Concerns Over the Future of Open Source? Much Ado About Nothing
In my role as an open source advocate and evangelist, I constantly talk about the benefits of open source software, the latest open source innovations, and how to promote open source strategies within organizations. I’m constantly talking to customers and executives who try to keep up to date by reading and watching industry news. Of course, the bigger the news, the more questions I get about certain topics.
In today’s world of quick headlines and short attention spans, we frequently encounter discussions concerning the future of open source software. Certain themes tend to resurface from time to time, and although discussions wind down after a couple of weeks, it seems like we are caught in a cycle of recurring debates. Regrettably, there are many opportunistic and misguided news stories about open source software that cast a negative shadow on its future.
With this blog, I want to cover many of the questions I’ve been receiving. The recurring concerns over the future of open source software can be summarized in two categories: security risks, and license changes away from the definition of open source.
Short History of Non-Open Source Licenses
To kick things off, let’s start with open source license changes, or specifically, moving from open source licenses to non-open source licenses. The most recent news was about HashiCorp’s decision to move its popular open source projects, including Terraform, Consul, and Vault, to the Business Source License (BUSL), a “source available” license that prohibits commercialization; in simpler terms, it prohibits activities such as reselling the software, offering it as a service, or bundling it with commercial software.
Alarmist news and clickbait articles regarding the future of open source licensing come and go each time a well-known company such as HashiCorp changes licenses. This is nothing new, and at the same time it involves a small minority of cases and a fraction of all the open source software out there.
Let’s recall a few other instances where we witnessed the same narrative and doomsday predictions about the future of open source software. In 2021, Elastic, the company behind open source projects like Elasticsearch, Logstash, and Kibana, moved away from the Apache 2.0 license (APLv2) in favor of the Server Side Public License (SSPL) and its own new Elastic License, which restricts anyone who wants to commercialize hosting those projects in the cloud. Elastic justified the decision as a measure to safeguard its investments and business interests, particularly from AWS. Elastic, like HashiCorp now, was criticized for taking advantage of the work of hundreds of contributors who had allowed Elastic to distribute their work without restrictions. Others perceived this development as indicative of a broader trend and the demise of open source software as we know it.
Elastic’s decision became old news quickly, and, of course, similar talking points are now being used on the HashiCorp decision, which goes beyond the SSPL: the BUSL allows distribution but prohibits commercialization entirely, not just in cloud-hosted environments.
Once again, it is not the end of open source as we know it, and companies driving open source projects are not rushing to change their licenses to “protect” their investments. The immediate consequence was significant backlash and criticism of HashiCorp, and it is likely that its business will be affected by the appearance of a Terraform fork, OpenTofu, a new open source alternative that is now part of the Linux Foundation.
In 2018, MongoDB made the change from the open source AGPL 3.0 to the SSPL. Following that, in 2019, Cockroach Labs shifted CockroachDB from the APLv2 to the BUSL. Subsequently, in 2021, Couchbase made a similar move from the Apache license to the same BUSL v1.1 license that HashiCorp has now adopted. It’s worth noting that none of Elastic, Couchbase, MongoDB, or the others created a trend or brought about the demise of open source software. In reality, only a handful of organizations have made such transitions, primarily motivated by investor pressure. HashiCorp’s recent decision may have generated substantial attention for a few days, perhaps weeks, but it is not going to alter the overall trajectory of the open source software landscape.
Open Source or Non-Open Source License Selection
Large companies and startups are thriving by leveraging and building open source software, both consuming and developing in the open more than ever before. If organizations don’t want backlash and the loss of contributors and customers, they should be upfront in their selection of licenses from the start. Changing a license from open source to a non-open source one after significant contributions and trust have been invested in a project leads to negative publicity, damaging the organization’s reputation as well as the broader open source landscape.
Confluent is another example worth highlighting. Confluent commercializes Apache Kafka, which remains under the Apache license as a project of the Apache Software Foundation. However, the extra features that Confluent offers are not open source software; they are released under the Confluent Community License, which is very similar to the SSPL: those components are source available, but hosting them on a SaaS, PaaS, IaaS, or similar cloud service that competes with Confluent is prohibited. There is nothing wrong with this when companies are transparent about their licenses from the start and don’t mislead customers.
It is very important to educate everyone within the industry on distinguishing source available licenses from genuine open source licenses. It’s critical not to be misled by marketing that mislabels source available software as open source. Similar messaging is now happening with some AI large language models that are wrongly called open source.
I always recommend that people familiarize themselves with the Open Source Initiative (OSI) and the open source definition. When in doubt, identify OSI-approved licenses. A clearly defined open source license paves the way for both contributors and users.
Critical Open Source Vulnerabilities and the Best of Open Source
The other major concern regarding the future of open source centers on security. This concern escalates every time there is news about a critical zero-day vulnerability impacting many open source packages used in thousands of IT environments and applications. How frequently have we experienced such critical vulnerabilities? In reality, not very often: Heartbleed and Shellshock in 2014, WannaCry in 2017 (not open source, but a critical Windows exploit), Apache Struts in 2017, Drupalgeddon in 2014 and then again in 2018, and the most recent, now almost two years ago, Log4Shell in November of 2021.
The impact of those major vulnerabilities has been significant and, at the same time, unquantifiable, because not all companies disclose their cyber-attacks. Those are the major ones, and there are frequent exploits of other vulnerabilities (open or closed source). However, on the positive side of those critical vulnerabilities, we have witnessed the best of open source. Maintainers, committers, and contributors have reacted immediately and worked tirelessly, in most cases for free, to fix those and many more high-severity vulnerabilities. CVE disclosures are at an all-time high, and that’s a positive trend. In most cases, when a vulnerability is disclosed, the fix is provided with it, benefiting everyone. I strongly encourage open source developers to report vulnerabilities along with remediation; it’s then up to the organizations to ensure they deploy the latest releases and patches.
Those major vulnerabilities have created more awareness in organizations and have increased the usage of security tooling, including scanners and software composition analysis tools. Government and technology companies are creating and funding initiatives to improve the security of open source software. The Open Source Security Foundation (OpenSSF) is driving the Open Source Software Mobilization Plan, with 10 streams of work that are already having a significant impact. More and more organizations are deploying timely patches, generating software bills of materials, and addressing end-of-life open source software. This is a positive trajectory for the overall open source landscape.
No, the concerns regarding open source security will not radically change open source or compel organizations to exclusively adopt proprietary software. That ship has already sailed, as all software uses open source software. Organizations are using open source software because that’s where the latest technologies and innovations are happening. Both the license changes and the security incidents have resulted in more, and safer, software. There are no concerns over the future of open source, so be careful with bleak news; it’s much ado about nothing.
Chief Evangelist | Open Source & Cybersecurity Advocate | Ransomware Incident Response | Tech Marketing | Product Marketing | Product Management | Technologist | Speaker | Blogger | Author | Strategy | Ex-Red Hat, Ex-IBM
1y · MongoDB avoided a fork because it did not have a large community of non-MongoDB employees and because it already had a restrictive license, AGPL.
foss dood
1y · Great work, Javier. You’re a true open source advocate, and it is a pleasure to work alongside you.
Chief Evangelist | Open Source & Cybersecurity Advocate | Ransomware Incident Response | Tech Marketing | Product Marketing | Product Management | Technologist | Speaker | Blogger | Author | Strategy | Ex-Red Hat, Ex-IBM
1y · One of the beauties of open source is that if you don’t like a community or a company that changes licenses, you can always fork the project and take it in another direction.