandrake is not appealing to us because their Linux sales have been poor. That is simply not the case. In fact they've had impressive growth in their sales. From 1998/1999 Fiscal Year to the 1999/2000 Fiscal Year they had a 424% increase in revenues. From 1999/2000 to 2000/2001 they had an 18% increase. And from 2000/2001 to 2001/2002 they've reported a 31% increase. Considering the technology and economic downturns in the US (one of Mandrake's largest markets) these are really good results. Most technology companies have not been showing any revenue growth at all.

Consider for a moment Microsoft Corporation. Between 1998 and 1999 they had a 29% increase in revenues. 1999-2000 16% increase. 2000-2001 10% increase. 2001-2002 12% increase. (Source: Microsoft's 2002 10K Annual Report) Microsoft is the darling of Wall Street when you start looking at financial results, posting absolutely amazing growth year over year. Compare that to Mandrakesoft's short history and you'll see that Mandrakesoft is doing quite well. Now all of this is only looking at revenues, and Microsoft is a profitable company and Mandrakesoft is not. I think it is clear that it is not because the Linux market has been treating them poorly. It's simply because they made poor choices and decided to expand into an entirely unrelated market. I have to wonder, but have inadequate financials from Mandrakesoft to tell for sure, if after taking out the long term contracts they say they had to sign and the expenses thereto if the Linux distribution business is not already profitable. Unfortunately I can only speculate on this; Mandrake is a French company and does not have to release nearly as detailed information as American companies do.

It is important to note where the money that Mandrakesoft wants us to send their way is going to go. They are not entirely clear, but they say it will first go to pay off the outstanding debts they incurred from the e-learning business. More than likely the vast majority of the money they manage to raise will not end up in the pockets of the developers producing Mandrake. Or for that matter even support the Mandrake products that we know and love. Most of the community has responded to the appeals Mandrake has made so far with the idea that this money was going to support Mandrake Linux not Mandrakesoft. Make no mistake about it; this is a commercial entity out to make a profit. They have large investors such as Viventures (owned by Vivendi Universal, the people who own Universal Studios, and various other media properties). Should Mandrakesoft fail they will lose their investment in the company. Ultimately our money is going to line the pockets of such investors. Not directly mind you, but indirectly. It is these investors who will benefit most from a profitable Mandrakesoft. They'll see the stock value go up and possibly even dividends. Even if Mandrakesoft fails we have not lost the software it has produced. The distribution is entirely open source software, even the software Mandrakesoft wrote (they GPL all their software).

In fact Mandrake is so unstable that The Register found it credible enough to run a vague story that Mandrake is considering filing for bankruptcy. Even if it's not true, it's certainly an indication as to their position that The Register would even consider running such a story. Newsforge has a more level headed story.

Value

The second area of problems I see for Mandrake is value. I mean value to the customer for what they give Mandrake. Now this may seem to be odd. Mandrake practically gives away its distribution. And its software is still seriously cheaper than commercial operating systems like Windows and comes with a lot more programs at that. But the fact is that price is relative. Why pay $30 for something you can download from the Internet and burn on 3 CDs that cost you $3? The printed quick startup guide you get for your $30 is included in the download edition as a PDF, also for free. So all you get for your $30 is 30 days of installation support. Now that wouldn't be too bad of a deal, if online support wasn't simply available for free (i.e. mailing lists, IRC channels, and the various web based forums). There's no guarantee that you'll get an answer, however the truth is that MandrakeExpert (how you get support from Mandrake), is for the most part support provided by the community, not Mandrake employees. As far as I know these people aren't getting anything for what they are doing. If they do get something it's likely pretty minimal, probably a VIP account on the MandrakeClub and maybe a t-shirt.

If you move up to the PowerPack, you get 7 CDs. The first 3 are identical to the Standard Edition set. Then you get a CD with some of the contrib applications that you can also download from the net for free, they won't be integrated into the install, but if you really want that you can build your own set of CDs instead of using their ISOs. But really, with urpmi, it's very easy to install contrib packages. The next CD is a sources CD. Even though I'm a developer, I've yet to ever even put this CD into my computer. I just download whatever source rpms I need. So the unique content comes down to two commercial applications CDs, of which the vast majority of the content is simply trial apps or apps that you can download for free elsewhere (e.g. FlashPlayer, RealPlayer, Crossover [trial]). So now we are back to support, for this you get 1 unit of phone support and 60 days of support via MandrakeExpert. The phone support is a real bonus here. Of course it's only installation support. I have to wonder how many of their customers really call phone support, when free online support is available? Especially, considering that Mandrake as far as I can tell doesn't offer phone support separately from the boxed copy. Nowhere on their site can I find an offer to purchase phone support separately.

The ProSuite isn't much better. You do get a full manual (which is a free download), an all inclusive DVD, and an additional CD (8) that you don't receive with the PowerPack. While the DVD is a nice addition, I'm guessing the extra CD is yet more commercial software. Since I do not own a PowerPack I can't say for sure. Additionally it comes with 5 units of phone support for stuff like servers, as opposed to just installation. However, the price has now been cranked up to $199. The real value, not just the extra stuff thrown in, is 1 DVD and 1 CD. Again I really doubt a lot of customers end up using the tech support.

So as you can see there's not a lot of value over what you can get for free in their products. Ultimately what Mandrake is selling is a way for the community to support Mandrakesoft. In response to criticisms like this and to help raise much needed additional cash, Mandrake responded with the Club. Providing a way for the community to get something from them. Let's go over what the club really offers.

The first thing that they say they provide is access to the club, "a place where your voice will be heard." Getting heard is nice, but getting action is what you really want. If you want action, your best place to get it is on the cooker list. No it's not particularly friendly for end users, but it's where things get done related to Mandrake. Deno (the employee who runs the club) can say whatever he wants. I've yet to see proof that the club really gives people more influence over what Mandrake does. In fact the club ran a poll asking club members how they felt about 700 MB ISOs. 20% said they disliked or couldn't use them. Mandrake is still producing 700 MB ISOs, despite some very loud complaints from contributors. Even still, non-members can post messages to the forum in some areas. They've added multi-lingual functionality recently and I guess that's nice. I really don't see it being of great value. The forums do not appear to be very popular either.

You also get the ability to download the commercial software they normally only place on the CDs. The truth is that most of this software is simply demos and what is actually useful is already available elsewhere as I've already explained above. Plus, not all of it is even available. Anything they have to pay royalties on isn't available, with the exception of Star Office. In order to download Star Office, you have to be a Silver or higher member. Silver membership costs you $120.00. You can get a single user license for $75.95 from Sun, so you might be getting a little bit of a discount, assuming that the club is actually of real value to you.

Then there is the voting system, where you can vote for new RPMS. The truth is, all of these packages are built by volunteers. And the volunteers are under no obligation to build what they don't want to build. So what ends up getting built is not necessarily the most popular packages; but rather whatever is the whim of the volunteer. Even if you're not a club member you still have access to these RPMS as long as they are free (and as far as I remember there has only been a handful of volunteer produced packages that aren't "free"). On top of that there are a number of independent people who already make packages that run on Mandrake. Texstar is a notable example, though I have to admit I'm not always happy with the quality of his packages. But Texstar almost always has a package for the newest programs.

You also apparently get discounts for access to MandrakeOnline. I don't know of anyone who is actually using this service. Everyone I know simply uses urpmi or MandrakeUpdate/rpmdrake to keep their system up to date. Plus, you can get update notifications by simply signing up for the security announcement mailing list.

Then there are the benefits related to their stock. They advertise access to the "direct-trading program." This is the same program they've been pushing to try and get people to buy their stock for the past 6 months. I'm not sure this was ever really restricted to club members. Their recent appeals certainly haven't said it was. Then they mention real time trading info. That might be useful, but their stock is halted on the EuroNext exchange (see the bottom of the linked page). It hasn't traded a single share since December 17th. So there's nothing to look at there.

Finally they've added a list of "better" mirrors. The fact is that these are not special mirrors for club members. Mandrake doesn't publish them on their main site. But they are indeed public mirrors. If you go to club you'll see an amazing number of .edu and .gov mirrors for the US ones. I guess now the US Government and the US States are subsidizing Mandrake Club.

Security

If you care about security, which you had better anymore, Mandrake has serious issues. There is exactly one person doing the updates (Vincent Danen). He had a helper for a brief period of time who was let go due to the budget crunch. So their financial issues are clearly an issue for us in other areas. When you consider how they keep putting out products (SNF, MNF, etc...) without adding the requisite staff to handle doing the updates for them it's really concerning. Especially concerning is the fact that MNF is a security product. So what happens when you have an understaffed security department?

Things slip through the cracks. A known vulnerability to Mozilla (the most popular web browser in the Linux world) was allowed to sit in the queue for 6 months. Why you ask? Because Vincent didn't have the expertise to do a Mozilla update (Mozilla updates require that you update programs like Galeon and Nautilus which depend upon it too). The maintainer of the Mozilla package was too busy with cooker to bother to do anything about it. Eventually the package got updated.

Part of the problem with security is Mandrake's attitude about it. The priority is on the current version and on cooker. Not on updates. The maintainers for the packages don't maintain their packages. They toss them up there and forget about them once the version releases for the most part. No matter how dire the security threat, developers never put the priority on those updates. Nor does the Quality Assurance department.

The updates that get produced are supposed to be reviewed by QA. Often QA is slow or flat out too busy working on cooker to bother with security updates. Often updates get pushed out without QA approval because they've simply waited far too long and really need to be released. Even if QA does do any testing, they severely slow down the update release cycle. Opening more of a window for crackers to gain access to your machine running Mandrake.

Fortunately, there is a group of volunteers that do some testing, the Mandrake Security Team. So at least your updates are usually well tested. Again it is the community picking up the slack and doing the hard work to get updates done.

It's not just producing the updates themselves. Mandrake makes available downloads of ISOs. The ISOs contain the public keys that are used to validate the security updates that you download. Unfortunately, those ISOs are not signed with any key. So the ISOs that you download from all of the mirrors, which Mandrake does not control, could have modified versions of the ISO with an extra key. If someone can modify an ISO they can add an extra package. So now every Mandrake user who downloads ISOs is at risk for a trojan horse update. After pointing this out to Mandrake on many occasions, it's still not been corrected. The MNF ISO does have its md5sum signed, but most users wouldn't even be aware it was there. Mandrake has made no attempt to educate their users as to proper verification techniques for ensuring the ISOs have not been tampered with. Further, signing the MD5 sum means you are relying on the security of the MD5 hash. Which has already been shown to be vulnerable to attack in the past.
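
The kind of verification described above, as an added example that is not part of the original post or anything Mandrake ships: the checksum list is checked against a keyring obtained out of band (not a key taken from the ISO being verified), and only then is the ISO's digest compared. The file names, the keyring path and the use of SHA-256 in place of MD5 are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a signed checksum list.
# Assumed inputs (hypothetical names): release-key.gpg, SHA256SUMS,
# SHA256SUMS.asc, and the downloaded .iso file.

# Step 1: verify the detached signature on the checksum list using ONLY a
# keyring fetched over a separate trusted channel. A key copied out of the
# ISO under test proves nothing, because a tampered ISO can carry its own key.
verify_sums_signature() {
    keyring=$1; sums=$2; sig=$3
    gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1
}

# Step 2: find the ISO's expected digest in the list and compare it with the
# digest of the file on disk.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
check_iso_digest() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    # Line format is "<hex>  <name>" (text) or "<hex> *<name>" (binary),
    # so the file name always starts three characters after the digest.
    expected=$(awk -v n="$name" \
        'substr($0, length($1) + 3) == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# Full chain: an unsigned or badly signed list is rejected (status 3) before
# any digest in it is trusted.
verify_iso() {
    keyring=$1; sums=$2; sig=$3; iso=$4
    verify_sums_signature "$keyring" "$sums" "$sig" || {
        echo "signature check failed for $sums" >&2; return 3; }
    check_iso_digest "$sums" "$iso"
}

# Usage: verify_iso release-key.gpg SHA256SUMS SHA256SUMS.asc download.iso
```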

Finally, Mandrake has produced MNF and appears to be hinting that they will be charging for security updates for it. That's right folks. They will be charging you for updates to a firewall. This is exactly the type of "security for sale" policy that Vincent complained about on his website with regards to ISC's BIND (the DNS server that most everyone runs). Yet here is Mandrake engaging in it. This is terribly unfortunate. Attempts to clarify this issue were simply ignored.

I want to stress this however: this is not a problem with Vincent. This is an issue with management and priorities. Vincent does the best he can with the resources he has. It was his idea to put together a group of volunteers to try and fill the holes in the resources he had. All Mandrake users should give him their thanks for the long hours that he puts in getting what needs to be done done.

Conclusions

Ultimately, I like Mandrake's product. It's a good distribution that is generally up to date and fairly easy to use. At the same time I think that we, as a community, have the ability to produce the same high quality distribution on our own. Many things in Mandrake are already handled by volunteers. Why not make donations to a non-profit organization that would pay employees for what is needed? It certainly would put our money towards a much better thing than simply bailing some company out. If we put the same amount of money into a non-profit, we could get far better mileage as far as quality of product and improvement of Linux in general than we ever will out of a for-profit organization.

Additionally, a non-profit organization could create an ideal value proposition for users. People could buy priority access to mirrors (real priority access on mirrors really run by the non-profit). Being a non-profit would never stop us from making relationships with commercial organizations that could sell boxed copies of the product, putting money back into the organization, but keeping the production out of a for-profit situation. Excess funds could be used to fund developers working on projects like the kernel, KDE or Gnome.

As a non-profit, we would own the product. We the community would truly have a say in its direction. Contributors of money, time, etc... would receive a vote into how things are done. There would be no fear of Mandrake going bankrupt hanging over our heads.

So, Mandrake community, what is it that you will do? Will you pay to fix a company's management mistakes, or will you pay to produce and support a quality product? Will you pay for a vague promise of influence, or will you put your money and effort into an organization that will guarantee you a vote as part of its bylaws? Will you give charity to a commercial organization and its large shareholders, or charity to a non-profit organization? Will you pay for real value, or will you pay for the idea that you are supporting Linux? Will you risk the security of your personal information on their financial situation?

If you want any of these things that I think a non-profit run fork of Mandrake could deliver, I would like to hear from you! Let's get this community organized to produce something good for itself.

Disclosure

I can foresee that some people will say that I just have some beef with Mandrake, or that I simply do not like their distro. This is just not true. I have been a loyal Mandrake user since 1999. I've owned a boxed copy of every release since 7.0. Only one I didn't pay for because Vincent Danen provided me the boxed copy in exchange for some help I gave him. I have donated money and time to the PPC port. I've hosted various extras for the PPC people on my mirror, including packages that didn't fit on the ISOs and cooker boot ISOs. I've submitted numerous bug fixes and packages over time (running

rpm -qa --changelog | grep -i reser | grep -v reserv
on any Mandrake box will prove that). I've packaged programs as a volunteer for the club. I've been a member of the security team since its initial formation and am a VIP Club member as a result. Further, I'm a shareholder in the company. I've promoted their products, even convincing friends and colleagues to switch and send them money.

If I have any beefs with the company besides what I've already explained in this document, it's that I've been given the run around on when I am to receive the share certificates for the stock I purchased. It's now been about 6 months since I paid and have yet to receive the certificates. Furthermore, I've been disappointed with the rude responses that employees sometimes give to contributors.

Honestly, this document was written in the hope of inspiring a better future for the Mandrake community. If I seem harsh it's because I care about the future of this community and this distribution. Even at the expense of the company, the community comes first. At the same time I don't expect to get something for nothing. That's why I've contributed and given as much as I have to Mandrake to date. I dearly hope for the best future that we can get!