...open source is not a business model, and when they build the business around the open source they need to very clearly define the business strategy around that. So having a very successful and virally spreading open source is fine, but where is your value?

Hi, this is your host Swapnil Bhartiya, and welcome to Let's Talk. Today we have with us Dotan Horovits, principal developer advocate at Logz.io. Dotan, it's great to have you back on the show.

Thank you, so great to be here.

Yeah, and today's topic is around open source, and as the theme was suggested, "open source is more than a license," which is totally appropriate for today's discussion. I think one of the reasons, I mean, I remember my early days in journalism: I started as an open source journalist and I met all these luminaries back in 2005, Jim Zemlin and Marshall, and it was a new world to me back then. Our idea was, you know, why should companies use open source, what are the benefits? Look at 15-20 years later: most of the companies are now using open source, the world runs on open source, but it feels that companies don't even know why they use open source or how they can become good at open source. Even at the same time, as the business has grown, we have seen a disturbing trend where companies start with the open source license and then, when it gains momentum, they change the license, which becomes incompatible. I remember in the early days we used to worry about, hey, is this license compatible with, you know, GPL v2 or not, and now it doesn't matter. It's a very, very difficult world; the lines between, you know, what is open source and what is not open source, you know, Llama 2 and all those things, are becoming very, very difficult. So I want to just hear from you: give us a broader, high-level overview of what you are seeing in the market, industry, communities today, where you're seeing the lines, you know, between open source, proprietary or open core getting blurred.

Yeah, so we see that, definitely, we've seen that in the past couple of years for sure, and more so even lately. Probably all of your audience has been aware of the Terraform relicensing, for example, and other projects in the HashiCorp family. And we've seen that in the past as well; we all remember probably MongoDB and Elastic and Confluent and others. So as you said, you can worry a lot about licensing, which most of the people do, but then the licensing can actually change. So you can find the licensing that is appropriate for you and then one day find out that the licensing of the project has changed. That's one of the things we can see. Other things in the industry that are peripheral, that are not just the relicensing itself, we can talk about things such as, for example, if you look at the repository where you keep your own assets, like the registry. So the terms of service of a registry can also be a significant change: if you think about the Terraform registry in the example that I mentioned before, think about other registries, as long as it's open you can use it, that's one thing, but if the terms of service change, again, that's a major change. Or we can look at Red Hat's change on CentOS, or more so RHEL, the enterprise one, and the way that it's not a change of license, just a change of the way that the code is being released and what comes before what, and how CentOS is or is not compatible with RHEL, and so on. So these sorts of changes make it more blurry, whereas before you knew this is open source, now you have also source available or "fauxpen source" licenses, and you have all sorts of other flavors that are open core, obviously, like the Redis model and others. So it's a more complex world these days.

As you said, if you just forget about all of that, and let's not look at the definition of open source or of free software by the FSF or the OSI: what is the goal of open source, what is the basic idea of open source?

So I think this is the core question, because people get really confused, especially these days. And so, source available: is that open source? It's not open source, because people say "open source," so open, meaning that the source code is open and I can access it, but that's actually not open source, that's source available or a fauxpen source license. So the term actually is free and open source software, FOSS, as you probably well know from your experience, but the free part is very important, because what is free in "free and open source"? So as we said, it's not free access to the source code, because you have source available for that. It's also not free of charge; people think about the cost. No, you have community editions for many of the proprietary products as well. So the free, I think it comes to the essence of the freedom to use, to modify, to redistribute the software for any purpose without restrictions or discrimination, and that's the real differentiation of open source from all the other alternatives we mentioned.

How much do you see people understand what open source is? They do consume a lot of open source; there's a difference between the open source user and the open source consumer: consumer is one-way traffic, user is two-way traffic. So how much awareness or education do you think is there, or are we going back to 2005 where we started educating people, hey, you know, what is open source and why should you do it?

