Season 6 — Episode 4

After several decades of use, should we consider open source software (OSS) a business model? In short: No! In this conversation, open source evangelist Javier Perez welcomes technology evangelist and CNCF ambassador Dotan Horovits to provide context for the biggest changes happening in OSS, discuss what a sustainable future looks like for open source, and explain what to do when companies choose to go not-so-open with their source code.

Speakers:

  • Javier Perez, Open Source Evangelist
  • Dotan Horovits, Cloud Native Ambassador at the Cloud Native Computing Foundation (CNCF) and host of the OpenObservability Talks podcast

Highlights:

  • Why open source shouldn’t be considered a business model
  • The “disturbing trend” in OSS and why “nothing is written in stone” when it comes to open source
  • How tools can differentiate themselves from the ‘open source-ness' of their projects

Transcript

Javier Perez [0:19] Welcome to Pulling the Strings Podcast, powered by Puppet by Perforce. My name is Javier Perez. Today, I'm the host and I have a great guest. We are going to be talking about open source and open source business models. There's so much in the news these days, some good, some bad, and I think we're going to have a good time here, Dotan and I, to talk about open source in general and open source business models.

As a quick introduction, my name is Javier Perez. And my guest is Dotan Horovits, principal developer advocate at Logz.io, and he's also cloud native ambassador at the Cloud Native Computing Foundation. Dotan, great to have you here. Thanks for coming. How are you?

Dotan Horovits [1:18] I'm fine, Javier. Thank you very much for having me. Glad to be here on the show.

Javier Perez [1:21] Excellent. Hey, how about we start with you telling us a little bit more about yourself, a little bit of your background, and how did you start working with open source?

Dotan Horovits [1:32] Yeah, certainly. So I come from a software development background, lots of backend type, Java, and others, the hands-on coding development, then onto system architecture, solution architecture, working with customers. I even did product management at a certain period for a few products in the platform space for developers and DevOps personas.

And in the current incarnation for quite a few years now, I've been in the developer advocacy, technology evangelism field with a lot to do also not just with the DevOps developers community, but also with open source and especially with the current company Logz.io that you mentioned, which is a cloud native observability platform. And the reason I like it and the reason I joined the company is that it's based on the best of breed open source stack.

So taking Prometheus, OpenTelemetry, Argo, OpenSearch, and so on, and making these discrete open source projects into one unified observability platform. So it meets me both in the day job and also in my community capacity. You mentioned that I'm a CNCF ambassador. CNCF is the Cloud Native Computing Foundation, the open source foundation behind Kubernetes, Prometheus, Argo, and many others. We'll probably talk about open source foundations a bit today on the episode. So also in these capacities I'm involved in projects such as OpenTelemetry and others.

Javier Perez [3:04] All right. Well, so many different things to talk about. Yeah, the whole CNCF, that's a whole different episode, right?

Dotan Horovits [3:12] Definitely.

Javier Perez [3:12] But I had a chance to go to the last KubeCon in Chicago, it was last year. This is a huge, I mean, it keeps growing and growing and growing. It's just a tremendous conference, and that just tells you how much of the industry, especially in open source is moving in the cloud-native direction.

But let's start talking about some of the business. And one thing for me to share here, to start the conversation, is something that we produce at OpenLogic, the State of Open Source. Every year we do a survey, a major global survey, and then the results of that survey are published in a report. The last one, we published that in February, the 2024 State of Open Source Report.

And what we do with that, what makes it different from other industry reports, is that we don't only ask open source related questions, but we ask about the use of open source within organizations. So every single question relates to the use of open source in organizations. If we are asking about cloud-native, if we're asking about telemetry, if we're asking about observability, if we're asking about databases, everything is within the context of the use within organizations.

So we're asking the respondents to basically tell us based on what they do in their organization. And that gives us some different perspectives, very good results and results around the maturity in the use of open source and organizations and so on. And I mentioned this because it relates directly with the topic that we want to cover today, right? There are so many different things and having the perspective from not only the individual developer but also what the organizations are doing with that open source.

