Open Source Faces Challenges In 2020

I recently wrote a couple of posts about open-source EDA tools, OpenROAD: Open-Source EDA from RTL to GDSII and 2nd WOSET Workshop on Open-Source EDA. I have also written about open-source in general, as an approach to development and an approach to business in a post from over four years ago that I think stands up well: The Paradox of Open Source. The reason I called it a paradox is that it seems to be one of the most effective ways to develop software but it doesn’t really have a business model that works.

All over the internet are pieces complaining that open source is broken. A particularly good one is The Cathedral and the Bizarre—a critique of twenty years of open source. The title is a play on The Cathedral and the Bazaar, a book by Eric S. Raymond (also known as “esr”) who introduced the term “open source” as a replacement for “free software”, which always needed to be qualified as “free as in speech, not as in beer” but was the term introduced by the pioneer in the space, Richard Stallman (“rms”). I discussed the book in my earlier post linked to above.

The effectiveness of open source as a development approach is summed up in the aphorism known as Linus’s Law (actually created by Eric Raymond but named in honor of Linus Torvalds, the father of Linux):

With enough eyeballs, all bugs are shallow.

In a recently updated article cleverly called The Cathedral and the Bizarre, Mark Tarver introduced the term FDD, for “Financial Deficiency Disease” as a way of capturing the paradox that open source is a great way to develop software but is largely broken as a business model.

Financial Deficiency Disease
Some projects, such as Linux, have huge teams of professional developers paid for by big companies like IBM, Google, and Amazon. They rely on hardware running Linux and the cost of a few developers is a rounding error in their businesses. This gives the misleading impression that all of open source is like that—projects that last for years and are well funded.

In fact, 98% of projects on Github are abandoned within a year. In Open source failure is its greatest success, Matt Asay argues that since open source is about experimentation and iteration, so this high abandonment rate “may well be” the best sign of its success. Count me unconvinced. Even venture capitalists can’t survive with a 98% failure rate. Their rule of thumb is something like 10% hit it big, 25% fail totally, and the others don’t really go anywhere. Venture capitalists don’t really care about singles, they want home runs or strikeouts.

Even the biggest successes, such as Red Hat, are only successful compared to all the other companies that tried the business model of selling support for an open-source project. In Why There Will Never Be Another Red Hat: The Economics Of Open Source, a16z partner Peter Levine points out that the market cap of Red Hat is nowhere near the market caps of similar closed-source companies (see chart). Of course, since Peter wrote that piece, IBM acquired Red Hat for $34B but I remain skeptical that this will turn out to be a profitable deal for IBM. The fact that IBM could acquire them at all (as opposed to acquiring Oracle, or even VMWare) is because they were relatively cheap.

Even more dubiously, Microsoft acquired Github for $7.5B. Github is the dominant repository for open-source projects. It also hosts other private projects for a fee, which is the main source of their revenue. But as André Stalz points out in Software Below the Poverty Line:

The total amount of money being put into open source is not enough for all the maintainers. If we add up all of the yearly revenue from those projects in this data set, it’s $2.5 million. The median salary is approximately $9K, which is below the poverty line. If split up that money evenly, that’s roughly $22K, which is still below industry standards.
…
GitHub was bought by Microsoft for $7.5 billion. To make that quantity easier to grok, the amount of money Microsoft paid to acquire GitHub—the company—is more than 3000X what the open-source community is getting yearly.

Heartbleed
Heartbleed was a vulnerability in the SSL layer of the internet that caused massive disruption in 2014. It was one of those vulnerabilities that was so significant it had its own logo. I won’t try and explain Heartbleed but it affected the basic plumbing of the internet, not just used by smartphones, PCs, and servers, but also by routers from Cisco, Juniper, and others, and similar projects. The bug was in an open-source project called OpenSSL.

So how come with enough eyes that bug managed to get through? Well, despite pretty much the entire internet depending on OpenSSL, it turned out that:

If the number of people that relied on a project—and its importance to the overall web—was proportionally related to the amount of support a project has, OpenSSL would be well-funded and have a heft of full-time paid employees and maintainers.
It’s not.
OpenSSL, a project that runs on 66% of all web servers, has just one full-time employee. One.

So the lack of business model is not just something that affects underpaid developers, it means that some of these projects are so under-resourced that they are unable to deliver what users think they are getting.

