Does Open Source Still Matter?
Jonathan Marsh
VP Strategy, WSO2
9 May 2024
Yes!
But … let’s look deeper at the current environment
● Challenges addressed by Open Source
● WSO2’s Open Source policies
● New challenges to Open Source itself
● The future of Open Source
Challenges addressed by Open Source
Better software
● Transparency improves software development practices
○ More eyes on the code
○ Contributes back to human knowledge (human and AI training)
○ Wider set of constituents
○ Wider set of contributors
○ Open marketplace of ideas
○ Rewrote how software is written with decentralized tools and governance methods
● Reduced duplicative efforts
○ Freely build on best-of-breed components
○ Allow technical consensus to coalesce around best software
● Attracts geekiest developers
Cost & equity
● Software is necessary for modern societies
● Traditional software vendors may impose undesirable terms:
○ Unaffordable
○ No control over evolution, maintenance
○ Controlled by private entities
○ Controlled by foreign entities
● Open Source provides legal path to obtaining low-TCO software
● Maintains market pressure on proprietary software vendors
Software independence
● Open Source broke open the problem of “vendor lock-in”:
○ High prices
○ Unresponsive to evolution needs
○ Opaque quality & “abusive relationships”
○ Product lifecycle pressure (early EOLs)
● Now governments are emerging as a more significant source of uncertainty
○ Data privacy and other software regulations
○ Trade restrictions
○ International sanctions
○ Snooping by “law enforcement”
WSO2’s Open Source Policies
WSO2’s extraordinary Open Source commitment
● All downloadable products
○ SaaS offerings may differ
● All enterprise features
○ No dual licensing
● Permissive license
○ Apache 2.0
● Critical security updates
○ On latest release only
● Open process
○ Apache Way governance model
Why does WSO2 prefer Open Source?
● Ideological decision deeply embedded in company history and culture
● Increased employee equity
○ Establish personal reputation
○ Access to code after leaving the company
○ Exposure to a global community (contributors, users/customers)
○ Supports development of software talent beyond Silicon Valley-like hot spots
● Secures unique business advantages
○ Replaces expensive marketing with viral/word-of-mouth awareness
○ Benefits from open-source preferences (individual, institutional, regulatory)
○ Expectation of high value/low cost
WSO2’s business model
(Diagram, image by Freepik, contrasting Users with Customers)
● Users: no marginal cost, broadcast, community, public, free
● Customers: marginal costs, individualized, expert, private, paid
WSO2’s business model
Users
⦿ Community releases
⦿ Regular releases with new features & bug fixes
⦿ Critical security updates on latest release (only)
⦿ Community support (public, best efforts)
⦿ DIY & community expertise
Customers
⦿ Supported distributions & SaaS products
⦿ Continuous updates on 3+ years of supported releases
⦿ Security bulletins & updates to supported releases
⦿ Enterprise support (private, SLA)
⦿ WSO2 expertise
Challenges to Open Source
Maintaining security in a decentralized system
The #XZ story:
● A compression library central to the Linux stack was maintained by an overworked volunteer
● Nation-state hackers posed as open source developers to gain commit rights and assume effective control over the component
● After a year of productive participation the new committers inserted a very significant back door
● An alert developer/consumer at Microsoft noticed degraded performance, then located and reported the problem
● Worries remain that a loose system of decentralized volunteers is open to manipulation
See https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/
SaaS
● Strong trend towards SaaS for the last decade or more
○ Ease of trial
○ Low entry cost
○ Low maintenance effort
● On-premises deployment still continues to grow
○ “Reshoring” SaaS to save money
○ Cloud native characteristics now more readily available on-prem (Kubernetes)
○ Competing regulatory regimes leading to a fragmented global market
Mega-cloud competition
● Smaller companies can face existential competition from Amazon etc. should they decide to offer a SaaS version of a popular open source product.
