Podcast transcript: Is this the beginning of the end for open source?


This automatically-generated transcript is taken from the IT Pro Podcast episode 'Is this the beginning of the end for open source?'. We apologise for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate.

Jane McCallion

And I'm Jane McCallion.

Rory

And you're listening to the IT Pro podcast where today we're discussing the future of open source.

Jane

Open source software can be found in a huge number of businesses' stacks. Whether it's for cost reasons, a niche need that open source developers have filled, or because it's frequently updated and has a thriving community, open source is a mainstay of the tech sector.

Rory

In recent years, however, concerns over security and ethics have hampered open source expansion. Vulnerabilities like Log4Shell have made some IT decision makers wary of adopting open source, while increasing demand for open source software from others has put developers under pressure that they can't maintain.

Jane

Today, we're speaking to Keumars Afifi-Sabet, features editor at IT Pro and our specialist covering open source, to discuss the challenges facing the open source community and whether it will last. Keumars, thank you for joining us.

Keumars Afifi-Sabet

Thanks for having me.

Jane

So for any of our listeners who aren't familiar with the term, what is open source software?

Keumars

Open source is essentially software that people can develop and release under an open licence. There are many types of open licences. It's available, it's free to access, and there aren't normally any restrictions on who can access it.

Rory

So you've mentioned that it's iterative, and other people can add to and collaborate on open source software, who are the main contributors to open source repositories?

Keumars

That's a tough one, to be honest. There are lots of individual developers out there who have launched passion projects, let's say they've written packages and so on. There are also huge companies involved in the scene. So Red Hat, for example. They're all part of this wide and quite vast ecosystem, spreading across all kinds of areas of development in various languages, and so on.

Jane

Red Hat, which famously has its own Linux platform. So Linux being the open source software, and then Red Hat iterates on that. If you buy Red Hat Enterprise Linux, then you get additional features, additional support, that kind of thing, right?

Keumars

Of course, that's essentially how it might work in practice.

Jane

And kind of more casually another place that people might have come across open source type stuff is on Twitter for now. Things like Daphne's Catflap, which uses Raspberry Pi and Linux on Raspberry Pi to let the internet know when Kate Bevan's cat has come through her catflap.

Keumars

Well, yeah, I mean, there are so many different applications. And anyone can tap into the ecosystem at any time really, for a whole variety of reasons. It's part of what makes open source so wonderful, in a way.

Jane

So beyond the sort of passion project uses, are any of the bigger companies, say even the Microsofts of this world, or Googles or whatever, are they contributing to the repositories as well? Or is it just kind of smaller players, like you say, either passion projects or organisations that fundamentally are based on open source as a philosophy, or that's what their products are based on?

Keumars

Well, that's actually quite an interesting question. Because for a lot of the tech giants, there's always been traditionally some resistance to open source in some way or another. A lot of the likes of Microsoft, Google and so on have always been kind of, not necessarily obstructive I suppose, but they haven't embraced the ethos in a way that I guess the wider development community might like them to. And that changed quite recently, actually. I think there was a lot of confusion and some shock at Microsoft, for example, acquiring GitHub and a lot of people forecast the end of open source and the likelihood for Microsoft to essentially take this adversity to the concept of open source. And I don't know, for want of a better way of putting it, shut things down.

Jane

Yeah, yeah, I remember there was a lot of worries when that happened that GitHub being one of the main repositories of open source code that yeah, Microsoft was gonna take it and "thank you very much", put a little wall around it or charge a subscription or whatever. That of course hasn't happened. In fact, until you mentioned it just now I'd forgotten that Microsoft owns GitHub even.

Keumars

And then there's IBM and Red Hat too.

Jane

Yes, yes, you're right.

Keumars

It's another one. Yeah, similar story there really. I think one of the - we'll come on to this later - but one of the speakers at the event I was at, described that as blowing his mind at the time. And not in a good way.

Jane

Yeah, so you were at the State of Open Con conference in London in February, and what was that all about, then?

