Just last week I was thinking about a particular library that has become an important part of almost every project I use: Bouncy Castle. I don’t think I’m alone in this experience: the first time I heard this project’s name I thought it was a joke. It was 2002, and I was working at a company that managed sensitive data: migrating financial data for international banks – serious business. We were a serious business, with serious executives, working on serious projects, employing rooms of serious salespeople distributing serious-looking whitepapers.
Since all of our coders had to submit code to an architecture review board, I remember asking what we were using for cryptography…
“We’re using what?”, I asked.
“The Legion of the Bouncy Castle. I’d rather use that than the JCE or that vendor crap we always use.”
“Right, but what’s with that name? We’ve got to get this through the review board and those guys hate open source.”
Even though I was deep into open source culture at the time and I understood the cultural quirkiness of OSS, the organization was very skeptical. I remember sitting in meetings with the CTO at the time: “The Legion of the Bouncy Castle? What’s going on here? We moved from a commercial vendor to this silliness? Is someone drinking on the job?”
No one was drinking on the job. In fact, Bouncy Castle was the right choice to make. The issue for these people wasn’t the software; it was that this serious component had a silly name.
Remember, in 2002 the world of corporate IT was a totally different place. Using open source wasn’t an assumption. In fact, more than half of this company was a Microsoft shop, and I remember a great deal of vicious political infighting surrounding open source in general. There was intense pushback at the idea of “risking the company” to open source. They ultimately decided to not use this component based on the name alone. I can’t remember the reasoning, but it involved a bunch of backslapping corporate types all having a good laugh at the developer for even proposing this component.
They went with a vendor’s $50k solution instead (really, just to encrypt data), and the vendor very quickly evaporated on them. Nine years out, I remember what it was like to try to convince corporations to pay attention to open source, and I remember how difficult it was to convince people that you could get something of higher quality for free.
The kicker is that the guy who ultimately made the decision was this totally shifty Microsoft guy who kept on teasing me by saying: “Open Source and Free Software, you get what you pay for.”