Open source software – we have a big problem

The pervasive and growing use of open source and free software around the world is a blessing in many ways, but nevertheless it should make us all a little nervous. Who is maintaining all of this code, especially with respect to security and reliability issues? The answer to that question, in many cases, is no one or maybe just one overworked person operating on a shoestring budget.

Joshua Gans of the Rotman School of Management, University of Toronto, has recently pointed out that the internet in particular could break down if certain individuals were no longer able to maintain critical code. This is especially important with respect to security vulnerabilities. Addressing and correcting this problem with open source software “makes Y2K look like a picnic, especially since the magnitude of these issues is unknown.” No one knows how vulnerable they might be. Because open source software is developed by communities of independent individuals, the commercial and governmental efforts that addressed the Y2K problem may not work with open source.

Mr. Gans makes some other good points regarding this important issue in an article in the Harvard Business Review.

Open source software risk factors

The risks of using open source software in the development of a new software program have been discussed and debated over and over. Some risks may be exaggerated or misunderstood, but more often than not they are simply ignored.

A good summary of various risks associated with the use of open source software is included in an SEC filing made by Cloudera, Inc. in connection with its recent IPO. The Risk Factors section of Cloudera’s Form S-1 Registration Statement includes the following risk issues with respect to the commercial use of open source software in hybrid open source-proprietary software products:

  • because of the nature of open source software, there may be fewer technology barriers for competitors who wish to make competing products;

  • lack of control over the future course of development of the open source components used in the hybrid product;

  • if individual open source programmers who are not employees of the company do not continue to develop and enhance the various open source components of the hybrid product, the hybrid product itself may suffer from a lack of further development and enhancement;

  • any court ruling that a certain open source license is not enforceable, or that certain open source components may not be reproduced or distributed, may negatively impact the distribution or development of the commercial hybrid product;

  • for the more widely-adopted open source components, there is a higher risk of intellectual property infringement claims;

  • under the terms of certain open source software licenses, the developer of the hybrid product could be required to publicly release the source code of its proprietary software, and to make proprietary software available under the terms of open source licenses, if the open source software and proprietary software are combined in a certain manner;

  • if the license terms of open source software components change, re-engineering or alternative solutions may be required;

  • developers of open source software generally do not provide warranties, support, or infringement indemnification, but customers who license the hybrid product may demand these items; and

  • if certain open source software is supported by a foundation, the commercial business could be affected by decisions made by the foundation or by claims or disputes involving the foundation.

The Cloudera SEC filing includes more detailed descriptions of these, and other, risk factors.