Keumars

State of Open Con 23 was the inaugural event run by OpenUK, which is an advocacy body for open source, not just for the UK but, you know, a UK-based voice. It's an organisation that aims to lobby on behalf of the open source community when it comes to either policy or corporates. It's a hub for developers to get together. It's a forum for discussion, and this was the first major event of its type, based over two days and inviting representatives from all kinds of companies, people from different small businesses, startups, corporations, people from the government, DCMS, or as it is now known, DSIT, I believe? I'm not sure.

Jane

Yes, because the government has quite gone, perhaps "all in" isn't quite the right term. And we have, of course, had about two, maybe three changes of administration since this happened, but they were very kind of pro open source, bringing open source into both national and local government. Is that still something that's sort of prevalent in the UK?

Keumars

Definitely. And I think it's prevalent, more and more prevalent, across the world, especially in the UK, the US, lots of EU countries that I'm aware of. Government, and this is again one of the themes that came up, government is a big customer, or consumer if you want, of open source technology. Whether it's open source software or even going, you know, into the peripheries of open data, open hardware standards, it's something that is very early days, but this is something that a lot of people in the open source community are excited about, but also slightly concerned about.

Jane

What are their concerns?

Keumars

Their concerns are largely regarding the health of the ecosystem, and whether large consumers who access this free software, whether it's in the form of small packages or anything, whether they should be contributing back to the vast ecosystem in any way. And currently it seems that although the public sector is quite a big consumer, there doesn't seem to be much in the way of giving back. And it's not necessarily a deliberate, nefarious kind of negligence of duty, more just that those conversations haven't really happened yet, I don't think.

Rory

So would you say that the current read is that it's more of a transactional relationship, in a community that's historically been more about sharing ideas and collaborating on things?

Keumars

In a way, yeah, I think a lot in government have started to tap into the potential of open source and start to kind of use it in a good way and in a healthy way. But again, the future of open source, as we're kind of discussing, is kind of unknown. And although there's a lot of excitement, and this buy-in from the public sector is really welcomed because it does help put open source issues and all the problems such as security on the map somewhat, and we have written legislation potentially coming in the EU and lots of different regulatory questions being asked in the UK and the US. So it helps raise all of these issues to the surface. But again, if you dig beneath it, there are issues about "okay, well, how do we ensure that there aren't these security issues that are prevalent?" How do we make sure code in future is run over and combed over and curated and made as robust as possible?

Jane

So you say that government, whether that's the UK government or elsewhere, are viewing this more as a transactional relationship. That they are taking without giving, possibly through a misunderstanding or just because it's complex? Is this just a government problem? Or are there others who are kind of taking without giving it back?

Keumars

Well, it's actually quite broad. And it's, again, not really deliberate, it's more due to a misunderstanding or a lack of awareness as to how the ecosystem works and the principles underpinning it. For example, there's the question of, normally, if you consume open source there is an expectation of giving back in some way. In the public sector, at the moment, that is not necessarily happening. If we move on to other companies in the private sector, and it's a good thing that more and more companies and organisations are embracing open source, but if you look at some businesses that are embracing open source without really being fully aware of how the whole ecosystem works, many of them are consuming open source software and essentially expecting a service when it comes to the maintenance side of things. So it's akin to purchasing a piece of software and then expecting bug fixes. If something goes wrong, they might get in touch with maintainers who are unpaid and largely working on this in their free time, and, you know, just out of a passion for whatever it is. They might get in touch with maintainers and say, for example, "we've identified that there might be some flaws in this, we need a fix by, you know, next Friday because it's a critical part of this piece of software that we run", or whatever it might be. There's that element of, well, that's not actually how it works. And there shouldn't be those unfair expectations being placed on maintainers. So there are quite a lot of tensions that come as the ecosystem grows and grows. How do you manage those expectations? And how do you make sure that it doesn't undermine the expansion of open source?

Jane

Isn't sort of feeding back bug fixes and, yeah, fixing the bugs yourself and then feeding them back into the ecosystem, isn't that supposed to be a fundamental part of how you use open source? "Oh, guys, if you're trying to do X, Y, Z, then you need to watch out for blah", rather than just taking it and then being like, "there's a problem, fix it".