Right, I find myself, very surprisingly, going back to the basics of what is open source, what is free and open source software, in many discussions, in many forums. And yes, the question comes back again but in a different form, because there are so many variants and so many things that are similar but not exactly, that are challenging, by the way, even the professionals. You look at the OSI, the Open Source Initiative, struggling to find its position; you look at the CNCF, the Cloud Native Computing Foundation, needing to issue responses to Grafana Labs' relicensing or to Elasticsearch's relicensing and others, because it's so heavily used, by the way, by other open source projects. So the impact of these moves is not just commercial impact and a business risk for companies; it's also a risk and an issue for other open source projects within the open source community itself. I think if I'm a project and I'm an Apache 2.0-licensed project and I use another tool or another dependency or library, and that library suddenly changes from Apache 2.0 to a non-open-source license, that's a no-no; I can't carry on using it. And even if it changed to another open source license that is not enabled, so for example the CNCF does not permit using AGPL version 3, so when Grafana changed from Apache 2.0 to AGPL version 3, that was an issue to many, many projects utilizing that project. So this is a main concern both for the open source community and for businesses, where it's an actual business risk.

Let's look at the role of some of the organizations, you know, CNCF, which is part of the Linux Foundation, of course; OSI is also there. How much can they do, or what role can they play in addressing some of these challenges? Of course, you know, OpenTofu was a great example where, you know, the whole user community came together to kind of find a way around the license change by HashiCorp for Terraform. So there are a lot of things going on, but in general, what are you seeing there? What role can these organizations play?

Yeah, OpenTofu was an amazing example. I saw the fork of Elasticsearch into OpenSearch; that took like six months to reach the first version, the GA, and with OpenTofu it was so fast. I've been in touch with the founding members; I even had them on my show to provide more exposure to this initiative and get more people on board, and that's amazing. And closing the loop also with the Linux Foundation and making sure that this is being adopted by the Linux Foundation as its own project. So really a great example that I'm curious to see how it evolves, but a very good start.

Now, foundations, for those who are not familiar, this is a different creature, both from vendors and also from single maintainers that create very cool projects in their basement, but still you have the risk of a one-man show or someone, you know, flipping on you one day and you don't have the project. With the foundations it reduces a lot of that risk, thanks to the fact that the project is actually owned by the foundation: a vendor-neutral foundation is the legal entity owning it, not any of the vendors, no matter how heavily involved they are within the project. So that's about the legal side of who can actually decide to change the license. And secondly, it's about diversity: you have a vendor-neutral ground and you have very clear governance around the project to make sure that there's no single entity that will grab control, and there is very clear governance that will balance out all sorts of potentially conflicting interests, and making very transparent who can become a committer, who can become a maintainer, who can become an approver of PRs, and so on and so forth. So a very clear process. So I think this is the main value of foundations with regard to these risks, and above that there are also other additional benefits, such as encouraging collaboration between the different open source projects under the same umbrella of the same foundation, the cross-pollination between the projects and between the maintainers that are actually part of one forum, one Slack workspace if you want, if you look at the CNCF's massive Slack workspace, for example. So it's a really powerful way to reduce the risk. I'm not saying it's foolproof, bulletproof, but definitely it reduces the risk tremendously.

Now the next question I'm going to ask is a very tricky question, and it could be sensitive as well. If you look, we have been talking about FSF and OSI, and if you look at some of the most popular licenses that predate it, whether it's GPL v2, v3, AGPL, or, you know, a lot of other OSI-approved licenses, they were written in the age when we used to write and distribute software: we would download it, we'd run it on our own machines, where the whole point was that if you are redistributing with many changes, I want to see the changes back. When I talked to Linus he was like, you know, the only thing I care about is if you have made any changes that improve my code, I want that change back so I can further improve it, and that is also the idea behind it. But the challenge in the cloud-centric or SaaS world is that nothing is being distributed; everything is running on my own server, you are just accessing a service from my own server, so I'm not even compelled or bound by the license, so actually I'm not violating any of those licenses. Of course AGPL can be challenging, but others are not. And sometimes we hear this message, you know, these big cloud vendors are, you know, using our services so we cannot compete with them, and that's why we are changing the license, restricting their usage, which goes against the whole idea of open source that we talked about. I had this discussion with Stefano also, at Open Source Summit, from OSI, about the license change: instead of these companies keep coming up with their own licenses, which are obviously not OSI-approved and not compatible with other licenses, should we come up with a license which is more suitable in the cloud world? So do you think that we need to come up with a license which is more suited for the modern world?