So let's start with that, and I just wanted to give a quick intro on that. People can access the State of Open Source Report, download it; the data set, the raw data, is also available, we open source that. So anyone can just go and slice and dice the information based on company size or industry or job title of the respondent, things like that. Region, of course, probably very different results; in some cases similar or the same, in some cases very different results if we're talking about the different regions, right? In North America or in Europe, in the Middle East, and in so many other regions.

So this is just to set the scene, and one of the aspects always interesting there is the news that we hear. Dotan, we've been reading this news about companies changing license terms, changing the licenses and going from what we know as open source licenses to restrictions that make them no longer open source licenses. We can go into more detail, but what's your initial kind of reaction every time you hear about that news?

Dotan Horovits [6:23] Well, definitely it's painful. I'm a community guy and I know how much time it takes to build a community and how much effort it takes to maintain a community. Community is a long-term investment and a long-term activity, and people put in their time, their effort, without being paid because they know that they're putting it in for the greater good, including their own. And suddenly, when they see this being misused, mispurposed, or taken for some certain vendor's or entity's own profit at the expense of, obviously, the broader benefit of the community, that's painful. And also it's painful to see the impact on the end users because it also creates lower trust in users to adopt.

And you mentioned the survey that Perforce ran, which is fascinating to hear. And actually, also we at Logz.io, we've been running a yearly survey on the state of DevOps and observability. And this year's survey, it was a bit painful for me to see that organizations reported less. Or let's put it this way, the organizations that reported less than half of their observability is open source grew. So you see more organizations reporting less use of open source, and I cannot, obviously you can't ask the why in a quantitative survey.

The immediate question I would've asked if someone was in front of me is why. But the why, as far as I see, and I hear that in conversations, is this concern, a concern that organizations have about adopting open source after experiencing these painful cycles where you base yourself on an open source. This open source could be really a mission-critical piece of your architecture, a database lying at the heart of your system, for example. And suddenly this very critical piece that you built on and you built around and you've developed a whole ecosystem of logic around and you tuned it and you optimized it for your own needs suddenly is, let's say, relicensed, for example. That's something we've been seeing quite a bit in the past few years. And suddenly all the things that you've built around are in question, whether you're allowed to carry on using this in this fashion and modify it in this fashion and adapt it in this fashion and so on.

So it's really something painful, whether you are one of the maintainers and contributors or also just a plain user or an organization consuming it.

Javier Perez [9:04] If you are one of those contributors that you've been providing your free efforts, right? You're working for free and contributing back, and then all of a sudden you see a company changing the license, that has to be tough, right? And that's one aspect that you just mentioned.

But let's explain to the audience. I would like to summarize it in a couple of different types of these changes on licenses. By the way, most of the time when these companies change the open source license, they talk about protecting their business or maybe it's because their investors are pressuring them for better numbers and things like that.

But the reality, whatever might be the reasons, I don't think that makes a lot of difference. At the end of the day, what we've seen in the survey is that Elasticsearch, they've been with a different license now for a few years, hasn't really improved their financials, but also has not really diminished their financials that much, right? And we see Elasticsearch and OpenSearch, the fork OpenSearch, growing a lot, and it seems like there's a space for everyone.

So the one aspect in my opinion is, let's just protect ourselves from the cloud providers, right? So that will be that service. What is it, the SSL license where you can do everything?

Dotan Horovits [10:35] I think you mentioned SSPL, that's the-

Javier Perez [10:37] SSPL.

Dotan Horovits [10:38] ... server side license. And that's a source available license, and we should maybe just say a word about what source available means, because I keep seeing that people get confused between source available and open source because they see the source. So they're saying, "Okay, if I can reach the source code of my software, it probably must be open source." And open source is much more than just the accessibility of the source. So I think it's important to stress that.

Javier Perez [11:09] So on this license, SSPL, basically, it's no longer open source because there are, for example, the hosting restrictions, and that's the main thing, right? They don't want AWS and Microsoft Azure and Google Cloud and others to host it and build a business and take from the business. So the fact that they're restricting where you can deploy, that makes it no longer open source.

