In this post, I’ll outline my position on the future of Open Source Software. I will look at the current open-source landscape and analyze not only how Open Source tools are currently used, but also reflect on how the usage of OSS is sometimes limited by security issues and by problems connected to the licensing of intellectual property. I’ll talk about how this influences and perhaps also restricts the use of Open Source in general. In the conclusion of this article, I’ll also summarize my position on the future of Open Source in general.
Instead of speculating about what the landscape of Open Source is today and what it may look like in the future, I decided to find out whether any studies have been done on this somewhat specific and narrow topic.
I found two research organizations, namely North Bridge and Black Duck, that are dedicated to extensive study and research in the area of Open Source tools. For the past 10 years, North Bridge and Black Duck have annually released their research findings in a report called ‘The Future of Open Source’. The study is one of the most inclusive reports on Open Source use and essential reading for anyone interested in exploring this area further.
The 2016 report was the most comprehensive so far, summarizing findings about the use of Open Source tools in 52 different organizations ranging from start-ups to some of the leading Open Source vendors, such as Apache Software Foundation, Red Hat, Microsoft, HP, Ubuntu, EDB, openSUSE, Huawei, Eclipse, etc.
North Bridge, with $3.8 billion of capital under management, has funded more than 170 companies that went on to create many billions in market value. They are a well-known name in the industry and attracted many global organizations to participate in the 2016 survey. To give a sense of the massive scale, the following image illustrates some of the big names that took part in the 2016 survey:
© North Bridge (2015)
That said, in this article, I’ll briefly look at ‘The Future of Open Source’ report from the 2015 survey and also go over the summarized results gathered in the freshly released 2016 study. This will give us an awareness of what’s happening within the Open Source industry and should paint a picture of what the landscape of Open Source looks like in general. From these findings, I’ll try to draw some lines and make some assumptions and conclusions, which should provide an idea of what the future of Open Source may look like.
I’ve parsed the most interesting results of the 2015 survey, and the following were the most notable findings of the ‘2015 The Future of Open Source’ study (North Bridge, 2015):
- 78% of companies use Open Source tools; fewer than 3% don’t use Open Source at all.
- 14% increase in corporate participation on Open Source projects
- 64% of survey respondents said their company participated in Open Source projects
- 88% of survey respondents think their companies will increase Open Source contributions
Looking at the results of the 2016 survey, I want to start the section by quoting Paul Santinelli, general partner of North Bridge, who reflected on the 2016 results by saying that “Open Source today is unequivocally the engine of innovation, whether that’s powering technology like operating systems, cloud, big data or IoT, or powering a new generation of Open Source companies delivering compelling solutions to the market.” (Vaughan-Nichols, S.J., 2016)
That sentiment seems to be shared by Open Source vendors, business employers, IT professionals from various industries and others who provided 1313 survey answers and otherwise responded or participated in the 2016 North Bridge survey.
So, how does Open Source fare today? I’ve compiled a list of some of the most interesting outcomes of the study:
- Open Source is the basis now for almost all applications used in IT organizations.
- Open Source is powering businesses as it allows for faster and more agile development.
- Organizations that participate in the Open Source community report increased modernisation and amplified delivery of value, and also say that employees find it more enjoyable to work on Open Source projects.
- Open Source remains one of the key employment and retention tools, not only in enterprise organizations but also in start-ups, IT shops, and governments.
Looking at the results of the studies done in the past two years, we could say that the 2016 ‘The Future of Open Source’ survey results are even more surprising than those seen in 2015.
Since 2010, use of Open Source tools in business IT environments has doubled, and Open Source is in widespread use in cloud computing, database systems, operating systems, as well as in big data organizations. Open Source enters the code base from every angle: approved components, developer downloads, code reuse, commercial apps, third-party libraries, and outsourced development.
So, how about the future? There are a couple of Open Source areas that will most likely generate the highest revenue for Open Source vendors. Based on the survey responses, these are the top three Open Source areas in which we’ll likely see the most growth in the years to come.
