Make software great again: can open source be ethical and fair?
Is there a way to go beyond open source, and have ethical, fair software in a cloud-first world? This is what some people in the open source community think.
In the 20 years since its inception, open source has turned out to be the most successful model for building software. The world today runs on open-source software (OSS). An ecosystem has been created around OSS. Businesses and software builders use OSS directly or indirectly, while others offer services and products based on OSS.
OSS is perceived as being free, fair and/or ethical. This perception, however, may not be entirely true. That may be counter-intuitive, but it’s at the heart of the debate around OSS. As OSS is growing up, it’s becoming more successful, more complex, and ubiquitous. It seems we are entering a new phase for OSS, and it’s not without growing pains.
Commercial OSS in the cloud
The four essential freedoms are a cornerstone of OSS. They refer to what users can do with the software, but they tell us nothing about the economic cost, or benefit, related to the software. OSS is free as in speech, but not free as in beer. Someone has to build the software, and then someone has to maintain, run, and manage it.
As far as the perception of OSS being fair or ethical goes: it’s just that – a perception. The perception stems from the OSS community ethos, but in reality, the OSS freedoms are at odds with notions of fair or ethical use. Anyone can contribute as much or as little as they please to OSS. Anyone can use OSS for any purpose, regardless of contribution.
This has led to where we are today. Cloud vendors like AWS, Google or Microsoft, have built their infrastructure based on OSS. Each of them also contributes to OSS in many ways, including code and outreach for existing OSS projects, as well as establishing new OSS projects. But use of, or contribution to, each OSS project is not really accounted for.
Recently, the Apache Software Foundation, one of the key OSS institutions, celebrated its 20th anniversary. The ASF claims the value of the software under its auspices is around $20 Billion, by its own estimates. Everyone is entitled to use the software for free, and many do. But the ones who create this value are the ones who contribute to OSS, be it in code or in other ways.
As analyses have shown, many OSS contributors do this because they are intrinsically motivated: the software is interesting to them, they need it, or they feel good about their contribution. In that respect, they are not much different from vendors that have chosen to build OSS products. Those vendors have invested in their OSS, and their ROI depends on it.
Which brings us to cloud vendors. As many pundits note, cloud vendors operate on a whole different plane. If commercial OSS vendors are about taking innovation from 0 to 1, cloud vendors are about taking it from 1 to n. This brings value in and by itself. Cloud vendors also release OSS projects of their own, and contribute to existing ones. Their strategies, however, differ, and this is where things get complicated.
AWS is the leader in the cloud market. The strategy AWS has adopted with regards to OSS, however, has exposed it to criticism. Recently, an independent data-driven analysis was done on GitHub, where OSS code lives. The analysis showed that in terms of code, AWS does not seem to be contributing much to the development of the OSS products it offers as a service.
It’s understandable why vendors building those products are looking to tweak their licenses to disallow AWS from running their software as a service. It’s also understandable why the OSI, which has control over OSS licenses, is pushing back: by introducing those tweaks, the software is no longer OSS.
If this was just a clash of commercial interests, we might be getting our pop corn to watch. But for something with such high value to society at large as OSS, the ramifications are important. Is there a way everyone involved can get a fair share of the profit, and keep contributing to OSS? Let’s hear what 2 CEOs from vendors who build OSS, and work with AWS, have to say.
The co-opetition view: one big act vs. many small ones
Dor Laor is the founder and CEO of ScyllaDB, an OSS vendor with an interesting story. ScyllaDB was built on a contentious premise, as it is a re-implementation of another OSS database: Apache Cassandra. Laor has shared thoughts on OSS license changes, as well as Amazon’s latest move to offer Cassandra as a managed service on AWS cloud.
Our discussion started touching upon ScyllaDB’s latest features. According to Laor, these features (most prominently lightweight transactions) do not just bring parity with Cassandra, but go one step further. Laor expanded on the technical aspects of ScyllaDB’s solution. As these seemed technically sound, yet conceptually simple, the discussion moved to a broader topic.
Laor claimed none of ScyllaDB’s closest matches, namely Apache Cassandra and AWS DynamoDB, have such features. When asked why he thinks that is, given the nature of those features, Laor offered 2 answers.
For Cassandra, he mentioned that for the last few years its former main contributor, namely DataStax, has taken a step back. Naturally, this has stalled Cassandra’s development considerably. As for AWS, Laor noted that AWS has the tendency to offer products that are good enough, but not necessarily the best in their league.
As ScyllaDB is also available on AWS, and Laor was present at AWS’s main event, re:Invent, in 2019, he offered a metaphor to explain this. Laor said there were a number of stages set up for various acts in the re:Invent after party, and he found all of them mediocre. Laor went on to add that he sees that as a metaphor for AWS’ philosophy of going wide, rather than deep in its undertakings. This is a point shared in other OSS vendor strategies, too.