So licensing is a very subtle thing, and to be honest I'm not a lawyer, I'm an engineer, so I don't know if I'm the most qualified, especially if you had the chat with Stefano, the executive director of the OSI. But what I can tell you is that there is a very large range of open source licenses within the OSI, including, you mentioned, AGPL. So AGPL does have a section that discusses accessing the software via the internet, via networking, which is exactly the use case. So definitely I think there's a lot of room to maneuver within the OSI, and maybe there's room to fine-tune that, but I think the core issue here is not about the licensing. I think the core issue is that these founders that are so excited about open source, and they realize open source is the go-to way, and they start from day zero, many of them, around open source, and they get the viral effect and everyone using the open source, but they don't realize that open source is not a business model, and that when they build the business around the open source they need to very clearly define the business strategy around that. So having a very successful and virally spreading open source is fine, but where is your value? Is your value around providing services around the open source? Is that value around creating a commercial product, an enterprise-level one, a hosted version of the open source, or many other ways? So it has to be very clear, and this is something that I find myself day in and day out talking to young founders starting new ventures about: that they need to pay extra attention to setting the business model for their company and making sure that the open source provides its own differentiated value. OK, it has to stand on its own right. It can't be that if you use just one and a half or three nodes, suddenly you need to start paying or something like that. If you castrate, so to speak, the open source, developers will immediately go away and look for alternatives. It needs to provide value in its own right as open source, and then in addition you make sure that you have your unique value proposition on top of that, very clearly distinguished from the open source.

Actually, most of the projects out there on GitHub are actually single individuals, and just not to sound like I only talk about vendors and vendors are evil: no, vendors are not evil, I work for vendors as well and everything is fine. And also these passionate individuals that compose their own open source in the basement, I tell them, by the way, the same advice: if you decide to open source your project, don't expect material compensation out of that. You have lots of ways to earn your bucks from code development, from software, from these things, but if you go down the open source path, don't expect that material compensation. And we've seen issues with single maintainers that realized at some point that it's such a heavy burden, and on the other hand they haven't seen any income from the open source, and they started getting frustrated because all the Fortune 500s are using, I don't know, look at Log4Shell, the vulnerability that just showed to what extent Log4j 2 is being used, and it's two maintainers around that project. So for individuals I'm saying the same: don't expect material compensation with your project if you decided to go for the open source path. Realize that and either accept that, or you can find a lot of work, again, by the way, including for-pay developers in open source; some companies pay open source developers to work for them, it's fine. Or go down the path of setting up a vendor entity around that, like around Kafka, the folks from, what's their name, I forgot their name, that started the startup around Kafka, anyway. So lots of examples there, around M3 and many others, the ex-Uber guys and many others that started their own company around the open source that the company spun off. But don't be confused: you need to determine whether you want to start an open source or if you want to go down the money-earning path. Two different things.

If you look at the general trends that are going on in the industry, do you see that the trend is becoming really disturbing, whether we look at the whole miscommunication around Red Hat and CentOS, or HashiCorp's Business Source License, and before that a lot of other things happened in the past, where you're like, hey, this is a disturbing trend? Or you think, hey, you know, these things always happened in the past: if you look at the whole SCO and all those, you know, the whole lawsuits and everything else happened, the whole, you know, Samsung versus Apple happened, Microsoft was anti-Linux, but now they have become, actually, I was joking that actually Windows is the biggest distribution of Linux these days with WSL2, you know, the desktop Linux joke is here: Windows is the Linux desktop today. So the point is, do you feel that no, these are minor events, they will keep happening, they have kept happening in the past, we should not worry about it and focus on helping those individuals or companies who do want to build an open source ecosystem? Or you're like, no, those disturbing trends are going to affect the larger open source ecosystem?

I'm not worried, to be honest. I think it's an evolution. I think maybe we're maturing up as a community and as an industry. So maybe before there was more of a romantic view of open source and more a binary way of saying you're either open source or proprietary, and today's world is more complex and you have more shades and more flavors around. But I think it's ultimately maturing up as a community and as an industry. So as I said, we need to realize, we need to face the fact, especially in the industry that is venture-backed to a large extent, and you have the financial pressure to deliver financial results, which are always short-term, whereas community is the longer-term play, obviously. So we need to balance out the community and the business incentives. I don't expect it to change; these pressures and these conflicts will carry on being, and the different startups and businesses will need to balance them out. I think as an industry we need to, as I said, realize better how we build out sustainable business models around open source, and maybe make licensing options more elaborate to accommodate different models, and having these foundations stronger and more of the larger vendors taking part. I think that if you look at Microsoft's transition to open source, it is an amazing example. I think AWS has been making tremendous strides, if I look at OpenSearch and others compared to what they used to do before that. So I think the realization also from the large companies that they need to pitch in and to also contribute back will balance out a more stable way of handling open source as an industry.

