Jürgen Fälchle - stock.adobe.c

Navigating the shifting sands of open source

As open source matures, the Cloud Native Computing Foundation is grappling with issues ranging from licence rug-pulling and the rise of artificial intelligence to the changing dynamics of open source contributions

The world of open source is undergoing significant transformation, moving away from its roots in individual developer contributions to become increasingly dominated by technology companies. This shift brings opportunities and challenges, as the motivations and priorities of these corporations can sometimes clash with the ethos of open collaboration.

Take the move by HashiCorp last August to transition from the Mozilla Public Licence to the more restrictive, “source-available” Business Source Licence for future releases of Terraform, a popular infrastructure-as-code tool. The decision rattled the community, prompting the creation of OpenTofu, a community-driven fork of Terraform.

In a wide-ranging interview with Computer Weekly on the sidelines of KubeCon + CloudNativeCon + Open Source Summit in Hong Kong, Chris Aniszczyk, chief technology officer of the Cloud Native Computing Foundation (CNCF), talks up the challenges of navigating the global open source landscape, future directions at the CNCF and the motivations behind the surge of open source projects emerging from China.

Editor’s note: This interview was edited for clarity and brevity.

Talk to me about the growth of open source projects in China. Are they mostly driven by technology providers that are trying to solve a problem?

There are two motivations. There’s a company called PingCap which has contributed the TiDB database to the CNCF. They have an existing customer base in China, but they wanted to get customers elsewhere, so they needed to be perceived as more of a global company. And if their code is in a global foundation like the CNCF, they can gain trust and more customers from all over the world.

There are also companies like Alibaba that have solved a problem at scale through a project like Quasar that runs WebAssembly modules in a sandbox. They wanted to share that expertise with everyone, get people to adopt it and make it the de facto standard globally, more so than selling. We help them run better open source projects too, through security audits, documentation and how to structure things so the projects are truly global.

Are these projects mostly driven by technology vendors? What about end-user organisations?

The majority of projects from China are vendor-driven. In the US and Europe, we have more user-driven projects like Backstage from Spotify and Envoy from Lyft. But those took a while because many end-user companies generally don’t have strong open source skills and strong engineering cultures. Spotify and Lyft were able to do it because they had good open source processes and were okay with their engineers contributing code.

How is the CNCF managing tensions between different stakeholders in the community when open source commercial vendors like HashiCorp choose to adopt more restrictive licences?

CNCF’s stand is that all our projects can only depend on other open source projects. When Terraform became closed source or source-available, we had projects that couldn’t depend on it anymore and so OpenTofu was born.

The stand of the Linux Foundation, the parent organisation of the CNCF, is that we will support companies and end-user organisations that want to come together to do a fork of something. We have a good process, and we know how to galvanise people to do it because we are proponents of open source.

There’s a difference between a product and a project. If you're monetising an open source project, you want to tap your community for ideas and improvements, but those are generally not the people you necessarily sell your product to. You want to have a different brand, potentially, to treat things differently
Chris Aniszczyk, Cloud Native Computing Foundation

When the Terraform thing happened, I received a lot of phone calls from friends working for banks and other companies who didn’t think it was possible. I was telling them you don’t understand the difference between single-vendor open source and open source that lives in a foundation like the Apache Foundation or CNCF, where you can’t relicense the software. People will still use single-vendor open source, but it is a bit of a risk and there’s pressure now for users to evaluate options.

There are also bigger startups that haven’t gone public like Redis, which are under pressure that people could use their stuff for free. So, when they do a licence change, like Redis did, they upset cloud providers that were offering services. It also made community contributors and maintainers upset, because while they are okay with contributing to an open source project, they are not going to spend time contributing to a project that’s just owned by one company.

If you look at Terraform, the reason why it has been so successful is the plugins written by many volunteers. The core is still valuable, but it’s that plugin ecosystem which you potentially lock out when you move to single-vendor open source. The Linux Foundation has become better at these things which aren’t that common. Over the past 20 years, there were about 16 projects that had gone from open source to proprietary or source-available. Companies and users are also getting smarter. They see the value of open source foundations which protect the integrity of open source. A single vendor could just change the licence, but if it’s in a foundation protected by us, then it’s truly available for everyone.

Earlier this year, the OpenTofu project received a cease-and-desist letter from HashiCorp which claimed that OpenTofu copied Terraform’s code for the “removed” block feature.

