Open source is at a crossroads

10 minute read

SYNDICATED POST

By Bill Doerrfeld. Originally posted at The New Stack.

The cracks are beginning to show in this global ecosystem, as many projects lack the basic funding to sustain the software that literally runs the world.

Open source software is having a midlife crisis. Open source contributors are struggling to keep pace. Popular open source projects are making restrictive licensing changes. Backdoor threats are placing the open source supply chain in jeopardy. And, no one seems to have a clear grasp on what “open” means in the context of artificial intelligence.

This whirlwind of challenges makes for a scary prospect if left to spiral. “The effect on our lives if open source software disappeared would be incalculable,” said Ruth Suehle, an executive vice president of the Apache Software Foundation. Yet, the cracks are beginning to show in this global ecosystem, as many projects lack the basic funding to sustain the software that quite literally runs the world.

Like a brittle climate on the brink of collapse, there would be significant ripple effects if the life-giving waters of open source begin to dry up. “If one piece of the water cycle breaks, the well’s water won’t be replenished, and those who rely on it will suffer,” Suehle said.

Yet, some open source maintainers already feel they have no choice but to reposition their software licenses to stay afloat. “Open source today is at a breaking point,” said William Morgan, CEO of Buoyant. According to Morgan, a significant inequality has emerged between open source contributors and the companies using these projects, necessitating a change to the fundamental dynamics of the open source value chain.

Others view today’s inflection point as nothing new for an industry that has weathered macroeconomic uncertainties over the decades.

“These tensions pale in comparison to some of the others open source has faced in the past,” said Dan Lorenc, founder and CEO of Chainguard. Yet, he acknowledges the industry is currently at a major crossroads in how it thinks about and consumes open source. In this climate, other tech leaders question if the open source model is still a valid business strategy.

Sudden licensing changes

On top of mind for most open source users is the recent slew of restrictive licensing changes for heavily used projects, including HashiCorp’s Terraform, Redis, Elasticsearch and Bouyant’s Linkerd. “The changes of licenses in many of the large open source projects in the last year took the entire industry by surprise,” said Nir Gazit, CEO and co-founder of Traceloop.

Sudden shifts toward more restrictive licenses have users questioning the longevity of open source as a whole. “As an open source maintainer of an Apache-2.0 repository, I often hear this concern from potential users,” he said.

The move toward more restrictive source code not only affects individual developer users — it impacts businesses that build around open source projects.

Liz Rice, who is the chief open source officer for Isovalent and a board member of the Cloud Native Computing Foundation and OpenUK, also considers the trend around relicensing to be a pressing challenge for open source.

“While these companies have every right to protect their business interests, relicensing raises a number of questions and concerns across the ecosystem,” she said.

Another ill-defined area for open source licensing is determining what precisely constitutes open source in the realm of artificial intelligence. For instance, open language language models could be trained on proprietary assets, complicating ownership. “Open source licenses generally assume that software IP lies in source code,” said Neo4j’s CTO Philip Rathle. “AI shifts this upstream.”

No more free lunch

The donation jar isn’t working for open source. The big problem with the open source model is that the vast majority of organizations who freely use these projects don’t actively contribute back to them, either financially or through code commits. Instead, they are more likely to request bug fixes or extensions, putting undue pressure on maintainers to work without pay.

As Morgan described, “Open source has become, as Bruce Perens puts it, a ‘great corporate welfare program,’ where the beneficiaries are companies like Google, Microsoft, Amazon, and Apple, who get to build billion-dollar revenue streams on the backs of open source, and the charity workers are the maintainers and engineers developing the projects.”

People also don’t often realize that community management for open source projects is a full-time job, said AsyncAPI Initiative founder Fran Mendez. This encompasses tasks beyond the code, like design, technical writing, marketing, responding to disputes and upkeeping a code of conduct. Money is required to support these initiatives, but the project stewards are rarely sustainably funded.

Consider the case of Lightbend, which recently altered the open source license for Akka, an SDK for distributed applications. As Tyler Jewell, CEO of Lightbend explained, after 13 years, the team could no longer maintain the software without equitable contributions from the nearly 100,000 commercial organizations using it. “We altered our license model to enable us to better sustain the maintenance and improvement of the project while still making it freely available to the vast majority of developers.”

Economic headwinds

Struggles in open source communities undoubtedly stem from the greater economic climate. The start of the current decade saw a low interest rate environment, which Lorenc credits as ushering in a massive boom in the number of open source companies and projects. But now, we are experiencing significant realignment. “Time and money are even more scarce, making it harder for contributors or companies to allocate resources,” he said.

“Many, but not all, open source businesses are at a crossroads,” said Fermyon CEO Matt Butcher. For ages, the theory was that you built an open source tool, established a community and then figured out how to monetize it. But now, the companies in that final stage are under immense pressure to increase profit, he said. “For some, that means abandoning the open source model.”

A lack of resources to justify open source may also stem from a “plethora of riches” problem, explains Chris Aniszczyk, the chief technology officer of CNCF. With so many projects vying for attention, it’s easier than ever for innovative projects to lose out on the resources they require. “As an industry, we should consider focusing our efforts on identifying and sustaining the critical open-source projects out there,” he said.

