Cracks are showing in Enterprise Open Source's foundations

I've worked in open source my entire career1. To say that I'm worried about the impact recent events have on the open source ecosystem would be an understatement.

Red Hat and Elastic logos

In the past couple months:

  • Red Hat effectively killed CentOS
  • Elastic effectively killed Elasticsearch

People may rightfully refute these statements, but the statements are more complicated than you might think. Killing a project doesn't mean the project will vanish overnight, but what has happened so far is two very large companies in the 'enterprise open source' space have shown the chinks in the armor of the monetization of open source software.

For many years, everyone in the industry pointed at Red Hat as the shining example of 'how to build a company around open source'.

And for the past decade, the open source Elasticsearch, Logstash, and Kibana logging ecosystem was on a tear, becoming a standard in the open source cloud stack.

But Red Hat was bought out by IBM in 2019, and after taking over the community CentOS project (which happened in 2014, well before the acquisition), they basically neutered it by ending the decade-long support cycle it was previously known and loved for.

And Elastic switched from the Apache 2 license to a non-free software license for Elasticsearch just a couple weeks ago.

Video Version of the Post

I also have a video version of this post (in case you're more visually inclined):

Red Hat and CentOS

When Red Hat took over the CentOS project back in 2014, there was a mixed, but mostly positive reaction. The CentOS maintainers were sometimes having a hard time keeping up with upstream changes in Red Hat Enterprise Linux (RHEL), and major releases like version 7 and 8 were challenging due to the required architecture changes.

So Red Hat's willingness to come in and backstop CentOS was generally a good thing—for a time.

Last month, Red Hat dropped a bombshell: CentOS users who had started adopting CentOS 8 and expected support for stable releases until the end of the 2020s would get just one year of support.

They would need to switch to 'CentOS Stream', a kind of a 'stable beta' version of RHEL that's more stable than Fedora, but less stable than Enterprise Linux. Or they'd have to give up CentOS entirely.

This angered a lot of people, admittedly most of whom have been building on the free version of CentOS without contributing much if anything back to the project for years (but that's part of the whole 'free software' thing—there will be freeloaders).

But it also angered a lot of people like me, who don't really use CentOS much, except to test other FOSS software on multiple distributions, and used CentOS as a 1:1 proxy for Red Hat Enterprise Linux.

Red Hat extended a small olive branch in the form of less restrictive licensing for developers like me, but it's still not clear how much work I'll have to do if I want to do things like CI testing in containers without having to manage subscriptions and access keys. Those kinds of things may lead to me killing all support for Red Hat flavors of Linux in many of my own open source projects.

So I guess... Debian and Ubuntu for the win?

Anyways, there's more nuance to the entire debacle, but the main thing this points to is the fact that while increasing revenue via licensing might not be the only motive Red Hat had in this move, it was certainly a major factor. And the downfall of Scientific Linux and CentOS makes those who've built their careers or companies around Red Hat compatibility without paying the subscription fees nervous.

Many are waiting to see if up-and-coming Rocky Linux—which aims to be a perfect replacement for CentOS—is going to be released soon, with the same stability they grew to expect from CentOS.

Elastic and Elasticsearch

Now on to Elastic and Elasticsearch: There's again so much happening that I can't possibly cover it all in one post, but the basic story goes like this:

Elasticsearch was created under the Apache License version 2.0. It's grown to be an essential open source cloud infrastructure component, and I've seen it used everywhere.

Seeing its popularity, and the complexity of deploying and maintaining Elasticsearch clusters, Amazon Web Services (or AWS) decided to package up its own hosted Elasticsearch offering.

Well, Elastic, the venture-capital-backed company at the helm of the open source project, didn't like that, because the way they were monetizing their development, and showing growth to their investors, was by charging for their own hosted Elasticsearch offering.

So AWS was directly competing with Elastic, but not taking the same responsibility for the open source project or investing in it as heavily as Elastic was.

This creates a problem inherent to many popular open source packages—when a cloud computing behemoth like Google, AWS, or Microsoft decides to wrap up your free software in a hosted offering, and profits from it, how do you deal with that?

