Open Source Under Attack (FOSDEM 2020)

Open Source Under Attack (FOSDEM 2020)

Open Source is currently under attack via multiple angles, what can we do to ensure that the open source software commons many have built over the years continues to thrive and be sustained?

8ccf2bfccb6b570c4fae81e50dd80ed8?s=128

Chris Aniszczyk

February 02, 2020
Tweet

Transcript

  1. 1.

    Open Source Under Attack Chris Aniszczyk (@cra) Michael Cheng Max

    Sills How we, the OSI and others can defend it...
  2. 2.

    2 Agenda: 1. The Software Commons 2. The Attacks 3.

    The World Has Changed 4. Possible Solutions 5. Q&A
  3. 3.

    Free and open source software was recognized as a shared

    public good from the very beginning. Like trees or water. The intent of the GPL and early licenses was to protect and grow the commons by encouraging software consumers to also give back. When there were fewer consumers and less money riding on FOSS, this was an effective mechanism to protect the commons. The Software Commons 3
  4. 4.

    A ‘commons’ is any unregulated, shared good. It can be

    trees, water, animals, or shared software. As the economic incentives to exploit the commons grow, more people will exploit them absent intervention. No way around it. If mitigating self-regulation doesn’t match the growing benefits from exploiting the commons, the commons will disappear. The Software Commons 4
  5. 5.

    No one sees the problem until too many people start

    overfishing shared waters, or too many people consume FOSS without contributing back. It’s a key feature of unregulated shared public goods. Up until now, mutual agreement on ‘Open Source’ branding has been an effective self-regulating mechanism to prevent overfishing the software commons. But it’s become too lucrative to lie, so the system is breaking apart. We need stronger protections than best-effort self-enforcement. The Software Commons 5
  6. 6.

    Greenwashing hurts the environment by diverting resources that should go

    to environmental preservation, to private benefit. Openwashing and license switching hurts the public software commons by diverting resources and time (technical and financial investment) pledged for developing the commons, to private benefit. The Software Commons 6
  7. 7.

    “The Federal Trade Commission is pursuing compensation for consumers that

    could rise beyond $15bn, according to a lawsuit filed on Tuesday seeking the repayment of “ill-gotten monies”. The FTC alleges that VW systemically deceived customers over seven years with an advertising campaign promoting “clean diesel” vehicles that were in reality much dirtier than government rules permitted. VW has admitted to equipping up to 11m diesel-powered cars around the world with software that tricked regulators by reducing nitrogen oxide emissions only when pollution tests were under way.” 7 Clean Diesel!
  8. 8.

    8 Agenda: 1. The Software Commons 2. The Attacks 3.

    The World Has Changed 4. Possible Solutions 5. Q&A
  9. 9.

    9 1. The Attacks NEW, MISLEADING LICENSES OPEN CORE PROPRIETARY

    MASQUERADING AS OPEN SOURCE CREATES CONFUSION
  10. 11.

    11

  11. 12.

    12

  12. 13.

    13

  13. 15.

    Source Available Isn’t NEW… 2001! ▪ “Two specific shared source

    licenses are interpreted as free software and open source licenses by FSF and OSI. However, former OSI president Michael Tiemann considers the phrase "Shared Source" itself to be a marketing term created by Microsoft. He argues that it is "an insurgent term that distracts and dilutes the Open Source message by using similar-sounding terms and offering similar-sounding promises" https://en.wikipedia.org/wiki/Shared_Source_Initiative 15
  14. 16.

    16 More time spent trying to understand a license =

    Closer to a proprietary world BYOL (Bring Your Own Lawyer)
  15. 17.

    Death of Open Source: Proprietary Rises Again ▪ Trust is

    lost, Lawyers everywhere, Low Efficiency ▪ Free Software lives on but potential pool of converts shrinks 17
  16. 18.

    18 Agenda: 1. The Software Commons 2. The Attacks 3.

    The World Has Changed 4. Possible Solutions 5. Q&A
  17. 19.

    19

  18. 20.

    We now DEPEND on open source software... 2010 39% 2015

    78% 2020* 99% 20 Percentage of companies running open source software https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html
  19. 21.

    We have CHANGED how we build software 2017 36% 2018

    57% 2019 70% 21 Products are comprised of more open source vs proprietary https://tidelift.com/subscription/the-tidelift-guide-to-managed-open-source
  20. 22.

