
Open source at 20: The ubiquity of shared code


“Why is open source important? That’s like asking why is gravity important,” stated Brian Behlendorf, a leading figure in the open-source software movement, and executive director for the blockchain consortium Hyperledger.

While this year marks the 20th anniversary of open source, it is hard to imagine a time before open-source software. Today, it’s difficult to find a solution or piece of software that was created without some open-source components.

According to Behlendorf, the largest companies out there including Amazon, Google and Facebook, would not be possible if it wasn’t for open source, or if it was possible, their solutions would be much more expensive.

“Today, open source is the assumed default for any new software development,” said Simon Phipps, president of the Open Source Initiative (OSI). “Having the freedom to meet your own needs with software collaboratively with a community is the best way of dealing with large complex systems in large complex stacks, and consequently everyone is doing that. Everyone would rather work in an open-source environment than try to replicate the attributes of the open-source environment in a proprietary space.”

Behlendorf recalls first being attracted to the open-source space because he didn’t really trust his own coding abilities, and the idea that there were other developers out there willing to read his code and help him fix it was a “godsend.” “For many people who became programmers after the ‘90s, working publicly, pulling down open-source code, sharing improvements back if you made any or even taking your work and releasing it publicly became the default. It was what was expected,” he said.

However, being able to share and collaborate openly on software wasn’t always possible. OSI’s vice president VM Brasseur describes the early days as the “wild west” where programmers were building tools for programmers, driven by the philosophical belief that “sharing is good and right.”

According to Brian Fox, CTO of Sonatype, there were no campfires in the beginning. There were no places for developers to come together except for forums, and even with forums it was really hard to share code. It took the release of solutions like SourceForge, and later GitHub, to really make open-source software more accessible, Fox explained. “GitHub has made it super easy for people to fork your stuff and contribute your code back in pull requests. That was one of the major innovations GitHub provided,” he said. “Prior to that, it was a lot of work for a committer to be able to take a patch from someone else and merge it into the codebase.”

The start of “open source” began around 1998, when OSI’s Phipps says the company Netscape came along with plans to release its browser code under a free software license. Instead of going for the GPL, the company created a new license, which became known as the Mozilla project license. “It became obvious that there was a big slice of this software freedom movement that was unrepresented. Tied up with that was a difficulty in talking about it because the words the movement used to talk about it up to that point were confusing. When you hear the word free, you assume it doesn’t cost anything,” he said.

So, in 1998, a group of people got together and decided to reframe the software freedom movement in a way that would allow people to quickly understand what it was about, and would allow businesses to embrace it without needing to engage in a complicated debate about ethics, Phipps explained. Out of that, came the decision to use the term open source.

“The introduction of the term ‘open-source software’ was a deliberate effort to make this field of endeavor more understandable to newcomers and to business, which was viewed as necessary to its spread to a broader community of users,” Christine Peterson, who is known for coining the term open source, wrote in a February blog post retelling the story. According to OSI’s Phipps, the term open source had already been commonly used in the industry at that point, but really took off when Peterson and Todd Anderson began using the term at a meeting at VA Research. Weeks later, the term was picked up by Tim O’Reilly, who renamed his Freeware Summit to Open Source Summit, and it also began to be used by Netscape.

“For the name to succeed, it was necessary, or at least highly desirable, that Tim O’Reilly agree and actively use it in his many projects on behalf of the community. Also helpful would be use of the term in the upcoming official release of the Netscape Navigator code. By late February, both O’Reilly & Associates and Netscape had started to use the term,” Peterson wrote.

As the months went by, open source’s popularity only continued to grow, to the point where today we can’t imagine not using the term — or the code.

“A quick Google search indicates that ‘open source’ appears more often than ‘free software,’ but there still is substantial use of the free software term, which remains useful and should be included when communicating with audiences who prefer it,” Peterson wrote.

After the term was coined, the industry felt there needed to be an organization put in place that would act as a steward of the term, and thus the Open Source Initiative was formed. “The Open Source Initiative (OSI) is a non-profit corporation with global scope formed to educate about and advocate for the benefits of open source and to build bridges among different constituencies in the open source community,” the OSI wrote on its website. “Open source enables a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is higher quality, better reliability, greater flexibility, lower cost, and an end to predatory vendor lock-in.”

Open-source software vs free software
According to OSI’s Phipps, the history of software freedom dates back a lot further than 20 years ago, and Richard Stallman was one of the first people who started the free software movement with the GNU project in 1983, which resulted in the GNU public license.

“Without the genius insight of Richard Stallman (aka RMS) that existing copyright and licensing mechanisms could be leveraged to enable the distribution and sharing of software—freely and openly—none of us would be here talking about this today. There would have been no open source software history without the work of GNU, FSF, GNOME, and others. All of software development owes them a huge debt,” said OSI’s Brasseur.

Today, Stallman is the president of the Free Software Foundation, and while he is a significant figure in this space, Stallman does not agree with the term open-source software. According to Stallman, open source is a term that was adopted in 1998 by people who reject the free software movement’s philosophy.

“When we call software ‘free,’ we mean that it respects the users’ essential freedoms: the freedom to run it, to study and change it, and to redistribute copies with or without changes. This is a matter of freedom, not price, so think of ‘free speech,’ not ‘free beer,’” Stallman wrote in a post.

He explained that the term open source “misses the point.” While open source was created as a marketing campaign for free software, along the way the meaning has transformed.

“The term ‘open source’ quickly became associated with ideas and arguments based only on practical values, such as making or having powerful, reliable software. Most of the supporters of open source have come to it since then, and they make the same association,” he wrote. “The two terms describe almost the same category of software, but they stand for views based on fundamentally different values. Open source is a development methodology; free software is a social movement. For the free software movement, free software is an ethical imperative, essential respect for the users’ freedom. By contrast, the philosophy of open source considers issues in terms of how to make software ‘better’—in a practical sense only. It says that nonfree software is an inferior solution to the practical problem at hand.”

OSI’s Phipps believes open-source software and free software have the same meaning or purpose, they are just articulated in different ways according to the preference of the organization and the people who are articulating it. Phipps explained that the term open source was only created as a marketing program for free software. “A discussion about a philosophy doesn’t often get very far with a business, so people who are talking about open source tend to lead with the benefits of having the freedoms,” he said.

But Stallman disagrees. According to Stallman, the term open source was meant to remove the ethical language because it made businesses and people “uneasy.”

“When open source proponents talk about anything deeper than that, it is usually the idea of making a ‘gift’ of source code to humanity. Presenting this as a special good deed, beyond what is morally required, presumes that distributing proprietary software without source code is morally legitimate,” he wrote. “The philosophy of open source, with its purely practical values, impedes understanding of the deeper ideas of free software; it brings many people into our community, but does not teach them to defend it. That is good, as far as it goes, but it is not enough to make freedom secure. Attracting users to free software takes them just part of the way to becoming defenders of their own freedom.”

OSI believes open source means more than just access to source code. In order to be considered open source, a license must comply with 10 criteria:

Free redistribution
Source code
Derived works
Integrity of the author’s source code
No discrimination against persons or groups
No discrimination against fields of endeavor
Distribution of license
License must not be specific to a product
License must not restrict other software
License must be technology-neutral.

The tipping point for enterprise adoption
The coining of the term open source was meant to pave the path for businesses to adopt free and open-source software, but businesses didn’t travel there overnight.

In 2001, Steve Ballmer, CEO of Microsoft at the time, described the open-source operating system Linux as a cancer. “Linux is a cancer that attaches itself in an intellectual property sense to everything it touches,” he said in 2001. Of course, since then Ballmer has changed his stance now that he no longer sees Linux as a threat. Microsoft has also embraced open source, and is now one of its biggest contributors. The company recently announced the acquisition of GitHub for US$7.5 billion.

“Open source has gone from something that was almost anti-company to something that really got embraced by businesses. Open source really set the standard for how you can more effectively work together, and companies are now embracing that way of working as well,” said Sid Sijbrandij, CEO of GitLab. “Over time, all the concerns with licenses and how to work together with the community got better, and as a result it got more popular.”

In spite of that, OSI’s Brasseur thinks most businesses still haven’t realized the importance of open source.

“I’ve seen companies shut down their open-source programs. I’ve seen companies swear they don’t use any open-source software and then seen the stunned looks on their faces when they’re shown how much of their stack is free and open-source software. I’ve seen companies release faux open source, either by throwing unlicensed and unsupported projects over the wall and calling them ‘open source’ or by releasing them under proprietary licenses and claiming they’re ‘open source’ when at best they may be ‘source available,’ ” she said.

She does admit that there has been an explosion of corporate involvement, contribution and sponsorship.

For Hyperledger’s Behlendorf, the tipping point for businesses to realize the benefits was in the late ‘90s when the Netcraft web server service conducted a survey asking about the web servers businesses were running. “That survey was this compelling visual indication of the prominence of the Apache Web Server,” he said. “It is still the main web server running on the majority of active websites on the Internet today.” Behlendorf explained that this was the first time the non-technical audience could visualize that there was something important happening here.

In addition, Behlendorf said he was approached by IBM in the late ‘90s. IBM said it recognized something was happening in the Apache world, and wanted to be a part of it. This interest was borne from a survey IBM reportedly conducted amongst their Fortune 100 customers. The company asked the CIOs of each of those companies how many were using Linux or other open-source software in their infrastructure. While only a handful of CIOs reported they were using it, when the company repeated the same question to technical managers and system admins at a lower level who worked closer to the code, a majority reported using Linux or open-source technologies. “It was an indicator that there was commercial opportunity, not just interesting curiosity,” Behlendorf said.

GitLab’s Sijbrandij agreed with Behlendorf that IBM’s embrace of the Apache Web Server was momentous at the time. “It was one of the most respected brands, and they were adopting this open-source project,” he said. Sijbrandij also gives Oracle’s acquisition of MySQL and Google’s release of Kubernetes credit to bringing the open-source movement to enterprises.

Sonatype’s Fox believes the tipping point happened when build systems made it possible to consume open source.

However, OSI’s Phipps says the transition to enterprise adoption has been more of a gradient than a tipping point. “I think people gradually understood the value of using software where many people are collaborating around it,” he said. “What tends to swing things for people is when they realize that open source isn’t about giving everything away, but actually it is an alternative way of investing your intellectual property.”

The state of open source
Today, you would be hard-pressed to find a solution that doesn’t contain some form of open-source software. Forrester and Gartner have reported 80 to 90 percent of commercial software developers use open-source components within their solutions.

“Nowadays, if you started a project, it would be unthinkable for you to decide you were going to build everything from the ground up and start with that massive investment,” said OSI’s Phipps.

Open source is everywhere, Behlendorf stated. It is about empowerment and giving the community the tools to create economic value. “Proprietary code still has a place, but it now has to justify its existence rather than the other way around,” he said.

Closed-source software is starting to become frustrating, according to GitLab’s Sijbrandij. If you find a bug in closed-source software, you can’t solve it. You don’t have a way to access it. “It is like driving a car where you can’t open the hood. That is super frustrating because if you want to fix a bug or add new wiper fluid, and you can’t if it is closed. No one would accept a car like that, and developers are starting to reject software that is made like that,” he said.

What we are seeing now is that collaborative innovation is working, said OSI’s Phipps. “We have seen Google and Facebook bring themselves into existence with layers of open source. We have seen millions of startups being able to get going because they are able to install Linux, run Apache Server, run Apache Tomcat and use open source to their advantage.”

Now that it is the default, the next question to ask is where is it going. “We have all the freedom we need in place, so now we have the luxury of being able to ask meta questions about governance, continuous improvement, safety and so on,” said Phipps.

Despite all the progress the open-source space has made, OSI’s Brasseur explained there is still plenty of room to grow. While the approach of “by programmers for programmers” has gotten open-source software this far, to keep the momentum going, Brasseur said we need to shift to the idea of “by programmers for others.” “The usability, accessibility, and documentation of most FOSS projects are in such a state as to be entirely out of reach of people who don’t spend their lives steeped in technology and software development. We’re not going to further the missions of free and open source software if we can’t start developing software that reaches out to a new market of users and, most importantly, meets them where they are rather than expecting them to read code, edit config files, or open up a terminal just to perform basic tasks,” she said.

Brasseur says we are moving to FOSS v3.0, where free and open source has evolved into “Business As Usual.” Version 2.0 was the launch of the open-source definition, and version 1.0 was the dawn of free software, she explained. As we move towards version 3.0, we have to be mindful of how open-source software communities are going to work with corporations, and not lose sight of open source’s mission and bigger picture, Brasseur explained.

Open source: It’s a matter of trust, and concern
One of the biggest concerns in the open-source world is whether or not users can trust the security of the project. Over the years, the dedication of developers, companies and organizations like the Core Infrastructure Initiative looking to support projects has dissipated this fear, but concerns still remain.

GitHub’s 2017 Open Source Survey revealed 86 percent of respondents find security a top concern.

While public open-source typically implies there are more eyes looking at the code, it doesn’t imply that it is more secure, according to Guy Podjarny, CEO of Snyk. The open-source projects backed by foundations or corporations tend to be very good from a security perspective, but there are still smaller open-source projects out there backed by individuals or a group of developers who aren’t as well-equipped to maintain security.

In Snyk’s 2017 State of Open Source Security report, the company found open-source library vulnerabilities increased by 53.8 percent in 2016, the mean time from disclosure to a fix being released is 16 days, 79.5 percent of maintainers don’t have a public-facing disclosure policy in place, and of 433,000 sites tested, 77 percent have at least one client-side JavaScript library with a known security vulnerability. “The open source landscape is massive and only getting more diverse. The overall security of open source is an important measuring stick. We need to know where we stand today to know what we can do better,” the report stated.

Forty-three percent of Snyk respondents stated they never audit their code, and 75 percent of vulnerabilities are not discovered by the maintainer.

According to the report, the lifecycle of open-source security should include: discovering vulnerabilities, releasing fixes, notifying users and adopting published fixes. “It’s clear we have some room for improvement, but it’s also clear we have a lot of opportunities to do so. It’s easy to see that maintainers are eager to make their projects more secure and that users want to make security a priority in their open-source consumption. It’s just a matter of ironing out the wrinkles a bit,” the report stated.

Some tips on maintaining and improving the security of open-source code include having a public-facing disclosure policy, running regular audits and security checks, and making it clear to users that you care about security. If you use open-source code, Snyk says you should check for any known vulnerabilities in third-party components, contribute back to the community, and report vulnerabilities as responsibly as possible.
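The lifecycle described above (discover, fix, notify, adopt) and the advice to check third-party components for known vulnerabilities both come down to the same routine check on the consumer side: compare the versions you have pinned against published advisories and flag anything in an affected range. The script below is an added example written for this article; it is not code from Snyk or from any project quoted here. The component list, the advisory entries and their identifiers are constructed for the example (a real check would pull advisories from a vulnerability database), and the version comparison assumes plain dotted numeric versions.

```python
"""Flag pinned third-party components that fall inside a known-vulnerable
version range. All package names, versions and advisory IDs below are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of a project's pinned dependency list
# (requirements.txt style: one "name==version" per line, '#' comments allowed).
REQUIREMENTS = """
webframework==2.3.1
imagelib==1.0.4      # pinned for reproducible builds
templater==0.9.0
"""


@dataclass
class Advisory:
    advisory_id: str           # placeholder ID, not a real CVE
    package: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet
    summary: str


# Constructed advisories standing in for a real vulnerability feed.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-0001", "webframework", "2.0.0", "2.3.2", "request smuggling"),
    Advisory("EXAMPLE-0002", "imagelib", "1.0.0", None, "out-of-bounds read"),
    Advisory("EXAMPLE-0003", "templater", "1.0.0", "1.1.0", "template injection"),
    Advisory("EXAMPLE-0004", "otherlib", "0.1.0", "0.2.0", "unused here"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so ranges compare numerically, not as text
    ('2.10.0' must sort after '2.9.0')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed); an advisory with no fix
    affects every version from 'introduced' onward."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Map lowercase package name to pinned version. An unpinned line is an
    error: without an exact version there is nothing to compare against."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: Dict[str, str], advisories: List[Advisory]):
    """Return (advisory_id, package, pinned, fixed, summary) for each hit.
    'fixed' is None when no patched release exists yet, which is the case a
    consumer has to track rather than simply upgrade."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.advisory_id, adv.package, pinned, adv.fixed, adv.summary))
    return findings


if __name__ == "__main__":
    for aid, pkg, pinned, fixed, summary in find_vulnerable(
        parse_requirements(REQUIREMENTS), ADVISORIES
    ):
        action = f"upgrade to >= {fixed}" if fixed else "no fix published; track upstream"
        print(f"{aid}: {pkg}=={pinned} ({summary}) -> {action}")
```

Run as a script it prints one line per affected component; the same functions can be dropped into a CI step that fails the build when `find_vulnerable` returns anything, which is the "adopting published fixes" stage of the lifecycle made mechanical.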

“Security is a complicated beast, and developers are not security experts. Open source is a very high-scale problem. We need the tooling and ecosystem to better cater to the open-source community,” said Podjarny.

In addition, Brian Fox, CTO of Sonatype, says users need to be aware that the bar to producing open-source software has been significantly reduced, as has the bar for people paying attention. The next generation of publishers need to think about how their choices are going to potentially impact consumers. “There is a magnifying effect that you can write something and people can use it, and that is awesome, but what is not awesome is if you write something and everyone gets hacked or in extreme cases people potentially die because systems crash because of a careless developer.”

“Most of them aren’t setting out to do it on purpose, but they are equally not thinking about the unintended consequences of the things they do,” he added.

When developing open-source software, Fox suggests developers think about their choices as if they are protecting millions of people, because as a producer of open-source software that is essentially what is happening.

“Generally, it is good that we are able to share and reuse work without having to keep solving the same problem over and over again. I think we just have to get more mature in how we manage it. Then we will be able to really recognize the benefits of it without unmitigated downside,” he said.

When corporates swoop in
The enterprise is not only embracing open source, but it is becoming more involved in the community today. Every day you see companies either releasing open-source software, contributing to a project, or even taking over a project. But you also see companies acquiring or starting to work on a project to benefit their own solutions and vision.

For instance, Microsoft recently announced it acquired GitHub, the web-based hosting service that is home to many open-source software projects. While GitHub itself isn’t an open-source software project, there are fears that come along when a corporate company buys an open-source related company. Some fear that “they merge that into an existing solution from them, caring more about what their corporate customers want, rather than the open source community in general,” said Martin Gontovnikas, vice president of marketing and growth at Auth0.

Gontovnikas says as long as Microsoft keeps GitHub separate, there should not be anything to worry about. “Microsoft’s decision to keep Github separate with Xamarin’s CEO as the new CEO is a very smart idea. They’re showing from the get-go that they won’t ‘corporatize’ Github, or at least it doesn’t seem so,” he added.

Jim Zemlin, executive director at the Linux Foundation, believes Microsoft’s acquisition of GitHub is good news for the open-source world, and should be celebrated. “Should the open source community be concerned? Probably not. Buying GitHub does not mean Microsoft has engaged in some sinister plot to ‘own’ the more than 70 million open-source projects on GitHub. Most of the important projects on GitHub are licensed under an open-source license, which addresses intellectual property ownership. The trademark and other IP assets are often owned by a non-profit like the Linux Foundation… And let’s be quite clear – the hearts and minds of developers are not something one ‘buys’ – they are something one ‘earns,’ ” Zemlin wrote in a post.

OSI’s president Simon Phipps believes the fear developers have of corporate takeover of open-source projects is more of a conspiracy theory. “Obviously a company is not going to harm themselves. There are benefits that accrue to them, and that’s shared maintenance and external innovation,” he said.

When a corporate company steps into an open-source project, it is important that it remains transparent about future plans and goals, according to Mik Kersten, CEO and co-founder of Tasktop.

“In my experience the effect of a corporate entity taking over an open-source project depends most on the business model of an entity. If there is a high degree of alignment with continuing the project and supporting its community, it can work. Typically this means the business can monetize the open-source user base either directly or indirectly. If there is a lack of alignment, the project can quickly see staff cut from it and start to decline. I’ve lived examples of both, and the best suggestion I have is to be clear to the community about where the project is headed and why,” Kersten said.

It’s not just being transparent about the code, Sid Sijbrandij, CEO of GitLab, added. It is about being transparent about the decision process, the roadmap, what is going well, and what isn’t going well.

Tasktop’s Kersten created the open-source Eclipse Mylyn project, a task and ALM framework for Eclipse. According to Kersten, one of the reasons he made Mylyn open source was to make it easier to get contributions from the community. Kersten decided to move Mylyn to the Eclipse Foundation because he believed it could help him have a bigger impact on developer productivity.

According to Kersten, when corporate takes over, developers need to look at how the open-source project is going to be structured going forward, what the governance model for the project looks like, and the licenses and contributor license agreement. “Once a company or even an individual gets more serious about embracing an open-source project, it becomes very important to ask questions because it will determine what happens or give you a sense for what will happen with a course of the project in the future,” he said. “For me, I try to distinguish whether the project is open source, which means the source code is available, or it is actually openly developed, which means it is very easy for an individual or company to start contributing to the project.”

While Brian Behlendorf, executive director for the blockchain consortium Hyperledger, hasn’t seen any examples of a corporate company taking over a project and trying to force developers to do things, there are times where a company comes in and ends up prioritizing the kinds of things they find important. “The bigger risk is generally more of where you have an open-source project. If a majority of the developers work for a particular company, then it is harder to ensure that the door is open,” he said. “Ideally, what you are trying to do is get this perpetual motion machine going and tell the world that this is a community project.”

The harder question to answer is whether or not a project will outlast a developer or company. Efforts like the Linux Foundation and Apache Software Foundation aim to help projects exist and grow into multi-stakeholder projects, Behlendorf explained.