Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more
Let the OSS Enterprise newsletter guide your open source journey! Sign up here.
Open source software (OSS) is never too far away from both acclaim and controversy, whether it’s a major security incident, a trademark tussle, or flying a helicopter on Mars.
Let’s take a look back at some big OSS talking points of the year.
A serious open source flaw
Security is always a major discussion point in the open source sphere, and 2021 was no different. The biggest story of the year was almost certainly the zero-day vulnerability found in the Apache logging library Log4j, which is used by countless companies across the consumer and enterprise realm — from Apple’s iCloud to AWS and IBM.
Log4Shell, as the vulnerability is called, had existed since 2013, but was only discovered by Alibaba’s security staff in late November and publicly revealed two weeks later. It is considered particularly dangerous, given that it enables remote code execution (RCE), allowing hackers to gain access to remote systems and sensitive data. Log4Shell was elevated to near-celebrity status when it was awarded a CVSS (Common Vulnerability Scoring System) security rating of 10.
Although the Apache team issued a fix on December 6, Log4j’s ubiquity across cloud services, infrastructure, and everywhere in between, makes it difficult for every company to update their systems quickly enough — on top of that, they might not even know that their software relies on Log4j in the first place. Needless to say, attackers began seeking to exploit Log4Shell in the wild and widened their scope to the ransomware realm.
There are many lessons to learn from this, as Reblaze’s open source program manager Justin Dorfman wrote in VentureBeat:
“The incident exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization.”
However, in the wake of the Log4j vulnerability, the usual argument reared its head, with countless people noting that it shone a light on the inherent security deficiencies of community-driven software. But others countered that by stating the main problem was that companies were happy to benefit from open source in the good times, not give anything back, and then point their finger at OSS when things go wrong.
The log4j thing illustrates, once again, the reason that I don’t do Open Source stuff any more.
People will take the stuff you built
They will make a tonne of money with it
They won’t give you a penny
They will scream at you as soon as there’s a bug— Dr Peter Brett (@PeterTBBrett) December 11, 2021
Serving as a somewhat sobering reminder, one of the Log4j project’s core maintainers — Ralph Goers, who fixed the vulnerability — has a full-time job elsewhere as a software architect. Goers works on “Log4j and other open source projects” in his spare time.
This is the maintainer who fixed the vulnerability that’s causing millions(++?) of dollars of damage.
“I work on Log4j in my spare time”
“always dreamed of working on open source full time”
“3 sponsors are funding @rgoers‘s work: Michael, Glenn, Matt”People, what are we doing. pic.twitter.com/2hAxUWCjuC
— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 10, 2021
Poetic license
Arguably, one of the biggest talking points came at the turn of the new year, when Elastic revealed it was transitioning its database search engine Elasticsearch from an open source Apache 2.0 license to a duo of proprietary “source available” licenses. The move, ultimately, came as little surprise and was the culmination of years of headbutting between Elastic and Amazon’s cloud computing offshoot, Amazon Web Services (AWS).
As a fully open source project, any company had been free to do whatever they wanted with Elasticsearch — including offering it “as-a-service,” as Amazon did when it launched the Amazon Elasticsearch Service way back in 2015. This kicked off a chain reaction of events that ultimately led Elastic to shift Elasticsearch — and the Kibana visualization dashboard — to new licenses.
That Amazon had elected to use “Elasticsearch” in the name of its own managed service was one of the problems — it was, in Elastic’s eyes, a clear trademark infringement, and it caused confusion in the market space about which Elasticsearch service was which. This is why Elastic filed a lawsuit against Amazon back in 2019, but lawsuits are not generally a swift process. Additionally, changing the license helped speed things up in terms of swaying Amazon away from the Elasticsearch brand. It worked, as just one week after Elastic announced the license switch, Amazon revealed it would begin work on an open source Elasticsearch fork, which would eventually ship under a completely new name — OpenSearch.
Licensing kerfuffles were evident elsewhere in the open source sphere too. The Software Freedom Conservancy (SFC), whose sponsors include Google and Red Hat, sued Vizio, alleging that the smart TV maker breached two open source licenses by using and modifying software without making the derivative source code publicly available. Vizio is showing no signs of budging, though, and the case took a somewhat ugly turn when Vizio filed a request to “remove” the case from California State Court, seemingly based on the belief that “consumers have no third-party beneficiary rights under copyleft.”
Meanwhile, former U.S. president Donald Trump’s upcoming social network “Truth Social” apparently violated Mastodon’s open source license, with Mastodon originally threatening a lawsuit. The crux of the problem was that Truth Social’s terms-of-service claimed the code was entirely proprietary, and made no reference whatsoever to its Mastodon foundation — moreover, the open source license stipulates that all derivative projects must also be made available under the same license.
While the social network is yet to formally launch, it appears it has gone some way toward meeting Mastodon’s licensing requirements — it recently acknowledged that it was built upon Mastodon, and the developers uploaded a zip file of its source code. Whether that will be enough remains to be seen, but the eyes of the open source community will remain on Trump’s company ahead of the official launch in 2022.
Trademark tussles
The issue of trademarks is by no means unique to AWS vs. Elastic. Just before the new year kicked off, Facebook asserted trademark ownership over the open source “PrestoDB” project. This caused a problem for PrestoSQL, a fork created by the original Presto creators when they left Facebook — they were forced to change their project’s name to Trino.
Fast-forward ten months to November, and live streaming software provider Streamlabs OBS had to drop “OBS” from its name after it was called out by the open source OBS project on which it is built. Similar to AWS vs. Elastic, avoiding brand confusion was central to this, with the OBS project’s Twitter account revealing that some of its support volunteers had to deal with angry Streamlabs’ customers, who were apparently confused between the two entities.
We’re often faced with confused users and even companies who do not understand the difference between the two apps.
Support volunteers are sometimes met with angry users demanding refunds. We’ve had interactions with several companies who did not realize our apps were separate.
— OBS (@OBSProject) November 17, 2021
Open source eats Mars
Open source software is so pervasive, it has often been said that it is eating the world. But if the first-ever Martian helicopter flight is anything to go by, open source software is eating the entire solar system.
The historic achievement was made possible by “an invisible team of open source developers from around the world,” GitHub’s former CEO Nat Friedman wrote. Some 12,000 developers contributed to open source projects used in the software that powered the helicopter’s maiden flight on the Red Planet — and yet, “most of these developers are not even aware that they helped make the first Martian helicopter flight possible,” noted Friedman.
To mark the occasion, GitHub placed a Mars 2020 Helicopter Mission badge on the GitHub profile of every developer who had contributed to code that was used in the mission.
Linux turns 30
Linux was first released on September 17, 1991, the omnipresent open source operating system turned the grand old age of 30 this year.
It’s impossible to understate the importance of Linux across the technological spectrum. Android — the world’s most widely used mobile operating system — is based on a modified version of the Linux kernel. Today, Linux is used in everything from automobiles and air traffic control to medical devices, and is also widely employed in web servers, the most common being Apache. In fact, the growth of the web over the past 30 years has been fueled in large part by Linux and similar open source software.
Here’s to the next 30 years of open source innovations.
VentureBeat
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more