- 46% – SaaS
- 42% – Custom Development
- 41% – Services/Support
There are dozens of Open Source projects that come to my mind, but in this section I’d like to point to only two candidates among Open Source projects that are, in my opinion, probably the best examples from the world of Open Source software. I’ll look at 3 categories: Open Source operating systems, programming languages and others.
Among operating systems, Linux is a true champion of Open Source. Its most essential element is the Linux kernel, first released by Linus Torvalds in September 1991. It’s licensed under the GPL/LGPL Open Source license, and the kernel is written in the C programming language. Even though it initially supported mainly the Intel x86 architecture, today it’s available for x86, IA-32, i386, x86 SMP, IA-64, Xen, x86-64, PowerPC, PowerPC SMP, SPARC32, SPARC SMP, MIPS, Alpha, ARM, XScale, PA-RISC, M68k, FR-V, Cell, ETRAX, Xtensa, CRIS, M32R, h8, s390, SuperH, OpenRISC, and in hosted mode also for UML, coLinux, MkLinux, Itanium Linux-on-Linux and wombat architectures. I am listing all of these for a specific reason: I want to show how immensely Linux has grown in the last 25 years. There is virtually no other OS as versatile as Linux. Among Open Source OS’s there is no other system that supports more hardware, network systems, file systems or features, including security features. And just as Microsoft Windows is the king on desktop and laptop computers, Linux is the leader among servers and supercomputers.
As of April 2016, according to StatCounter (StatCounter, 2016) and W3Counter (LLC, A.W.S., 2016) reports, Linux reached a very important milestone. Among all online computers, Linux kernel derivatives combined have, for the first time in history, overtaken the Windows operating system. Linux has become the most used operating system among all computers connected to the Internet. And as of December 2016, the Linux-based Android system is, with 37.88% usage share, the most used operating system, followed by Windows 7 (17.47%) and iOS (12.65%).
There are many Open Source programming languages in existence, such as Ruby, Python, Perl, Java, or even ASP.net, which is also an Open Source project. But the one that most deserves a mention is PHP.
As of December 2016, PHP is “used by 82.3% of all the websites whose server-side programming language we know” (Q-Success, 2016), and PHP is also the third most popular programming language among all programming languages in existence. According to foremost industry leaders, PHP has emerged as the most approachable Open Source language, which explains why some of the most popular Open Source packages such as WordPress, Joomla or Drupal are built using PHP. It has one of the strongest community bases among all languages, it provides cross-platform compatibility by running on major OS platforms such as Windows, Linux and Mac OS X, and on pretty much all web servers such as Apache, Nginx, IIS, etc. There is probably no better candidate to feature in this short overview.
One of the best resources to explore when it comes to currently trending Open Source projects is GitHub’s trending page, https://github.com/trending. As of 5th of December 2016 at 3 PM EST, these were the top 3 most popular Open Source projects of the day:
- JID – allows its users to drill down into JSON interactively using filtering queries – 603 stars today.
- FreeCodeCamp – Open Source codebase and curriculum project – 464 stars today.
Do you still recall the Heartbleed and Shellshock vulnerabilities and the attacks that followed, which created worldwide havoc in 2014? These two security flaws alone were responsible for millions of hacking attempts. I want to concentrate on these two issues more specifically because they show exactly what I consider to be a major issue with Open Source solutions.
Heartbleed was a security bug in the Open Source cryptography library OpenSSL, which impacted millions of websites; for example, it affected Twitter, Yahoo, Steam, Tumblr, etc. Heartbleed exposed the contents of a server’s memory, where the most sensitive data is stored. In this way, the defect permitted attackers to snoop on communications and steal encryption keys. As a matter of fact, we were severely impacted by the Heartbleed bug even here in Canada. The Canada Revenue Agency reported a theft of Social Insurance Numbers that was carried out through an exploit of the Heartbleed bug within just 6 hours of its discovery in April 2014 (Vankrimpen, R., 2014). In total, well over half a million widely trusted websites ended up being vulnerable to Heartbleed.
Shellshock was another security issue related to Open Source. It impacted the widely used Unix Bash shell. “Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure” (Shellshock, 2014).