Dotan Horovits [11:34] Where you can deploy, and also discriminating based on what you're going to do, which is one of the fundamentals. There are 10 principles of open source. It's called the Open Source Definition, maintained by the OSI, the Open Source Initiative. And that's a very important pillar, that you shouldn't be discriminating about how people are going to consume and modify and use the open source.

Javier Perez [11:57] Exactly. I recommend people go and check out the Open Source Definition there. Good read, quick read, from the OSI website. So that's one aspect. And then you talked about source available. Yes. So when they switch to these licenses, they say, "Yeah, the source is still there. You can still contribute. Everything's the same." Well, do you believe that, Dotan? Is everything going to be exactly the same?

Dotan Horovits [12:27] It was funnier. And by the way, we were heavy consumers of Elasticsearch, my company Logz.io. For us, it was a firsthand experience, this relicensing, and we were one of those advanced users that optimized and modified and tweaked to our own use case. So it's definitely something that we've experienced. And the funny thing is that when we were coming back from the New Year's vacations, first week of January or something like that, suddenly you see that, and the post was titled Doubling Down On Open.

So you said, "Okay, Doubling Down On Open," and then you start reading. And then it was confusing because it didn't seem like doubling down as you mentioned. And also the phrasing there was we are going to let our users use and consume and modify. So it sounded like all the things about FOSS, free and open source software, and the sound bite, the only thing that it wasn't. So that was very, very confusing, I think, for the entire community.

Javier Perez [13:27] Yeah. And then there's one more. The second one is the business user license, which not only restricts the hosting but also prohibits commercialization. So obviously not an open source license anymore. And you're thinking, well, I'm just using that for internal purposes, right? Just for my internal system. I'm not going to commercialize, I should be okay. Well, are you? All right? And if you are embedding that software in some of your other solutions, then you're not complying with the license anymore.

So those two flavors are what companies are switching to. Now, the other thing I want to stress, and I wrote a blog post about this, which I believe the title was something like Much Ado About Nothing. You see if you agree with this, Dotan. My point here is, yes, big news when Elasticsearch changes, big news when HashiCorp goes and changes to a business user license. HashiCorp, obviously, with popular open source projects, no longer open source, like Terraform and Vault and others.

And now the most recent one, Redis, right? And I put that in my blog post. I think we can count about 10 cases, and open source has been around, at least the way we know it, for the last 30 years. So yes, they make big news. Yes, there are some articles out there that are recycled, now recycling for Redis, then HashiCorp, and before that the Elasticsearch and the MongoDB articles. But that, in my opinion, has not completely changed the industry. Yes, there's considerable pain on the users, and especially if you're a contributor, but it's, let's say, just to round numbers, 10 out of millions, or let's say thousands and thousands, of open source projects. So what do you think about that, Dotan?

Dotan Horovits [15:27] So obviously the vast majority is still there. It's not that it's becoming an issue in terms of the quantity. I do see, however, a disturbing trend that I think we as a community need to give a thought to, because you gave a few examples, by the way. I wouldn't say just SSPL and BSL... Or BUSL, by the way, is the correct term, because BSL is a different license. But anyway, there are others, there's FSL and there are others.

And the idea is that you gave good examples, because there are other examples, but these are actually classic examples to show people that the fact that an open source is established and it's been around for a decade or two or even three does not guarantee in any way that it'll not change. So people start thinking from a certain point onwards that, "Yeah, it's written in stone." No, it's not written in stone, and the company is acquired or maybe going public, and then economics change and the pressure changes, and maybe VCs are putting their own pressure to monetize.

So the question is, I think, more than just a license. I think the question should come down, and I think this is why I like the framing of this episode as you said it, about a business model, to people needing to understand that open source is more than a license. And they need to understand it both as end users, when they evaluate the project, to look beyond the license, but also as companies or vendors or even a couple of maintainers that decide to go down the open source path, to look at the full scope of what it means to open source a project, a piece of code, and it's much broader than just a license.