But ScyllaDB went beyond that, to do something no other OSS vendor we know of has done before: offer a compatibility layer for one of AWS’ products, namely DynamoDB. ScyllaDB’s DynamoDB API support will be officially available soon, and it will enable DynamoDB users to migrate to ScyllaDB. Laor said there is a waiting list for this.
This is technically feasible, and legally permissible. Unless things change, there are no restrictions on using APIs, as per the famous Oracle vs. Google case verdict. While some of AWS’ own people questioned this move, Laor claimed users are better off using ScyllaDB. In turn, this opens up some interesting questions. What about ethics, and contribution?
Building a new implementation of an existing API seems cleaner than using someone else’s implementation, but it still means benefiting from a userbase others built. Laor acknowledged that, as well as the fact that ScyllaDB leverages contributions from Amazon, Cassandra, and DataStax. He also pointed out that this spurs innovation and benefits users, and measuring contribution is very hard.
ScyllaDB has an open core strategy. Some features are proprietary, while the OSS core is licensed under AGPL, which Laor said AWS avoids. So far this has worked in deterring AWS from offering ScyllaDB as a service, although it could also be that ScyllaDB has not reached critical mass yet. In any case, as Laor said, these things change.
The collaboration view: balancing OSS makers and takers
Most OSS products fall under one of two categories. Many products are largely driven by a single vendor, whose employees contribute most of the related effort and drive its directions. Other products leverage contributions that cross-cut organizations who employ the contributors; often, OSS work is the main activity for such contributors.
But there is an OSS product in which the vendor commercializing it only contributes 5% of its code while still being the largest contributor. The product is commercially successful, has a community-driven decision making process, and is a distinguished AWS partner, too. And these are not the only reasons why Acquia, the vendor commercializing the Drupal CMS, and Dries Buytaert, its founder, stand out.
Recently, Buytaert shared his thoughts on balancing OSS makers and takers in an elaborate blog post. In our discussion, Buytaert confessed it took him a couple of weeks to put his post together. This is understandable, considering how many aspects of OSS it touches upon.
Drupal started in 2000, while Acquia was founded in 2007. As Buytaert highlighted, Acquia and the Drupal community have a unique relationship, which is formally documented in a charter. The community includes about 80.000 contributors, while Aquia employs about 1.000 people.
Yet, Drupal’s governance is not with Acquia. The community sets Drupal’s roadmap, and elects people in leadership roles. People choose to contribute to areas that matter most to them, and Acquia does this, too. Buytaert said that even when there is a decision Acquia does not agree with, the decision is carried through, if there is substantial backing for it.
Buytaert builds on the notion of OSS as part of the Commons, introducing an important distinction. For end users, OSS projects are public goods; the shared resource is the software. But for OSS companies, OSS projects are common goods; the shared resource is the (potential) customer. Makers invest heavily in the software, takers are mostly interested in customers.
Buytaert, leveraging Elinor Ostrom’s work in addition to his own experience, seems to have gotten to the heart of the issue. Research shows that when the Commons are left unchecked, without governance or rules for contribution, they collapse: shared resources are either engulfed or exhausted.
Organizations like the ASF and the OSI have done a good job in making OSS successful. But now that OSS is successful, without a mechanism for fair reward in place, we have no reason to believe OSS will not have the fate of Commons that preceded it. This is why we wondered whether the OSI should perhaps reconsider. Apparently, we are not the only ones, and the OSI seems to be listening.
First off, there seems to be an ongoing debate within the OSI itself as to what should constitute an OSS license today. This goes to show that what worked 20 years ago is not necessarily what works today. In addition, more and more people seem to be realizing the OSS conundrum, and are sharing ideas to move forward. Buytaert, on his part, offers 3 concrete proposals.
One, don’t just appeal to organizations’ self-interest, but also to their fairness principles. Two, encourage end users to offer selective benefits to Makers. Three, experiment with new licenses. Those points were also backed by Laor, who prompted users to consciously vet their OSS providers for fairness, and pointed to precedents like the Open Invention Network.
One thing is clear: AWS should not be excluded, it’s a vital part of the OSS ecosystem. The fact that this is a complex ecosystem with many actors that need to strike a balance is something many people agree on. This includes Buytaert, Laor, and AWS VP/Distinguished Engineer Matthew Wilson, a self-proclaimed “OSS romantic”, to name but a few.
Buytaert also agreed with Laor that while AWS is a good partner to have, if it decided to start offering ScyllaDB or Drupal as a managed service on its own, there would be nothing they could do to stop it. Buytaert was also clear on something else: making OSS sustainable may require a break with OSS as we know it. But if that’s what it takes, so be it.