In my view, most importantly, they
- impacted the Open Source technology
- damaged the good reputation of Open Source technologies in general
- ended up being very costly
While it’s hard to estimate the reputational damage to Open Source, it’s safe to say that following the discovery of the above vulnerabilities many corporations started to pay a little more attention to security issues associated with Open Source tools. The organization I work for, more specifically, started looking strictly at the Open Source used in our technology stack, and we think twice before deploying any Open Source tools.
Evaluating the total cost of security issues found in Open Source tools is an even more daunting and complex task. But to give you some idea, the Heartbleed bug alone was estimated to cost as much as US$500 million in total (Kerner, S.M., 2014).
I want to open the summary of the security concerns section by quoting Mike Pittenger, an Open Source security management specialist and VP of security strategy at Black Duck, with whom I wholeheartedly agree.
Mr. Pittenger said that “2017 will be the year of the Open Source unicorn and the number of cyber attacks based on known Open Source vulnerabilities could increase by as much as 20 percent“ (Open Source Security Predictions, 2016).
That is very concerning, especially because we know that there are still major issues in Open Source, mainly when it comes to security and management practices. These two areas of Open Source are critical and remain the most problematic, because security compliance does not seem to be keeping pace with the quick adoption of Open Source tools.
The North Bridge 2016 survey reported that 50 percent of companies that use Open Source have no proper formal policy for choosing and approving Open Source code. That’s a problem on its own. North Bridge also reports that “47 percent of companies don’t have any formal processes in place to track Open Source code, limiting their visibility into their Open Source and therefore their ability to control it” (North Bridge, 2016).
In my opinion, Open Source projects need to place more emphasis on security and build systems that can better resist breaches, because high-profile security bugs such as Heartbleed and Shellshock are turning away potential customers of Open Source and taking away potential revenue.
Now that we are talking of revenue: for a business to endure, it needs to generate revenue. This is, in my opinion, one of the most critical areas for the future viability of Open Source, so I decided to give it a section of its own.
A colleague of mine loves to quote from the movie Jerry Maguire, in which the lead actor shouts “Show me the money!”. This is the relevant question every business needs to ask itself. It applies not only to regular business-oriented organizations, but to Open Source projects as well. Many Open Source projects simply can’t survive in a competitive world and stay afloat without some source of revenue.
Approximately ten years ago, in 2007, JBoss founder Marc Fleury said: “The first time I saw Linus Torvalds (creator of Linux) on a panel, someone asked “why isn’t there an Open Source billionaire”, and I immediately thought “because you are distributing FREE SOFTWARE, dummy” (Atwood, J., 2007).
Most of you will agree that was a very bleak outlook. Did the situation change, now, almost a decade later? Well, let’s look at the news. Now, towards the end of 2016, the Open Source operating system Linux is a poster child for all Open Source projects. It holds approx. 25-30% of the server OS marketplace, and thus it’s safe to say that it very successfully competes against some of the toughest competitors, such as Microsoft. As a matter of fact, Microsoft is embracing Linux: it now supports Linux on its Azure cloud platform, and that’s not all, it has just released the first public preview of the next version of SQL Server for Linux (Microsoft SQL, 2016). Even though the online community claims that this is just Microsoft resurrecting its ‘Embrace, Extend, Extinguish’ strategy, as comical as it may sound, news like this immediately brings to my mind a quote by Linus Torvalds, who in 1998 famously said “If Microsoft ever does applications for Linux it means I’ve won.” (Needle, D., 1998).
So, that’s impressive, but how do the largest Linux enterprises fare money-wise? Well, not so badly. Linus Torvalds’ net worth is assessed at $150M, most of it indirectly related to his Linux fame, and the largest Linux Open Source company, “Red Hat is now the first $2 billion dollars open-source company” (Red Hat $2b, 2016). Other Open Source enterprises, such as IPO-bound Acquia, a company that offers technical support for the Open Source Drupal web content management platform, have already reached $100M in annual revenue (Acquia – Boston business journal, 2015). Drupal’s competitor, the Open Source company Alfresco, recently announced that it has recurring revenues of well over $64 million dollars. And Actuate Corporation, known for the Open Source Eclipse BIRT professional data reporting project, has revenues in excess of US$134.6 million (ACTU: Income statements, 2016).
