Slide 1

Open Source Under Attack: How we, the OSI and others can defend it...
Chris Aniszczyk (@cra), Michael Cheng, Max Sills

Slide 2

Agenda:
1. The Software Commons
2. The Attacks
3. The World Has Changed
4. Possible Solutions
5. Q&A

Slide 3

The Software Commons
Free and open source software was recognized as a shared public good from the very beginning, like trees or water. The intent of the GPL and early licenses was to protect and grow the commons by encouraging software consumers to also give back. When there were fewer consumers and less money riding on FOSS, this was an effective mechanism to protect the commons.

Slide 4

The Software Commons
A ‘commons’ is any unregulated, shared good. It can be trees, water, animals, or shared software. As the economic incentives to exploit the commons grow, more people will exploit them absent intervention. There is no way around it. If mitigating self-regulation doesn’t keep pace with the growing benefits of exploiting the commons, the commons will disappear.

Slide 5

The Software Commons
No one sees the problem until too many people start overfishing shared waters, or too many people consume FOSS without contributing back. It’s a key feature of unregulated shared public goods. Up until now, mutual agreement on ‘Open Source’ branding has been an effective self-regulating mechanism to prevent overfishing the software commons. But it has become too lucrative to lie, so the system is breaking apart. We need stronger protections than best-effort self-enforcement.

Slide 6

The Software Commons
Greenwashing hurts the environment by diverting resources that should go to environmental preservation to private benefit. Openwashing and license switching hurt the public software commons by diverting resources and time (technical and financial investment) pledged for developing the commons to private benefit.

Slide 7

Clean Diesel!
“The Federal Trade Commission is pursuing compensation for consumers that could rise beyond $15bn, according to a lawsuit filed on Tuesday seeking the repayment of “ill-gotten monies”. The FTC alleges that VW systemically deceived customers over seven years with an advertising campaign promoting “clean diesel” vehicles that were in reality much dirtier than government rules permitted. VW has admitted to equipping up to 11m diesel-powered cars around the world with software that tricked regulators by reducing nitrogen oxide emissions only when pollution tests were under way.”

Slide 8

Agenda (section divider): 2. The Attacks

Slide 9

The Attacks
▪ New, misleading licenses
▪ Open core
▪ Proprietary masquerading as open source
All of these create confusion.

Slide 10

This confusion erodes the commons of goodwill and trust: efficiency and community.


Slide 14

Examples of the new licenses:
▪ Server-Side Public License
▪ Commons Clause
▪ Confluent Community License

Slide 15

Source Available Isn’t NEW… 2001!
▪ “Two specific shared source licenses are interpreted as free software and open source licenses by FSF and OSI. However, former OSI president Michael Tiemann considers the phrase "Shared Source" itself to be a marketing term created by Microsoft. He argues that it is "an insurgent term that distracts and dilutes the Open Source message by using similar-sounding terms and offering similar-sounding promises".”
Source: https://en.wikipedia.org/wiki/Shared_Source_Initiative

Slide 16

More time spent trying to understand a license = closer to a proprietary world.
BYOL (Bring Your Own Lawyer)

Slide 17

Death of Open Source: Proprietary Rises Again
▪ Trust is lost, lawyers everywhere, low efficiency
▪ Free Software lives on, but the potential pool of converts shrinks

Slide 18

Agenda (section divider): 3. The World Has Changed


Slide 20

We now DEPEND on open source software...
Percentage of companies running open source software:
▪ 2010: 39%
▪ 2015: 78%
▪ 2020*: 99%
Source: https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html

Slide 21

We have CHANGED how we build software
Share of products composed of more open source than proprietary code:
▪ 2017: 36%
▪ 2018: 57%
▪ 2019: 70%
Source: https://tidelift.com/subscription/the-tidelift-guide-to-managed-open-source

Slide 22

A More Permissive Commons
“In 2019, 33 percent of the software in the WhiteSource data set relied on copyleft licenses while 67 percent of the software favored a permissive open-source license, three percentage points more than in 2018. Rewind to 2012 and copyleft licenses could be found with 59 percent of projects while permissive licenses accompanied just 41 percent.”

Slide 23

Securing the Commons
“After another record year of breaches, analysis of responses found that 3 in 10 organizations suspected or verified breaches stemming from vulnerabilities in open source components — a 55% increase over 2017, and 121% increase since 2014.”


