Thank you everyone for joining Solate in the first day of FOSDEN.
Quick introduction before we start.
My name is Thierry Carreze.
I'm the general manager for the Open Infrastructure Foundation, which was previously known as
the OpenStack Foundation.
I was also elected to the board of the Open Source Initiative, and I'm serving as its
vice chair right now.
And as part of those activities, I've been working on the draft response for the OSI
on the release of a new license called a Functional Source License.
And as part of that, I really reflected back on some of the licensing that has been happening
over the past few years, and recently at Ashicorp, I don't know if you're familiar
with that probably, a very well-known previously open source company that decided to switch
licensing for products like Terraform or Vault, and therefore creating some tension in the
ecosystem.
So looking at those critically, it just occurred to me that single vendor open source is the
new proprietary.
And this talk will get into details why I think that way.
And I realize this might be a controversial opinion.
I realize that some people will disagree with me.
I realize that I will probably make some enemies out of this.
But I think it's an important way of looking at it, and it might be a bit of an extreme
characterization.
The rant will be very short so that we have plenty of time at the end for you to engage
in an open discussion and hopefully prove me wrong before I do it again.
So all this real licensing that we've been hearing recently, hello.
All the real licensing that we've been hearing about recently is all built on the same narrative
around open source.
And the story is very well known.
It starts like this.
At the dawn of the computer age, I think some people will get in at the end of the rant.
At the dawn of the computer age, software was not considered very valuable.
It was all about the hardware.
And the people using those machines would actually develop the software that would run
on those hardware as a commons and share it relatively freely.
And it's with the advent of the 80s and the rise of the PC that made hardware a lot more
like a commodity and with it made the software much more valuable.
And that's when software companies like Microsoft were created and with it the proprietary software
approach.
The proprietary software approach is when a single entity owns the software that is produced
and intends to capture all value thanks to restrictive licensing conditions.
And we've seen the 90s after that that really led to a lot of excesses, especially as Microsoft
decided to exploit that dominant position that they had.
And openly developed open source really grew in the 90s in reaction to this evil proprietary
approach.
It predates obviously that period, but that's really when it really caught on.
In that model, software is produced as a commons by a community of participants of organizations
of individuals openly collaborating and the value is shared across the participants in
that ecosystem.
And this is all made possible thanks to free and open source licenses which guarantee a
number of freedoms including the freedom to build on it without asking for permission
and the freedom to use it for any purpose including making money.
And in the next 20 years, really open source got overwhelmingly popular and it unleashed
a software revolution.
And those that have been around for that time measure how dramatic that change was.
A recent study estimated that the demand side value of open source software today is nearly
$9 trillion.
It is estimated to be part of 96% of the software that is run.
Like 96% of software contains an open source component.
And it would be very hard to develop new software today without using open source.
And so like everyone else, the companies that produce software massively adopted open source.
They would develop in-house but release the end product under an open source license.
And we call that single vendor open source.
And with internet becoming more ubiquitous, some turn to a software as a service model
and we saw the rise of the cloud and without the rise of the hyperscaler clouds.
And some of those hyperscalers would run open source software at scale which would be seen
as unfair competition by those open source software companies that were using this software
as a service model.
And that brings us to today where those companies say that while open source is great to get
that initial visibility, it's bad for monetization.
It's bad for business.
And so if it's not business friendly, we need to invent new licenses, you know, to continue
defending open source and especially against this evil proprietary software.
And you know, with those licenses, we continue to give you access to the code for free.
So you know, what's not to love.
And in some cases, the license will even revert to an open source license after some time.
Why do you hate us, Thierry?
And I'll explain why.
I think this narrative is built on three misconceptions, especially the last part, which this talk
is going to deconstruct.
The first one is that open source is great because you don't have to pay for it.
The second one is that single vendor open source is the reasonable way to do open source.
And the third one, interestingly, is that proprietary software is evil.