This section is a short overview of the most popular types of Open Source licenses. It is meant to raise awareness of the importance and impact that Open Source licensing has on what is many times only a perceived openness of Open Source solutions.
An Open Source license is typically used to preserve the open nature of the software. It is also there to grant permission to everyone who wants to use, amend, and share the licensed software for any purpose. Open Source licenses vary between types and are typically subject to conditions. That said, it is important, and always to our benefit, to pay very close attention to the type of license under which Open Source software is released. It should be standard practice to review the license type before Open Source software is deployed in an organization.
In this overview, I’ve organised the top 3 most popular Open Source licenses in ascending order, featuring the one with no conditions or restrictions of any kind at the top and moving towards the one with the strictest conditions at the bottom.
The Unlicense is the only license I am aware of that has no conditions of any kind attached to it. This license is so open that it allows anyone to grab the source code and release it as commercial software without any repercussions. This license is used by HTTPkit (a Ruby toolkit for building HTTP clients), Tor.rb (a Ruby library for the Tor network) and youtube-dl (a command-line program for downloading from YouTube). Learn more at http://unlicense.org.
The MIT license is considered by many to be the best type of Open Source license; it’s also my personal favourite. This is a very simple type of Open Source license; it’s very short and to the point. The important thing to keep in mind when using the MIT license is to preserve the license and copyright notices. Software such as .NET Core, jQuery, and Rails use the MIT License. You can learn more at https://opensource.org/licenses/MIT.
When it comes to the Apache License 2.0, it’s for users who are concerned about patents, but otherwise it is not so different from the MIT license. It contains an express grant of patent rights from contributors to users. The Apache License 2.0 is used by Apache, from which it derives its name, but also by Android and Swift. More at http://www.apache.org/licenses.
All other licenses, such as the Mozilla Public License 2.0, GNU LGPLv3, GNU GPLv3 or GNU AGPLv3, are far more restrictive than the ones I’ve just listed, and users need to be well aware of the types of restriction.
Let’s summarize the implications of licensing by drawing a comparison between one of the top 3 licenses and the GNU AGPLv3 License. The GNU AGPLv3 License is also an Open Source license, but it’s one of the toughest when it comes to the conditions imposed upon its users. Imagine an organization that takes Open Source software released under this license type and needs to extend it with its own components. If the product they need to extend is licensed under the MIT or Apache license, the organization could do so without any issues. However, with a product licensed under the GNU AGPLv3, the organization would be required to make the code they added publicly available, along with the complete source code and a notice of all modifications. Additionally, they would need to license the source code of the added component as a work under the same GNU AGPLv3 license. They would also need to preserve copyright and license notices, and contributors need to provide an express grant of patent rights. As you may imagine, this is something to be aware of.
So, how open will the future be?
In my opinion, some significant challenges remain when it comes to Open Source, especially in the area of Open Source security, administration, and management practices. As a matter of fact, “Gartner says that through 2020, security and quality defects publicly attributed to OSS projects will increase significantly, driven by a growing presence within high-profile, mission-critical and mainstream IT workloads” (Ventures, C., 2015).
Mihai Doinea, from the Economic Informatics Department in Academy of Economic Studies in Bucharest, Romania says that “Open Source security is widely discussed because of its primary characteristic, openness, which make some developers say that this is a security breach, and others to say that if a product is free-source, security holes are less. This idea is equally valid because if the product isn’t developed properly and that’s the case for a lot of licensed software, even more being Open Source, presents a high level of vulnerability. On the other hand, if the Open Source program is developed properly, tested by many different programmers with different visions, covering a broad range of vulnerabilities then certainly the vulnerability level is lower, and much lower than a licensed software”.
That is something I can certainly agree with, because when it comes to Open Source, with many people inspecting the code, security is likely to fare better than in the case of its commercial counterparts, where only a limited quantity of resources can be dedicated to the task of securing the application.
Regarding Open Source licensing, yes, it’s often described as radical, but “it is built on solid, traditional legal foundations, including the rights granted by copyright under the law of the United States (and elsewhere)” (Laurent, A. M. S., 2004).