Keumars

I mean, that's actually a very interesting point, because we now have a situation where you do have some really critical pieces of software, some really important packages or whatever it might be, used by all kinds of companies. And, you know, demonstrated by Log4Shell, for example, which was a zero-day vulnerability found in the Java logging framework Log4j, which is maintained by Apache. So this piece of software was used by a host of different companies. And there are other examples of software that might be really widely used, but not very well maintained. And again, I don't want to say that Log4j wasn't necessarily badly maintained. But this vulnerability was present in the code for a number of years before it was exploited. And there are arguments to say, well, if there were more eyes on the code, if you had more maintainers, if there was more of an incentive for the maintainers to be paid, for example, then maybe they would have found this bug sooner and fixed it. Now, there is lots of open source software out there that might only have one or two maintainers working on it. And maybe one day they decide they don't want to do it anymore, and they start a new project. But by this point, thousands of companies might be using it. So you get into a position where, who's maintaining this piece of software?

Jane

I was gonna say, what happens if you go from lots, to a handful, to no maintainers at all?

Keumars

Well exactly, and I believe it has happened before, and not in such a devastating way as Log4Shell, where a critical vulnerability was found and exploited. But you do get that situation sometimes, which is where curation starts to come into the picture. And this is companies themselves who use the open source software essentially maintaining it from the inside. And there is this rising tension between the role of maintainers, especially in the small ecosystems with specific pieces of software that are quite well maintained, and the curation side of things. Google, for example, launched a software vetting initiative last year called Assured Open Source Software. Essentially it vets open source software, checking for vulnerabilities, checking for code, and stamps a licence of approval on it. It's essentially kind of symbolic. But because there's been this history of animosity from corporations like Google, like Amazon, AWS, you know, towards the open source ecosystem, maintainers are inherently a little bit untrustworthy of this involvement and the growing influence of curation.

Rory

You've mentioned Google there. And in addition to the service you mentioned, they also have a Software Delivery Shield, which isn't explicitly for open source, but it is about giving their customers assurances on the security of software that they may want to be integrating into their stack. Are these kinds of solutions, where say a public cloud provider is creating their own kind of supply chain for open source software, are these long-term fixes for the security issues with open source? Or are these more of a temporary solution that happens to benefit you if you're already a public cloud customer?

Keumars

It depends on who you ask, to be perfectly honest. So if you ask people from Google, they'll say, and I did ask someone from Google, the VP for infrastructure, Eric Brewer. He believes, and a lot of other people believe, curation is the only way of having a long-term and sustainable means of identifying and fixing vulnerabilities on the whole, in the round, generally speaking. However, as I mentioned, many developers are very wary of this. And they think, probably because of suspicions and lots of other factors, they believe that it's not the only way. That's one way of doing it. But it might not necessarily lead to this kind of almost utopian bug-free view of the open source ecosystem.

Jane

It's fundamentally a trust thing, then?

Keumars

I think it has a lot to do with trust. And I think a lot of... I mean, I don't want to take us to kind of deviate too far from what we're talking about. But even within the open source community, even developers who are all kind of on the same page on most fronts have disagreements over what open source means anymore. If you restrict by region, for example, some people think that's not open source anymore.

Jane

Restrict by region, in what sense? So like, your software is available in the European Union, but not Latin America, that kind of thing?

Keumars

So your software might be available in every country except for Russia, for example, for political reasons, and, you know, many people who... it's hard to find someone who thinks, you know, the war in Ukraine is a good thing. Unless, you know...

Jane

I'm not even sure that those committing it are that convinced anymore. Yeah.

Keumars

Essentially, there are some who feel that, from an almost purist point of view, fine, you know, restrict by region, but don't kind of call it open source anymore. So these conversations are happening. And because some of these themes are quite new, nothing seems to be quite settled at the moment, and new conversations seem to be happening that weren't happening five years ago.

Jane

Yeah, it's funny, isn't it, that open source has a long pedigree. Linux is definitely not a new thing, and everything it's based on is very much not new either. But the uptake, like we've said, the interest of bigger companies that have previously been very fundamental on their proprietary software, the interest of governments in terms of using it, not cracking down on it, or whatever, is all very new from the past, say, 10 to 15 years.