What advice do you have for, you know, organizations, students, developer teams, engineering teams? You know, let's go back to the example of Terraform, who were heavily relying on some of these technologies; suddenly the business, sorry, the license was changed, which makes it difficult for them to continue to use or work with that project. So how should they evaluate a project at the earliest phase, that hey, this is a project that we can rely on and build a company around, which will be around for 10, 20 years? That is the first part of the question. The second part is that if they do end up choosing a project or a product that is in a dicey situation and the license change happened, how should they deal with that? So it's a two-part question.

Yeah, so first of all, if you need to choose a tool, we all know to look at the licensing. I think that you don't need me to explain: find the license that is most permissive and suitable for your business needs. But don't end with just the licensing; go beyond that and try and understand who's behind the open source. Is that a one-man show, as I said, an aficionado there in the garage? It's a single point of failure. Is that a vendor? Maybe the vendor can, you know, suddenly pull the rug from underneath your feet. So if it's foundational, as we said, you get more guarantees. So who's behind the open source is very important. Also, what's the governance policy around it, to understand who can be a committer: if I'm a competitor, can I become a committer if I'm passionate about this open source but I'm a competitor of your vendor company, or not? Will you block me, will you block my commits, will you block me from advancing up the ladder if I'm active, and so on and so forth? And ultimately, who can, obviously, relicense. And this is, look at the whole picture, not just the licensing, that's what I say. And when you get to actually use it, also use it with the relevant mindset. So just like you have the security mindset with software, the same with licensing: manage your third-party licensing exposure with the same care as you do for security. Do SBOMs to analyze what kind of dependent licensing you have downstream with dependencies and others; make sure that you don't have license contamination within your code. And also when you use these dependencies, do treat it with care. I'm an engineer, we all like automation, for example, but be careful with using automation on your CI/CD pipelines and upgrading these versions of the third parties without putting safeguards in place where you check the licensing issue. If suddenly the license changes and you automatically upgrade, you may find yourself in a lot of trouble. So with all due respect to automation, definitely take care of that. And if you do find yourself needing to extend the functionality of the open source, do try and do that not by modifying the core code, which is the first thing that gets blocked by relicensing, but try to do it in a pluggable way, by extensions, plugins, and so on, which is usually a more relaxed way of doing that and is less exposed to the relicensing change.

Who can be hit really hard if such a license change happens? Talk a bit about what kind of industries those will be and what they can do to avoid any potential fallout from license changes on the projects they rely on.

Obviously this license change can be legally a very serious exposure to the organizations using that dependency or that library or that tool, and for these organizations like financial services, banks, government, or things like that, that want, just like any other business, to mitigate the risk and are willing to put some bucks on that, but still want to work with the open source, they like the open source, then my recommendation: they can just go with distros. Distros are like packaging of the upstream open source that are provided by vendors, and they come, obviously, with the indemnification, so the vendor that provides a distro will take the heat in case of such a thing and will be legally the owner of that. And that's one way, and obviously it comes with additional benefits: they provide support, they provide certifications to run on specific hardware setups, so you get a more well-rounded version of the upstream open source. That's for on-prem. If it's cloud-based, obviously you have SaaS versions of the open source, such as Logz.io that provides Jaeger or OpenSearch or others as a managed service. So again you get that as a service and you are not directly exposed to any relicensing, and someone mitigates it for you in the cloud realm. And in that way, when you also purchase these distros or these services, usually you also help fund the open source, because these are also ultimately the force that invests in and is part of moving the open source forward. So I'd say it's also pay forward, in a way, instead of payback: pay forward.

Thank you so much for taking time out and kind of discussing this very complicated and sensitive topic in a very pragmatic manner. Thanks for all those insights, thanks for the great advice to companies as well, and I would love to chat with you again. Thank you.

Thank you, and may the open source be with you, as I say.