Open Source licensing is surely far more confusing and complicated than it needs to be, which is why it is so great to see projects such as choosealicense.com, a website that helps everyone make the right choice about how to license their Open Source code. This project aims to show exactly what one can and cannot do with Open Source code, and it does so in a simple and easy-to-follow manner, making it much simpler to navigate the complex nature of Open Source licensing.
In terms of profitability, I think I’ve also sufficiently shown that even Open Source projects can and do make revenue. It comes mainly from providing expertise and support for Open Source software products, but a lot of profit also comes from the development of custom components. While only a decade ago we had a handful of Open Source solutions that made profits of millions of dollars, we are now looking at billion-dollar enterprises that build their solutions around Open Source projects.
That said, in my personal view, the benefits of Open Source far outweigh the risks associated with the adoption of OSS technologies. As we could observe, literally all signs point to a bright future for Open Source, and while only a couple of years back adoption rates were not so prevalent, today the situation is completely different… Today, Open Source is the foundation for virtually all IT applications, reaching nearly 100% adoption by mainstream IT organizations.
I will close this article by quoting J. Mayo, who in the 2016 research paper named ‘Open Data: A policy subject reference for governments and regulators,’ stated something I must passionately agree with:
Development is the way to winning. Advancement is what’s to come. And Open Source is the place where development and advancement are happening. (Mayo, J., & Phil, N., 2016).
Part of the results from the 2015 survey was the finding that fewer than 3% of companies don’t use Open Source at all.
I was wondering why this would be the case. However, as North Bridge & Black Duck aren’t clear about which organizations are part of the 3% that aren’t using OSS, I suspect that many of the organizations that do not use open source are simply tied up in government contracts which may prohibit the use of OSS. Another possible reason is that these companies are so specific in their line of work that a niche product they develop does not require any open source project to run. Also, as we know, many companies turn to OSS to reduce their development costs and in this way gain a competitive advantage, so it’s very much possible that among the enterprises in the reported 3% are monopoly firms that do not have to be as competitive as the rest of the businesses.
However, more likely than these 3 possible options above is something that may actually be the best reason of all…
You see, when Black Duck Software (the open-source software (OSS) logistics and legal solutions provider) and North Bridge (a seed-to-growth venture capital firm) announced the results of the annual Future of Open Source Survey, they found that enterprises are adopting open source like crazy, but they also discovered that they’re not managing it worth a darn.
As we can read in the survey results, still more than 55% of companies that use OSS have no policies and procedures associated with it. Only 27% report having a formal policy for employee contributions to OSS projects, and a mere 16% report having an automated code approval process. So while 78% of companies run on Open Source, many lack the formal policies to manage not only security risks but also the possible legal risks. So, in my opinion, this could be a major issue for some of the firms in the 3%.
Findings such as these, and a couple of others that I list in the attached slides below, would definitely be a good reason for doubt and hesitance about adoption:
I’ll close this add-on section by quoting Lou Shipley, President and CEO of Black Duck, who outlines quite well what needs to be done in order for those 3% of enterprises to come on board.
Mayo, J., & Phil, N. (2016). Open Data: A policy subject reference for governments and regulators. IRA-International Journal of Management & Social Sciences (ISSN 2455-2267), 1(4). (Accessed: 3 December 2016).
Doinea, M. (2009). Open Source Security–Quality Requests. Open Source Science Journal, 1(1), 126-135. (Accessed: 4 December 2016).
Laurent, A. M. S. (2004). Understanding Open Source and free software licensing. O’Reilly Media, Inc.
North Bridge (2015) 2015 future of Open Source survey results. Available at: http://www.northbridge.com/2015-future-open-source-survey-results (Accessed: 3 December 2016).
North Bridge (2016) 2016 future of Open Source survey results. Available at: http://www.northbridge.com/2016-future-open-source-survey-results (Accessed: 3 December 2016).
Vaughan-Nichols, S.J. (2016) Black Duck and North Bridge find that today, and tomorrow, belong to Open Source. Available at: http://www.zdnet.com/article/black-duck-and-north-bridge-find-that-today-and-tomorrow-belong-to-open-source/ (Accessed: 4 December 2016).