So let's go one by one.
The first one, open source is great because you don't have to pay for it.
I mean, we are the ones writing the software and we continue to give it to you for free.
Like why do you not happy with that?
We just need to preserve our business interests, you know.
So, well, the problem is open source is not great because you don't have to pay for it.
Open source is great because everyone is free to use it.
And that's a subtle distinction.
I realize that.
I mean, cost is a factor, but this goes way beyond monetary concerns, monetary barriers.
What matters is not having to ask for permission.
Just use it.
Anyone, anywhere for anything.
Not just the ones with deep pockets, not just the ones in certain geographies.
And this really, this permissionless innovation that enabled a ton of valuable software itself
often released as open source, which fed into that virtual cycle.
Those non-compete licenses that they propose restrict you from doing anything with the software
that the company disagrees with or considers competition.
And they use pretty vague and untested legal terms and the end result is that it ends this
permissionless innovation.
You can no longer just use it.
The second misconception is that single vendor open source is the reasonable way to do open
source and resist evil proprietary software.
I mean, we are the self-proclaimed commercial open source companies.
We are the business conscious open source folks.
You should follow our model, et cetera.
Well, let's go back to the definition of proprietary that I used earlier.
Single entity owns the software that is produced and intends to capture all value derived from
it thanks to restrictive licensing conditions.
Well, if you take that definition, single vendor open source companies are still doing
what is essentially proprietary software.
I mean, they will disagree, obviously.
But they still consider the software being produced as their exclusive property and intend
to capture all the value that derives from it.
They aggregate copyright assignment so that they can change license anytime they want.
So it's still proprietary.
They just choose for now to release their software under an open source license.
So single vendor open source is not the reasonable way to do open source and fight evil proprietary
software.
It's actually just another way to do proprietary software.
It's just a relicensing time bomb.
And sure enough, a lot of those exploded over the past year.
So the proprietary development model is moving back to restrictive licensing now in a very
predictable attempt to capture incrementally more value.
Now that was predictable if only we had seen single vendor open source as the temporary
tactic of proprietary development that it is.
And that it always was.
The third one, proprietary is evil.
Well, this whole story would not hold if we did not demonize proprietary software in
the first place and opposed it to open source software.
But as we've seen, you can be proprietary, have a proprietary development model, and do
open source as a temporary tactic.
So it's not open source versus proprietary.
We need to shift that.
It's actually more complex than that.
You can represent it as a quadrant.
On one axis you have open source licensing versus not open source licensing.
That's pretty clear cut.
The open source initiative defines it.
It comes with a bunch of freedoms.
And it ultimately enables that permissionless innovation that I talked about.
Why do we have those freedoms?
It's because they enable the permissionless innovation model that we all benefit from
today.
On the other axis you have the development model.
It's either openly developed by your community that will share the value of the work or it
will be developed by a single entity that will own it.
And if you look at the traditional proprietary software, that's what I call restricted software.
It's when you're using a non-open source license to impose some licensing conditions,
especially to preserve your business model or to gain some other benefit.
If you look at the open source side, depending on whether it's developed by a group of organizations
as a commons or if it's developed by a single entity that retains all copyright aggregation,
it's either openly developed open source or single vendor open source.
And the issue here is that we're seeing movement from single vendor open source back to restricted
software.
And they hope that by doing that they will retain enough aura from their open source days
to hide the fact that it's just restricted software and pretend to continue to be on
the good guy's side and fight against the evil proprietary software.
But proprietary software is not evil.
The abuse of dominant position in the 90s was evil for sure.
But the proprietary model itself is not evil.
In my opinion it's just inferior.
If you truly think that software developed by a diverse set of actors working in open
collaboration is not better, you should definitely do proprietary development.
That's fine.
Just be honest about it.
What's evil is really the lies and hypocrisy that we are seeing there.
Doing proprietary while pretending to be open, that's evil.
That's what we call open washing.
