August 17, 2007

The MySQL-ization of the Open Source movement or using open source as a shield

I have been doing some more thinking on the ClamAV acquisition by Sourcefire, some of the comments I have received and a couple of blog posts (here and here) that Matt Asay has done over at his C/Net Open Road blog. This has solidified for me that the open source game is very different than it was 7 years ago when we started StillSecure. Back then many folks would work with open source tools and components, build functionality on top of them and sell into the market. You could bundle them and put your work on top of it and a business was born. Think about the UTM business. Where would Astaro, Fortinet or any of the UTMs be without being able to bundle open source products? Forget security, what about so many other products that are using open source databases, Linux and other open source tools and components?

The changing face of open source has thrown a monkey wrench into the works. What we are seeing between new license "clarifications", acquisitions of open source projects and taking open source closed, is now more than ever plain to see. If you are going to use open source components in your product or service, you have to pay the piper. The copyright owners of that open source software are going to want you to commercially license that software. Nowhere is this becoming more apparent than MySQL. Matt thinks that there is a double standard between traditional software companies and true open source companies. He defends MySQL's latest moves to only make Enterprise code available to paying customers. He says if IBM or another company made a version of their code available open source they would be universally applauded. Matt is correct, but what he fails to realize is that these open source companies owe their success to people using it because they buy into the whole open source thing. Companies like MySQL, Sourcefire and others have been only too happy to reap the benefits of open source: good will in the community, having others help with code, testing, bugs, etc. Then when others seek to use the code, they turn the open source thing on its ear and use it as a shield to keep others out. And please don't give me the "they won't help us, that is why they can't use it" stuff. Commercial companies don't want help maintaining or developing their code. They just want cash.

So this is exactly what is going to happen with ClamAV. In fact as Matt writes here, Tim O'Reilly thinks that virtually every open source company will eventually be acquired by a commercial entity. Matt says you can either pay your money or contribute code. Matt, that does not cover the overwhelming majority of users of open source and, as I said earlier, most commercial entities don't want your code contributed. This would mean they don't own the complete copyright on it and so can't do what they want. Unless, Matt, you advocate that code developers should sign their copyright over for the work they do to the commercial entity. I think you would agree that this is not fair either. Also let's not fool ourselves, even licensing the software is going to get expensive, as the copyright holder is not going to let the licensee make more money than they are if they compete.

So do I think this is right? My answer may surprise you. Yes, I think it is right and the natural way of things. It goes to exactly what we did with Cobia. I am not hung up on the dogma of open source. I believe people who do work developing code should be paid for it. I don't think using open source as a shield is right though. I say be upfront about what is going on. So when I look at the FAQ for the ClamAV deal as one commenter suggested and see this:

"Will Sourcefire change the way that ClamAV open source software is offered? Sourcefire has no current plans to change the way the ClamAV software is offered to end-users. Sourcefire is committed to investing in and advancing the ClamAV technology, just as we have with Snort and Snort.org. Sourcefire is absolutely committed to the continued distribution of ClamAV and the ClamAV malware database as an open source solution under the terms of the GPL."

I think to myself, who are they kidding? They are going to try and use the same "clarification" to change the terms and use under the license. Using ClamAV in a UTM is going to take a commercial license. Why not just say so? Anyone who thinks differently is either a shill for Marty and gang or really, really naive. Another question is why doesn't Sourcefire just come out and say what they mean here? I think we would all respect that more.

So what are UTM and other vendors who use open source to do? Great question. What I would like to see for the good of open source communities everywhere, is that anytime a commercial entity makes a licensing move like this, other companies that are using that open source tool band together with others in the community and fork the project as is their right. Oftentimes there are plenty of commercial companies using an open source tool, as well as a sizable enough community to support a fork of the project that will remain truer to the ideals that many people have around the use of open source. That will stop the use as a shield of open source and encourage others to join the community. Without one commercial entity owning the project, all can share and share alike without fear of having the rug pulled out from under them. The challenge is, can competing commercial entities put aside their differences for the common good? That is the question. I would love to hear some comments on it!

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