Red hat $2b (2016) Red hat becomes first $2b open-source company. Available at: http://www.zdnet.com/article/red-hat-becomes-first-2b-open-source-company/ (Accessed: 4 December 2016).
Atwood, J. (2007) Coding horror. Available at: https://blog.codinghorror.com/where-are-all-the-open-source-billionaires/ (Accessed: 4 December 2016).
Microsoft SQL (2016) SQL server on Linux. Available at: https://www.microsoft.com/en-us/sql-server/sql-server-vnext-including-Linux (Accessed: 4 December 2016).
Needle, D. (1998) Why Intel and Netscape bought into Linux – October 10, 1998. Available at: http://www.cnn.com/TECH/computing/9810/01/whylinux.idg/ (Accessed: 4 December 2016).
Acquia – Boston business journal (2015) 23 February. Available at: http://www.bizjournals.com/boston/blog/techflash/2015/02/ipo-bound-acquia-reaches-100m-annual-revenue.html (Accessed: 4 December 2016).
ACTU: Income statements (2016) Available at: http://www.wikinvest.com/stock/Actuate_(BIRT)/Data/Income_Statement#Income_Statement (Accessed: 4 December 2016).
Vankrimpen, R. (2014) RCMP says it asked Revenue Canada to delay announcing stolen SINs. Available at: http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192 (Accessed: 4 December 2016).
Shellshock (2014) Infogalactic: The planetary knowledge core. Available at: https://infogalactic.com/info/Shellshock_(software_bug) (Accessed: 4 December 2016).
Open Source Security Predictions (2016) Available at: http://www.forbes.com/sites/adrianbridgwater/2016/11/11/black-duck-lays-2017-open-source-security-predictions (Accessed: 4 December 2016).
Kerner, S.M. (2014) Heartbleed SSL flaw’s true cost will take the time to tally. Available at: http://www.eweek.com/security/heartbleed-ssl-flaws-true-cost-will-take-time-to-tally.html (Accessed: 5 December 2016).
License and Notice, C. (2016) Licenses. Available at: http://choosealicense.com/licenses/ (Accessed: 5 December 2016).
Unlicense yourself: Set your code free (no date) Available at: http://unlicense.org/ (Accessed: 5 December 2016).
The MIT license (MIT) (no date) Available at: https://opensource.org/licenses/MIT (Accessed: 5 December 2016).
Ventures, C. (2015) Cybersecurity vendors, companies, employers, and firms. Available at: http://cybersecurityventures.com/open-source-security-report-q3-2015/ (Accessed: 5 December 2016).
Apache Foundation (2016) Available at: https://www.apache.org/licenses/LICENSE-2.0 (Accessed: 5 December 2016).
LLC, A.W.S. (2016) W3Counter: Global web stats – November 2016. Available at: https://www.w3counter.com/globalstats.php?year=2016&month=11 (Accessed: 5 December 2016).
StatCounter (2016) StatCounter global stats – Browser, OS, search engine including mobile usage share. Available at: http://gs.statcounter.com/#all-os-ww-monthly-201611-201612-bar (Accessed: 5 December 2016).
Shah, A. (2016) Open-source programming languages: A basic overview. Available at: http://tweakyourbiz.com/technology/2015/09/18/open-source-programming-languages-basic-overview/ (Accessed: 5 December 2016).
Q-Success (2016) Usage statistics and market share of server-side programming languages for Websites, December 2016. Available at: https://w3techs.com/technologies/overview/programming_language/all (Accessed: 2 December 2016).
simeji (2016) Simeji/jid. Available at: https://github.com/simeji/jid (Accessed: 5 December 2016).
pubkey (2016) Pubkey/rxdb. Available at: https://github.com/pubkey/rxdb (Accessed: 5 December 2016).
FreeCodeCamp (2016) FreeCodeCamp/FreeCodeCamp. Available at: https://github.com/FreeCodeCamp/FreeCodeCamp (Accessed: 5 December 2016).
Vaughan-Nichols, S.J. (2015) It’s an open-source world: 78 percent of companies run open-source software. Available at: http://www.zdnet.com/article/its-an-open-source-world-78-percent-of-companies-run-open-source-software/ (Accessed: 6 December 2016).