This also seems to be the gist of Wilson’s position as stated in a number of Twitter threads: this is how OSS works. If you are not happy with it, do it differently – just don’t call it OSS. This is a fair point, made by others, too. Recently Stephen Walli, principal program manager on the Azure engineering team at Microsoft and an OSS veteran, shared his ideas on Software Freedom in a Post Open Source World.
Walli went through the history of OSS, the four essential freedoms, and the ways and reasons people challenge how OSS works. Walli’s message is along similar lines: “I am happy for people to challenge the ideas that define our software collaborations and culture of outbound sharing. But I want them to be bold. If you want to define a new movement then do so.”
Some people call it Commercial OSS, others Cloud Native OSS. Either way, it’s not just commercial interests that question how OSS works today. It’s also people concerned about the ethical implications of OSS. Although it could be argued that fairness touches upon ethics too, Coraline Ada Ehmke and the Ethical Source Movement (ESM) have a somewhat different angle.
Ehmke, who founded the ESM, is a software engineer, a public speaker, and has been an active OSS participant since the early 2000s. Ehmke, who previously stated that “OSI and FSF are not the real arbiters of what is Open Source and what is Free Software” is now running for the board of directors of the OSI, and the OSI’s VP seems open to engaging with her. The ESM states:
“Today, the same OSS that enriches the commons and powers innovation also plays a critical role in mass surveillance, anti-immigrant violence, protester suppression, racist policing, the deployment of cruel and inhumane weapons, and other human rights abuses all over the world.
We want to do something about this misuse of our software. But as developers we don’t seem to have any recourse, no way to prevent our work from being used to harm others. We want to change that”.
The definition of Ethical Software breaks with the four essential freedoms of OSS, creating licenses such as the Hippocratic or the Atmosphere Licenses. This raises questions, including how to enforce such licenses. Though a definite answer is not readily available, for the time being the thinking seems to be that fear of exposure of illegal use should work on a first level. People seem sympathetic to the notion.
Ethical software licenses are not the only OSS variant around, however. There is also the Fair Source License, allowing users to view, download, execute, and modify code free of charge. Up to a certain number of users from an organization can use the code for free, too. After an organization hits that user limit, it will start paying a licensing fee determined by the software publisher.
Fair Source was created by Sourcegraph and drafted by Heather Meeker, a prominent OSS lawyer who also drafted the Commons Clause for RedisLabs. Fair Source got featured on Wired, and received praise from GitLab, but it does not look like it got much traction. The reason is probably that as things stand, Fair Source is also not an OSS compatible license.
This all seems to be pointing somewhere: perhaps we’ve reached the limits of what OSS in its current form can do. People are realizing it, and questioning the status quo. Whether that will lead somewhere, remains to be seen. But some first steps are taken, and the potential seems to be there. OSS was a bold step in its time, too, and its pioneers paved the way.
To wrap up, let us revisit the “quantifying OSS contribution is hard, and it’s not only about code” argument. This is true beyond the shadow of a doubt. But before dismissing quantification as mission impossible, we should consider a few things.
Commercial OSS vendors are building platforms to power today’s data-driven economy. As a 3rd party analysis on GitHub data shows, they -expectedly- seem to be key contributors to their own codebases. While there may be communities of practice built around the products, in most cases we would assume vendors do much of the non-code work too – promotion, support etc.
OSS vendors have people who contribute to these tasks in their payrolls. Presumably, these people leave the digital footprint of their work on all sorts of systems. From OSS code repositories to issue trackers, HR, project management tools and spreadsheets, to social media. Nobody should be more motivated or better positioned to develop a holistic, data-driven model for OSS contribution, than commercial OSS vendors.
Doing this would make their claims much more grounded. To be entirely fair, commercial OSS vendors should also apply this to external contributions, be it from individuals or from organizations such as cloud vendors. And to back claims about putting OSS sustainability and the common good first, changing their status to B Corporation to reflect that might help, too.
To get over the OSS midlife crisis, and make software great again, leadership is paramount. There is no doubt the amount of legal, social, software, and data engineering needed to evolve OSS is staggering. But OSS is so important, that it would be irresponsible to shy away from it. Some OSS leaders are showing the way. Opinions may vary, but the issue is being acknowledged. Who would not want to have ethical, fair, open-source software available on demand in the cloud?
This is a chance for everyone to put their data to good use. Amazon, as well as commercial OSS vendors, are leaders, each in their own way. They have great power, which comes with great responsibility. The way other cloud vendors deal with OSS vendors may not be perfect, but it’s a start. We’d like to see that taken to the next level, and involving the entire industry.
Coming up with a way to fix commercial OSS by measuring and rewarding contribution is something that will not just benefit vendors, but the world at large. So if not them, who? If not now, when?