Trying to dilute the meaning of open source by creating deceptively named licenses like
common clothes or server side public license or business software license.
That's evil.
Switching licenses from under your community after having promised to be forever open source
like Aishikop just did.
That's evil.
Being fitting from open source freedoms to build your software in the first place.
And then denying that those freedoms actually have value.
That's evil.
So yeah, as a summary, and I thought I would leave a lot of time for engagement from the
crowd so I want to make sure we have time.
I want to leave you with three takeaways.
Three actions.
First, I think it's time for us to remind everyone that the permissionless innovation
that we currently benefit from should not be taken for granted.
It is a direct consequence of the prevalence of open source licensing as defined by the
open source initiative.
And it requires all of the open source freedoms including the freedom to use the software
for any purpose.
The second takeaway is that I think it's time for us to describe what a world where
they win looks like.
Because if their vision wins, if everyone adopted their approach, all the innovation
that those open source freedoms allow to unleash would come to a halt.
And we would quickly be back in the 80s.
And I've lived through the 80s.
You don't want to be there.
Imagine a world where you have to ask your lawyers for permission before you use any
library, any programming language.
And they will say that after some time it reverts to open source license.
After two, three years, four years, the license automatically transforms into an open source
license.
But that's a trap too.
Like imagine a world where you have to run a buggy two-year-old version of the software
with known vulnerabilities because that's the one that is open source.
That's not just practical.
Finally, takeaway number three.
I think it's time for us to reassert the value of software developed in an open collaboration.
Everything else is proprietary.
Everything else is a relicensing time bomb.
So beware of CLA's when they are not held by an openly governed non-profit.
Beware of single vendor open source software because it's just a proprietary model that
happens to temporarily use open source licensing.
And they have lots of money, lots of resources to spread their very confusing message around
openness.
And we're clearly disorganized.
So I think as a conclusion that it's time for us to all clearly say that single vendor
is the new proprietary.
Thank you.
Ah, objections.
No, actually my questions are answered in your notes.
So I'm interested in having your notes if that's possible with the slides.
So the short story about this talk is actually the text that I wrote for the OSI to answer
the functional source license.
It was deemed to be too extreme to be representative of the organization.
And so we toned it down and changed it.
But that's actually what made me have the idea that I should turn it into a rant that
I would present.
And first then is clearly the right crowd to try it.
So you would publish the notes?
Yes, basically I'll make a blog post that's basically the same speech.
OK, I have a question.
What if the code is even developed by one component but under a position of Linux foundation?
There's happened many times.
You can notice that it's quite common at this moment.
I wouldn't call that proprietary.
What makes the proprietary approach is not just that you have a single participant.
It's that it's close to others to join.
And I'm pretty sure in the case of a project under the Linux foundation where they have a major vendor,
they would be happy to have someone else.
And I'm pretty sure that they would not be able to unilaterally change the licensing conditions
because the trademarks and copyrighted creation would belong to the Linux foundation and not to that single company.
So I think it protects you.
If by design it's a single entity but I don't think they have a lot of projects like that,
then yes, there is a problem.
If you are prevented from participating as an equal in an open collaboration, yes, then there is a problem.
So a provocative question.
Is the GPL...
It doesn't allow you to do anything.
You cannot choose to follow the GPL as invasive in that sense.
In your definition, is it still free, software in the most direct sense or is it something in between?
I mean, a GPL?
No, the GPL.
The GPL itself?
No, it's totally embedding those freedoms.
To me, it's clearly an open source license.
Some would say the one, the open source license.
The main difference between the GPL and the permissive licenses is how much of a function you want to have back into the contribution cycle.
It's really what makes it slightly different.
And depending on how much you think you will get contributions without it or with it,
all the big projects they have that moment where they have to choose between permissive and copy-left licenses,
it's all a bet on the future.
If you think that your ecosystem is so big that you will get contributions anyway without forcing people to give back,
it's actually better to have a wider funnel to get into your system.