Operational immaturity

It’s not just business sustainability qualms that threaten open source — immature software supply chain management practices do as well. “Wildly adopting projects without care or thought on how to maintain or secure them just delays the inevitable pain, and we’re facing that today,” explains Lorenc.

For instance, cyberthreats are exposing the vulnerabilities inherent in modern software solutions, which the Linux Foundation estimates are comprised of 70%-90% free and open source software. One recent damming exploit involved attackers contributing malicious commits to xz Utils, a ubiquitous open source compression tool in Linux.

What open source needs to survive

Open source foundations

First and foremost, experts agree that open source foundation bodies like The Linux Foundation and the Apache Software Foundation will play a pivotal role in stabilizing the future of open source. “The path we take from this crossroads is likely to involve more projects contributed to foundations,” said Rice. Such bodies can guide open governance and set rules to prohibit relicensing, giving developers more reassurance in integrating projects into their software.

More equitable ecosystems

Secondly, open source software maintainers will require more support in terms of funding and active contributions to sustain their projects. “Much of what we need now is not a technical solution, it’s collaboration,” Suehle said, “especially from organizations that rely on open source.”

According to Aniszczyk, this collaboration must go beyond GitHub sponsors and donation platforms, which effectively turn maintainers into gig economy workers. Mendez proposes a future model wherein Open Collective enables more of a Stripe-like checkout experience for certain add-on features.

Intentional business strategies

Not everything needs to be open sourced. As such, a more sustainable open source ecosystem will hinge on carefully determining what should be free and open and what deserves to be premium. For Butcher, a good rule of thumb is to open source the technologies individual developers need while gating premium features that are useful only for large deployments or organizations.

New frameworks

The traditional open source definition doesn’t mesh well with the rapidly evolving world of AI. “We need a new framework that accommodates all of these nuances,” said Rathle. He highlights the work of GenAI Commons and the importance of new licenses that gauge the openness of all components within an AI model, such as the foundational datasets, preprocessing code, model architecture and model parameters.

Doubling down on security

“Security can’t be an afterthought anywhere in the industry, but this applies particularly strongly to open source, where fragmented communities of paid contributors and volunteers alike operate autonomously,” said Lorenc. Memory-safe languages and secure-by-default settings can go a long way toward eliminating the bulk of bugs and attack vectors, he said. Better inventory management using SBOMs and vulnerability scanners will also be key to safeguarding open source software.

Case study: AsyncAPI initiative

One example of a community-led and sustainable open source initiative is AsyncAPI. AsyncAPI was founded in 2016 to define an open standard specification for messaging APIs. As Mendez describes, AsyncAPI became more than a side project when he realized Slack was actively implementing it in production. As adoption and community support for AsyncAPI grew, corporations tried to buy up the intellectual property.

Yet, in 2021, the community donated the project to the Linux Foundation, safeguarding the technology and its governance as a vendor-neutral initiative.

Mendez then got a job at Postman, which has been funding his full-time work on AsyncAPI with no strings attached. “We are fricking lucky,” he said. Such a situation is rare, which is why he believes more companies should invest in employing people to support open source full time.

Case study: Linkerd

However, not all open source projects can source equitable funding this way, especially when a single company is at the helm of nearly all development. Consider the recent evolution around Linkerd, the popular lightweight cloud native service mesh. “We made a decision earlier this year with Linkerd to stop building open source stable release artifacts, and to start charging money for proprietary stable release artifacts instead,” describes Bouyant’s Morgan.

Interestingly, the move is in line with the rules for CNCF-graduated projects, as they do not mandate stewards to issue new builds. Although the decision to gate stable releases for premium payers sparked outrage among some open source zealots, Morgan says it was necessary to strike a healthier balance. “As a result, Linkerd has been healthier and faster-growing than ever, and our ability to reinvest in the project has increased exponentially.”

Times are a-changin’

Although budgetary struggles are a top challenge in the open source ecosystem, they are not exclusive to this area, as belt-tightening and layoffs have been playing out throughout the tech industry in recent years. Organizations are also facing rising cloud native costs and an urge to streamline developer productivity to cut costs. “The overall software industry is facing a set of challenges I liken to a ‘hangover’ after years of carefree adoption,” added Lorenc.

But, given how pervasive open source software is, fractures in this ecosystem are cause for concern. If more projects fall off the wayside, it could have detrimental effects across the board. As such, companies should be aware of the open source they are using and consider how they can give back. “Collaboration in open source across our projects, foundations, nationalities, and employers is critical to the entire world, whether it’s contributions of time, money, skills, or other resources,” Suehle said.

The thing is, many maintainers have made calls for collaboration, yet they still lack an equitable exchange with consumers. This situation could stifle early-stage innovators, forcing many to rethink the open source software model entirely. As Rice said, “Startups may struggle to develop and protect their own intellectual property as a competitive edge in an environment where everyone looks less favorably on non-foundation open source projects.”

That said, the open source software ecosystem is vast, and certain areas are experiencing positive growth. “Open source is thriving in both letter and spirit,” said Rathle, who points to the excitement around open source AI. Such excitement and development could inspire a new age of open source creators — hopefully, with the support they deserve.

Stay Responsive
to Change.