Open source 2024: addressing challenges related to security, artificial intelligence and long-term sustainability

The first piece of open source software was released just over 70 years ago, and today open source is found in almost every application that exists.

A 2024 report from Synopsys found that the average application contains more than 500 open source components, and the latest industry reports show that more than 95% of code bases contain open source software.

Chris Aniszczyk, CTO of the Cloud Native Computing Foundation and vice president of developer relations at the Linux Foundation, says that open source, while used largely in applications in the technology sector, has in recent years been expanding into almost every industry, including agriculture and pharmaceuticals. The Linux Foundation also recently announced OS-Climate, an initiative aimed at climate change.

Given the ubiquity of open source software, let’s take a look at some of the trends we’ve seen over the past year and what we can expect from the open source community this year.

Open source security is now being handled by governments

In general, open source software has been under a greater microscope recently due to several major security issues in the past decade involving open source components, such as the Log4Shell vulnerability in Log4J.

Both the United States and the European Union are now working to improve the security of open source projects. In the US, President Joe Biden signed an executive order on improving cybersecurity, part of which concerns open source security. CISA also has several initiatives addressing the issue.

In the EU, the Cyber Resilience Act sets stricter security requirements for software. While it does not specifically target open source software, Mike Milinkovich, CEO of the Eclipse Foundation, says “there’s really no way you can regulate the software industry without regulating open source as some kind of first-order side effect.”

The executive order made people start thinking more about things like the Software Bill of Materials (SBOM) and vulnerability management (including license management), said Michele Rosen, director of research at IDC.

“If you install a package that three dependencies deep uses some kind of GPL software, and now you’re building software on top of it, that can be a huge legal risk for the company,” she said. “So one of the things they found is that SBOM management systems can help not only manage vulnerabilities, but also manage base code licenses.”
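The transitive GPL case Rosen describes is exactly what an SBOM lets you detect mechanically. The script below is an added example, not code from the article or from any SBOM tool: it walks a constructed CycloneDX-style SBOM (the package names, versions and bom-refs are invented placeholders) breadth-first from the root application, classifies each reachable component by its SPDX license identifier, and reports copyleft or unlicensed components together with the depth and path by which they entered the tree.

```python
"""Walk a CycloneDX-style SBOM and flag copyleft or unlicensed components
that enter an application transitively.

This is an added example, not code from the article or from any SBOM
vendor. The SBOM below is a constructed fragment shaped like the
CycloneDX 'components' and 'dependencies' sections; every package name,
version and bom-ref in it is an invented placeholder.
"""
from collections import deque

# Constructed SBOM fragment (CycloneDX-like shape, invented contents).
SBOM = {
    "metadata": {
        "component": {"bom-ref": "pkg:generic/myservice@1.0.0",
                      "name": "myservice", "licenses": []},
    },
    "components": [
        {"bom-ref": "pkg:pypi/webfw@3.1.0", "name": "webfw",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/templating@2.0.0", "name": "templating",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "pkg:pypi/imgcodec@0.9.0", "name": "imgcodec",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:pypi/compat-shim@1.2.0", "name": "compat-shim",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"bom-ref": "pkg:pypi/nolicense@0.1.0", "name": "nolicense",
         "licenses": []},
    ],
    "dependencies": [
        {"ref": "pkg:generic/myservice@1.0.0",
         "dependsOn": ["pkg:pypi/webfw@3.1.0"]},
        {"ref": "pkg:pypi/webfw@3.1.0",
         "dependsOn": ["pkg:pypi/templating@2.0.0",
                       "pkg:pypi/compat-shim@1.2.0"]},
        {"ref": "pkg:pypi/templating@2.0.0",
         "dependsOn": ["pkg:pypi/imgcodec@0.9.0",
                       "pkg:pypi/nolicense@0.1.0"]},
    ],
}

# SPDX identifier prefixes grouped by the obligation they impose.
STRONG_COPYLEFT = ("GPL-", "AGPL-")
WEAK_COPYLEFT = ("LGPL-", "MPL-")
SEVERITY = {"strong-copyleft": 0, "unknown": 1, "weak-copyleft": 2}


def license_ids(component):
    """Collect SPDX ids from a CycloneDX 'licenses' list, ignoring entries
    that carry only free text or an expression."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
    return ids


def classify(ids):
    """Map a component's license ids to a risk class, or None if clean."""
    if not ids:
        return "unknown"          # no declared license: must be reviewed
    if any(i.startswith(STRONG_COPYLEFT) for i in ids):
        return "strong-copyleft"
    if any(i.startswith(WEAK_COPYLEFT) for i in ids):
        return "weak-copyleft"
    return None


def find_license_risks(sbom):
    """Breadth-first walk from the root component; report every reachable
    component whose license class is not None, with its depth and the
    shortest path by which it entered the tree."""
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}

    paths = {root["bom-ref"]: [root["name"]]}
    queue = deque([root["bom-ref"]])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:           # first visit = shortest path
                name = comps.get(child, {}).get("name", child)
                paths[child] = paths[cur] + [name]
                queue.append(child)

    findings = []
    for ref, path in paths.items():
        if ref == root["bom-ref"]:
            continue
        ids = license_ids(comps.get(ref, {}))
        risk = classify(ids)
        if risk is not None:
            findings.append({"name": path[-1], "ref": ref, "risk": risk,
                             "licenses": ids, "depth": len(path) - 1,
                             "path": " -> ".join(path)})
    findings.sort(key=lambda f: (SEVERITY[f["risk"]], f["depth"]))
    return findings


if __name__ == "__main__":
    for f in find_license_risks(SBOM):
        print(f"[{f['risk']}] {f['name']} at depth {f['depth']}: "
              f"{f['licenses'] or 'no license declared'} via {f['path']}")
```

On the constructed SBOM the GPL-licensed `imgcodec` surfaces at depth 3 (root, then `webfw`, then `templating`, then `imgcodec`), which is the situation Rosen describes; a component with no declared license is reported as well, because an absent license is a review item rather than a clean bill of health. The same walk, with vulnerability records instead of license ids attached to each component, is how an SBOM serves the vulnerability-management side she mentions.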

According to Aniszczyk, this regulation and the push for transparency make sense: when we go to the store, for example, we want to know exactly what is in the food we buy. Until now, there has been no real incentive to do the same for software.

“We have so many choices in the land of open source, and developers just use what they find on GitHub or GitLab or all over the Internet,” Aniszczyk said. “There’s just not the maturity that you’d find in industries like manufacturing or the like, where there’s a little bit more oversight of the supply chain.”

Milinkovich hopes that a side effect of this regulation is that it encourages larger corporations to contribute more to open source.

“There is absolutely no incentive in any part of that relationship especially for open source companies to contribute anything,” Milinkovich said. “There is no reason to; it’s like ‘thanks for the free stuff’. And then we’ll put that into our applications in our internal systems. And that’s great. But regulation changes that equation somewhat. So with the regulation, now they might have a requirement to be able to produce SBOMs, they might have a requirement to demonstrate that the software components that they use in their products that they sell to the US government must follow NIST SSVF capabilities.”

Open source can win the AI race

A leaked memo from a Google employee last May, titled “We Have No Moat, and Neither Does OpenAI,” explored the idea that while Google was busy trying to compete with OpenAI, no company would win the AI race at all; open source could.

“The Moats memo basically said that the open source guys are getting similar results, or in some ways even better results. And they’re making progress at a pace that’s faster, even with much smaller datasets,” Milinkovich said.

The memo states: “Plainly put, they are lapping us. Things we consider ‘major open problems’ are solved and in people’s hands today… Open source models are faster, more customizable, more private, and pound-for-pound more capable. They are doing things with $100 and 13 billion dollars that we struggle with at $10 million and 540 billion. And they are doing so in weeks, not months.”

Some large companies are even starting to open source their models, and open source vendors are also contracting with larger companies, Rosen said.

For example, Meta recently partially open-sourced Llama, and Mistral, a French startup that produces open-source models, made a deal with Microsoft.

“So I think it’s pretty clear that open models are going to play a role in this whole AI space in one way or another… there was a question I would have said last year when some people were implying that, network effects being the way they are, we’re all going to kind of converge on one model, and I don’t see that happening at all. I think there’s going to be a proliferation,” she said.

Another thing to watch when it comes to artificial intelligence is how contributions made with AI assistance will be handled, given that the person submitting the contribution may not actually be its author, Milinkovich said.

He believes it will become more common to use plagiarism-checking tools. “There are some options in Copilot where it will check whether the code it produced is almost identical to the code that went into the training data,” he said. “If there’s something that a human would interpret as plagiarism, you have to try to use those tools to avoid it.”

Rosen says “the problem is that, especially with the open source model, it’s very difficult to know how to apply those licenses to, say, a training dataset or an architecture or even a system query or something like that.”

The impact of technology failures on open source

According to Rosen, about half of open source contributors are paid in some way to contribute to open source. That is why Google’s decision to lay off its open source division made some waves last year.

Google wasn’t the only one: according to Crunchbase’s layoff tracker, 191,000 tech workers lost their jobs in 2023, and as of March 8, another 31,000 had already been laid off this year.

However, despite the layoffs, data from the Open Source Contributor Index reveals that the number of active contributors from top tech companies (including Google) grew every month in 2023.

“The truth is that clearly some of the leaders of open source, commercial software have been subject to layoffs,” Rosen said. “And while we know that some developers contributing to open source projects had to be let go, it’s important to put those layoffs in context. The losses represented a relative minority of the hiring that occurred in the previous two or three years, so the overall effect is not something that I’ve seen or that I feel has been an attrition.”

How to sustain open source projects in the long term

The long-term sustainability of open source projects is another topic that has received more attention in recent years. Over the past year there have been several examples of popular projects changing their license or business model. For example, HashiCorp switched Terraform from MPL v2 to the Business Source License last year, and earlier this year Buoyant announced that stable releases of Linkerd would only be made available to Enterprise users. Red Hat had previously announced that its RHEL releases would only be available via CentOS Stream, which upset many in the open source community.

These are not isolated incidents of the past year, either; a number of other open source projects have changed licenses over the years, including Akka, CockroachDB, Elasticsearch, MongoDB, Redis, and more.

Aniszczyk believes that due to the backlash companies have faced, this won’t be a common occurrence for open source projects. “I think it’s going to happen less because of how much pain it’s caused them, like they’ve lost a lot of community trust,” he said, referring to HashiCorp.

Rosen says she believes companies are starting to think more about long-term project strategy than they did before.

“[They’re] maybe a little more active in diversifying management and really trying to think about a longer-term strategy,” she said. “However, I think a lot of open source projects are started in some way thinking about innovation and maybe not thinking about long-term management. If this project becomes successful, how will we sustain it, what will happen?”

A paper published in January by Harvard Business School found that 96% of the value of open source is created by 5% of developers.

“We have a relatively small population of people that, frankly, society depends on,” Milinkovich said. “And, you know, how do we make sure these people don’t burn out? … How do we make sure that these developers are sustained, but also how do we replace them when they retire and the next generation has to come back behind them and pick up the mantle of some of these key pieces of infrastructure.”

The value of open source

That’s an important problem to address because that same Harvard Business School paper estimated demand for open source software at $8.8 trillion and supply at $4.15 billion.

“We found that if OSS did not exist, companies would need to spend 3.5 times more on software than they currently do,” the researchers said in the report.

Milinkovich believes Harvard’s figures are an underestimate because they only measured websites, not operating systems.

“Some of the headlines I saw made me think they didn’t actually read the paper, because it’s like, you know, ‘open source is worth $8.8 trillion?’ No, they only measured a fraction of the open source ecosystem, right? They only measured web pages and specifically excluded operating systems. So basically, the economic value of the entire web infrastructure across the planet that we use every day, and open source’s contribution to that is about $8.8 trillion, but that excludes other uses. Excludes operating systems. So obviously it’s actually much, much more than that.”
