where do we go from here? the future? of open source? and - PDF document

From: Paul Ramsey <pramsey@cartodb.com> where do we go from here? the future? of open source? and geospatial? This talk is supposed to be about the next ten years, but I felt the topic really called for more question marks. So this is ...

paul ramsey 2001- 2009-2014 2015- So, first a little about me, <X> I’m a co-founder and developer of the PostGIS open source spatial database project, <X> For six years, I worked for a professional open source support company, known first as OpenGeo and now Boundless, <X> And I currently work for a software-as-a-service company, CartoDB, that is built on 100% open source infrastructure, And that background definitely informs this talk, as you’ll see…

paul ramsey I have been allowed to speak at FOSS4G plenary sessions five times now, every two years, and from 2009 on my topic has always seemed to come back around to economics. The economics of open source software development.

economics of open source are CRAZY Which isn't surprising, it’s an interesting topic, because the economics don't make any sense.

When I grow up, I’m Sport, you’re out of going to give software your mind. away for free! The economics don't make sense… <X> when you try to explain them to your family.

Do I look stupid to Sir, we should make you? You’re out of the new software your mind. open source... The economics don't make sense… when you try to explain them to your boss.

Could go rock Could close climbing... tickets... I’m out of my mind... The economics don't even make sense… <X> when you try to explain them to your self.

here i am Now, obviously I am here, 8000 kilometers from home, speaking to you, well-fed and wearing, pretty nice shoes, so the economics can't be all * that * bad.

the economics of open source are bad, But they are bad enough. Bad enough to be worth mentioning.

open source $$$ • re-licensing • “open core” • professional open source (support) • software-as-a-service I spent my whole keynote in 2011 describing the different ways that open source development could generate revenue through various business models: <X> re-licensing, open core, support contracts, software-as-a-service, and so on. And all these models work, to an extent. But even when they work, a bit, they don't work all that well.

ha ha, a funny https://twitter.com/xof/status/622113231218192384 "Hi I'm an engineer at a well-funded company and we need this feature can someone implement it for free?" There's a reason all the open source developers laugh and nod and re-tweet this classic: it's all too true.

ha ha, a funny https://twitter.com/howardbutler/status/348168348795797504 My favourites in the genre combine a complaint about a missing feature with a threat to use some other software. Or there's this variant,

ha ha, a funny https://twitter.com/jordansissel/status/265528663339069440 "Hi, I'm a consultant who was hired to do this thing I cannot do. You do it for me. URGENT." Whether the request comes from someone at an outsourcing bodyshop, or a defence department contractor or the latest start-up, they all have a strong core belief that you should share their sense of urgency . There’s just always a huge mismatch between the resources available to the people ASKING for assistance and the resource available to those PROVIDING the software because,

open source is incredibly good at creating wealth and incredibly bad at capturing it The open source software model is incredibly good at creating wealth and incredibly bad at <X> capturing it. The canonical proof for this is the Heartbleed episode.

heartbleed For those of you who missed out, the synopsis is this: In late December of 2011...

december, 2011 ..., a bug was accidentally introduced into the OpenSSL network encryption library. OpenSSL is at the heart of almost every secure connection made on the internet.

If you're seeing the little lock in your browser, it's almost certainly OpenSSL at work.

$1,000,000,000s To say that OpenSSL is responsible for the security of billions of dollars of commerce every day would not overstate its important to the global internet economy. The bug, which was nicknamed "Heartbleed", was nothing more than a single-line bounds-checking error.

However, it was particularly pernicious, because it allowed attackers to remotely read portions of the memory of an affected computer. Any frequently used file, that was cached in memory, any security certificates, any passwords, any pieces of data transiently held in memory, they were all exposed to remote access.

april, 2014 Heartbleed was discovered and announced in April of 2014, leading to a world-wide rush to patch the vulnerability on every server on the internet. Millions of dollars were spent, retroactively , to paper over this small mistake in software. So, how could a simple error like this pass code review and get added to a library that protects billions of dollars in global commerce?

• 2011, four committers • 2011, one paid part-time developer • revenue from consulting and feature development • not core maintenance Easy, the community that maintained OpenSSL consisted of 4 committers, only one of whom was paid for his time. The OpenSSL foundation had to go begging for donations, and made most of its money doing consulting and contracting, not doing core maintenance. The foundation's president, Steve Marquess, said

“The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often.” - Steve Marquess, President, OpenSSL Foundation "The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often." OpenSSL generates billions of dollars in value, but failed to capture even a few hundred thousand dollars to maintain a staff of core maintainers. And because of that, millions of dollars were spent in the end, remediating a bug that slipped through.

openssl openssh ntpd gnupg After Heartbleed, some of the major internet companies, like Google, Facebook and Amazon, created a new fund for maintaining key internet infrastructure, and OpenSSL was among the first reciptients of funding. So, problem solved?

enlightened self-interest Google and company are displaying enlightened self-interest; they are supporting infrastructure that is critical to their commercial mission. The trouble with enlightened self-interest, though, is that it still requires enlightenment .

enlightened self-interest And it's not permanent. If, in five years, Google decides to save a few dollars,

“maybe they will fix it in the next release...” “facebook is funding maintenance? “why don’t you do a suckers...” better job with quality control...” self-interest “let someone else “that’s not in our take care of that...” core mission...” and leave the funding of the critical infrastructure project to Facebook and Amazon, there's nothing stopping them. And Google will still receive all the benefits of Facebook and Amazon's investment: after all, OpenSSL is open source! Letting others pay, while you still play, is called being a "free rider".

cooperators free riders contributions benefits public goods (aka OSS) The nice thing about open source, and digital media in general, is that there's nothing wrong with free riders, in that they don't * cost * anything. They don't add to the burden of the work of the project, as long as they don't ask questions and just quietly use the software.

free riders cooperators contributions benefits public goods (aka OSS) The danger of free riders is when the population of software users is so big, and so dominated by free riders that the societal impact and importance of the software dwarfs the resources that are being devoted to its maintenance and longevity. This is what happened to OpenSSL with Heartbleed, and it happens to projects in the open source geospatial world too. (JTS, GEOS and PROJ would be the obvious examples.)

here i am But wait! Again, here I am, standing 8000 km from home, wearing... passably nice shoes and looking well fed, the core committer of an open source project. What do **I** have to complain about?

me? no complaints Me? Nothing. Nothing at all. But I'm a corner case. There are hundreds of developers in the open source geospatial community contributing most of the code and progress,

your job is to make the open source software better!!! BUT there are only a handful like me who are employed with a job description that explicitly includes the goal of "making the open source software better". Most open source geospatial contributors are employed at jobs where building open source is a side effect of their real responsibilities.

the economics of open source are bad, except where they are good; And that's actually good news, because the economics of open source are terrible , <X> except where they are good , and that's in building systems * using * open source software.