If you think your project is never going to be super big and you can use all the contributions you get,
I think the GPL approach is better.
So you said a couple of things that I found sort of interesting.
So one is, I think the objection or the observation is that if you leave the control to commercial entities,
they are going to be continually tempted to re-license it, de-license it, change the licensing.
So are you advocating that one should try and get the licensing and, well, the copyright transferred to a notionally neutral entity?
Because it doesn't, for me, it doesn't seem to be that having like GPL on the side of a license,
if the copyright belongs to one of these companies, they can just say, okay, fine, we'll leave that on the side,
but we'll keep doing stuff over here.
So you either then focus the GPL community and everybody has to turn it with their own resources.
So it doesn't seem that GPL provides the protection that you're suggesting.
So I think it's more about the ownership that you're pointing at. Is that correct?
Yes. I would say copyright aggregation is just one of the assets that you need to have in a neutral asset lock in open collaboration.
Trademark is another one. If one of the companies has the trademark,
it means it's more difficult to weaponize, I guess, than copyright aggregation,
but you can still pull the project identity away from the project, and so that can create some tension.
So, yeah, clearly being able to put all of those assets that make that project initially possible and have some stability,
so the name, the ability to change the license, under some kind of an asset lock,
and I'm not necessarily saying go for an open source foundation like the one I work for.
There are other ways today to actually create those open collaboration fields without necessarily going for a foundation.
I think today foundations really bring value to make that open collaboration successful, not just possible.
But yes, I think it's part of how you would fix the problem.
The problem is really that it's a single entity, it's software that is developed by a single entity.
They will try to hide it. They will say, well, we take contributions from the community.
I mean, that worked for some, and clearly there is the difference between the contributors that are on the inside and the contributors that are on the outside.
So it's free labor, it's not contribution, it's not an openly, it's not a common.
The common you have to make sure that the future participants will benefit from it.
Here it's like it's the pure ownership of one single company, and they take free labor when it's available,
and then they change the license under you when some VC tells them to, so it's bad.
I'm not a professional developer, so I know this is a rookie question. I don't know the answer.
How would an entirely new thing come into being if no one person can have that thing?
Doesn't every idea start with one person? So at that moment it is a proprietary thing.
And it may often live for some time before it becomes something else.
Your rant clearly doesn't cover somebody having a good idea. So how does something completely new come into being?
So it starts as one person, but that person makes a choice at that point.
They decide either to put it on some software force, name names,
and have a proto-open governance around it that says, well, I'm the maintainer,
but I would consider adding more maintainers and wants to create an open collaboration ground around it.
Then they take the role of openly developed open source.
At that initial stage they decide, wow, that's very interesting.
I could build a company around it and monetize the heck out of it,
and so I need to make sure I keep control over it.
And the second contribution, I want to make sure they assign copyright to me or my organization
that I can do whatever I want tomorrow.
That's there going the way of the proprietary software.
And it's really a thinking model.
You either want to monetize something that goes beyond those comments that you create with others,
or you think that software is going to be the real value that you create,
and you want to make sure you capture all of it.
Thank you very much for your...
I'm here at the top.
Thank you very much.
I'd like to have your view on what happened to the Matrix Element ecosystem,
where the server port was re-licensed in the last three years from a permissive license to a AGPL license.
So this is re-licensing in the opposite way you're describing, so kind of more open,
but there are still lots of discussion because they are forking their own community with their own software,
and the whole community is not really kind of it.
What is your view about that fact?
So yes, it's going in the right direction, but it's still proprietary software.
If they can actually do that, they can do it again.
And you never know exactly in which direction.
So I would argue that it's a proprietary holdout in the middle.
That is probably well-intentioned right now, and a lot of those companies are actually well-intentioned when they start.
It's when money comes in and they get some pressure about return on investment
that suddenly you need to extract a bit more juice from that lemon,
and the only lever you have is re-licensing.
