As an IT leader, you need reliable, long-term solutions for your enterprise to build on. You cannot afford a sudden license change that forcibly increases cost, weak security that undermines trade secrecy, or the sale or bankruptcy of a vendor that deprives you of qualified support. Designed to protect the recipient of the software rather than the vendor, Open Source licenses like the GPL provide exactly this guarantee. Rather than buying the product, you purchase support and services, ensuring quality and continuity. As long as you manage to avoid pitfalls like open core businesses trying to sell you something they don’t have, you can benefit from confidence in your infrastructure, which helps you run an efficient, effective operation.
License agreements are notoriously terrible, which is probably why almost nobody reads them. Software maker PC Pitstop once included an offer of USD 1,000 in its license for the first user to notice the clause offering it. It took four months before someone collected! As Aaron Perzanowski and Jason Schultz write in their book “The End of Ownership: Personal Property in the Digital Economy” (MIT Press):
“When high-quality products are indistinguishable from poor ones, we get what economists call a market for lemons.”
That was, indeed, a quote from the Nobel Prize-winning economist George Akerlof, who showed in his classic 1970 article “The Market for Lemons” that asymmetric information can systematically distort the quality of what’s available in the market. In other words, people not reading or understanding Terms of Service and licenses will result in the quality of those dramatically falling. You can read an excerpt from the book by Perzanowski and Schultz here.
These lemons are hurting your enterprise. Business is built on a simple rule: companies deliver what makes money. Proprietary licenses have the perverse incentive to lock in and squeeze customers, while not incentivising the most important service every customer needs: first rate support. Many proprietary software companies are infamous for their support for this very reason! To get access to their product features, you have to accept whatever support they offer.
Open Source offers a way out of this conundrum: you can rely on any vendor for support for your software, even hire your own engineers, thanks to its copyleft license. Even if the ‘unicorn’ runs out of money, the project can persist and you won’t run out of support.
When it comes to licensing, third-party verification of compliance provides some additional security and certainty about a vendor. Nextcloud had its compliance verified through OpenChain, a Linux Foundation project.
A different style of license
At the core of ‘open source’ is a different type of licensing. While anyone and their dog can call their product open source, the Open Source Initiative offers an Open Source Definition which helps you separate real from fake. Open Source licenses broadly fall into two categories: permissive or copyleft. Permissive means ‘do with it as you like’, while ‘copyleft’ licenses limit the restrictions that can be placed on recipients of the code. It is exactly these limits that provide your business valuable protection from vendor abuse, ensuring quality and enduring service from your vendor.
The GPL and its derivative for web software, the AGPL, are the most used, accepted, proven and tested copyleft licenses. Developed with input from lawyers all over the world, these licenses are primarily designed to protect the recipient of the code from abuse by the vendor. Imagine that: a license agreement explicitly designed to protect your business rather than that of the vendor.
Thanks to their wide usage, the implications of these licenses are widely understood. For example, you can be assured that the license allows your existing infrastructure to connect with the software through well-defined APIs, and that it places no restrictions on time, on the number of users, or on functionality you add yourself.
Open Source enables communities to build software collaboratively. OpenStack is built by dozens of companies and individual volunteers, providing customers the certainty that as long as there is business, there will be a great product, no matter what happens to an individual vendor. As nobody can change the license, you’re assured of a long-term return on the effort your team has put in to get the product implemented.
Open development also ensures better security, a prime concern for many organizations these days. With open code, products benefit from many eyes, and vendors like Nextcloud throw in a Security Bug Bounty of up to USD 5000 as a show of confidence in their product.
The GPL provides legal certainty, protects you against vendor lock-in and gives your vendor a clear incentive to provide you top-notch software, service and support.
As Gartner wrote, the open-core emperor has no clothes. When looking to reap the benefits of open source solutions, companies often fall into the trap of open core businesses. At its core, their business model simply tries to reap the marketing benefits of open source without actually passing any of its benefits on to customers. They claim to be built on an open product while actually selling you a proprietary licensed product.
Many companies build their business and products on Open Source, including Google, Apple, Microsoft and Facebook. Nobody is under the illusion that their products are anything but a proprietary solution, even though some open source components are used. When you buy a closed product, as Gartner points out, even if it is from an ‘open core’ provider, “any direct value from an open source license is lost to you.”
Examples of that lost value include the benefits of better security (the proprietary parts did not receive any scrutiny), the lack of vendor lock-in, the legal certainty a single license brings, and so on.
Health and risk
Even the fake ‘communities’ surrounding open core products are merely marketing: by mostly relying on customers and ‘resellers’ rather than code contributors, they create a sense of openness – even though “we’ve been calling this a software ecosystem for the last twenty years”, as Gartner rightly points out. Luckily, code hosting services like GitHub can easily provide you with a ‘pulse’ of a community, letting you check the overall activity and health of a software project. This way, you’ll know if a project is doing well and whether it would survive the death of its ‘unicorn’ startup.
Moreover, Open Core products mixing open source and proprietary licenses expose their customers to the risk of license breach. On top of a closed source core you cannot legally run community-provided extensions. In some cases, open core products are even shipped as a mix of AGPL licensed and proprietary licensed software, which according to the license is not allowed. When a product is fully (A)GPL (rather than mixing proprietary and open licenses), there is no risk of non-compliance.
As an IT leader, you have to separate the wheat from the chaff. There are real benefits to be had from a strategic use of open source products in your company, but don’t fall for the cheap knock-offs from vendors trying to sell you something they don’t have. Community metrics can tell you some things, security practices others. In the end, you have to do your due diligence, just like with any other product.