Why the last thing open source needs is more corporate oversight

Well-intentioned people keep proposing solutions to open source governance and revenue models. They're wrong. Here's why.

According to a new Black Duck survey, developers can't get enough of open source, ramping up open source adoption by 60% last year. Why the uptick? A whopping 84% cited superior cost savings, ease-of-access, and no vendor lock-in.

That same survey, however, would have us believe that developers live in fear of open source, shuddering at open source vulnerabilities exposing their code, open source "infecting" proprietary software, and more.

Across town, other developers have started creating new, hybrid licenses to help pay the rent for their open source efforts, even as the volume of open source code continues to grow.

In other words, something is amiss.

We've spent decades wringing our hands over the need for open source review boards to govern the intake and release of open source code, yet that code hasn't waited. And despite pleading poverty for years, the open source developer population keeps defying Malthus, cranking out code (and, apparently, getting paid for it). Can we put the fear-mongering to rest?

More and faster

It's not as if the fear-mongering has worked. Quite the opposite. Open source has become so pervasive that, as Cloudera co-founder Mike Olson declared: "No dominant platform-level software infrastructure has emerged in the last ten years in closed-source, proprietary form." That's "none" as in "zero." Indeed, open source is such a staple of developer life that, he continued, "You can no longer win with a closed-source platform."

Already rampant, open source adoption has grown 60% within the 819 enterprises surveyed by Black Duck. Why? Because of "cost savings, easy access, and no vendor lock-in (84%); ability to customize code and fix defects directly (67%); better features and technical capabilities (55%); and the rate of open source evolution and innovation (55%)."

Even so, these same respondents worry about a variety of factors:

  • License risk/loss of intellectual property (66%)
  • Exposure of internal applications to exploitation from open source vulnerabilities (64%)
  • Exposure of external applications to exploitation because of open source vulnerabilities (71%)
  • Unknown quality of components (74%)
  • Failure of development teams to adhere to internal policies (61%)

Given these concerns, it's perhaps not surprising that roughly half of those surveyed are worried about the lack of formal policies for managing open source code. So worried, in fact, that they keep adopting more and more open source software. They can't seem to download it fast enough, but they're sure worried about what might happen!

See the disconnect?

Getting paid for free

And then there's the "Brother, can you spare a dime?" nonsense. I spent most of my career trying to monetize open source software. It's hard. I tried a variety of approaches, many of them involving the GNU General Public License (GPL), essentially as a scare tactic to induce risk-averse enterprises to pay. The companies I worked for had various degrees of success with this, most of it middling.

Why? Because open source isn't a business model, as Marten Mickos has stressed. It's a fantastic way to develop software and a pretty miserable way to sell it.

This isn't new. This is common knowledge, which is why I have little patience for Sourcegraph, MariaDB, and others that have recently launched hybrid licenses in an attempt to capture the benefits of open source without actually being open source. Good luck with that. In the past I ripped into Sourcegraph's Fair Source Licensing, and a year's worth of pondering hasn't changed my opinion. Redmonk analyst Stephen O'Grady has diplomatically offered, "It's not clear...that hybrid licenses...are a worthwhile approach."

I'll go one step further: They're garbage, and decades of open source make that crystal clear.

Envoy developer Matt Klein, contemplating building a business around the software, decided not to. Among other reasons, perhaps the primary one was that the success of the project largely depends upon it not having a single company standing behind it. He wrote:

The fact that there is no commercial entity behind Envoy is extremely compelling to many potential users.... There is a general perception, which I think is correct, that we are making technology-first decisions that are not tainted by corporate interest.... Even as Google has taken increasing interest in the software, other large companies have some level of confidence that the project will not be completely subsumed and we will continue to make technology-first decisions that put the overall community first.

Get that? Open source is all about developers, and developers speak code, not corporate. This is why so many vanity foundations, set up as a facade that lets corporations control code while appearing not to, don't end up succeeding. To succeed, open source needs to be about code, not the whims of a corporate sugar daddy.

In short, open source continues to do amazingly well precisely because open source review boards aren't stunting its growth. It's thriving even as corporations can't figure out efficient ways to monetize it directly. That's the point. It's always been a way for developers to get stuff done with minimal corporate bureaucracy. It's time to celebrate that and not continue trying to shove it into a corporate cubicle.