And I don't think HashiCore planned it from day zero.
Although the VCs at some VC ventures actually have a playbook for it.
So it's a published tactic.
It's not as if it was like a secret or a surprise.
In the end, it's all a calculated move around their approach of how we build software today.
They can't really get around it, so they adopt it and try to make it do what they need.
I'm not sure if it's just the VCs.
I like to blame the VCs and investors too.
But one of the things that I think is that people that are paying for software
don't value open development and open collaboration as much.
They just want the vendor to be around.
They don't really value the history.
They could have been around for 10 years on their open source development,
but at the end of the day, they're still willing to pay for the software, the cloud offering, whatever it is.
But they don't value the open development as much as the rest of us do.
So I would disagree with that.
It depends on the software.
Obviously, if you run Firefox and you suddenly decide to use Chromium instead,
because you're weird, it's possible.
But in some cases, the project that I've been mostly working on
over the past 12 years is OpenStack.
And if you make an investment in an open source technology
because you think open source is the way to build it,
or you think that the software, the way it's built, it's not going to be changed on you.
There will not be new licensing that will force you to pay support from one single company, one of those things.
Having the guarantee that it's not going to change two years, five years, ten years from then
is an important guarantee because you make a pretty significant investment in that infrastructure.
So there are other open source solutions for providing infrastructure than OpenStack,
but all the others are single vendor.
And so that means you're potentially, if you choose them,
they might decide to do something else with the software,
and they might put your investment at risk because they might decide that you need to pay them for support
per seat, per server, for whatever, some condition that you can't really accept,
especially if you're a nonprofit.
I really like the idea of the kind of frictionless way you can use the open source.
What I think I'm hearing is that we really should be thinking about the fact
that even if you can use particular open source projects, you might want to if they're like this.
That's what I'm hearing.
And I'm just wondering then, practically speaking, if we have to check whether or not they're like that,
does that not interrupt the kind of value of the frictionless use thing?
Because now, I just don't understand how we flag those, or how do you know,
or how do you avoid this basically without interrupting this idea of just being able to use things that have open source software licenses?
It's an excellent point.
You can't just look at the license.
That's actually another thing that I've been speaking about a few times.
We need to go in the way we look at the software.
We need to go beyond just the open source license because it's not going to give you this certainty that I think you need.
And yes, it's a problem.
And there are some organizations when they put out a project,
they're pretty sure that they're under an open governance and they will be there forever, et cetera, et cetera.
But there is no label.
There is no brand.
I'm trying to say openly developed open source.
I have much as much as it's like a math fall.
It might not be the right, like, I don't want to say good open source, bad open source.
But yes, we need some way to say this sounds like safe open source
and this sounds like potentially a restrictive in two days open source.
And how do we differentiate that?
I don't agree.
We have an issue.
The talk here is more to...
The goal is to more of a wake-up call where I want people to realize how much we benefit from that permissionless innovation that open source licensing has.
I want people to realize that this...
Not all open source is aligned with that permissionless innovation.
A lot of it is actually saying open source should not be allowed to run on any purpose by anyone for any purpose.
And so going back to, you know, we've been through this cycle from the 60s to 2020,
going back to the age where computers, where we did not have this 9 trillion body of code that we can easily pull from and that we are free to build on.
And there's nothing that guarantees that's going to continue.
Like, 10 years from now, we could...
Why would open source still be around?
It's because if we hold the line on open source licensing,
if it's all the line, if the open source initiative continues to grab the open source definition,
make sure that all the freedoms are in there and we don't remove one freedom and see what happens to permissionless innovation.
And I think that's the general idea.
And yes, be more...
Look under the hood and see how the open source software that you're being sold is actually built.
I'm sorry.
It's at 6 o'clock, folks, so rain, livestreams ended.
But continue your questions if you have any theory outside.
Everyone agrees?