Are Standards Worth the Effort?

by Nick Stoughton
nick@usenix.org

This article is the text of the opening argument given in the panel discussion at the September LISA conference on the question of "Are Standards Worth The Effort?" Future editorials will present the counter arguments.

To answer the question, we need to look at the effort that is put into building formal standards, and the benefits that they return. It is always a subjective question . . . is it worth the effort? And the answer will always depend on your personal viewpoint. Something that is highly beneficial to you, and does not cost you much, is clearly worthwhile. Something that has marginal benefit, and costs you considerable effort and/or money is of questionable worth. I want to spend some time here looking at what the effort is in producing a formal standard, and what are the benefits. You can then decide for yourself if it is worth your effort.

To understand and measure the benefits, let's consider some history. Ten years ago, the POSIX standardization effort had but started, and the first trial use system interface standard was in the process of being published. Few people ever used that standard as such, but it was the beginning of a major effort. Its successors, the 1988 and 1990 full use standards, the latter of which is an ISO international standard, have proved to be some of the most widely adopted information technology standards ever published. I don't know how many of you remember the pre-POSIX world, the System V versus Berkeley wars. The ability to buy a UNIX system from a dozen vendors, but have to port your code for each and every one. Every other line of your source was a "#ifdef" for a different architecture.

Of course, it meant big bucks for the software houses who ported applications from one place to another. But it was bad news for the end user, who had to pay for it.

The POSIX.1 and POSIX.2 standards did a massive amount to level that playing field. True, it has been said at USENIX conferences that there's no such thing as a portable application, even with POSIX, merely an application that's been ported. The testing effort to prove how an application behaves on a different platform is still omni-present, and still scares many software vendors from offering their application on more than a small handful of platforms. But the difference between systems has now come down to specific specialist areas that allow the hardware vendors to have their USPs.

The strength of POSIX is also one of its major weaknesses; it is entirely a volunteer effort. The POSIX standards are as good as the people who write them make them. They are not employed to write standards, or at least, not by a standards development organization. Volunteers come together to write standards for areas that are perceived to be needing them. The people who perceive the weakness are the people who write the standard. There is no body sitting around saying "Hmmm . . .I think we need a standard for Print Administration in POSIX, let's see who will do one based on Palladium." Instead, a group of people come to POSIX and say "We want to write a Print Administration standard; it will be based on Palladium Will you let us call it POSIX when we are done?"

To get sponsorship within the POSIX process, that group has to follow the rules; they must be able to demonstrate the need for that standard (well, they did that by showing up); they must be able to show existing practice (POSIX is not a standardization by invention body), they must be able to show commitment to the process; and, they must follow the rules. Those rules include a ballot of the resulting document by any interested party (although in POSIX, strictly only members of the IEEE CS have binding votes), and they must achieve a 75% approval of the returned ballots (which in turn must be at least 75% of the ballot group).

So if standards sometimes seem to be at odds with what you expect, then it is because you did nothing to stop it being so. Anybody can be a member of a POSIX working group. Anybody can join the ballot group. OK, if we get 500 people in the ballot group, we might only concentrate on the C members, but that doesn't happen often, and it isn't really very expensive to become a member of the premier professional body (besides SAGE) for your profession! This openness of process is POSIX's major strength. Currently, all POSIX standards are produced by individuals, not corporations. This has its failings, as we shall consider, but in general, is a Good Thing. I always thought of POSIX as being produced by a group of very special people, and I was unworthy to be part of it. But that simply isn't so.

Formal standards do have a lot of effort go into them. Sometimes, it feels like not enough; some standards take forever to come out. That is mainly through the lack of investment by the participants. The cost of membership is perhaps too low companies that spend $1,000,000 joining X/Open (each year) feel they need to put a lot of effort in making sure their investment is worthwhile. POSIX costs only perhaps $10,000, plus 5-6 weeks worth of time per year. This is so insignificant that many organizations begrudge the time to their employees, and the only place and time work happens is at the meetings.