Slide 25

$140B+ valuation of commercial open source companies...
Source: oss.cash

Slide 26

VCs are expecting returns... However, there have been many successful open source companies: MongoDB and Elastic both had strong IPOs and have continued to succeed since.

Slide 27

Lack of Leadership?
“Amazon’s behavior toward open source combined with lack of leadership from industry associations such as the Open Source Initiative (OSI) will stifle open-source innovation and make commercial open source less viable.”

Slide 28

Source Available Side Effects... “Open Distro for ”

Slide 29

AWS + Open Distro
▪ “Our intention is not to fork Elasticsearch, and we will be making contributions back to the Apache 2.0-licensed Elasticsearch upstream project as we develop add-on enhancements to the base open source software.”
Source: https://aws.amazon.com/blogs/opensource/keeping-open-source-open-open-distro-for-elasticsearch/

Slide 30

MORE Open Products?
▪ YugaByte goes more open
▪ Competitive differentiation
Source: https://blog.yugabyte.com/why-we-changed-yugabyte-db-licensing-to-100-open-source

Slide 31

Chef: 100% Open!?
▪ Who needs Open Core?
▪ Retains trademarks
▪ If RHT (Red Hat) can do it, why not us?

Slide 32

Clouds Strip Mining Open Source…?
▪ Revenue sharing with clouds!?
▪ Google: 7 open source partners
▪ ApsaraDB: Alibaba + MariaDB

Slide 33

Agenda (section divider): 4. Possible Solutions

Slide 34

Possible Solutions
● Public Sector
● OSI
● Private Sector


Slide 36

Government Regulation
▪ Legislation against deceptive marketing
  □ The OSI, or whoever, could sue
▪ Independent commission / regulatory body (EU)
▪ Regulating open source branding (as with greenwashing)

Slide 37

Unfair Competition & Deceptive Trade Practices

Slide 38

Certification Marks

Slide 39

OSI


Slide 42

Open Core is the 1st Fork. More will come.
▪ Before: open source was principally created and driven by individuals
▪ Now: open source is consumed and created by individuals, corporations, governments and everyone
▪ In open source, stakeholders without representation will inevitably fork
▪ Expand governance to include more stakeholders

Slide 43

Call out Proprietary
▪ Control the narrative by calling out:
  □ proprietary
  □ source available licenses
  □ unclear licenses
▪ An OSI License Proliferation Report, but for Source Available?
▪ Not just reports, but active intervention

Slide 44

New Certification Program
1. Could be “OSI Approved” or any name that closely attributes the source of origin as the OSI.
2. Use certification to communicate and possibly moderate other community norms.
3. Like driver’s education, training could be a path to redemption for violators.

Slide 45

Transition + Fund OSI away from volunteerism
▪ The OSI is primarily run by amazing individual volunteers, which leads to overwork; it should transition away from volunteerism toward hiring more full-time staff
▪ The OSI should structure and accelerate initiatives that give companies and governments a formal voice; this could spur more funding

Slide 46

Create a Sustainable Open Source Index / Certification
▪ Public shaming indexes work over time…
  □ HRC Corporate Equality Index
▪ Sustainability certifications… for companies? projects?
  □ LEED for greener buildings
  □ B Corporations for social and environmental good

Slide 47

Reporting and sharing data can help shift companies’ behavior.

Slide 48

Corporate Sustainability Includes Open Source
▪ Corporate social/sustainability initiatives are ~30 years old, popular at large companies, and drive change
  □ https://www.microsoft.com/en-us/corporate-responsibility
  □ https://sustainability.ups.com/sustainability-reporting/
  □ https://www.microsoft.com/en-us/corporate-responsibility/privacy
▪ Include open source in the Global Reporting Initiative (GRI) standards: https://www.globalreporting.org/standards

Slide 49

Conclusion
▪ Over the last decade open source has changed from a hobbyist and niche-business pursuit to something pervasive across our lives
▪ The OSI should accelerate initiatives involving companies
▪ There is no “one solution”, just as there isn’t one solution or one organization for corporate sustainability or climate change; let’s all work together
▪ Fund the OSI: https://opensource.org/donate

Slide 50

Agenda (section divider): 5. Q&A

Slide 51

Thanks! Any questions?
▪ Chris Aniszczyk (@cra)
▪ Michael Cheng
▪ Max Sills