Open source is hot right now – as OpenUK CEO Amanda Brock likes to say. But the ecosystem is, and has always been, in a delicate position.
In 2023 and beyond, open source faces a set of existential challenges that could undermine its viability. These range from the three regulatory regimes being devised in London, Brussels, and Washington, to a widening funding gap that may slide into financial starvation.
“We’re either going to win or we’re going to lose,” Brock tells IT Pro, when asked how she sees the community, and the ecosystem, evolving in the next five years. “We talk right now about open source being ‘hot right now’ and ‘having won’, but I think we’re at a teeter-totter.”
Sitting across from Google’s VP of infrastructure, Eric Brewer, she explains it can go one of two ways. Either the efforts they’re both pouring into education, as consumption accelerates, especially around user curation, will be a success, or things can swing “really hard” the other way. It’s especially true for large enterprises and the public sector. “[They could] turn around and say this open source is rubbish – it didn’t work – I’m going to stop using it.”
Brewer holds an optimistic outlook – as does Brock – and mass abandonment of open source remains a "nuclear" possibility, as Rust Foundation CEO, Rebecca Rumbul, puts it.
The increasing unease over government intervention, the role of corporations, restricting the use of software, and the lack of sustainable funding, however, all means we’re undeniably at an inflection point for open source.
Chipping away at what it means to be open source
Among the main anxieties rumbling throughout State of Open Con 2023, hosted by Brock’s organisation, was the very definition of open source and how to apply it. For instance, is a project still open source if it’s not open to everyone?
What 2023 will mean for the industry
What do most IT decision makers really think will be the important trends and challenges in the coming year?
One particularly tense session, which focused on ethics in open source, saw two experts at loggerheads. PJ Hagerty, developer advocate and senior staff engineer at Spotify, clashed with the head of policy and innovation at Open-Xchange, Vittorio Bertola, who believed any restrictions on usage meant the project was no longer open source – and shouldn’t be referred to as open source. Hagerty, meanwhile, had no qualms about restricting usage on ethical grounds, with plenty of viable reasons why developers may want to do so. Some developers may not want their packages being used by law enforcement agencies, for example, while the AWS-Elastic controversy showed why “guardrails” were necessary.
Brock shares this concern that small but significant developments “start to chip away” at open source. “You sometimes see people creating licenses that aren’t open source licenses, for example, and holding them out to be open source, where they start to restrict things like commercial usage,” she says. “And the awful war in Ukraine – things like protestware around conflict, where people don’t want their code being used in other countries. It’s not a financial restriction, it’s a restriction by geography or people; these kinds of things chip away.”
Smothering open source with legislative support
Ahead of State of Open Con 2023, the department formerly known as DCMS published a consultation asking for views on how the UK government can play a role in security. Hot on the agenda is boosting security, particularly in light of incidents such as Log4Shell. The UK’s intervention follows the White House’s executive order on open source last year, as well as the EU’s forthcoming Cyber Resilience Act.
Both Brewer and Brock are encouraged by the language and intent of the DCMS paper – and how the UK might effectively, albeit belatedly, adopt a supportive role in the ecosystem. Brewer also remarks on constructive dialogue with the White House. There is, however, discomfort over how the EU’s legislation is shaping up, with confusion over some of the language used. For Rumbul, however, three regulatory regimes coming into force at once pose a material risk – particularly due to possible misalignment and confusion.
“You’ve got three different regulators – they’re all looking at open source, they’re using slightly different language, they’re focusing on slightly different areas, and they’re talking about slightly different solutions,” she outlines. “That, in itself – forgetting regulation alone if it’s poorly written could be a risk – the fact there’s this fragmentation even amongst three territories that should be pretty aligned – that’s going to be a risk for open source.
“Whether we like it or not, regulations can happen, we’re going to have to figure out how to work with them. If they’re poorly defined, or they’re pernicious in any way, even if they don’t mean to be, what we’re going to see is workarounds being used or unintended consequences.”
The trust deficit between communities and corporations
Putting the risk of government intervention to one side, ongoing tensions over the role of corporations in the open source community have not been assuaged – particularly where financing, and profiteering, are involved. Indeed, in light of the AWS-Elastic fallout, plus other examples, there’s still a ‘David and Goliath’ type of friction in the community.
“That power imbalance has always been a little bit uncomfortable between open source and proprietary – or between open source individuals and large companies,” Rumbul explains. “It’s worth remembering there’s a lot of mistrust sometimes in maintainer communities about big corporates, because [they] have been quite aggressive and disingenuous in the past.”
Although enterprises are “doing much better”, many still aren’t putting enough money into projects they’re effectively profiting from. With many more entities today – be it corporations, the public sector, or individuals – using open source software, too, some mistruths are gaining traction. “Open source isn’t free,” Brewer lamented in a public Q&A session, with Brock insistent open source consumers shouldn’t see adoption as a way to cut costs.
Brewer also touches upon the rise of curation, which plays a key role in the ecosystem. Curators often reside within corporations, and work to fix vulnerable code in software, much of which might, or might not be, well-maintained in the first place. Google, for example, launched a software-vetting initiative last year under the Assured Open Source Software brand. Often paid roles, curators have become hugely influential in software supply chain security, with Google predicting four in five enterprises will use curated software packages by 2025. Maintainers, however, who are largely unpaid and contribute code to projects due to an inherent passion, are weary of the growing influence of curators, largely due to the trust deficit between the community and large corporations.
“I hope we’ll see curation work, and I hope it’s something maintainers embrace and don’t feel threatened by,” Brewer pleas. “Actually, it can be great for maintainers, especially if it takes away some of the mundane work maintainers have to do. I think a good curator, for example, should be writing test cases and maintainers would benefit from [that].”
He sees the prevalence of a gap between a sense of purism – the “freedom and beauty of open source” as he puts it – and software that works with certain properties and most of the consumers. Although change is a “little bit scary”, getting curators and maintainers to cooperate could be mutually beneficial. “That gap exists, and it’s fundamental, and we have to bridge it. I think curation is by far the most likely way to do it.”
Funding the future of open source
Despite many for-profit entities playing a role in funding communities, meanwhile, others go against that ethos. Some for-profits, for instance, are beginning to put unfair expectations on largely unpaid maintainers to fix buggy or vulnerable code they use – to a deadline they set. Another cohort, that does fund projects, believes their donations award them priority status when putting in feature or fix requests. Governments, meanwhile, are becoming increasingly significant consumers of open source software – but have so far contributed nothing.
Observability in pre-production testing
Enabling more effective application monitoring through containers
Everyone agrees the status quo isn’t working, and a long-term sustainable funding and maintenance model must be found, but nobody can agree on what this looks like or how to get there. To illustrate the issue, foundations like Rumbul’s can play a small role in maintaining their own communities – but they can’t do this effectively without certainty over funding, despite pulling in more than $2 million in donations per year. Currently, for example, she can only hire staff on one-year contracts, because this future income is not certain.
What about the proposals that are out there? Everyone is in agreement that governments must step in with cash, to some extent, while Brock also proposes a ‘United Nations’ for open source, comprising independent and government-funded curators, that allocate funding fairly and across the entire ecosystem. Rumbul favours a model akin to that of the Information Commissioner’s Office (ICO), in which member organisations pay subscription fees. Another developer suggested a Raspberry Pi-esque model. Companies like Data Bricks, Brewer says, perform curation and efforts like this should be encouraged and supported.
While there are, indeed, many reasons to be optimistic about open source, the frictions that have long existed aren’t close to being resolved and the ecosystem’s future is far from guaranteed.