What has to happen to make a formal, POSIX standard? As I said, the first step is for a group of people to decide that there's a need for a standard, some starting point or points, and a desire to do something about it. This group, often augmented by others once the project is sponsored, writes a document. That document is then sent out for formal ballot to the interested parties. This is the point at which real work actually starts. Many think that the step of writing the first draft is the hard part . . . but in reality that's the easy bit! Once you have a first draft, and several hundred or thousand comments, ranging from "please add a comma at the end of line 42" to "this standard is ill-conceived and based on entirely the wrong technology; you should start again," then the hard work starts. Get 75% of these people to say "Good job . . . I have no further objection."

So much for the cost of the effort. How many of you have reaped some benefit from formal standards? Well, how many of you have worked on systems from more than one supplier -say an HP and a Sun, or Silicon Graphics and IBM.All of you have benefited from POSIX. Didn't realize it? Well, RTFM some day! Your jobs are more secure because of POSIX. Your skills are more portable, as well as your applications. With no standards, or just proprietary ones, your skills would be tied to those systems you had direct experience of. But perhaps the POSIX process is so imperfect that we should abandon it forthwith and start anew. How else could we organize things so that the results are more useful, more timely, more worthwhile? Actually, these questions have been taxing the governing body of POSIX this year. Is there something we can do to be more relevant? Are we missing the boat in some way? That particular debate is focusing on two areas: should the scope of POSIX be widened, and, should the process be altered in some way. The scope issue was initially thought to be the more relevant, but exactly no one showed up to talk about it at the meeting convened for the purpose last POSIX meeting. The process issue did attract many more. And yes, there are things we are considering very actively for changing the process; probably the biggest of which is corporate rather than individual membership for some projects. You feel kind of mean saying the reason that this standard is late is because Joe Soap was slow getting his actions done. But being able to say this standard is late because Sun Microsystems (naming no names) didn't fulfil their actions is a lot less personal (unless you work for Sun).

I have been fortunate enough to experience the way some other groups develop standards. The one I have been most active in is POSIX, but do other groups have a better way of working? Many ISO standards are developed by groups of people who represent not themselves, as in POSIX, or their company, but their country. All sorts of problems are introduced by this way of thinking. Huge compromises have to be made because people don't really want to create international incidents over something minor in a standard.

X/Open produces UNIX specifications, but charges the groups who participate (all companies or organizations) a large fee. Small players and individuals cannot participate. Could you afford $25,000 to join one working group? Plus the cost of travel, your time, and other incidental costs? No, but your employer might. Of course, if you want to have real influence on the specification, you have to pay the full fee, a cool $1,000,000. That thins the crowd a bit.

The IETF have a low cost of membership, and do produce lots of informal standards as output. But that's the trouble. Their standards, Requests for Comment, are informal to a degree that is pretty nearly unenforceable. Is that really useful? Well, many could argue that the Internet is built on these informal standards and yes, it is pretty useful. It does seem that the IETF has something; some sort of sex appeal that makes people want to play their game. There is no denying that right now, the Internet is sexy. People will do things not to get a tick in the box for federal government approval (as is the case for POSIX), but to build something that people are going to use.

Which is more sexy: a very informal procedure about what you should do if you think someone is attacking your site through the Internet, or, a formal standard about how printers should be administered? Clearly the first. Which is actually more useful to you? Now that's a bit harder. They are both useful to almost everyone in this room, provided they don't mean everything you've done and set up, outside those standards, over the past few years, should be immediately abandoned. How many people have contributed to the Incident reporting standard? Perhaps 50-60. How many to the print administration? Well, because the process is different, it is harder to measure like for like. But one measurement (the working group plus the ballot group) actually has the same sort of number. The IETF produce lots of small, informal standards each year. POSIX produces very few, big thick formal standards each year. Page for page, POSIX is only slightly behind the IETF. But because they are concentrated on a few areas, it looks like POSIX is producing substantially less than the IETF.

Both the IETF and POSIX are Open processes; anyone can help form that standard. X/Open, and to a lesser extent ISO, are essentially closed processes; you have to pay or be invited to join. If you're not a member, the only way you can object is to not adopt their standard.

To sum up, POSIX may not be perfect, but it does serve a useful purpose, and is in my opinion, worth 10 times the effort that is put into it.