We have lawyers, both on staff and outside counsel, and processes in place to make sure that when we have a fork, there are rules about copying that maintainers are aware of. The OpenTofu team were accused of copying, but they didn’t copy from the proprietary code base – they copied some headers from an older version which is okay. We spent quite a bit of time and money to write a defence, and the evidence showed they didn’t copy and the cease-and-desist was dropped.

What would you say to companies like that?

At the end of the day, there’s a difference between a product and a project. If you’re monetising an open source project, you want to tap your community for ideas and improvements, but those are generally not the people you necessarily sell your product to. You want to have a different brand, potentially, to treat things differently.

My advice for companies like HashiCorp is that open source is truly commoditised. In a free market, people are going to steal your ideas and compete with you, but you can’t mistreat your community. Many times, your community is contributing because they want to solve a problem and see it as a public good. You don’t want to treat those folks poorly just because it’s going to lead to a fork.

And keep the business separate from the open source project – the people you’re targeting for open source projects are people who have a lot of time but no money. For your product, you’re generally targeting people who have money, but no time, and they’re usually different people. Confusing those two groups makes your sales team miserable.

There’s a lot of focus on artificial intelligence (AI) and large language models (LLMs) at this year’s KubeCon China. Many companies have not realised the full potential of AI, so how are you weighing your priorities in that regard, given that the technology might fall short of its promises?

For the CNCF, cloud-native doesn’t necessarily imply containers only. We have a set of principles on how you manage and run workloads at scale. Your workload could be container-based or VM [virtual machine]-based, via Kubernetes. It could be WebAssembly-based, running an LLM. It could be training stuff on it, so for us it’s just another workload.

With AI right now, while Llama’s great, if Meta suddenly takes permission away, you’d have to get a licence from them. So, AI is going to go through a movement where we’re going to have to define what open source AI is
Chris Aniszczyk, Cloud Native Computing Foundation

AI workloads are popular, and Kubernetes is getting better GPU [graphics processing unit] support. We’re flexible and we have good projects that are being repurposed for AI, such as OpenTelemetry which is getting support to observe the full AI pipeline, from training to deployment to inference.

And in cloud-native, we have this notion of canary deployments to roll out changes slowly, and if things happen, you go back to testing. The AI community is just figuring that out. We’ve learned from a lot of pain in making cloud-native work for datacentres and microservices, and those ideas apply to whatever the workload is. That is how we view AI at the CNCF.

For the Linux Foundation, open source AI models and technology infrastructure are very important, so we will host things like Opea [Open Platform for Enterprise AI] and OMI [Open Model Initiative]. The reason we have so much innovation across CNCF, and other foundations, is because of open source and permissionless innovation. With AI right now, while Llama’s great, if Meta suddenly takes permission away, you’d have to get a licence from them. So, AI is going to go through a movement where we’re going to have to define what open source AI is. Like what open source did for software, we’re going to do the same for AI models to hopefully unlock more innovation.

What sorts of projects are you looking at moving forward?

The CNCF has evolved from the early days of focusing on containers and microservices, to cloud-native for any type of workload that needs to be observed, resilient, and so on. In the future – and it’s already happening – Kubernetes, which is useful for datacentres, will be used in edge devices, satellites and cars.

If you look at our projects in the pipeline right now, they’re mostly focused not on core container infrastructure, but on day-two things like Backstage. These are technologies that improve developer experience and make stitching things easier. On the low level, there is a lot of work we’re doing in WebAssembly which could potentially be well supported and run by Kubernetes as a workload. That means you can have containers, WebAssembly, AI and VMs all using same substrate.

What keeps you up at night, besides vendors pulling back on open source licences?

The licence rug-pulling for sure. We probably have the largest open source community in the world. It takes a lot to manage different companies, get people to work together and make sure they’re feeling supported. It’s a very tough challenge.

The other thing that keeps me up is the number of projects. We have almost 200 projects and we need to do some spring cleaning. We want to enable competition and innovation, but we also have to get good at cleaning up stuff that doesn’t work. We want more simplicity for users, but we still need to enable that competition.

There’s also the pressure to grow. The Linux Foundation charges membership dues, but the CNCF hasn’t changed our membership dues in nine years. Imagine you’re an Apple or Samsung, but you can never raise prices. It’s an interesting business problem for us – people want more work and support from us, but we can never raise prices. We can raise sponsorship dues for events like this in Hong Kong, but a big chunk of our money comes from membership. We’re a non-profit, but we’re also kind of running a business which needs to be sustained. Part of our mission is to figure out how to get more support from more of the global 2000 companies that depend on open source software and train them to become better open source citizens.

Read more about open source in APAC

Read more on Open source software

CIO
Security
Networking
Data Center
Data Management
Close