FOSS Archives - SD Times https://sdtimes.com/tag/foss/

The battle of open-source licenses
https://sdtimes.com/open-source/the-battle-of-open-source-licenses/ Mon, 07 Jun 2021 16:26:54 +0000

Earlier this year, Elastic reignited the open-source licensing debate when it announced it would be changing its license model to better protect its open-source code. Over the last couple of years, a number of companies — including Redis Labs, MongoDB, Cockroach Labs, and Confluent — have been switching their open-source licenses to avoid what they call “the big code robbery,” where cloud providers like Amazon take their successful open-source project, adopt and profit off it as a cloud service without giving back to the community. 

“Cloud vendors do not care about monetizing FOSS projects, they are about getting more workloads running on their infrastructure — hence, to be the preferred destination for such workloads,” said CloudBees’ co-founder and chief strategy officer Sacha Labourey.

Confluent created a new community license, and MongoDB announced its Server Side Public License (SSPL) to combat cloud providers. In January, Elastic announced it would move its Kibana and Elasticsearch open-source projects to a dual license under the Elastic License v2 and SSPL. 


However, these new licenses that companies are switching to are not considered open source by the Open Source Initiative’s standard, leaving many in the industry to wonder where these companies now stand with open source.  

“These new ‘source available’ licenses contain restrictions to prevent cloud infrastructure providers from building a service out of their code. Early efforts like the commons clause limited ‘commercial use’ broadly and users found that the license language ‘created some confusion and uncertainty.’ Recent efforts by Elastic and others are more surgical. They simply attempt to restrict users from standing up the software alone as a service. The goal of these new licenses is to continue to capitalize on the widespread availability of the software and its source code to gain future customers while shutting out competing SaaS services based on the same code,” Justin Colannino, director of developer policy and counsel at GitHub, wrote in a post.

According to Stephen O’Grady, principal analyst and co-founder of the developer analyst firm RedMonk, while it can be upsetting, the cloud providers are not actually abusing open-source projects if they are still abiding by the rules of the open-source license. “If project owners don’t want certain parties to be able to use their software, they shouldn’t be using open-source licenses,” he said. 

MongoDB argues that under SSPL, developers are still able to access, use, modify and redistribute its code. “We adopted the SSPL license to protect our right to build an innovative business in the Cloud era. We wanted to counter the threat of hyperscale cloud vendors taking our free product and offering it as a service without giving anything back,” said Dev Ittycheria, CEO and president of MongoDB.

Tomer Levy, CEO of Logz.io, a cloud observability platform provider, argues that changing licenses shakes the entire foundation of the open-source philosophy and shows that those in control of popular projects have the ability to take these projects away from the community at any time. “We were disappointed to hear about Elastic’s decision to change to a license which is not truly open source. This is a slap in the face to the engineers that helped build the community and make the open source software the staple that it is today,” he said. 

O’Grady added that changes like these have the potential to blur the definition of what is and isn’t open source, creating more uncertainty in the space. “If these companies genuinely want to protect open source, they would actively and aggressively maintain a bright line of distinction between their source available, proprietary licenses and genuine open source alternatives,” he said.

Elastic made the decision to no longer refer to Elasticsearch or Kibana as open source and instead refer to the projects as free and open. “While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word ‘Open’ and ‘Free and Open.’ These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source — transparency, collaboration, and community,” the company explained in a post.

Red Hat’s Haff actually thinks it can be a good thing if a project is successful and popular enough that a big public cloud provider is going to try to compete with it. “There’s a saying in the open-source space that your biggest challenge isn’t to be competed with, it’s to have no one know or care what you do,” he said. 

Another way to respond to the cloud providers, short of changing the software licensing model, is to form innovation partnerships with the cloud vendor. That creates a window in which the vendor can’t simply copy the project’s functionality, and the hope is that during that window the project innovates and moves past the threat.

Drupal’s Byron thinks creating a form of Creative Commons for open source could help categorize open-source projects into projects that are free to use, projects that require attribution, and so on. “That sort of thing around open-source licenses could be really interesting to explore, because it would allow the expression of what these different projects are trying to do, but through the singular lens of this organization that has proven its importance and its credibility within the community,” she said.

She also suggested creating social pressures on these companies to do better. WSO2’s Newcomer thinks we are already seeing Amazon react and change. In response to Elastic, the company created OpenSearch, an open-source fork of Elasticsearch and Kibana, and it is working with the industry to support and maintain the project long-term. Additionally, New Relic recently contributed Pixie, the open-source project for Kubernetes-native observability, to the Cloud Native Computing Foundation, and expanded its relationship with Amazon to run Pixie on AWS. 

Amazon “is the lead right now in this market. They have the capability to just take a leadership position in solving new problems through collaboration and open source,” said Newcomer. “What we need is more standard ways of interacting with them, standard platforms that all cloud providers should implement to solve the problems in the way of people so they’re not in this situation of having to pick and choose, which is difficult for everyone.”

Open source is a community, not a brand
https://sdtimes.com/open-source/open-source-is-a-community-not-a-brand/ Mon, 07 Jun 2021 13:34:07 +0000

It’s no longer a question of why should you use open source. The tables have turned and businesses are asking themselves why aren’t they using open source? But an even bigger question has been left unanswered, and that is how are they using open source? Are they staying true to the open source meaning? 

As open source has become increasingly more popular, companies have begun to adopt open source for the brand, but then try to go against the purpose of open source, according to Gordon Haff, a technology evangelist at open-source company Red Hat. “I’ve definitely been on a lot of calls where one of the first things I’ll ask business leaders is why do you want to be open source, and often the answer is: because our customers seem to like that, but we don’t want Amazon to compete with us. We don’t want someone else to compete with us. We want to be able to maintain some proprietary parts of our software,” he said.   


Open source itself has never gotten away from its meaning, according to Vicky Brasseur, author of the book “Forge Your Future with Open Source.” The problem, she said, is that people haven’t bothered to learn or understand the true meaning of open source. “They make up their own definitions of open source, or they do it via the telephone game…and so the definition they’re working under in no way relates to what it actually is,” she said. According to Brasseur, the Open Source Initiative (OSI) defined open source over 20 years ago, and that is the one true meaning there is.

The Open Source Initiative’s definition of open source

OSI’s open source definition states that open source goes beyond just accessing the source code. To be open source, the software must comply with the following 10 criteria: 

  1. Free redistribution, 
  2. Source code, 
  3. Derived works, 
  4. Integrity of the author’s source code, 
  5. No discrimination against persons or groups, 
  6. No discrimination against fields of endeavor, 
  7. Distribution of license, 
  8. License must not be specific to a product, 
  9. License must not restrict other software, 
  10. And the license must be technology-neutral.

“That is the one, the only, the worldwide recognized standard,” said Brasseur. “Standards are very important because otherwise we can be using the same words and mean completely different things, and from a business perspective, that can be devastating for people to be using different words or the same word open source and meaning different things. There is no other definition of open source.”

Creating a business model around open source

According to Robin Schumacher, vice president of product at open-source monitoring solution provider Netdata, open source has been so successful because of its social aspect. Unlike proprietary software, it’s collaborative. It’s community-oriented and community-driven.

There are ways for a business to successfully use open source to their competitive advantage while staying true to the nature of open source, but open source shouldn’t be adopted just because it makes a company look good. “Your primary responsibility as a business owner, as a founder, as a manager of an organization, of a business, of a company, is not necessarily to open source. It is to your business,” said Brasseur. “If you are starting from open source and then trying to reverse engineer a business out of that, you’re coming at it from the wrong direction.” 


A business should be looking at what the user needs, what the environment is they are targeting, what the trends are, whether or not they can meet those user needs or do it better than someone else, and then decide if it makes sense to use open source or release software to open source, Brasseur explained. If open source makes sense for the business goal, then companies need to put the effort into building the community around open source and understanding what the goal of releasing to open source is going to be. “If you don’t know your business goals, you won’t be able to maintain and guide that open-source project in a way that you can actually meet your business goals,” said Brasseur. 

According to Sacha Labourey, co-founder of enterprise software delivery company CloudBees, there are a number of models and tools today to make sure organizations are able to properly manage and govern the use of free and open-source software (FOSS). “We talk a lot about FOSS, but the reality is that it has been incredibly stable in how it operates and the value it provides. What has really been evolving fast are the various business models around FOSS,” he said. 

One of the best and most proven models out there is the open core model, according to Schumacher. In the open core development model, vendors open-source a portion of their software, but surround it with proprietary offerings. While it is valid from a business model perspective, Red Hat’s Haff noted that it’s important to recognize the open core model makes things a lot harder for the community to do collaborative open development.  

It takes a lot of time for people to figure out how to use the code, set it up properly and then maintain it, explained Angie Byron, core co-maintainer of the Drupal project, an open-source web content management framework. What companies like Acquia, a digital experience platform built around Drupal, and Red Hat do is provide a cloud platform that takes all the guesswork out for users and provides users with professional services and a support system. 

When projects and vendors commercialize open source, they have to understand there are various levels of commitment and contribution they are going to get from the community. It’s not always about code contributions, Schumacher said. There are other ways the community can help out; for instance, by doing testing, quality assurance, performance testing, bug reports, feature requests, forum contributions, meetups, and sharing best practices and pitfalls.

Giving back to the open-source community

Technology giants like Google, Red Hat and others have been the most successful in the open-source world because they embrace the developer. “The love of the developer, the understanding that the developer is the set of ground troops that takes the technology into a particular enterprise, ingrains it into the lines of business, then it begins to bubble up to the higher-ups who see the benefits of what’s going on or just the proliferation of this software, and have no choice but then to make a commitment to it,” said Netdata’s Schumacher. 

A successful open-source vendor will provide a very smart and qualified developer relations staff, he explained. “You are going to need people who understand the spirit, mindset and everything of the developer community, of open source in general…” he said. 

Schumacher has three pillars for a successful developer relations staff:

  1. Community managers who are active in the industry and evangelizing the software, participating and scheduling meetups and events, are present on social media, and are broadcasting the benefits of projects to the open-source community
  2. Skilled technical members who are responsible for helping the community implement the open-source software and providing best practices, jump-starts, sample apps, and code contributions
  3. Lastly, you need an educational aspect that goes beyond how to use the software and talks about the next steps in terms of how to utilize the software to the user’s advantage. This area should include videos, written content and other resources to provide users with a pass to success. 

“The developer relations staff is absolutely critical for any vendor that wishes to work with open-source software, commercialize and be successful,” said Schumacher.

However, author Brasseur warns that while developer relations and open-source program offices can be beneficial, you have to make sure you are hiring the right or qualified people. “There are great people out there for this, but there aren’t nearly as many experienced people for this.” You can’t just hire internally because a developer contributed to an open-source project once, she explained. 

Other ways organizations can give back or get involved in the community include getting involved in industry initiatives or open-source foundations. Organizations “have to change their mindset from, we’re just going to develop what we think we need to be competitive to let’s help develop what the industry needs,” said Eric Newcomer, CTO at WSO2, an API management company. “One of the reasons open source is so successful is because people can collaborate on a shared vision of a common problem that everybody has.”

It’s not as easy as telling organizations to give back though, Drupal’s Byron explained. She said you have to incentivize companies to give back.

At Drupal, the project created a contribution record where contributors and committers can show how they are helping to sustain the project and the Drupal Association. “Hammering on that is probably the best way to do it because companies are probably not going to contribute out of the kindness of their heart. They need to have an incentive that matches with their return on investment,” Byron said.

She also explained that contributing to open source not only helps solidify an organization as an expert in its field, but it helps gain and retain talent because many developers want to work for companies that make time for open source. Contribution credits can help weed out the true open-source experts from the pretenders. “If you are selling yourself as an AWS vendor, but you have no record of ever contributing to anything around the AWS ecosystem, it’s sort of like, well did you just take a test and now you’re calling yourself an expert versus if you can see the trail of this person making contributions, writing blog posts and such, it’s easy to choose between the two. One is literally establishing themselves as an expert,” Byron added.

The challenges facing open source today

Vicky Brasseur, author of the book “Forge Your Future with Open Source,” sees three main issues plaguing the open source landscape today. 

  1. The influx of open-source projects: According to Brasseur, there has been a flood of new projects being released. While that can be a good thing, it can also be problematic if organizations are just releasing things into open source to be trendy. She explained it makes the signal-to-noise ratio off-balance and makes it difficult to find useful projects. “It’s contributing to this age-old problem of reinventing the wheel, rather than perhaps contributing back to the existing wheel that’s already there,” she said. It’s tempting to want to release something rather than contribute to something, but you don’t necessarily have to start everything from scratch. Support what’s already out there, fork it, or take it into a different direction, according to Brasseur. 
  2. Lack of knowledge: Knowledge should go beyond just the definition of open source and free software. Businesses and developers need to understand the copyright and licensing details that go behind open source. Developers that “play fast and loose” with the laws, Brasseur said, make it difficult for companies to use their software because they have to take the time to figure out what the license is and how they can use the software. Too many hours are wasted just talking about and chasing down licensing information.
  3. Monocultures: Brasseur sees a number of monocultures plaguing the open-source ecosystem through fiscal sponsors, tooling and foundations. “These monocultures are a problem. All you need to do is watch Twitter on any day when GitHub is down. All of open source screeches to a halt. That is a huge problem. People equating open source with GitHub, that is a problem… I like GitHub, they do good things, but from an ecosystem point of view, that’s a problem. Projects that assume the only place I can go to have somebody support me from a foundational level is the Linux Foundation, that is a problem. There are lots of different options. The Linux Foundation does a very good job in many ways, but it’s not the be-all and end-all. Companies that think in order to participate in open source, I have to pay to become a member of a foundation, that is a problem,” she explained.  — Christina Cardoza

Open-source software in the enterprise

Red Hat’s 2021 State of Enterprise Open Source report found 90% of IT leaders are using open source in the enterprise, and 79% expect their use of enterprise open-source software for emerging technologies (edge, IoT, AI and ML) to increase over the next couple of years. The main drivers for adopting open source are infrastructure modernization, digital transformation, higher quality software, access to the latest innovations, and better security. 

This year, the company decided to ask respondents whether or not they look to see if a vendor contributes back to open source when looking to implement a new solution. Surprisingly, the report found that IT leaders not only care, but they are much more likely to choose a vendor who contributes. “That means the IT leaders are starting to appreciate the virtuous cycles that you have in open-source development,” said Gordon Haff, a technology evangelist at open source company Red Hat.

But barriers still remain with respondents citing level of support, compatibility, and lack of internal skills as top challenges to adopting open source. 

Software solutions provider Perforce, which recently released a report on open-source opportunities with Forrester Research, believes that while open source has cemented its role as a critical agenda driver in the enterprise, not enough organizations are taking the necessary steps to optimize their OSS strategies. 

“Without comprehensive and optimized strategies that govern the critical pillars of running OSS, organizations risk missing out on the benefits it can deliver, including greater flexibility and better efficiency, time to market for products, customer and employee experiences, and more,” the report stated. 

While free and open, open source can be complex and require expertise to maintain, support and operate. According to the Perforce report, it’s important to partner with industry leaders to maximize open-source success through migration help, ongoing management and support. Additionally, an open-source strategy that can clarify the open source initiatives, governance, role of internal resources and external support can help pave the way for open source in the enterprise. 

“Finding success with open-source software as an enterprise organization requires a fully formed strategy – especially as it applies to critical areas like support,” said Rod Cope, CTO at Perforce Software.

Report highlights the need for new ways to secure free and open-source software
https://sdtimes.com/open-source/report-highlights-the-need-for-new-ways-to-secure-free-and-open-source-software/ Tue, 08 Dec 2020 17:52:46 +0000

While there may be a clear understanding that free and open-source software (FOSS) requires more security dedication and effort, open-source contributors don’t want to be bothered with it. A recent report found that contributors on average only spend about 2.27% of their time responding to security issues, and don’t have plans to increase that. Additionally, they responded that they would like to spend as little as 0.06% of their time on security. 

But it is not because contributors find there is no need for security. When asked what would be the most beneficial contribution to their FOSS projects from external sources, they responded bug/security fixes, free security audits, and easier ways to integrate security tools into their CI pipelines. “This indicates that there is a clear need for these efforts, but existing contributors are not interested in dedicating substantial additional time to it,” the 2020 FOSS Contributor Survey, which was conducted by the Linux Foundation and Laboratory for Innovation at Harvard, stated. 

As a result, the report found that open-source projects need an alternative method for incentivizing security-related efforts. These methods can include improving security practices through more secure development training, badging programs, mentoring programs, and security and automation tools. 

In addition, organizations that pay employees to contribute to FOSS can help by redirecting those efforts to identify and address known security issues. According to the report, almost half of respondents are paid to contribute to FOSS. Organizations need to find a balance between corporate and project interests. For instance, while paid contribution efforts could help improve the stability and sustainability of FOSS, there are concerns that the organization will push contributions in a direction that is best for the company and not the project’s users. Another concern is that if the organization decides it is no longer cost-effective to contribute to the project, the project will lose most of its contributors. 

To create a balance, the report suggests companies be clear about their commitment and long-term support of specific projects, incentivize paid contributors to mentor new volunteers, and transfer projects to a foundation with neutral governance. 

The report also stresses the need for companies to provide clear FOSS policies. About 17% of respondents stated their companies have unclear policies and about 6% reported they were unaware of any policies. 

When looking at what motivates contributors to work on FOSS projects, they cited the “enjoyment of learning,” “the need for a feature or fix,” and “the need for creative expression.” To sustain that motivation, the report suggests companies recognize the value of contributing to FOSS, support the learning process, balance the mundane and creative tasks, and consider support options other than payment to contributors. 

“In the end, free and open source software is, and always has been, a community-driven effort that has led to the development of some of the most critical building blocks of the modern economy. This survey highlights the importance of the security of this important dynamic asset. Likewise, it will take a community-driven effort, including individuals, companies, and institutions, to ensure FOSS is secure and sustainable for future generations,” the report stated. 

Open source at 20: The ubiquity of shared code
https://sdtimes.com/os/open-source-at-20-the-ubiquity-of-shared-code/ Mon, 02 Jul 2018 13:00:17 +0000

“Why is open source important? That’s like asking why is gravity important,” stated Brian Behlendorf, a leading figure in the open-source software movement, and executive director for the blockchain consortium Hyperledger.

While this year marks the 20th anniversary of open source, it is hard to imagine a time before open-source software. Today, it’s difficult to find a solution or piece of software that was created without some open-source components.

According to Behlendorf, the largest companies out there, including Amazon, Google and Facebook, would not be possible without open source, or if they were possible, their solutions would be much more expensive.

“Today, open source is the assumed default for any new software development,” said Simon Phipps, president of the Open Source Initiative (OSI). “Having the freedom to meet your own needs with software collaboratively with a community is the best way of dealing with large complex systems in large complex stacks, and consequently everyone is doing that. Everyone would rather work in an open source environment than try to replicate the attributes of the open-source environment in a proprietary space.”

Behlendorf recalls first being attracted to the open-source space because he didn’t really trust his own coding abilities, and the idea that there were other developers out there willing to read his code and help him fix it was a “godsend.” “For many people who became programmers after the ‘90s, working publicly, pulling down open-source code, sharing improvements back if you made any or even taking your work and releasing it publicly became the default. It was what was expected,” he said.

However, being able to share and collaborate openly on software wasn’t always possible. OSI’s vice president VM Brasseur describes the early days as the “wild west” where programmers were building tools for programmers, driven by the philosophical belief that “sharing is good and right.”

According to Brian Fox, CTO of Sonatype, there were no campfires in the beginning. There were no places for developers to come together except for forums, and even with forums it was really hard to share code. It took the release of solutions like SourceForge, and later GitHub, to really make open-source software more accessible, Fox explained. “GitHub has made it super easy for people to fork your stuff and contribute your code back in pull requests. That was one of the major innovations GitHub provided,” he said. “Prior to that, it was a lot of work for a committer to be able to take a patch from someone else and merge it into the codebase.”

The start of “open source” began around 1998, when OSI’s Phipps says the company Netscape came along with plans to release its browser code under a free software license. Instead of going for the GPL, the company created a new license, which became known as the Mozilla project license. “It became obvious that there was a big slice of this software freedom movement that was unrepresented. Tied up with that was a difficulty in talking about it because the words the movement used to talk about it up to that point were confusing. When you hear the word free, you assume it doesn’t cost anything,” he said.

So, in 1998, a group of people got together and decided to reframe the software freedom movement in a way that would allow people to quickly understand what it was about, and would allow businesses to embrace it without needing to engage in a complicated debate about ethics, Phipps explained. Out of that came the decision to use the term open source.

“The introduction of the term ‘open-source software’ was a deliberate effort to make this field of endeavor more understandable to newcomers and to business, which was viewed as necessary to its spread to a broader community of users,” Christine Peterson, who is known for coining the term open source, wrote in a February blog post retelling the story. According to OSI’s Phipps, the term open source had already been commonly used in the industry at that point, but really took off when Peterson and Todd Anderson began using the term at a meeting at VA Research. Weeks later, the term was picked up by Tim O’Reilly, who renamed his Freeware Summit to Open Source Summit, and Netscape also started using it.

“For the name to succeed, it was necessary, or at least highly desirable, that Tim O’Reilly agree and actively use it in his many projects on behalf of the community. Also helpful would be use of the term in the upcoming official release of the Netscape Navigator code. By late February, both O’Reilly & Associates and Netscape had started to use the term,” Peterson wrote.

As the months went by, open source’s popularity only continued to grow, to the point where we can’t imagine not using the term, or the code.

“A quick Google search indicates that ‘open source’ appears more often than ‘free software,’ but there still is substantial use of the free software term, which remains useful and should be included when communicating with audiences who prefer it,” Peterson wrote.

After the term was coined, the industry felt there needed to be an organization put in place that would act as a steward of the term, and thus the Open Source Initiative was formed. “The Open Source Initiative (OSI) is a non-profit corporation with global scope formed to educate about and advocate for the benefits of open source and to build bridges among different constituencies in the open source community,” the OSI wrote on its website. “Open source enables a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is higher quality, better reliability, greater flexibility, lower cost, and an end to predatory vendor lock-in.”

Open-source software vs free software
According to OSI’s Phipps, the history of software freedom dates back a lot further than 20 years ago, and Richard Stallman was one of the first people who started the free software movement with the GNU project in 1983, which resulted in the GNU public license.

“Without the genius insight of Richard Stallman (aka RMS) that existing copyright and licensing mechanisms could be leveraged to enable the distribution and sharing of software—freely and openly—none of us would be here talking about this today. There would have been no open source software history without the work of GNU, FSF, GNOME, and others. All of software development owes them a huge debt,” said OSI’s Brasseur.

Today, Stallman is the president of the Free Software Foundation, and while he is a significant figure in this space, Stallman does not agree with the term open-source software. According to Stallman, open source is a term that was adopted in 1998 by people who reject the free software movement’s philosophy.

“When we call software ‘free,’ we mean that it respects the users’ essential freedoms: the freedom to run it, to study and change it, and to redistribute copies with or without changes. This is a matter of freedom, not price, so think of ‘free speech,’ not ‘free beer,’” Stallman wrote in a post.

He explained that the term open source “misses the point.” While open source was created as a marketing campaign for free software, along the way the meaning has transformed.

“The term ‘open source’ quickly became associated with ideas and arguments based only on practical values, such as making or having powerful, reliable software. Most of the supporters of open source have come to it since then, and they make the same association,” he wrote. “The two terms describe almost the same category of software, but they stand for views based on fundamentally different values. Open source is a development methodology; free software is a social movement. For the free software movement, free software is an ethical imperative, essential respect for the users’ freedom. By contrast, the philosophy of open source considers issues in terms of how to make software ‘better’—in a practical sense only. It says that nonfree software is an inferior solution to the practical problem at hand.”

OSI’s Phipps believes open-source software and free software have the same meaning and purpose; they are just articulated in different ways according to the preference of the organization and the people who are articulating it. Phipps explained that the term open source was only created as a marketing program for free software. “A discussion about a philosophy doesn’t often get very far with a business, so people who are talking about open source tend to lead with the benefits of having the freedoms,” he said.

But Stallman disagrees. According to Stallman, the term open source was meant to remove the ethical language because it made businesses and people “uneasy.”

“When open source proponents talk about anything deeper than that, it is usually the idea of making a ‘gift’ of source code to humanity. Presenting this as a special good deed, beyond what is morally required, presumes that distributing proprietary software without source code is morally legitimate,” he wrote. “The philosophy of open source, with its purely practical values, impedes understanding of the deeper ideas of free software; it brings many people into our community, but does not teach them to defend it. That is good, as far as it goes, but it is not enough to make freedom secure. Attracting users to free software takes them just part of the way to becoming defenders of their own freedom.”

OSI believes open source means more than just access to source code. In order to be considered open source, a license must comply with 10 criteria:

  1. Free redistribution
  2. Source code
  3. Derived works
  4. Integrity of the author’s source code
  5. No discrimination against persons or groups
  6. No discrimination against fields of endeavor
  7. Distribution of license
  8. License must not be specific to a product
  9. License must not restrict other software
  10. License must be technology-neutral.

The tipping point for enterprise adoption
The coining of the term open source was meant to pave the path for businesses to adopt free and open-source software, but businesses didn’t travel there overnight.

In 2001, Steve Ballmer, CEO of Microsoft at the time, described the open-source operating system Linux as a cancer. “Linux is a cancer that attaches itself in an intellectual property sense to everything it touches,” he said in 2001. Of course, since then Ballmer has changed his stance now that he no longer sees Linux as a threat. Microsoft has also embraced open source, and is now one of its biggest contributors. The company recently announced the acquisition of GitHub for US$7.5 billion.

“Open source has gone from something that was almost anti-company to something that really got embraced by businesses. Open source really set the standard for how you can more effectively work together, and companies are now embracing that way of working as well,” said Sid Sijbrandij, CEO of GitLab. “Over time, all the concerns with licenses and how to work together with the community got better, and as a result it got more popular.”

In spite of that, OSI’s Brasseur thinks most businesses still haven’t realized the importance of open source.

“I’ve seen companies shut down their open-source programs. I’ve seen companies swear they don’t use any open-source software and then seen the stunned looks on their faces when they’re shown how much of their stack is free and open-source software. I’ve seen companies release faux open source, either by throwing unlicensed and unsupported projects over the wall and calling them ‘open source’ or by releasing them under proprietary licenses and claiming they’re ‘open source’ when at best they may be ‘source available,’ ” she said.

She does admit that there has been an explosion of corporate involvement, contribution and sponsorship.

For Hyperledger’s Behlendorf, the tipping point for businesses to realize the benefits was in the late ‘90s when the Netcraft web server service conducted a survey asking about the web servers businesses were running. “That survey was this compelling visual indication of the prominence of the Apache Web Server,” he said. “It is still the main web server running on the majority of active websites on the Internet today.” Behlendorf explained that this was the first time the non-technical audience could visualize that there was something important happening here.

In addition, Behlendorf said he was approached by IBM in the late ‘90s. IBM said it recognized something was happening in the Apache world, and wanted to be a part of it. This interest was born of a survey IBM reportedly conducted among its Fortune 100 customers. The company asked the CIOs of each of those companies how many were using Linux or other open-source software in their infrastructure. While only a handful of CIOs reported they were using it, when the company repeated the same question to technical managers and system admins at a lower level who worked closer to the code, a majority reported using Linux or open-source technologies. “It was an indicator that there was commercial opportunity, not just interesting curiosity,” Behlendorf said.

GitLab’s Sijbrandij agreed with Behlendorf that IBM’s embrace of the Apache Web Server was momentous at the time. “It was one of the most respected brands, and they were adopting this open-source project,” he said. Sijbrandij also gives Oracle’s acquisition of MySQL and Google’s release of Kubernetes credit for bringing the open-source movement to enterprises.

Sonatype’s Fox believes the tipping point happened when build systems made it possible to consume open source.

However, OSI’s Phipps says the transition to enterprise adoption has been more of a gradient than a tipping point. “I think people gradually understood the value of using software where many people are collaborating around it,” he said. “What tends to swing things for people is when they realize that open source isn’t about giving everything away, but actually it is an alternative way of investing your intellectual property.”

The state of open source
Today, you would be hard-pressed to find a solution that doesn’t contain some form of open-source software. Forrester and Gartner have reported 80 to 90 percent of commercial software developers use open-source components within their solutions.

“Nowadays, if you started a project, it would be unthinkable for you to decide you were going to build everything from the ground up and start with that massive investment,” said OSI’s Phipps.

Open source is everywhere, Behlendorf stated. It is about empowerment and giving the community the tools to create economic value. “Proprietary code still has a place, but it now has to justify its existence rather than the other way around,” he said.

Closed-source software is starting to become frustrating, according to GitLab’s Sijbrandij. If you find a bug in closed-source software, you can’t solve it. You don’t have a way to access it. “It is like driving a car where you can’t open the hood. That is super frustrating because if you want to fix a bug or add new wiper fluid, and you can’t if it is closed. No one would accept a car like that, and developers are starting to reject software that is made like that,” he said.

What we are seeing now is that collaborative innovation is working, said OSI’s Phipps. “We have seen Google and Facebook bring themselves into existence with layers of open source. We have seen millions of startups being able to get going because they are able to install Linux, run Apache Server, run Apache Tomcat and use open source to their advantage.”

Now that it is the default, the next question to ask is where is it going. “We have all the freedom we need in place, so now we have the luxury of being able to ask meta questions about governance, continuous improvement, safety and so on,” said Phipps.

Despite all the progress the open-source space has made, OSI’s Brasseur explained there is still plenty of room to grow. While the approach of “by programmers for programmers” has gotten open-source software this far, to keep the momentum going, Brasseur said we need to shift to the idea of “by programmers for others.” “The usability, accessibility, and documentation of most FOSS projects are in such a state as to be entirely out of reach of people who don’t spend their lives steeped in technology and software development. We’re not going to further the missions of free and open source software if we can’t start developing software that reaches out to a new market of users and, most importantly, meets them where they are rather than expecting them to read code, edit config files, or open up a terminal just to perform basic tasks,” she said.

Brasseur says we are moving to FOSS v3.0, where free and open source has evolved into “Business As Usual.” Version 2.0 was the launch of the open-source definition, and version 1.0 was the dawn of free software, she explained. As we move towards version 3.0, we have to be mindful of how open-source software communities are going to work with corporations, and not lose sight of open source’s mission and bigger picture, Brasseur explained.

Open source: It’s a matter of trust, and concern
One of the biggest concerns in the open-source world is whether or not users can trust the security of the project. Over the years, the dedication of developers, companies and organizations like the Core Infrastructure Initiative looking to support projects has dissipated this fear, but concerns still remain.

GitHub’s 2017 Open Source Survey revealed 86 percent of respondents find security a top concern.

While public open-source typically implies there are more eyes looking at the code, it doesn’t imply that it is more secure, according to Guy Podjarny, CEO of Snyk. The open-source projects backed by foundations or corporations tend to be very good from a security perspective, but there are still smaller open-source projects out there backed by individuals or a group of developers who aren’t as well-equipped to maintain security.

In Snyk’s 2017 State of Open Source Security report, the company found open-source library vulnerabilities increased by 53.8 percent in 2016, the mean time from disclosure to a fix being released is 16 days, 79.5 percent of maintainers don’t have a public-facing disclosure policy in place, and of 433,000 sites tested, 77 percent have at least one client-side JavaScript library with a known security vulnerability. “The open source landscape is massive and only getting more diverse. The overall security of open source is an important measuring stick. We need to know where we stand today to know what we can do better,” the report stated.

Forty-three percent of Snyk respondents stated they never audit their code, and 75 percent of vulnerabilities are not discovered by the maintainer.

According to the report, the lifecycle of open-source security should include: discovering vulnerabilities, releasing fixes, notifying users and adopting published fixes. “It’s clear we have some room for improvement, but it’s also clear we have a lot of opportunities to do so. It’s easy to see that maintainers are eager to make their projects more secure and that users want to make security a priority in their open-source consumption. It’s just a matter of ironing out the wrinkles a bit,” the report stated.

Some tips on maintaining and improving the security of open-source code include having a public-facing disclosure policy, running regular audits and security checks, and making it clear to users that you care about security. If you use open-source code, Snyk says you should check for any known vulnerabilities in third-party components, contribute back to the community, and report vulnerabilities as responsibly as possible.
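The consumer-side check the report recommends, matching pinned third-party components against published advisories, and the disclosure-to-fix interval it measures, can both be shown with a small script. The following is an added example written for this article, not code from Snyk or from the report; the package names, version ranges, dates and `EXAMPLE-` advisory ids are all constructed for illustration, and the version parser assumes plain dotted integer versions.

```python
"""Added example (not from the article or Snyk): match a project's pinned
third-party components against a small, constructed advisory list and
report which ones carry a known vulnerability that already has a fix."""
from dataclasses import dataclass
from datetime import date
from statistics import mean


def parse_version(v: str) -> tuple:
    """Turn '1.12.3' into (1, 12, 3) so versions compare numerically.
    Simplification: pre-release suffixes such as '1.0.0rc1' are not handled."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str      # first affected version (inclusive)
    fixed: str           # first patched version (exclusive upper bound)
    disclosed: date      # public disclosure date
    fix_released: date   # date the patched version shipped
    advisory_id: str     # placeholder ids, constructed for this example

    def affects(self, version: str) -> bool:
        """True when introduced <= version < fixed."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)

    def days_to_fix(self) -> int:
        """The disclosure-to-fix interval the report reports a mean of."""
        return (self.fix_released - self.disclosed).days


# Constructed advisories; package names, ranges, dates and ids are invented.
ADVISORIES = [
    Advisory("libfoo", "1.0.0", "1.4.2", date(2017, 3, 1), date(2017, 3, 20), "EXAMPLE-0001"),
    Advisory("webbar", "2.0.0", "2.3.0", date(2017, 5, 10), date(2017, 5, 12), "EXAMPLE-0002"),
    Advisory("jsbaz", "0.1.0", "0.9.0", date(2016, 11, 2), date(2016, 11, 30), "EXAMPLE-0003"),
]


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (requirements-style); skip blanks and comments.
    An unpinned dependency is rejected because it cannot be matched to a range."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip()] = version.strip()
    return deps


def find_vulnerable(deps: dict, advisories=ADVISORIES) -> list:
    """Return (package, version, advisory_id, fixed_version) for each match."""
    hits = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and adv.affects(version):
            hits.append((adv.package, version, adv.advisory_id, adv.fixed))
    return sorted(hits)


def mean_days_to_fix(advisories=ADVISORIES) -> float:
    """Mean number of days between disclosure and fix across the advisories."""
    return mean(a.days_to_fix() for a in advisories)


# Constructed manifest: one component already on the fixed version, one unknown.
SAMPLE_MANIFEST = """\
libfoo==1.3.9
webbar==2.3.0   # already at the first fixed version, so not reported
jsbaz==0.5.1
quux==4.0.0     # no advisory on file
"""

if __name__ == "__main__":
    deps = parse_manifest(SAMPLE_MANIFEST)
    for pkg, ver, adv_id, fixed in find_vulnerable(deps):
        print(f"{pkg}=={ver}: {adv_id}, upgrade to >= {fixed}")
    print(f"mean days from disclosure to fix: {mean_days_to_fix():.1f}")
```

The exclusive upper bound on `fixed` is the detail that matters in practice: a component sitting exactly on the first patched version must not be flagged, while anything below it in the affected range must be. The same range logic is what a real advisory feed with introduced/fixed fields is consumed with; only the data source changes.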

“Security is a complicated beast, and developers are not security experts. Open source is a very high-scale problem. We need the tooling and ecosystem to better cater to the open-source community,” said Podjarny.

In addition, Brian Fox, CTO of Sonatype, says users need to be aware that the bar to producing open-source software has been significantly reduced, as has the number of people paying attention. The next generation of publishers need to think about how their choices are going to potentially impact consumers. “There is a magnifying effect that you can write something and people can use it, and that is awesome, but what is not awesome is if you write something and everyone gets hacked or in extreme cases people potentially die because systems crash because of a careless developer.”

“Most of them aren’t setting out to do it on purpose, but they are equally not thinking about the unintended consequences of the things they do,” he added.

When developing open-source software, Fox suggests developers think about their choices as if they are protecting millions of people, because as a producer of open-source software that is essentially what is happening.

“Generally, it is good that we are able to share and reuse work without having to keep solving the same problem over and over again. I think we just have to get more mature in how we manage it. Then we will be able to really recognize the benefits of it without unmitigated downside,” he said.

When corporates swoop in
The enterprise is not only embracing open source, but it is becoming more involved in the community today. Every day you see companies either releasing open-source software, contributing to a project, or even taking over a project. But you also see companies acquiring or starting to work on a project to benefit their own solutions and vision.

For instance, Microsoft recently announced it acquired GitHub, the web-based hosting service that is home to many open-source software projects. While GitHub itself isn’t an open-source software project, there are fears that come along when a corporate company buys an open-source related company. Some fear that “they merge that into an existing solution from them, caring more about what their corporate customers want, rather than the open source community in general,” said Martin Gontovnikas, vice president of marketing and growth at Auth0.

Gontovnikas says as long as Microsoft keeps GitHub separate, there should not be anything to worry about. “Microsoft’s decision to keep Github separate with Xamarin’s CEO as the new CEO is a very smart idea. They’re showing from the get-go that they won’t ‘corporatize’ Github, or at least it doesn’t seem so,” he added.

Jim Zemlin, executive director at the Linux Foundation, believes Microsoft’s acquisition of GitHub is good news for the open-source world, and should be celebrated. “Should the open source community be concerned? Probably not. Buying GitHub does not mean Microsoft has engaged in some sinister plot to ‘own’ the more than 70 million open-source projects on GitHub. Most of the important projects on GitHub are licensed under an open-source license, which addresses intellectual property ownership. The trademark and other IP assets are often owned by a non-profit like the Linux Foundation… And let’s be quite clear – the hearts and minds of developers are not something one ‘buys’ – they are something one ‘earns,’ ” Zemlin wrote in a post.

OSI’s president Simon Phipps believes the fear developers have of corporate takeover of open-source projects is more of a conspiracy theory. “Obviously a company is not going to harm themselves. There are benefits that accrue to them, and that’s shared maintenance and external innovation,” he said.

When a corporate company steps into an open-source project, it is important that it remains transparent about future plans and goals, according to Mik Kersten, CEO and co-founder of Tasktop.

“In my experience the effect of a corporate entity taking over an open-source project depends most on the business model of an entity. If there is a high degree of alignment with continuing the project and supporting its community, it can work. Typically this means the business can monetize the open-source user base either directly or indirectly. If there is a lack of alignment, the project can quickly see staff cut from it and start to decline. I’ve lived examples of both, and the best suggestion I have is to be clear to the community about where the project is headed and why,” Kersten said.

It’s not just being transparent about the code, Sid Sijbrandij, CEO of GitLab, added. It is about being transparent about the decision process, the roadmap, what is going well, and what isn’t going well.

Tasktop’s Kersten created the open-source Eclipse Mylyn project, a task and ALM framework for Eclipse. According to Kersten, one of the reasons he made Mylyn open source was to make it easier to get contributions from the community. Kersten decided to move Mylyn to the Eclipse Foundation because he believed it could help him have a bigger impact on developer productivity.

According to Kersten, when corporate takes over, developers need to look at how the open-source project is going to be structured going forward, what the governance model for the project looks like, and the licenses and contributor license agreement. “Once a company or even an individual gets more serious about embracing an open-source project, it becomes very important to ask questions because it will determine what happens or give you a sense for what will happen with a course of the project in the future,” he said. “For me, I try to distinguish whether the project is open source, which means the source code is available, or it is actually openly developed, which means it is very easy for an individual or company to start contributing to the project.”

While Brian Behlendorf, executive director for the blockchain consortium Hyperledger, hasn’t seen any examples of a corporate company taking over a project and trying to force developers to do things, there are times where a company comes in and ends up prioritizing the kinds of things they find important. “The bigger risk is generally more of where you have an open-source project. If a majority of the developers work for a particular company, then it is harder to ensure that the door is open,” he said. “Ideally, what you are trying to do is get this perpetual motion machine going and tell the world that this is a community project.”

The harder question to answer is whether or not a project will outlast a developer or company. Efforts like the Linux Foundation and Apache Software Foundation aim to help projects exist and grow into multi-stakeholder projects, Behlendorf explained.

The post Open source at 20: The ubiquity of shared code appeared first on SD Times.