Well, Elastic dealt with it by switching to a new license, which many in the FOSS, or Free and Open Source Software Community, have decried as not being truly open source.

The SSPL, or Server Side Public License, is touted as a GPL version 3 derivative license. It's similar, but has a major restriction, stating you can't build a hosted service without also releasing all the code you used to build that service.

But the Fedora community has publicly stated that "to consider the SSPL to be 'Free' or 'Open Source' causes a shadow to be cast across all other licenses in the FOSS ecosystem."

And the Open Source Initiative dubbed the license "fauxpen" in their article The SSPL is Not an Open Source License. They said "it's deception, plain and simple, to claim that the software has all the benefits and promises of open source when it does not."

So what did Amazon do in response? They forked Elasticsearch. Something well within their rights, since they're forking the last truly open source version.

It will be interesting to see how the communities around these two now separate projects diverge.

Conclusion

So like I said, this post can't do justice to the nuance of the situation. And it's not as simple as "[IBM|Red Hat] is bad", or "leeches are bad for open source", or "giant AWS is forking little Elastic's project." There's a lot more to it, and I encourage you to read more about the news.

But I know for me, it brings up some challenging questions:

First, how can we make sure developers who build open source software are compensated for their work in a just way? And how can we hold both giant corporations and billion-dollar venture-backed startups accountable for riding the coattails of free and open source software without giving back proportionately?

Second, how can I mitigate against software and services I use and love changing licenses and causing headaches? One way is to become more restrictive in licensing, choosing only copyleft licenses that were originally created to offer more protections to individuals than corporations.

Third, if I want to earn a living or build a company around open source, what are my options? We all used to point to Red Hat as the paragon of open source, but it seems like that company—for all the great things they have done and are still doing in open source communities—has begun travelling down the path of sales over source code.

The more corporate-friendly open source has become, the more power has been ceded to giant mega corporations. And who's to blame? Well, sadly, after some deep introspection, I have to admit maybe I'm a part of the problem!

Anyways, these events are causing a lot of developers to second guess their dismissal of the open source 'licensing weirdos' who always yell about the importance of choosing the right license. But maybe they're onto something. Maybe blindly adopting permissive open source licenses to invite more corporate ownership isn't the right answer.


1 The definition of 'open source' I'm using loosely in this sentence is inclusive of both FOSS and OSS licensed software. About half the projects I've made a living with have been GPLv2 or v3, the other half Apache or MIT. You can go down a deep rabbit hole arguing with pedants over what is meant by the term 'open source'.

Comments

The word "refute" means "to prove a claim or argument to be false". If you say "Alice refuted Bob's argument", you are saying not only that Alice expressed disagreement with Bob, but that you yourself believe that Alice successfully demonstrated that Bob was wrong. If you didn't want to take a position on who was right, you would say "Alice disputed Bob's argument".

Unfortunately, in the last few years, a lot of journalists and other people who should know better have been abusing the word "refute" to mean "dispute".

At this point, I'm not sure which meaning you intend.

Plz fix the link to this page in Youtube Video. It's broken there.

You missed the critical issue in Elastic's business model, which also relates to the fork.
Elastic's model was to withhold features that most businesses required, behind an expensive license.
Multiple people tried to add those features, were denied, created plugins, which Elastic then inevitably broke.
Amazon tried to contribute those features too, and were also denied.

The problem with monetizing open source succesfully is finding the aspects people are willing to pay for. Most people didn't consider $10k/core/year reasonable for User security and ACL around the data, but you had no choice.

In the same vein, pfsense CE and pfsense +

If open source users are allowed to freeload and "that's part of the whole 'free software' thing," why can't Red Hat decide that not contributing to CentOS is also "part of the whole 'free software' thing?" Why is one side's actions OK, but the other sides actions are bad or wrong? Anyone who wants to provide for the CentOS freeloaders are certainly able to do so. Step into the gap left by Red Hat and do the engineering required to keep CentOS (or a similar project) going.