So I think this is the deep discussion that we've yet to have as a community in a meaningful enough sense. I do see very active discussions now on Twitter and Mastodon and others that I take part in, but it's just the beginning. And now that you also introduce AI and models, around licensing of data and models and things like that, it makes it even more complex, because it's not source code, but it's modeling and training of models and things like that. It's becoming even more complex. So I do think that we are in a transitional period that is healthy. It's maturing up as a community.

Javier Perez [17:52] It is, it is. And yes, AI brings a different conversation, and there are a number of initiatives and a number of forums discussing actually a proper definition of open source within AI, because there are, as you said, many different things. Not just the source code but data, and the models, and weights of the models, and then the responsibility and ethics and security around that.

Let me step back for a moment there, because another aspect that is relevant, and again, as you said, it's beyond the license changes, is when open source projects are driven by a single company, right? That's another issue that we've seen there, and that's part of the business models, right? And it's good that you see organizations doing open source and starting their software in the open, but when there's an open source project that is driven by a single company, it means that that single company makes all the decisions, right? And we have a number of examples where that affected, again, the users and the investments and the strategy and everything that you plan around an open source project that all of a sudden changes.

The one that comes to my mind is CentOS, because of the forcible end of life and complete change, but there are others. What do you think about that, though? Especially when we talk about just a single company driving the project.

Dotan Horovits [19:37] So it's funny, I wrote a blog post about it a few years ago and I called it Is Vendor-Owned Open Source an Oxymoron? Because even back then I found it disturbing, seeing these even earlier trends. Since then, as I mentioned, we have collected more data points to support that, but that's been quite concerning. And yeah, there is an inherent conflict when there is a single entity that controls, owns and drives an open source. And then there's the built-in conflict between the commercial incentives and the community incentives.

And we've seen too often recently that these vendors reached that point where they made the switch and gave the priority to the commercial side over the community. They were willing to sacrifice the community to a certain extent, maybe to a large extent. So I think you brought up also something very important in what you said before, that it's not just licensing, and you gave the example of CentOS. CentOS was something else. It was the rollout of the code that changed, essentially just the process that changed, but it changed entirely whether this is something that you can take and deploy to production or you'll have to revert to RHEL, to the enterprise edition, to use that.

And for those who don't know, CentOS Stream versus RHEL and so on. So the stable release, and actually more recently we've seen something similar to an extent with Linkerd, that's a project in the service mesh space where the company behind it essentially decided that they're no longer going to release deployable artifacts. So you still have the source code in the strict sense of the word. You may say it's still open source. So it didn't go past open source in the licensing sense, but in the essential experience, especially when you change things that used to be a certain way for the community, and suddenly you shift and you say no. Now if you want to actually go and deploy it in production, go to that vendor or figure out for yourselves how you're going to build it and so on. So unpackage it.

And so I think we see that. We see other aspects even within the open source realm, by the way, even going copyleft, where a certain project that used to be, for example with Grafana Labs that took its projects Grafana, Loki, Tempo, for example, and shifted them from Apache 2 to AGPL version 3, which is a copyleft license. For the listeners who don't know, copyleft is a viral license in the sense that it requires, if you modify it, code that uses the modified code, you also need to release under the same license, under AGPL version 3. And it doesn't matter if people interact with it over the internet or network or whatnot, it still applies in full force. So these are the sorts of other patterns that we see that go beyond just going non-open source and show us how complex this situation could be.

Javier Perez [22:56] Yeah. No, it's very interesting when you have products like SCA, software composition analysis, that are there for scanning, right? The scanning and identifying open source software and open source libraries; on one hand you're looking for vulnerabilities, right? On the security aspect. And then on the other hand, you're looking to identify the open source licenses. And you just reminded me of this because going from an Apache license or a permissive MIT license and then switching to any one of the GPL family of licenses, that has a significant impact if you are commercializing your software, because now, as you said, it has to continue with that, the same open source licenses.