Funding open source
There are a variety of ways of funding open-source projects:

• Sweat equity, either volunteers (like Linus Torvalds when Linux started) or grad students (whose product is not directly the software but academic papers and an advanced degree): In this sense, the project is not really funded at all, but it has enough engineers. Of course, indirectly, even grad students are funded by the academic funding bodies, such as NSF, DoD, and the like.
• Donations: This tends to depend a lot on visibility. As André Stalz says in the article linked to above, “Because visibility is fundamental for donation-driven sustainability, the ‘invisible infrastructure’ projects are often in a much worse situation than the visible ones.”
• Professional enterprises that make their money somewhere else: Google makes a fortune from Linux by not having to pay Microsoft (or someone else) anything for their operating systems. Same for Microsoft themselves in the cloud, even though they could get their own operating system for free presumably—but users want Linux and it costs Microsoft nothing to provide it.
• Providing support: But read Peter Levine’s piece, subtitled (in the URL) “don’t tell me you want to be the next Red Hat”.
• Keeping some aspects of the project closed source: Have the base system be open source, and keep some of the good stuff closed source. Google does this with Android, for example, where some of the open-source version of Android is not in great shape, so Google substitutes their own closed-source implementations (the keyboard, for example) in the official Android releases (the ones with weird names like Cupcake or Gingerbread).
• Provide SaaS service based on the code, so that there is a whole paid bundle of servers, code, support, and more, that is paid for by the end-user, who never touches the code.
• Investment in yourself: Work on important open source projects to create a personal brand, and then get hired for a premium salary by a big company based on your reputation. Working for free is a loss-leader.

Open source as a religion
There is an aspect of open source that is treated as if it is inherently wonderful, and closed source is evil. You get some sense of this reading complaints about, for example, MathWorks’ MATLAB: it is closed source and therefore unacceptable compared to open-source competitors—but unfortunately, those open-source competitors are usually behind, trying to catch a falling knife.

That actually reflects a dirty secret about open source: it is not very good at innovation. What it is good at, is taking an existing closed-source system and creating a clone. I think it is Eric Raymond who pointed out that there are no good open-source games. By the time a game is a hit, it is too late to clone it since the gamers will have moved on by the time the open-source clone is ready.

That works really well if the closed-source system is not advancing fast. But not so well when the closed-source project is undergoing intense development. Despite starting before Microsoft Office even existed, OpenOffice has nowhere near the functionality. The copies of MathWorks are a lot less powerful. And many other examples. Even Linux is a clone of GNU, which is a clone of Unix. (See my post The Most Important Operating System Ever for that story.)

Viewing the lack of a good business model for most open-source projects leads to indignation when it gets exploited. Most phones in China run the open-source version of Android with no Google products installed at all, so Google gets nothing, not even search traffic. Amazon/AWS came into criticism for using MongoDB to provide various cloud services, without giving any money to MongoDB since it just took the open-source code, and created its own version without needing any help.

Here’s a line from the André Stalz piece above:

The struggle of open-source sustainability is the millennium-old struggle of humanity to free itself from slavery, colonization, and exploitation…If you want to help open source become sustainable, rise up and help humanity write new rules for society, that keep power and capitalist thirst accountable for abuse.

Good luck with that approach. But based on all the articles that I linked to in this post, it is clear that there is a growing awareness that many of the people working in open source for noble reasons are being exploited, and they need a new business model to get their fair share. Otherwise, open source will not be sustainable in anything close to its current form.

Closed vs Open
Here’s a quote from I Hate MATLAB:

MATLAB is closed source, proprietary, and prohibitively expensive if you have to buy it yourself.

Let’s face it, you could say the same about Cadence or any other closed-source software company. But I think that sums up the challenge. Software is expensive to develop. Today, either you pay for it by paying for the software, or you get it for free by exploiting the lack of a business model for open source, and the idealism of the programmers.

I completely recommend reading The Cathedral and the Bizarre. Here’s part of his closing paragraph:

The Cathedral and the Bazaar coincided with the dot com boom that made a few people very rich and wiped out many more. Eric S. Raymond started a popular movement, but in the process lost the point and direction of what was promised. Of course this is nothing new. The early Christians, the French revolutionaries, the Bolsheviks all engineered movements designed to free people and all of them ended out of control and being oppressive. The question is, can we liberate the amazing technology of open source and the internet and use it to benefit the creatives in our society?