EP4: Time to reconsider open source?
This is the fourth episode of my newsletter where we discuss Software Architecture, Leadership and Beyond. In this episode, we will focus on recent events that should impact our perception of open source. At the end, you will also find a summary of all the content I released in the month of April.
As a junior developer I rarely questioned open source. Could you imagine writing a Java application without relying on a framework like Spring?
As a software architect, I was more analytical and critical when evaluating an open-source solution. I would question: “Is this project backed by an active and healthy community? Do they have a regular release cadence? Is the project sponsored by a renowned company? Is there commercial support available?“
Recently, I realized that I have been overlooking important aspects like ownership and security.
Is open source decentralized or centralized?
According to Wikipedia, “the open-source model is a decentralized software development model that encourages open collaboration. A main principle of open-source software development is peer production, with products such as source code, blueprints, and documentation freely available to the public.”
I agree with the decentralized definition if we focus on how open source is produced. However, if we shift our attention to the concept of ownership, it became evident that open source can maintain centralized ownership. Most importantly, the owners of an open-source project can change a permissive license to a more restrictive one and can also decide to terminate the project. The developers who contributed to the project have no say at all.
There are many notable examples:
- Red Hat shutting down CentOS on June 30th, 2024
- Buyoant introducing a new model for stable releases in February 2024
- Hashicorp adopting a Business Source Licence in August 2023
- Elastic adopting the Elastic and Server Side Public Licenses in 2021
- MongoDB adopting a Server Side Public License in 2018
I know these cases are very different from each other and their impact varies from one business to the other. However, the message is clear. Open source is a bet. Today you have an active and healthy community that delivers you stable releases without asking you a dime, while tomorrow you might have to pay for a license to use a product, or scramble to find an alternative solution to a terminated project.
I want to highlight that I am not debating whether this is fair or not. I am just stating that we need to be aware of potential shifts in the way an open-source project is licensed or released.
Is open source secure?
I am sure you heard about the backdoor planted in xz Utils (CVE-2024-3094). This is possibly the most sophisticated and creative supply chain attack we have seen to date.
The attack is a combination of social engineering and carefully crafted commits that have been happening over the course of several months. The final payload was hidden in two obfuscated and encrypted test files and eventually bound to the release artifacts through a series of convoluted steps. The potential impact could have been massive considering how ubiquitous this library is in Unix-like operating system and the fact it hijacked the sshd
process under the right conditions.
The visualization above was shared by Thomas Roccia, a Senior Security Researcher at Microsoft, on Mastodon. I also suggest you to read this great article from Ars Technica if you want to know the whole story in more detail. However, I want to focus on the social engineering aspect of it and what it means for open source.
The attacker, Jia Tan (JiaT75), had joined the project about two years ago and became very quickly an important contributor to the project. Around the same time, pressure was mounting against the original maintainer, Lasse Collin, who was being accused to have lost interest in maintaining the code base.
I think this conversation is particularly telling. Whether we want to admit it or not, many open source projects are the voluntary work of kind individuals who dedicate their time to the community while coping with a full-time job and personal life challenges.
Not all open source projects enjoy massive communities. Not all open source projects enjoy the backing of large companies. Still, there is no big or small project when it comes to security. They all have the potential to cause massive damage at a global scale.
Support and Awareness are key
That said, I cannot imagine a world without open source. I know talk is cheap but I really believe we need to embrace open source even more.
There is the need of financial support for those developers who pour in a huge amount of hours in creating code that powers our own infrastructure and software systems.
There is the need of more contributors that help develop all these libraries, frameworks and solutions we use daily.
There is also the need of more awareness about its weaknesses. It is only through retrospection and constructive criticism that we can make open source more secure and reliable.
What's your take?
April's roundup
This month I was particular prolific 😁
API Security
On YouTube, we have started our journey into API Security and I covered the concepts of Broken Authentication and Broken Authorization. This series is inspired by the incredible work done by the Open Worldwide Application Security Project (OWASP).
AI Coding Assistants
This month I also discovered a good alternative to GitHub Copilot that is completely free for individual developers. Enterprises have also the ability to deploy it in their own environment for a fully air-gapped setup.
Avoiding Burnout and Analysis Paralysis
Incredibly enough, I managed to produce all this content while avoiding burnout and analysis paralysis. If you want to know how I manage, make sure to read my article on the topic.
Personal Events
I was entrusted with the Platform Owner role in my full-time work, which is something I'm incredibly proud of! Head on my LinkedIn and let's connect!
Sponsor me
I do not expect anything from my audience! Delivering high quality content to fellow software engineer, architects and leaders is a huge pleasure for me.
However, if you represent a brand or simply are someone willing to help me, please do by sponsoring my work.