    “In 2019, 33 percent of the software in the WhiteSource

    data set relied on copyleft licenses while 67 per cent of the software favored a permissive open-source license, three percentage points more than in 2018. Rewind to 2012 and copyleft licenses could be found with 59 percent of projects while permissive licenses accompanied just 41 per cent.” 22 A More Permissive Commons
  21. 23.

    “After another record year of breaches, analysis of responses found

    that 3 in 10 organizations suspected or verified breaches stemming from vulnerabilities in open source components — a 55% increase over 2017, and 121% increase since 2014.” 23 Securing the Commons
  22. 24.

    24

  23. 26.

    VCs are expecting returns... However, there have been many successful

    open source companies… MongoDB, Elastic all have had great IPOs and success since then! 26
  24. 27.

    “Amazon’s behavior toward open source combined with lack of leadership

    from industry associations such as the Open Source Initiative (OSI) will stifle open-source innovation and make commercial open source less viable.” 27 Lack of Leadership?
  25. 29.

    AWS + Open Distro ▪ “Our intention is not to

    fork Elasticsearch, and we will be making contributions back to the Apache 2.0-licensed Elasticsearch upstream project as we develop add-on enhancements to the base open source software.” https://aws.amazon.com/blogs/opensource/keeping-open-source-open-open-distro-for-elasticsearch/ 29
  26. 30.

    MORE Open Products? ▪ YugaByte goes more open ▪ Competitive

    differentiation https://blog.yugabyte.com/why-we-changed-yugabyte-db-licensing-to-100-open-source 30
  27. 31.

    Chef: 100% Open!? ▪ Who needs Open Core? ▪ Retains

    trademarks ▪ If RHT can do it, why not us? 31
  28. 32.

    Clouds Strip Mining Open Source…? ▪ Revenue sharing with clouds!?

    ▪ Google: 7 open source partners ▪ ApsaraDB: Alibaba + MariaDB 32
  29. 33.

    33 Agenda: 1. The Software Commons 2. The Attacks 3.

    The World Has Changed 4. Possible Solutions 5. Q&A
  30. 35.

    35

  31. 36.

    Government Regulation 36 ▪ Legislation - Deceptive Marketing □ OSI

    or whoever could sue ▪ Independent Commission / Regulatory Body - EU ▪ Regulating open source branding (greenwashing)
  32. 39.
  33. 40.

    40

  34. 41.

    41

  35. 42.

    Open Core is the 1st Fork. More will come. ▪

    Before: Open source principally created and driven by individuals ▪ Now: Open source now consumed and created by individuals, corporations, governments and everyone ▪ In open source, stakeholders without representation will inevitably fork ▪ Expand governance to included more stakeholders 42
  36. 43.

    Call out Proprietary ▪ Control narrative by calling out: □

    proprietary □ source available licenses □ unclear licenses ▪ OSI License Proliferation Report but for Source Available? ▪ Not just reports, but active intervention 43
  37. 44.

    New Certification Program 1. Could be “OSI Approved” or any

    name that closely attributes the source of origin as the OSI. 2. Use certification to communicate and possibly moderate other community norms 3. Like driver’s education, training could be a path to redemption for violators 44
  38. 45.

    Transition + Fund OSI away from volunteerism ▪ The OSI

    is primarily run by amazing individual volunteers which leads to overwork; they should transition away from volunteerism to a hiring more full time staff ▪ OSI should structure and accelerate initiatives in giving companies and governments a formal voice; could spur more funding 45
  39. 46.

    Create Sustainable Open Source Index / Certification ▪ Public shaming

    indexes work over time… □ HRC Corporate Equality Index ▪ Sustainable certifications… for companies? projects? □ LEED for greener buildings □ B Corporations for social and environmental good 46
  40. 48.

    Corporate Sustainability Includes Open Source ▪ Corporate Social/Sustainability initiatives are

    ~30 years old and popular at large companies and drive change □ https://www.microsoft.com/en-us/corporate-responsibility □ https://sustainability.ups.com/sustainability-reporting/ □ https://www.microsoft.com/en-us/corporate-responsibility/privacy ▪ Include open source in Global Reporting Initiative (GRI) standards: https://www.globalreporting.org/standards 48
  41. 49.

    Conclusion ▪ Open source has changed the last decade from

    less hobbyist and niche business to pervasive across our lives ▪ OSI should accelerate initiatives involving companies ▪ There is no “one solution” just as there isn’t one solution and organization for corporate sustainability or climate change, let’s all work together ▪ Fund OSI: https://opensource.org/donate 49
  42. 50.

    50 Agenda: 1. The Software Commons 2. The Attacks 3.

    The World Has Changed 4. Possible Solutions 5. Q&A