It seems that there are unrealistic expectations from freeloaders that someone else is going to continue doing work for them. And there is much angst and pain when those people decide they aren't going to continue working for nothing.

We can thank the Mafia at Amazon Web Services (AWS) for that, which has been banking on Open Source projects but offering nothing back to the community.

The same occurred with KVM (which runs all of its virtualization) yet very little of that codebase went back to the community.

Jeff Bezos is a cancer whose goal is to take as much as possible from the hard work of others. This has been the MODUS OPERANDI of Amazon and Amazon Web Services (AWS) for decades. So much so that it prompted ES folks to pull the plug on the project.

Of course, let us not forget they also cheat us via tax evasion.

Tons of man hours go into creating awesome open source software that big FOR PROFIT corporation have exploited without doing what is done int he community, that is opening the code (a good chuck of it) back to the community !!! So GET YOUR HEAD OUT OF THE GUTTER IF YOU THINK THIS IS OK !!! IT IS NOT !

Tim Bray was right , the man is a freaking HERO !

https://en.wikipedia.org/wiki/Tim_Bray

https://www.tbray.org/ongoing/When/202x/2020/04/29/Leaving-Amazon

BOYCOTT AWS and AMAZON !

Two points:

1. FOSS stands for Free and Open-source. Great everyone agrees there. But "free" in this instance means you have a license that gives you the freedom to use and modify the source code with very little restriction. It does not mean 'free' as in beer. Most, if not all, open source licensing allows you to repackage code and sell the product with limitations.

2. We should be clear, Red Hat was planning on closing CentOS for a while, BEFORE IBM came knocking. So this isn't IBM's fault. And Red Hat has a pretty valid reason for taking their engineers off the project. All of the bug reporting and fixing that happened under CentOS was pretty much lost. There was no path for those fixes, reports and pull requests to make it back into the ecosystem and contribute to the core product. Was their solution the only way? Probably not. Was it the best way? I think the public reaction is the answer to that one. What shocks me is that we haven't seen a community supported fork of redhat to replace centos "as it used to be".

I've been a Linux user since 1993, and have used various distributions over the years. I've also earned my living working for a company with an open source product that also had a commercial offering. It's a tough balancing act, and an often overlooked part of the story is how much companies like IBM and Red Hat have contributed to the success of Linux (not 'defending' them in any way, just pointing something out that doesn't get discussed a lot). You can see where companies like Tidelift are coming from, but I think there's another overlooked option, at least for an OS base. BSD. Throughout all those years of Linux use, I've often bobbed back n forth as a FreeBSD user, and returning to it recently remembered what a beautifully simple, fast, OS it is. Since most FOSS happily sits on top of FreeBSD I'm mostly inclined to use it as the base for any projects these days, thus removing the whole Linux 'problem'.

Elastic is right about it's decision because AWS is just eating monster, and if Elastic is wrong, then why did elastic is able to maintain good relationship with Azure, GCP and both of these cloud services are helping the company grow by having proper business contracts with Elastic

Well, these aren't the first two. Docker upset many people when they instituted the $5/month subscription for non-personal use of Docker Desktop. I think the cracks in open source monetization are even deeper than this. In 2000, Marak went on protest of Fortune 500 companies using his Node packages, faker.js and color.js, by sabotaging his repos; issues were frequently submitted and expectations were being made of someone to work for free.

This has always been what I have feared with respect to open source software. People would be taken advantage of. There is this tendency to be dismissive of corporations, like Docker, Red Hat (IBM), and Elastic... but they employ people with the need shelter, food, etc. and they won't remain employed if there isn't a company to employ them. Does that mean the companies are without fault? Certainly not. They all benefit from open source, as well. This means that both sides probably need to have a bit of grace and try to work towards a sustainable solution. They need a sound revenue model, else they'll cease to exist... but they need to understand their up and downstream benefits/concerns. You cannot treat your customers like garbage and not expect a reaction.

I don't have any solutions, unfortunately.