#Nugate and the Reality of (Commercial) Open Source

#Nugate and the Reality of (Commercial) Open Source

Note: this post is the opinion of its author and may not represent the views of Black Duck Software, its shareholders, and other employees.

There was a small scandal in a small corner of the open source world last week (#nugate). A pull request was submitted to the Nuget Gallery project to add setup instructions for Paket, a third party dependency manager. The request was rejected without a reasonable explanation. The Nuget Gallery is owned by the .NET foundation, a non-profit foundation founded by Microsoft. Two of the foundation's three directors and all four of its team members are Microsoft employees at time of writing. So naturally, the suspicion is that the ghost of the old anti-openness Microsoft is rearing its head to restrict the competition. This is a very reasonable and likely explanation.

But so what?

This Isn't Your Daddy's Open Source

Let's be blunt. Richard Stallman's utopian vision of open source is dead. Code is no longer contributed to open source to grant some freedom that has been ordained an inalienable human right by reason and providence. This is in part because open source communities are no longer mere playgrounds for university students with time to spare and passions to pursue. Today, open source is just another way of doing business. Even when Stallman's beloved GPL is used by a project, the goal is usually to restrict. Take, for example Oracle's OpenJDK, where GPL and the contributor agreement* combine to give Oracle a monopoly on closed-source forks. Or consider dual-licensed products (such as MySql), where GPL's copyleft provisions are used to compel closed-source redistributors to fork over commercial licensing fees.

In other words, when businesses contribute to open source, these contributions often have business goals attached. These business goals tend to be one or both of the following:

  1. To leverage external contributors on a product or component used or sold by the business.
  2. To facilitate adoption of a product or ecosystem by eliminating the risks posed by vendor lock-in and increasing transparency.

With the second goal, there is usually an up-sell. In the case of Microsoft, the up-sell is quite transparent: Azure — the most .NET-ready cloud computing service. And in order to maintain Azure's premier .NET readiness, Microsoft (and its employees pulling the strings at the .NET foundation) have to have a tight grip on the ecosystem.

Read about the dramatic shifts in open source license enforcement

When Business Control Creates Value

The detriments of corporate control of open source ecosystems are obvious: project leaders may solve for value to their own business at the expense of other contributors or users. But if this control was so prohibitively limiting while providing no value in return, the open source project in question could just get forked. So why is forking not enough to make disenchanted contributors happy?

Because the corporate associations with a project have value. Microsoft has donated the efforts of the employees who built (and continue to build) the bulk of the ecosystem. Microsoft's marketing muscle has grown and continues to grow the user base of that ecosystem. And it is this association with Microsoft and support by Microsoft that, even in its open source incarnation, will enable enterprises to adopt the .NET ecosystem.

The Open Source Free Market

Fortunately, open source creates a kind of free market for project leadership. If the restrictions placed by the corporate leadership of an open source project exceed the value of that leadership, the net incentive will swing toward forking the project and adopting the fork. The fact that the original project continues to thrive despite the ever-present forking ability is an indication that for most contributors and users, the restrictions are not prohibitive.

The market, as they say, has spoken.

 Value of Leadership charting incentive to fork vs. leadership effectiveness

* This is a summary of a much more nuance body of legal documents. I'm not a lawyer, and this summary should not be construed as legal advice. Consult your lawyer with any licensing questions.

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

Why People and Businesses Get Blindsided by Threats

| Jul 24, 2017

When Black Duck released the results of its 2017 Open Source Security and Risk Analysis, the results were deeply concerning. Among the audited applications, 96% utilized open source, of which 67% contained known vulnerabilities. On average, the identified vulnerabilities had been known for four

| MORE >

From Java to .NET Core, Part 2: Types

| Jun 22, 2017

This post was originally published on the Red Hat Developers blog. In my previous post in the series, I discussed some fairly surface-level differences between C#/.NET and Java. These can be important for Java developers transitioning to .NET Core, to create code that looks and feels “native” to

| MORE >