Every year brings changes in the open source ecosystem. Myriad new projects, new applications and frameworks, new foundation working groups and new business trends. 2023 was no exception.
Open source software is no longer viewed as a novelty; indeed it is today thoroughly mainstream, to the point of banality. Nonetheless, the emergence of new projects and the progress of existing ones, the use of open source licenses, the role of open source code and the ups and downs of the open source ecosystem continue to present both challenges and opportunities.
Four Decades of GNU
In October 2023, the GNU project and the larger category of Free Software turned 40 years old. Free Software was once considered radical, even anathema to organizations wishing to preserve rights around intellectual property. When introduced in the 1980s, it was not expected to be particularly significant or even to survive.
Well, survive it has, and has flourished.
The software components and development tools that underly the Internet, the Cloud, mobile phones, automotive technology, IoT and myriad other areas are built on and with Free Software. Organizations of all types - enterprise, device OEMs, service providers and governments - use, integrate and deploy Free Software, mitigating risks to IP (actual and perceived) by managing use cases in context.
Open Source and AI
In 2023, Artificial Intelligence exploded, impacting almost every area of the IT ecosystem, from enteprise to embedded to mobile and beyond.
Artificial Intelligence (AI) is a focal domain for developers, for end-users and for the venture capital community. It’s as hot a commodity as Linux and open source were two decades ago. But AI and open source share more than just hype. Across natural language processing (NLP), Machine Learning (ML), Computer Vision, and Robotics, both AI and open source drive the democratization of technology, and open source is helping to drive the utility and ubiquity of AI platforms and applications.
"Source Available" Licensing - Walking Back Freedom
In 2023, the software development ecosystem witnessed the introduction and propagation of a number of "source available" licenses intended to bridge between open and fully proprietary software. The terms of such licenses include access to source code, but fall short of actual open source practices and do not pass OSI muster: they invariably fail to observe the entire Open Source Definition, in particular by restricting freedom of redistribution and freedom of use.
These licenses have emerged in response to organizations publishing their software under an OSI-approved license only to discover that other, established open source users and publishers (Red Hat, Amazon et al.) were integrating, deploying and monetizing that software with no direct benefit to the project founders.
Critics of this movement characterize the shift to source available licensing as "sour grapes" or at least as a failure of vision in harmonizing business models and accompanying licenses. Proponents claim to want to protect investments in software development, especially by start-ups, under the rubric of "Freedom without Free-riding".
The poster children for this movement are Hashicorp, Sentry, MariaDB, and Redis. and the licenses they promote include
These licenses purport to protect software authors by including terms and limitations on the number of users, size of organization, revenue enjoyed from the governed software and/or establishing a timeline for exclusivity and conversion to OSI-approved licenses like MPL.
The RHEL Paywall
In June 2023, Red Hat, now a part of IBM, erected a paywall between its RHEL (Red Hat Enterprise Linux) source repositories and the rest of the open source ecosystem. Many other commercial open source companies restrict access to their open source code to paying subscribers. But the move by the Raleigh-based open source giant had implications for both enterprise users of open source and for other distributors of Linux-based products and services.
The impact of the change was especially great coming on the heels of the company's 2020 decision to discontinue availability of the comprehensive RHEL clone CentOS (acquired by Red Hat in 2014), replacing it with the rolling CentOS Stream. Lacking CentOS and access to RHEL repositories, CentOS replacement suppliers Alma Linux, Rocky Linux, and others now must find indirect, even circuitous paths to build their RHEL-identical offerings that serve SMB and other cost-sensitive segments of the marketplace.
The move was not unexpected, given that Red Hat viewed CentOS as an inside competitor, a source of leakage from its RHEL-based revenues. But the history of open source is one of innovation and circumvention of strictures. Rather than driving growth in RHEL subscribers, discontinuing CentOS and erecting a paywall will both drive the mid-market and CentOS-clone providers to seek new platforms and ways to produce and maintain them.
CISA Open Source Security Roadmap
For the past several years, and especially in 2023, the open source ecosystem has been subject to a range of well-publicized supply chain attacks. These attacks have exploited variously lax oversight and technical vulnerabilities in the communities and platforms that maintain and distribute code to users, integrators and deployers of open source software. The exploits, rather than consituting direct threats, provide vectors of the insertion and distribution of malicious code in corpus of open source projects and the software stacks they populate.
the White House, the Office of Management and Budget and various branches of the U.S. defense infrastructure have invoked concern and requirements for improving the cybersecurity posture of IT in general and of open source code in particular. In the popular imagination, such efforts to improve cybersecurity tend of focus on deployment, whereas some of the most effective efforts start with the supply chain.
CISA - the Cybersecurity Infrastructure Security Agency - has a mission to work with partners to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future. In September 2023, the agency laid out a detailed roadmap of objectives for improving the security of open source ecosystem:
establishing CISA’s role in supporting the security of open source software,
driving visibility into open source software usage and risks
reducing risks to the federal government, and
hardening the open source ecosystem.
Learn more at the CISA web site and Duo.com
The Impact on Test Automation
The headline-level items laid out above mostly impact test automation indirectly.
GNU at 40: Many if not most users of test automation software (e.g., OpenTAP) are also either users of GNU software or at least benefit from its operation (via Linux, GNU tools and libraries).
AI and OSS: Test automation increasingly leverages artificial intelligence and deployers of AI code enjoy a range of benefits from AI tools and platforms being licensed as open source.
Licensing: As test automation increasingly leverages the cloud for collaboration and delivery as SaaS, the licensing status of cloud infrastructure projects can directly impact the availability and viability of next-generation test automation products and services.
RHEL Paywall: many organizations that rely on open source test automation software also leverage alternatives to RHEL to operate their businesses and to host product development. Red Hat's move to restrict access is unlikely to affect such OEMs and ISVs directly, but is already impacting the vendors that support those companies' operation.
CISA Roadmap: superficially, the objectives laid out by CISA may appear to be distant from the daily activities of test automation. However, the security testing requirements laid out by CISA, and earlier by the OMB raise the testing bar for hardware and software manufacturers. While these emerging cybersecurity requirements initially focus on the how technology is supplied to the U.S. government, such requirements quickly propagate to the larger IT ecosystem in the U.S. and abroad.
Conclusion
This blog has laid out some of last year's most significant headlines that impact the open source ecosystem of users, developers and vendors. The real scope and reach of open source is of course much broader. Stay tuned in 2024 for more news and insights about open source and the ecosystem that supports it.