The open source world had a couple of harrowing years a few years back, when some of its major players decided to lock down their licenses in a play to sustain their business in the long term. Following this shakeup in the open source world, we witnessed a sort of holding pattern with relative silence over the wire, with developers holding their breath to see where things might land. There was probably more concern during these times regarding the security of open source than anything else.
During the “big licensing change era” and particularly when the Open Distro for Elasticsearch was announced, I wrote the post, “What the Fork, Amazon?”, which discussed the need for finding more ways to sustain open source in the long-term. In particular, those projects that are not supported through commercial or foundation entities, and I’m feeling renewed hope on this front.
In the wake of the move by Amazon Web Services, Elastic then went on to change its license entirely, adopting MongoDB’s SSPL (well really a more complex dual-licensing scheme, but we’ll focus on that for the sake of simplicity), and well, the status quo was sort of just accepted. The OpenSearch community (an actual fork) arose out of the fallout that seems to be gaining momentum, but there weren’t any other major dramas.
A New Dawn for Open Source?
The first notable ecosystem move that makes a new dawn for open source, that happened in the interim, has been the ability for individuals and even organizations to start sponsoring open source projects on Github (where Microsoft — the Github parent company — have proven its commitment to open source many times over). This introduced more avenues to support individual contributor-maintained projects that had been crumbling under the burden of the maintenance of popular tools and projects. Github went even further to double down on this, by even introducing sponsored-only repositories, providing exclusive access to repositories through sponsorship of the projects.
This is interesting, because formerly there were a few well-known models that enabled open source sustainability — namely the commercial open source model or the foundation model — this was a catalyst for something that has been a long time coming. Instead of just being able to “buy a coffee” for the maintainers of your favorite open source project, real organizations that see value in the open source work being done by individual contributors could finally put their money where their code is.
The next notable move in the industry are dev-centric companies that have taken public strides since the open source shakeup to better support open source projects. First Netlify announced a $10 million Jamstack Innovation Fund, and now Spotify just announced a $100KEU FOSS Fund.
I believe this is a trend that will only continue to grow, and gain momentum, as open source takes center stage in developer stacks. This is a culmination of many industry trends converging — be it the evolution of developer products to individual contributor (IC) and dev-first product-led growth (PLG) adoption strategies (from the dated enterprise B2B strategy), with a focus of putting developer experience at the forefront. Likewise, DevOps as a practice now 12+ years old and well-established, having become de facto as an industry standard, and not just the purview of small, agile, and early-adopter startups.
Supporting Open Source Security Takes Center Stage
One such company known for their long-standing support of open source is Google, whether through projects it has created and contributed onward — from Android to Golang and Kubernetes. Google has taken its direct sponsorship one step further by making the $100 million Secure Open Source Fund to support independent organizations and individuals who will do the heavy lifting and work to help fix security vulnerabilities in open source projects (see: SOS Rewards for more info on the bug bounties). They also publicly joined the Open Source Security Foundation.
“The world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure,” SiliconAngle staff writer Mike Wheatley summarized.
This is important, as this last year or so was actually pivotal in open source security. Widely adopted open source projects, such as Codecov, Log4j and even PHP had major zero day security vulnerabilities that put many systems at risk, and the individual contributor maintainers couldn’t keep up pace with the patch timelines. We’ve seen this happen before with projects like OpenSSL, ultimately maintained by two primary individual contributors Steve Marquess and Stephen Henson, likewise, cURL created and maintained by Daniel Stenberg. (Side note, Daniel Stenberg will actually be “uncurling” his take on maintaining open source for 30 years in a memoir I am personally waiting to read.)
The move to make open source sustainable is not just being taken on by major players like Google, Spotify, and Netlify though. One interesting move that has the potential to change the game for open source maintainers, is the sponsored “adoption” of open source projects by companies who believe in them.
Toni de la Fuente, the Founder of Prowler (a widely adopted open source security project), recently announced on LinkedIn that he joined Verica as a founder-in-residence to lead Prowler Pro, in order to help support the project’s maintenance work and enhance Prowler in the long-term.
Another company taking a similar approach is Jit (as a platform that orchestrates open source security tooling) and wants to support the projects integrated in the platform directly, to proactively ensure sustainability in the long term. The first step was to publicly partner with Zachary Rice and his very popular open source Gitleaks project (a tool for scanning repositories for any public-facing or hard-coded secrets), by supporting both the project and Zachary financially through paid work for important and much-needed project maintenance.
Keep Calm and Open Source
So if in 2019, there was a time of panic for open source advocates like myself, fearing the worst for open source and expecting it to start becoming a dying breed — we’re now seeing new innovation in this world. In the past few years, exciting new startups betting on open source at their core have sprouted up, like Docker Slim (doubling down on other dev-strong communities than just AWS and Kubernetes––Docker FTW!), as well as Treeverse, DagsHub, Startree, just to name a few.
All of these moves together have instilled in me a newfound hope for open source. Whether it’s the continued innovation through open source, the move to make the open source more consumable and secure for major industry players to be able to leverage these projects as best of breed, and especially the greater sense of ownership by industry players to support and sustain open source in the long-term. It’s clear that a lot of creative thinking went into the process, and it wasn’t left behind as “someone else’s problem.”
I’m looking forward to how this ultimately plays out in terms of the possibilities this will enable for the evolution of technology, as well as making open source more production-grade, accessible and secure for the entire industry.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Jit, Docker, Calm.
Amazon Web Services and MongoDB are sponsors of The New Stack.