Keumars

Definitely. State of Open Con, for example, wouldn't have happened two years ago. And a lot of people who were there were so happy that finally, you know, finally there's an organisation with enough funding, and enough of a voice, to host something like this in the UK, and invite people from all over the world to come here and talk about all the big themes in open source. So there's a lot of momentum, and a lot of positive momentum, as well. So it shows the pace that things are moving at is very quick. And again, going back to the conversations in government across the different jurisdictions, the EU, the US, the UK, they're taking a big interest in open source. Not only from the supply chain security side of things, because that is a huge concern, especially for a lot of public sector agencies who are customers, and who are vulnerable if a security flaw might be found in software they use. But from the point of view of trying to maintain this ecosystem, build on it, encourage its long-term sustainability, these conversations are open and they're happening. And it's not necessarily led by the governments respectively either. For example, the White House executive order was broadly encouraging, from the point of view of many in the open source community. The recent UK government intervention, again, is broadly positive. But my impressions were the government didn't really know what they were looking to do, they just knew they wanted to do something. And they were welcoming direction from anyone who was willing to offer it. We'll see how that develops. But it seems to be something that the government are very open-minded about, which is better than, you know, if the inverse were true.

Jane

Yeah, yeah, absolutely.

Rory

So it sounds like, despite the disagreements from maybe the purist side of the open source community, the private sector and the public sector are actually at the table to a degree that they've not been before. Would you say that this is a fair assessment of the current state of things, and that this is maybe a new landscape that we're entering into?

Keumars

I think we are. I think we're into this landscape. We haven't been here long. And it seems like the direction of travel is positive, and I think you only need to look back to a few years ago to see where we've come from to where we are now. As I mentioned, you know, you have the likes of Google and Microsoft at the table having these discussions, with very pro open source people within those companies who are pushing the needle. On the public sector side, you've got a lot of goodwill and a lot of open-mindedness to try to understand. So, you know, we've gone beyond "what the heck is this open source thing?" Okay, well, how can we make sure developers within this ecosystem get what they need? You know, what are the best models for funding in the long term? What role can the DCMS, or DSIT, or whatever it will be called tomorrow? What role can a department like that play?

Rory

So looking into the immediate future, what's in store for open source? And can the community expect things to improve in the short term?

Keumars

As Amanda Brock put it, who is the CEO of OpenUK, for open source either the community wins in the next five years, or it loses, and everything collapses. So it could go one of two ways, which is maybe not a helpful answer, but I think it's reflective of the fact that these anxieties are out there and are being vocalised. And the reasons mainly are, nobody's yet decided how open source should move forwards. And nobody knows yet what this looks like, and how it will be funded. I think funding is one of the big issues. It's not the only issue, but it's a major issue. So as I mentioned, Amanda Brock and Eric Brewer both are in agreement that the government needs to put some money on the table. And there needs to be some kind of aggregation and distribution of funds by independent people who can offer resources to projects, to really important pieces of software, equitably across the entire ecosystem. What that, you know, looks like, nobody knows yet. We've got foundations, which are really important. So for example the Rust Foundation, which isn't very old at all, pulls in between $2 and $3 million (£1.6 to £2.5 million) a year, mostly in donations, it has a very small crew of staff. And it plays a really important role in its own community, among kind of Rust maintainers, and so on. But not every project has that, no matter how big or small, or how wide the use is. So it's a really, really diverse community with a lot of different potential pain points. Again, security is a big problem, and if we continue to see supply chain attacks over the next few years... I mentioned the private sector and the public sector, lots of organisations, having only recently maybe dipped their toe into it, or, you know, they've heard a lot about it, they're starting out, maybe it's now an important part of their stack. They could just turn around and say, "well, we tried and we failed", you know, "let's try something else". And open source could just shrink back to where it was, you know, both in terms of the number of consumers of open source, but also its place on the agenda. There's a lot of positivity. But there are concerns. And I think the main priority for open source is to find a way to maintain software, find a sustainable model that people can rely on to ensure in the long term we can minimise potential security risks.

Jane

On that vaguely hopeful note, I think we're gonna have to end our conversation. But thank you very much Keumars for joining us.

Keumars

Thanks, guys. Thanks for having me.

Jane

As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk.

Rory

You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, why not tell a friend or colleague about us?

Jane

We'll be back next week with more from the world of IT, but until then, goodbye.

Rory

Goodbye.
