The state of open source in 2016

OSCON's coming to London in October and I'm talking about Open source as a strategy for innovation, which focuses on how to use FOSS to increase innovation. I chose that topic after casting my eye over the state of open source in 2016 - it's worth reviewing where we now stand.

Open source is widely considered to have 'won' [fn1] by proponents in 2016. Vertically across the technology stack and horizontally across application domains it's thriving.

"Today, practically every major piece of technology you interact with on a day-to-day basis—from the web to your phone to your car—was built using at least some form of freely available code."

Open Source Won. So, Now What?

For infrastructure the existing economic benefits of FOSS have accelerated. Horizontal scaling, containerisation and infrastructure through an API all lead to treating servers as cattle not pets. When running thousands of systems the marginal cost per server has to be close to zero which magnifies the financial benefit of FOSS. Building anything at scale using non FOSS infrastructure would be a feat in and of itself these days!

Web technologies continue to widen and deepen the scope of their domain. Whether it's databases, frameworks, front-end or back-end most of these technologies are open by default [fn2] . The impact has been to bring a huge swathe of developers into an environment where collaboration and sharing are the base-line.

To paraphrase the criticism - open source is only free if your time has no value [fn3] - which is really a comment on any complicated technology. Technologists are expensive which is why there's been so much focus on developer efficiency encompassing Dev/Ops in tandem with improved ways of collaborating. As an example, all the major languages have extensive libraries and frameworks, with a wealth of capabilities reachable over the network [fn4]. And, as a way of sharing and contributing, DVCS in the form of Git and Gihub have been revolutionary.

Browsing Hackers News shows that the rising open source tide means that entrepreneurial, Web focused businesses are extensive users. Of course, that isn't the whole of application development, with many line of business platforms remaining resolutely closed on proprietary systems [fn5]. And, you can make a argument that the focal point of technology is shifting away which presents serious challenges.

But, in general there's been a widening of open source for the portions of the stack that developers work with.

I believe the main change has been in the values and motivations for collaboration. There's always been a utilitarian ('scratching an itch') and learning motivation for developer collaboration and contribution to FOSS code bases. But, there's now a wide-spread belief that having an open source portfolio is career enhancing as it provides public proof of a developers capability [fn6] and increased social capital [fn7]. Hiring without being able to see a transparent public record of collaboration is challenging, and locations such as Github only enhance the trend.

However, the level and scale of professional contribution hasn't kept pace [fn8] with the widespread use. Open source projects are fundamental components within IT across many sections of industry. Firms take advantage of the benefits of the commons without making any contribution back to it: whether through money or their own efforts. That's because the benefits of using open source are clear and well-known, but we lack a strategic framework for the value of contributing. This means that many organisations believe there's a free lunch - the free rider problem remains [fn9]. Using FOSS as part of your technical architecture is strategic, while collaborating is a tactical piece-meal often underground decision [fn10].

There are lots of arguments that this is an inherent part of FOSS, after the code is open it does no damage to others if there are contributions or not [fn11]. I believe this is true in many situations, if someone uses a small component in their code it doesn't damage the commons in any way. For many classes of code there is a free lunch, FOSS really is giving something for nothing! However, there are whole swathes of infrastructure and applications which we depend on that which suffer a lack of contribution [fn12]: episodes such as the SSL bugs demonstrate the depth of contribution is not sufficient [fn13].

I don't think it's immoral to use Free Software without contributing, that adds a censorious value judgement I don't like [fn14]. I do think that if a firm has the resources then the principle of reciprocity should apply - if we use something from a shared store, we should also provide for it. Second, it's almost certainly against a firms best interests to not contribute to public goods that they depend on, the problem is that most firms don't yet realise the costs. Free riding is a short-term gain, while contributing assures the vitality of technical dependencies and builds the knowledge and capabilities of the firms developers. The long-term benefit is that the value of the commons is increased when we build and collaborate together, it requires a level of reciprocity and altruism.

For most company leaders altruism is a light weight on their balance sheet, and amongst all the other priorities it's difficult to argue for. However, organisations have strong self-interest in driving innovation. Over the last few years collaboration has become a watch word in the innovation area, as firms try to release innovation by opening up collaboration across company walls. For practical purposes 'innovation' means either reducing what a firm pays for services, or creating value (that serve customer needs) that it can sell for a profit. Economics 101 I know, but this is why there's so much focus on innovation strategy and developing innovations amongst organisations - though it's much easier to talk a good game than it is to deliver one. As market barriers have broken down with globalisation and faster, nimble competition has formed there's been a lot of focus on the ideas of "open innovation". Many of its precepts are based on values and practises that chime with those of Open Source.

There's a clear opportunity to demonstrate how innovation can benefit from an open approach which encompasses open source - fundamentally, open source represents a concrete 'blue print' for developing and testing new ideas.

[fn1]Matt Assays review is interesting, What I've learned from 15+ years in open source and for a good background see Open Source Software No Longer Optional. The State of Open Source Security in Commercial Applications survey from Black Duck found open source software in 95% of the applications they survey, although it has an obvious bias since they're open source specialists.
[fn2]Wikipedia lists some of them in Open Web Platform and the W3C continues their work.
[fn3]Jamie Zawinski roughly and famously said it, or possibly didn't without the context, but it stuck anyway.
[fn4]Python has PIP, Node JS has npm and Haskell has cabal. New offerings such as Golang, Rust and Swift all make some form of package management a key function.
[fn5] being a good example.
[fn6]12 Things You Must Do to Land a Junior Web Developer Job is par for the course despite the click-bait headline. For an alternative perspective see the comments on Hackers News - When it comes to hiring, I'll take a Github commit log over a resume any day. However, Yochai Benkler says in his The Unselfish Gene that academic research on FOSS contributions directly contradicts this belief.
[fn7]Wikipedia article on Social capital gives a nice overview, and specifically on open source see Dries Buytaert post for a practitioners view. This paper's dense argument that developers receive 'private benefits' for the creation of public goods is very interesting - mentioning reputation, control over technology and learning opportunities.
[fn8]I freely admit a lack of direct evidence for this - it's merely my sense having worked in the industry and been involved with monitoring a variety of FOSS projects. For some supporting opinion see Open Source is good but proprietary is still winning <>._
[fn9]See Wikipedia free rider problem, the Tragedy of the commons is also very good.
[fn10]Asking for donations causes tactical piece-meal responses, but rarely leads to a sustained consistent level of money or effort contribution.
[fn11]Open Source: Free as in Free argues that using a project is the highest compliment you can give because it's worth using.
[fn12]Pragmatically there's a difference between code we use one-off (a small utility) and projects that are ongoing critical dependencies, though it's a matter of degrees rather than different categories. The Black Duck survey noted earlier found that "over 10% of applications tested included the Heartbleed vulnerability (disclosed a minimum of 18 months prior to our analysis), and almost 10% included POODLE" with 40% of the vulnerabilities rating a CVSS (Common Vulnerability Scoring System) of 7/10.
[fn13]HeartBleed is believed to have impacted around 17% of secure servers - 500k systems . Heartbleed Exposes a Problem With Open Source, But It's Not What You Think covers the underlying causes.
[fn14]The strict requirements are those as defined by the license, beyond this is a matter of opinion. Overall, more people using open source is still a benefit as from the wider audience some contributors will be created and other opportunities for promotion will happen.

Posted in Business Tuesday 30 August 2016
Tagged with FOSS strategy