The Limitations of Open Source
Open source — the practice of assigning licenses to source code that allow regulated use and value generation by parties other than the license holder — has been at the foundation of progress in software for the last 30+ years. Projects like Linux, Git and PostgreSQL, to pick only a few, are some of the strongest examples of why we intuitively argue that open source is good.
Open source was a necessary bootstrapping mechanism. But I am questioning whether we can continue on the same path, or whether it is time to make different choices about how we share the building blocks of future innovation.
The case for open source rests on a familiar idea: that we generate value from the contributions of third parties who don't need to be part of the monetary value chain. This is, of course, similar to many other systems like education, academia and the arts. In all of those fields we build value on ideas that came before us, and we generally don't have to include the originators of those ideas in the value chain as long as we follow certain rules, such as citation and copyright laws. This has been a driving force behind much of global progress over millennia.
The foundational belief here is that progress is good for everyone and should be shared globally. A good idea in Estonia should be able to positively influence progress on another continent and benefit people in India. The reverse is true as well: a good idea in India should ripple through the world and improve lives in Estonia.
But that belief in fair global economic development has largely been set aside and swapped for a competitive world order between superpowers and related players such as middle powers and developing economies. We might not agree with this new world order, but it does not care about our feelings towards it. It has arrived, and it is here to stay until it is displaced by another order.
So the question is no longer whether open source is good in the abstract. It is whether it still makes sense under the conditions we observe today. I see a number of pressures bearing down on it — security, commercial appropriation, geopolitics, and the way companies actually use open source to go to market. Let's explore those in more detail.
Security
Open source has become a common injection route for exploits and attacks, and the comforting idea that openness improves security has largely been debunked. The model assumes everything happens in the open and runs on trusted committer relationships. But committers and maintainers can be infiltrated — by criminals and by national security interests alike — and they should not be trusted by default. The xz backdoor was the clearest demonstration: a patient attacker spent years earning maintainer trust on a small but critical compression library before slipping in a backdoor that created a veritable security threat. There is too much activity and noise to keep track of everything happening in the open, and this threat vector is difficult to close reliably.
Yet, closing the source does not make this problem go away — secrecy can make it worse. The reader might recall Crypto AG, the Swiss company that sold encryption equipment to more than a hundred governments for decades, and which turned out to be secretly owned by the CIA. The very closedness that was supposed to keep those machines trustworthy was precisely what allowed a deliberate weakening to go unnoticed for a generation. Proprietary code has supply-chain attacks too, often with far less outside scrutiny to catch them.
Security exposure is not specific to open or closed source. I am arguing for allocating resources to guarding the critical underpinnings of our interwoven software stack, open as well as closed.
Commercial appropriation
The fact that open source code — license permitting — can be used by any party without closing the value chain back to the developers is problematic. The clearest example is Amazon building a cloud service on top of Elasticsearch without returning any value to the people who created it. Amazon was legally on safe ground; Elasticsearch's permissive Apache 2.0 license placed no obligation on them to share anything back. And that is exactly the point. A more powerful player can take the work, wrap a service around it, and capture the value for itself without including the creators. The dispute pushed Elastic to relicense under a less permissive license, and HashiCorp, MongoDB and Redis all went through similar experiences. The effect of less permissive licenses is that less value can be generated from the original source. This restricts exploitation and commercial appropriation, but it also limits the downstream value potential of the innovation. Restricting the permissiveness of the license is nevertheless a sane choice to make.
Geopolitics
If the basic idea of open source is to benefit all parties globally, then it is in direct competition with a world order built on competition between nations and power blocs. These competing nations and blocs will happily consume global innovation to their own advantage, and they will share the benefits only as far as it serves their economic or military interests. In light of this, does it really make sense to share innovation in the form of code with everyone — even with those working against your interests? Should Estonia publish code as open source so that Russia can pick it up and use it to its own advantage?
Open source pretended to be blind to national and political interests, but that way of thinking belongs to the 90s, when we believed that sharing innovation to further global development was good for everyone and perhaps even a moral imperative. The facts have changed. One could imagine keeping source open only within a restricted region — a nation state, or a bloc of nation states — so that the strategic value stays home. Yet a license agreement will not deter a rogue nation state from exploiting restricted software when it wants to. Enforcement against the very actors we worry about is not likely to be successful as long as the source code is in the open.
Go-to-market
Open source is often used by companies simply to test the waters and see whether there is product–market fit. By setting the price to zero, the bet is that a product will find some adoption if it creates real value — and that if it finds no adoption even at zero cost, no amount of expert marketing will create a pull effect for it later. Once traction has been demonstrated, the company introduces a paid tier, or, if that is not attractive enough, changes the license or removes the open source option altogether.
Open source is used as a transition path from testing the waters to a fully commercial product. This is not a problem per se — but if you are building on someone else's open source, you should understand that the license you depend on today can be changed under you tomorrow, once the vendor decides the market is proven. That dynamic belongs in your thinking when you construct a software supply chain. Create deliberate dependencies and know which ones you can depend on.
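The relicensing cases in the commercial appropriation section and the advice above to create deliberate dependencies both come down to the same practical check: knowing which license each dependency carries today, and noticing when that changes. The following Python script is an added illustration, not code from the essay. It reads a minimal CycloneDX-style SBOM (the two snapshots below are constructed sample data, with invented component names), flags components whose declared license is outside an allow-list, and reports components whose license changed between snapshots. The split into "permissive" and "restricted" identifiers is an assumed policy for illustration; an organisation would set its own lists.

```python
"""Dependency license gate: audit one SBOM snapshot and detect license drift
between two snapshots. Added example; the SBOM data below is constructed."""
import json

# Assumed policy: SPDX identifiers accepted without review (illustrative list).
PERMISSIVE = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# Assumed policy: source-available identifiers that should block a build until reviewed.
RESTRICTED = {"SSPL-1.0", "BUSL-1.1", "Elastic-2.0"}


def _component(name, version, license_id=None):
    """Build one CycloneDX-style component entry (helper for the constructed sample)."""
    comp = {"type": "library", "name": name, "version": version}
    if license_id is not None:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


# Constructed snapshot: the inventory as it looked when the dependencies were chosen.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        _component("search-engine", "7.10.0", "Apache-2.0"),
        _component("kvstore", "6.2.0", "BSD-3-Clause"),
        _component("infra-cli", "1.5.0", "MPL-2.0"),
        _component("tls-lib", "3.0.0", "Apache-2.0"),
    ],
})

# Constructed snapshot: the same inventory after upstream vendors relicensed,
# plus one new component that declares no license at all.
SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        _component("search-engine", "8.0.0", "SSPL-1.0"),
        _component("kvstore", "7.4.0", "Elastic-2.0"),
        _component("infra-cli", "1.6.0", "BUSL-1.1"),
        _component("tls-lib", "3.1.0", "Apache-2.0"),
        _component("metrics-agent", "0.9.0"),
    ],
})


def licenses_of(sbom_json):
    """Map component name -> first declared SPDX id, or "UNKNOWN" if none declared."""
    out = {}
    for comp in json.loads(sbom_json).get("components", []):
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        out[comp["name"]] = ids[0] if ids else "UNKNOWN"
    return out


def classify(license_id):
    """Bucket a license id under the assumed policy above."""
    if license_id in PERMISSIVE:
        return "permissive"
    if license_id in RESTRICTED:
        return "restricted"
    return "review"  # undeclared, copyleft, or anything not on either list


def audit(sbom_json):
    """Return (name, license, category) for every non-permissive component, sorted by name."""
    return sorted(
        (name, lic, classify(lic))
        for name, lic in licenses_of(sbom_json).items()
        if classify(lic) != "permissive"
    )


def license_drift(before_json, after_json):
    """Return {name: (old, new)} for components present in both snapshots whose license changed."""
    before, after = licenses_of(before_json), licenses_of(after_json)
    return {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]}


if __name__ == "__main__":
    for name, lic, category in audit(SBOM_AFTER):
        print(f"{category:10} {name:15} {lic}")
    for name, (old, new) in license_drift(SBOM_BEFORE, SBOM_AFTER).items():
        print(f"license changed: {name}: {old} -> {new}")
```

Run against the constructed snapshots, the audit of the second SBOM flags three restricted components and one with no declared license, and the drift report lists the three relicensed components while leaving the unchanged tls-lib alone. In a real pipeline the SBOM would come from the build (most package ecosystems can emit CycloneDX), the previous snapshot from version control, and a non-empty restricted list or drift report would fail the build so that a license change upstream is a decision someone makes rather than something that happens to you.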
Conclusion
Some of these arguments, such as open source as a go-to-market instrument, are not inherently turning the tide against open source. We need to understand the risk and make educated decisions. Others, such as security, are risks that can be mitigated by adding resources but are not likely to be solved completely. There is a foundation of trust necessary in any functioning relationship. A pressing question is whether trust is more easily established with commercial entities or with communities of maintainers — and how to guard against willful deception either way. Crypto AG was a trusted commercial vendor; the xz backdoor came through a trusted maintainer. Deception was used in both examples.
Commercial appropriation can be mitigated through more restrictive licenses, but the value creation potential of open source is diminished along the way. It is unlikely that licenses can be restricted only for large international players without also restricting the ones who were meant to benefit from the open source idea in the first place. Only the geopolitical pressure makes a genuine case for abandoning open source altogether.
What has become obsolete is not open source itself but the 1990s assumption that it is universally and unconditionally good. We still all wish to live in a world where openly sharing innovation is the most logical way to spread prosperity, and I do not see today's climate as conducive to that in a fair and mutually beneficial way. The risk of unfair exploitation by large commercial players across borders, and the security interests of nation states, are trumping the old spirit of the cyberculture movement of the late 20th century.
We might need to consider no longer treating open source as a default moral good and start making essential choices. Building and protecting intellectual property inside companies, nations, or blocs of nations is the more likely strategy for today. We have to make good judgement calls about how open we can afford our software to be.
Further Reading
- Strategic Technology Is Never Free — Why the perceived zero cost of open source and other strategic technology choices conceals real obligations and dependencies.
- Why Transformations Fail — The organisational and leadership dynamics that determine whether technology change delivers lasting value.