And then there's obviously a much longer discussion, but there are obviously people saying, "Well, look, thanks to GPL, we've been so successful on many different projects, including the kernel and Linux distributions, right?" So there's good, and there are the pros and cons on everything, but these are the things that people have to keep an eye on. And if we can talk about some recommendations, in my case, the first thing I'd say is you have to do your homework, right? You have to do a little bit of research before you start using an open source project. Things like what we just discussed, like the license or the contributors, how active the community is, who is part of those communities.

A good rule of thumb, you're going to agree with me, is, well, if the project is already part of an open source foundation, that means that it's properly run, has some governance, and has a sizable community and a commitment to a life cycle of releases. That's a good sign that, for the most part, it will be a really good bet going on those types of projects. For others, you have to do more of your homework. What do you think about that, Dotan?

Dotan Horovits [25:03] So I definitely agree, and I think when you come to that point of choosing a tool for your organization, people obviously go and evaluate the license. But this is where I state again and again, don't just look at the license. First of all, the license has its intricacies, as I mentioned; not all open source licenses were born equal. We mentioned the difference between copyleft and others and so on. So even within open source licensing, it's important to understand the details, but there are enough articles and material about that, what you said. That's the part that I emphasize. Look beyond the license, look at who's behind the open source project.

As we talked a lot about, a single vendor owning it could lead to these situations of, I call it rights ratchet, where they tighten the rights around you and suddenly you find yourself with a whole different set from what you began with, or pulling the rug from underneath your feet. But by the way, on the other hand, even a project maintained by a single maintainer, even if it's not a vendor, one or two maintainers, is also a problem. It's also a single point of failure.

Javier Perez [26:13] Yes.

Dotan Horovits [26:13] We all experienced the Log4Shell vulnerability, and we saw the extent of usage of this very, very popular logging library. And that was a project that was maintained by two maintainers, and we have tons of that. The vast majority of projects out there on GitHub and GitLab and whatnot are these sorts of one or two maintainers behind the project. So this is also a problem. So look who's behind the open source project.

And you mentioned the very good point that we should emphasize again, which is also the governance. What's the governance behind that? Obviously, who can decide on relicensing, but also how can people be promoted to contributors, to maintainers, who can review, who can approve PRs? We saw cases where vendors owning a project pushed back on contributions from people who were affiliated with competitors, although they were providing valid contributions, PRs and so on. So we need to see that there is a very clear and transparent governance policy.

So definitely, I fully agree. And you mentioned foundation open source. I think foundation open source, and I know that I'm biased, I'm a CNCF ambassador, but I think having a foundation as the owning entity first means that no vendor owns it. And secondly, the governance and the directives that the foundations bring, amongst others, bring these diversity and sustainability metrics to encourage going down the right path in this respect.

Javier Perez [27:42] Yeah. And that's why the Linux Foundation now adopted OpenTofu, the fork of Terraform, and now Valkey, which is the fork of Redis, very interesting. And I was just last week at the Open Source Summit, the Open Source Summit North America, in Seattle, and it was a big part of the conversation and part of the keynotes promoting Valkey, the new fork from Redis. So all-

Dotan Horovits [28:12] That was astonishing, by the way. I escorted the OpenSearch fork from Elasticsearch; it took like half a year to reach a GA. And then I escorted the folks from OpenTofu that forked Terraform; OpenTofu took a good few months. And now, seeing that within a span of less than a month, really weeks, to reach the point that you fork, you release a GA, and you even go through the paperwork to get it into the Linux Foundation, that's astonishing. Which is also a good indicator for the maturation of the community. The community learns from these cycles and is becoming more efficient. The foundations are becoming more efficient in establishing and absorbing these forks. So maybe a positive upside for this conversation as well.

Javier Perez [28:56] There are more options now, right? There are more forks, more options. One thing that I learned last week is that some of the contributors of Redis that have been contributors for many, many years, now they are behind Valkey. And some of the top companies, technology companies like AWS and Google and others, are behind this, just like they are behind OpenSearch and OpenTofu. That's another discussion, right?