● Vendors are moving towards “source-available” licenses to provide most of the full benefits of open source to MOST users, while precluding “predatory” use.
○ MongoDB, MariaDB, Cockroach Labs, Couchbase, Redis, HashiCorp, Elasticsearch
Investment expectations
● Open source companies have not proliferated
● Low uptake from traditional VC investors
○ No playbook for success
○ Difficult to make quick returns
○ Hard to defend/monetize proprietary IP
○ SaaS is more attractive
○ Dual-licensing (i.e. not truly open) at best
● Value of open sourcing is often indirect
○ Preempt competition
○ Boost reputation
○ Leverage community to lower long-term costs
Increasing regulation
● US Cyber Trust Mark Act
○ Safety certification allowing consumers to choose safer products
○ Certification performed by independent labs
○ Voluntary - open source projects can choose whether to apply
● European Cyber Resilience Act
○ Product safety regulation - software vendors may be penalized for insecure software and sub-standard security processes
○ Requires self-documentation of security practices and ongoing responsive measures (e.g. security patches)
○ Applies to all software vendors with business in Europe, with global spillover
○ Also applies to open source software sponsored by vendors with business in Europe
Gift horse or trojan horse?
● Increased costs of releasing software
○ Formalized risk assessments
○ Documenting releases
○ Achieving zero-known-vulnerability goals
● Increased costs of maintaining software
○ Making security updates available freely
○ Promptly reporting security vulnerabilities to authorities
○ Committing to a product lifetime
● Increased financial risk
○ Penalties reaching millions of euros
Who pays for conformance costs?
● Software vendors
○ Higher prices for commercial products to subsidize open source
○ Where the open source is ancillary to a commercial product sale (e.g., tools)
○ Where the open source is a precursor to a commercial product sale (e.g., dual license)
● Open source foundations
○ Established open source foundations can provide systems and support for conformance
○ Foundations are usually funded with pooled corporate dues and donations
● Governments?
The Future of Open Source
(my predictions)
Entering a time of push and pull
● Regulatory damage to “as-is” open sourcing
● Harder for companies to justify open sourcing in the face of increased obligations and liability
● Public funding is insufficient to fully support open source as a public good
● Waning globalization and waxing geopolitical instability will drive demand for software independence
● SaaS may peak in some areas - “reshoring” underway
● Open source can avoid traditional marketing saturation failures, with word-of-mouth awareness
Awareness of the need to treat open source as a public good
● OpenSSF (Open Source Security Foundation): defining and promoting repeatable security practices
⦿ https://openssf.org/
● Open Source Quality Institutes (OSQI): Tim Bray’s idea for public funding for open source “commons” maintenance efforts
⦿ https://www.tbray.org/ongoing/When/202×/2024/04/01/OSQI
Developer quandary
(Decision diagram) Release as open source?
● Fully conform, accept liability & maintenance obligations
● Don’t release at all
● Release as closed source/dual license
● Regional “open source” license variants
● Explore new revenue sources
● Minimize conformance costs
Less license purity
● Increased use of dual-licensing and source-available licenses (addresses the investment problem)
● Increased use of SaaS-prevention licenses (addresses the SaaS problem)
● Emergence of “as-is” licenses (addresses the un-funded mandate regulatory problem)
Return to Open Source Foundations (OSFs)
● OSFs will gain some special regulatory status
● OSFs pool costs and mechanisms for satisfying regulatory requirements
Personal thoughts
● Open source will need your help!
● Be open to a diversity of open-source-adjacent licenses
○ Licenses that prevent direct competition by SaaS providers
○ “As-is” licenses
● Support open source as a public good
○ Support initiatives to provide public support
○ Expect more certification options
○ Recognize secure use of open source is a joint responsibility of developer and user
● Know your Open Source - examine the SBOM
● Expect somewhat less diversity and vigor in open source community
● Expect somewhat higher costs for commercial equivalents
Thank You!
WSO2CON 2024 - Does Open Source Still Matter?