The government is now a little more open. This week, the White House released its first official federal source code policy, detailing a pilot program that requires government agencies to release 20 percent of any new code they commission as open source software, meaning the code will be available for anyone to examine, modify, and reuse in their own projects. The government agencies will also share more code with each other, essentially adopting open source practices within their own governmental universe.
It's the latest in a long line of high-profile victories for the open source movement. As recently as a decade ago, the worlds of both government and business worried that using open source software would open them up to bugs, security holes, and countless lawsuits. But despite these early fears, open source came to dominate the digital landscape. Today, practically every major piece of technology you interact with on a day-to-day basis—from the web to your phone to your car—was built using at least some form of freely available code.
Some of the biggest companies in the world are not only using open source software, but open sourcing their own code as well. Earlier this year, Walmart released an open source cloud management system. ExxonMobil released an open source developer toolkit to help oil and gas companies adopt standard data formats. Financial giants like the London Stock Exchange Group, JP Morgan, and Wells Fargo are among the companies backing Hyperledger, open source software that could reinvent the stock market. In short, open source is now a core part of how software is created not just by software companies, but by every kind of company.
That's because governments and corporations are realizing that open source is often the best way to develop software. Open source lets companies share the burden of developing common infrastructure and compatibility standards. And because anyone can participate, regardless of what company they work for,or whether they work for any company at all, open source can potentially attract a more diverse pool of talent–people with unique perspectives, who can spot problems or develop new features that the original creators of a piece of software never imagined.
But despite this mainstream success, many crucial open source projects—projects that major companies rely on—are woefully underfunded. And many haven't quite found the egalitarian ideal that can really sustain them in the long term. Some open source developers struggle with burnout, while others have trouble working their way into the open source community. Though the community has proved that open source is among the most important ideas in the history of technology, it faces a whole new set of tests as it transforms from scrappy underdog to pillar of the mainstream.
An Unsolved Problem
Venture capitalists are betting big on open source startups. A Silicon Valley outfit called Cloudera raised over a billion dollars all on its own. Meanwhile, existing companies like Google, Facebook and Microsoft spend enormous amounts developing open source in-house. But many important and widely-used projects still struggle to raise funds, according to a recent paper published by the Ford Foundation.
Take OpenSSL, an encryption software library used by countless websites and operating systems, including Android and iOS, to securely process sensitive data such as passwords and credit card details. Prior to 2014, only one person worked on the project full time, and this was a big reason no one noticed Heartbleed, a massive security hole that led to one of the worst digital security emergencies in history.
The OpenSSL team patched Heartbleed, and the incident helped raise funds to prevent future problems. With support from several major tech companies, the Linux Foundation started the Core Infrastructure Initiative (CII) to help support important but under-funded open source projects, including OpenSSL. But now that the Heartbleed publicity has worn off, donations have slowed to a crawl, says OpenSSL Foundation co-founder Steve Marquess. Not counting its CII money, the organization only has enough money saved to keep paying two engineers for another year and a half. "CII funds less than half of our current operation," Marquess says. "We hope that continues, but it's something that we don't necessarily want to count on."
As important as CII is, it can't fund everything. Plenty of projects face neglect, including Dnsmasq, which is used in Android phones, Wi-Fi routers, and cable modems, and OpenBSD, a security-focused operating system included in many commercial firewall products. OpenBSD was nearly forced to suspend operations in early 2014, but a generous donation saved it at the last minute. The project exceeded its fundraising goals last year, thanks in large part to the publicity surrounding a close call the year before, as well as the Heartbleed fiasco. But this year, the foundation has only reached about a third of its goal. "The bottom line is that unless things pick up we will not be able to meet our goals and will reluctantly be forced to reduce our support for OpenBSD and related projects," says OpenBSD Foundation director Kenneth Westerback.
Barriers to Entry
The other problem is that although the open source projects really thrive when everyone has a say—when democracy really takes over—this isn't always the ways things work. Because they have the money, the big companies now have a much greater say in how things work, and outsiders have a hard time breaking in.
Sure, the path is there. Open source contributions are a kind of living resumé that can get you a job at the big companies. A developer's open source contributions make it easier for employers to see how that developer codes, how they approach particular projects, and how they've evolved over time as coders. And small companies are free to contribute as well. But all this takes time or money or both. A single parent may not have the free evening. A small company may not have enough funds.
One result is that the open source community is already less diverse than the tech industry as a whole. According to a survey published by Libresoft in 2013, only about 11 percent of open source contributors were women. That was up from 1.1 percent in 2002. But it still lags far behind the number of women employed in the software industry in general (21 percent of all computer programmers are women, according to Bureau of Labor Statistics). Burnout exacerbates the problem, as volunteers–particularly those engaged in the non-technical aspects of open source projects–find themselves overwhelmed with obligations outside their paying jobs.
The Next Wave
Neither of these problems have easy solutions. Money won't solve all of open source's problems–the tech industry has plenty of diversity problems as it is–but it would go a long way towards bringing more people to the table, and making sure that important projects get the attention that they deserve. It seems clear that the companies that benefit the most from free and open source software should contribute more funds towards its development, but that funding can raise its own issues.
For example, Marquess says that in order for people to trust OpenSSL, it's crucial that no one company or organization control the project. That means one company alone can't hire all the engineers and pay them to work on OpenSSL. The project needs lots of different companies to chip in to stay independent.
Software developer Audrey Eschright argues that a new movement is emerging from the open source community. She believes the movement should bring more attention to community and actually paying people for their labor. "We're here not because of the source code, but because of the community," she says. That may sound heretical purists who have fought long and hard to bring source code–including code funded by tax dollars–out into the open. But their own ideas were once fringe and have now hit the mainstream. Perhaps it's time for a new generation to throw away old assumptions and offer a new way forward.