Why are these companies so involved with this? I guess the quick answer is it benefits everyone, right? It benefits them, and then it benefits everyone. Let me just end with one other point, Dotan, to chat about. We talked about business and we've got all these podcasts about the business models, and we know that it's not exactly a model. I think you've been talking about this for a while. I'll let you comment on this, but in my opinion, I see in this day and age almost only two options for monetizing open source. One is the open core, where you support the open source part, but then you add proprietary components on top of that and added functionality. Many, many companies have been very successful with that model. And then of course, in combination or separately, the hosting, right? We take care of the maintenance, we take care of the infrastructure, you just pay us to use these open source projects.

What's your take on that, Dotan, and obviously the conversation about business model?

Dotan Horovits [30:32] Yeah, so first of all, I think even before going into the different models, it's important, especially for startups. Many young entrepreneurs come to consult with me about their initial initiatives and they go down the path, yeah, we need to do it open source. This is the way. And they develop a tool around Kubernetes, so it's native for them to do it around there, because Kubernetes is open source and it's part of the cloud native ecosystem, so let's do ours also open source and so on.

And I always bring them to that basic question and explaining to them that open source is not a business model. And if they want to establish a company as young as it is, it still needs to have a solid business plan on how they're going to monetize. Open source can bring the brand, can bring usage for the open source, but still they need to understand what's their added value on top of that and distinct from the open source.

And so that's the first thing that I advise. Probably for you, a veteran in the industry, it sounds trivial, but it's important that we keep on iterating that and working with entrepreneurs and founders to understand it and to think about it top of mind from the get-go. And yes, as you mentioned, there are several paths. It could be a services model. We've seen Red Hat doing that exquisitely well, maintaining distros of the open source, where they build packaged versions of the upstream that they maintain, and they take care of all the compatibility with different hardware setups and all the testing, and then the guarantees, and obviously the indemnification in terms of licensing and so on.

So this is the services model. And then there's the product model, where a company provides, it could be an open core, as you mentioned. It could be a managed version without an extensive layer of added value, but still they take away all the hassle of installing, maintaining, upgrading, and all of that. So whether hosted or fully managed. And of course, for example, what we do at Logz.io is that we provide the open source as managed, but also we provide a unified observability, let's say, enterprise grade, on top of all the open source.

So you have also an additional value. Some of that is about AI and machine learning. Some of that is alerting capabilities and connectivity and compliance. So it's really dependent on where you see the added value and the UVP, the unique value proposition, that you provide on top of the open source, where you have your secret sauce that you want to keep as your IP, your intellectual property, and make it distinct from the open source. The open source needs to give value in its own right. If you make it too castrated, in a way so that, I don't know, above three nodes you already need to pay, and if the open source does not stand in its own right, people will not adopt it. But if you give all the value in the open source, then you'll find yourself without your added value, your UVP. So this is the part that I think people need to think about much more carefully.

Javier Perez [33:37] Yeah, I mean, I think there's a path for all organizations to be very successful supporting and building from open source, in many examples. One of them, the case of Puppet here, our host, but also the services side, which is the company that I represent, OpenLogic, and many, many, many others. There's a space for everyone.

And then just to finish our session here, I want to comment, going back to last week at the Open Source Summit, on a person that you probably know or you've been following, Dotan, Kelsey Hightower.

Dotan Horovits [34:15] Yeah.

Javier Perez [34:17] He was in one of the keynotes and he talked about exactly the license situation with HashiCorp. And he talked about the story of his own project that was forked by HashiCorp. And then it became Vault. I forgot the name of the project right now, which was completely news to me, very interesting. And he said, "And that's okay, right?" It's open source. Anyone can take it and do all the things with it. And then he finished his keynote basically saying, "Look, I don't think changing license terms is the solution. I think the solution is for you to provide more added value."

And I'd just say that, and probably more of the enterprise-grade features that you can offer. The more value you add, the better you're going to do for your business, and you don't really have to go and change open source licenses. So with that, I'm going to leave it there because we ran out of time, but thank you for joining the Pulling The Strings Podcast, powered by Puppet, and we'll talk to you next time.

Dotan Horovits [35:20] Thank you.