There is a great cartoon from XKCD that nails the state of modern-day IT infrastructure. It features an image of a majestic, sturdy pile of children’s building blocks that maintains its balance thanks to a single, outlying block. Next to this block is the text: A project some random person in Nebraska has been thanklessly maintaining since 2003 [1]. That more or less sums up the state of things today. But how did we get here?
Back in the 1980s, people purchased software and owned a physical copy. If it didn’t do what you wanted, you got in touch with the supplier to get it fixed. In response, you would (hopefully) receive a floppy disk or tape cassette with a new version that included a fix.
The same applied to hardware that used software, like laser printers. And this is where Richard Stallman and the “free software” movement come in [2]. Apparently, Stallman wanted access to the software for a Xerox printer to resolve a paper-jamming issue. At MIT, the institute where he worked at the time, source code was seen as a communal resource, with many people contributing to various projects. However, access to this printer’s source code was denied to Stallman, leaving him with no way to modify the code to fix his issue. And that’s basically what kick-started the Free Software Foundation [3].
Clarifying the “free” in free software
When Stallman went out promoting “free software,” what he meant was more aligned with the freedoms provided by free speech rather than making software available at no charge [4]. However, as Red Hat and others began putting this free software into useful packages and selling it in the 90s, it was commercially challenging to justify why something labeled as “free” had a price.

The issue was solved by American forecaster Christine Peterson, who suggested the term "open source." This helped clarify that such software made the source code freely available for download and could be modified or even contributed to. By this point, however, the damage had been done. Many commercial entities had no qualms about posting huge profits and paying out shareholder dividends off the back of cloud services that leveraged the power of free, open-source projects. To better understand the free/open-source differentiation, check out the links in the postscript below.
What “free” actually costs
With the changes to VMware licenses following the Broadcom acquisition, many teams are looking at Kubernetes and the KubeVirt project, something that could provide them with a single platform to manage their existing containers and add virtual machines [5].
But what does the freely available Kubernetes actually cost…in money?
Well, for starters, and like most open source projects, there are cloud infrastructure costs for the build clusters and integration tests. According to Kubermatic’s Mario Fahlandt [6], $2.6 million in GCP credits and $2.3 million in AWS credits are used annually solely for building and testing, with a significant portion of the costs allocated to tests that ensure the promised 5,000-node support can be achieved.
On top come the non-code contributions, such as governance, infrastructure maintenance, communication, and the numerous meetings (around 37 weekly) that such a project requires to keep it running. Then there are other bumps in the road that need to be addressed, such as compliance with the EU’s Cyber Resilience Act (CRA) – not a bad thing, but another task that has to be taken seriously.
Underlying risks of our current open source attitude
All of these projects build upon the Stallman-esque assumption that everyone in open source is in it for the love of writing code and making society digitally better. But this isn’t always the case, as was highlighted by an issue with the XZ Utils project.
Hosted on GitHub, XZ Utils offers a top-notch compression utility that surpasses gzip and bzip2 [7]. Pulling up the contributor stats [8], you’ll see that the project is almost exclusively the work of user Larhzu. Then, in 2022, under pressure to expedite the release of updates, a user named Jia Tan was granted high-level access to the project.
Initially, Jia Tan’s changes were inconspicuous. However, upon reflection, it seems these were only made to garner the project owner’s trust because, early in 2024, the user made nefarious changes that impacted secure SSH connections. Luckily, the backdoor was quickly discovered, fixes were issued, and Jia Tan’s account was suspended pending further investigation.
Usage-aligned support of open source projects
The XZ Utils debacle highlights the fragility of the open-source environment. A single developer can be responsible for a project that is integrated everywhere (both Unix-like and Microsoft operating systems [9]). Without checks and balances in place, malicious actors can compromise this ecosystem. To avoid this, such projects require human and technical support, both of which cost money.
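The single-maintainer risk described above is something you can measure for your own dependencies rather than discover after the fact. The script below is an added example, not code from the original post or from any project it mentions: it parses the text that `git shortlog -sn --no-merges` prints for a checked-out repository, computes the top author’s share of commits and a simple bus factor (the smallest number of authors who together account for half of all commits), and flags the project when one person wrote almost everything. The embedded sample is constructed and describes no real project.

```python
"""Measure how concentrated a project's commit history is.

Added example, not part of the original post. Input is the text that
`git shortlog -sn --no-merges` prints (commit count, then author name);
the sample below is constructed and does not describe any real project.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample in the shape of `git shortlog -sn --no-merges` output.
SAMPLE_SHORTLOG = """\
   1412\tmaintainer-a
     23\tcontributor-b
      9\tcontributor-c
      2\tdrive-by-d
"""

# One shortlog line: leading whitespace, a commit count, whitespace, the author.
LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


class Concentration(NamedTuple):
    total_commits: int
    top_author: str
    top_share: float   # fraction of commits by the single largest author
    bus_factor: int    # smallest number of authors covering >= 50% of commits


def parse_shortlog(text: str) -> list[tuple[str, int]]:
    """Parse shortlog lines into (author, count), sorted by count descending."""
    rows: list[tuple[str, int]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised shortlog line: {line!r}")
        rows.append((m.group(2), int(m.group(1))))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def concentration(rows: list[tuple[str, int]], threshold: float = 0.5) -> Concentration:
    """Compute top-author share and the bus factor at the given coverage threshold."""
    total = sum(count for _, count in rows)
    if total == 0:
        raise ValueError("no commits in shortlog")
    covered = 0
    bus = 0
    for _, count in rows:          # rows are already sorted, largest first
        covered += count
        bus += 1
        if covered / total >= threshold:
            break
    top_author, top_count = rows[0]
    return Concentration(total, top_author, top_count / total, bus)


def flag_single_maintainer(rows: list[tuple[str, int]], share_limit: float = 0.9) -> bool:
    """True when one author wrote at least `share_limit` of all commits."""
    return concentration(rows).top_share >= share_limit


if __name__ == "__main__":
    # Replace SAMPLE_SHORTLOG with the real output of:
    #   git shortlog -sn --no-merges
    rows = parse_shortlog(SAMPLE_SHORTLOG)
    c = concentration(rows)
    print(f"{c.total_commits} commits, top author {c.top_author} holds "
          f"{c.top_share:.1%}, bus factor {c.bus_factor}")
    if flag_single_maintainer(rows):
        print("single-maintainer project: budget review time and support for it")
```

Commit counts are a crude proxy (they say nothing about who reviews merges or holds release keys), but a bus factor of 1 on a dependency that sits in every build is exactly the signal the rest of this post argues should translate into support for the maintainer, not just consumption of the code.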

Some businesses provide open-source projects with access to hardware or allow their software developers to use company time to contribute. But time-limited sponsorships from a small group of benefactors fail to ensure these projects have the long-term outlook they require to manage increasing complexity and other demands, such as governance and security.
In an open letter, the OpenSSF (Open Source Security Foundation) presents its case for sustainable stewardship of open-source infrastructure [10]. In it, the signatories request a move away from the ‘illusion of free and infinite infrastructure’ toward sustainable models that align responsibly with usage. Their specific requests are:
- Show up and learn about the infrastructure you rely on with the goal of understanding operational realities, funding models, and needs.
- Engage with stewards on how you can contribute proportionally and review practices related to caching and traffic.
- Consider how framework, tool, and security defaults impact public infrastructure.
- Become a financial partner through membership, sponsorship, or employing maintainers.
Here at ape factory, we stand by the substance of the OpenSSF’s letter. Open source has enabled our business and many others, allowing our clients to implement some incredible systems. Despite being only a small cog in a much larger machine, we like to think we punch above our weight in the world of open source. All our employees are free to spend 20% of their time contributing to open-source projects.
Furthermore, we are paid members of the Linux Foundation and NeoNephos [11], cementing our commitment to making things like a sovereign EU cloud infrastructure and services a success. Hopefully, others, with deeper pockets and a greater dependency on open source than we have, will review their relationships with the projects that underpin their businesses.
Postscript
If you’d like a potted history of free software, open source, and its consequences, we can recommend Dylan Beattie’s “Open Source, Open Mind: The Cost of Free Software” from NDC Oslo 2024 [12]. You should also take time to understand Stallman’s differentiation between his vision of free software and the open-source movement [13].
---
[2] https://www.oreilly.com/openbook/freedom/ch01.html
[3] https://www.fsf.org/about/
[4] https://www.gnu.org/philosophy/free-sw.html
[5] https://www.apefactory.com/en/insights/running-and-managing-vms-on-kubernetes
[6] https://www.youtube.com/watch?v=zYQGamFUNLo
[7] https://daily.dev/blog/xz-backdoor-the-full-story-in-one-place
[8] https://github.com/tukaani-project/xz/graphs/contributors
[9] https://en.wikipedia.org/wiki/XZ_Utils
[11] https://neonephos.org/members
[12] https://www.youtube.com/watch?v=vzYqxo13I1U
[13] https://www.gnu.org/philosophy/open-source-misses-the-point.en.html