Does AWS worry about the poor business model of many open source projects?
More to the point does a multi-billion dollar company do any more than f-all about supporting them?
AWS is wary of vendor-driven open source projects, performs business health checks on all its open source dependencies, and suffered impact on the development of Amazon Linux when CentOS as we all knew it was discontinued, The Register was told at the internet giant's re:Invent conference. David Nalley is director of open …
If so, it's not for the better.
I get the spirit of OSS, but it is the likes of AWS, that have gorged themselves on a free buffet, and when you take somebody else's product, and start to compete against them, and give absolutely nothing back, i.e. giving nothing towards development and new features.. then it's understandable, it is gonna piss off the developers and they are gonna become defensive... and when AWS response each time is 2 midd
"We’re doing that so we know that they’re paying attention to it. We don’t want to learn that this thing that’s really important is maintained by a guy living in a basement on public assistance. That is not acting in the best interests of our customers."
Indeed. So what is their approach to this situation? Do they help the original person... or do they just go ahead and copy it? I hope the former, I suspect it is the latter.
So what? There's nothing wrong with that and perfectly legal. How many OpenSSL forks have there been since HeartBleed? Five? Six? Maybe more?
It's in everyone's interest that an open-source project is well staffed and viable. Even if it means some big corporate giant gets to pull the string in which direction the project is going.
A quick look shows that in the case of FreeRTOS Amazon have helped and staffed up the project with the original maintainer. They're a platinum sponsor of the Apache foundation. A check of historic complaints that they don't contribute to projects such as PostgreSQL that they use is at a casual glance baseless (multiple people on the contribution team).
With others, who knows, there are people who do things with AWS on the OpenSSL github for instance, but they're not explicitly listed as a company sponsor. They've a cross platform OpenJDK implementation, and others.
The key thing I think some Linux users are missing about what I suspect is their corporate takeover and business interests priority driven fear of projects is : You're fifteen years too late. Linux is *already* driven by large companies with their own priorities, with at worst only their own interests, and at best only Linux's interests in mind (remember Unix is not just Linux although I fear I've lost that argument). Plenty of Linux users like it that way.
AWS (or any company) copying a project may or may not be a bad thing. It might even be welcomed by the current maintainer. There's always the option to fork if the community doesn't like it, but far too often the reason people start projects in the first place is because the functionality does not exist or is too expensive. I'm certain some maintainers would be very glad if a well resourced team took the job from them.
This may also be about money, it's not the source code. I approach this from a BSD viewpoint, but whilst it's unfortunate that cloud providers can enhance product internally and not contribute back to the original source, the issue is really money. It would be exactly the same if one of the more complex config file riddled pieces of software was changed to a turnkey system, and suddenly zero support or consultancy was needed.
BSD isn't entirely immune from this either. Whilst on the whole BSD people are pleased to see BSD code used anywhere, the core projects ultimately need funding. One reason for a lack of distributions is this dilutes the pool of available resource and funding, which is already orders of magnitude smaller than Linux.
Get it right, Amazon-bod: it's a person [1] living in a basement in Nebraska!
[1] and not necessarily a "guy", either, although in one particular case of xkcd all too accurately reflecting truth, it actually was…
> .. in one particular case of xkcd all too accurately reflecting truth, it actually was…
Only a programmer could have uttered the following statement:
“Depending on what GPS/GNSS receiver is in use, and how it is configured, the chance is either 0 per cent or 100 per cent.”
Because that's how Americans make money, they bleed little people. To be really rich you must bleed a lot more people. Nobody got rich being fair or honourable or actually sharing their profits. It's a disease, they aren't happy with making millions and billions, they can't and don't even share a few percentage points to keep the FOSS improving, they want it all.
“Our understanding of open source has started to change, and realising that, we have to measure and assess risk every time we take a dependency. How do we ensure that this open source project continues to be developed?
Pay the developers to keep doing it? And in money, not "exposure".
If you're making millions if not billions off of Free Open Source Software then you can afford to spend a tiny fraction of that on making sure that it's adequately supported and maintained.
And on that topic, this article literally talks about Amazon complaining that Amazon Linux was originally CENTOS, and then they had to change it because CENTOS was discontinued by Red Hat.
CENTOS was basically an older version of Red Hat, so my reading of it is that there was a decision to fuck over Red Hat Enterprise Linux by not paying for their software and yet still benefiting from the development. If Red Hat realised that, it's no wonder that CENTOS was axed. Amazon could have chosen to pay for Red Hat Enterprise Linux and I'm sure that Red Hat would have been delighted to have them as customers and they wouldn't have had to change practically anything.
That they didn't I think speaks volumes.
I think this reflects exactly how FOSS is supposed to work - deliberately, by design - and it is working well.
Companies like Amazon have the right to decide whether to use any particular FOSS code, or switch at any time, and they have the right to decide whether to contribute financially to it or not. Exactly what I expect when I release code under a FOSS licence.
Sure, it might be nice to receive something in return (or maybe not - I may not wish to be associated with a political campaign which chooses to use my code, for example). But the real reason for me to release the code is that it is what I owe to the giants on whose shoulders I am standing. I am using their code and the deal is that I release my code in the same way.
If Amazon have a spat with Red Hat, that happens all the time. And they have a perfectly free moral right to shift to another distro, or a newer version of the same. Or choose to buy a commercial product - whatever they think is better in their situation. Just as I have that perfect right.
If they are dependent on something maintained by one developer they have the moral rights to decide what to do about that for themselves: they can fix bugs themselves, they can pay the developer or someone else to fix them, they can switch to another implementation (closed or open), they can redevelop it themselves. As long as they follow the licence rules (so, for GPL code, they must release their fixes/changes) that is perfectly morally OK.
If I am one of those who doesn't care at all about getting back any changes then I can release my code under a licence which doesn't require that. I do that occasionally. Mostly I want to release code under GPL (in many cases the code was based on something else under the GPL so I have no choice). I support the FOSS movement and the GPL in particular so I always release code I develop from scratch under GPL.
The result is that some important code gets supported financially by big companies, some other is not financially supported but their improvements get released for others to use, and some others allow big companies to make their own changes and lock them up - but only if that was the deliberate decision of the developers. I don't accept that there is any "moral right" involved - just whatever the previous developers chose to put in their licence terms.
Spot on, everything circles around the choice of a license. If you use MIT and then get angry at Amazon for commercialising on it then look into the mirror.
It is a bit harsh though because a lot of folks were brainwashed into believing the companies will either help you or pay you or make you famous or offer you the job, but it is imperative you use MIT or similar. It is all to make it easier to share code and make innovation faster.
It shows a lack of understanding about licensing and forward thinking. I do not blame anyone as this sort of stuff is not being taught everywhere.
Both were a big part of the failure of the community project model of open source, because they kept undercutting and free riding off the projects they were charging customers for. As a result we wound up with the screwball GPL variants, and some companies pulling the upstream on a bunch of huge projects because multi-billion dollar companies were free riding off their distros, even to the point of undercutting the originating projects' support contract revenues.
Then when projects started keeping a commercial side to fund both the base and premium because it was almost impossible to support ongoing development on donations, AWS points the bone at them instead of looking in the mirror.
To be fair, I had the same conversations with management at my own employers many times over the years. Give enough back to pay your way at least, both in money or time, especially for projects your product depends on. I didn't realize it at the time, but the company I was at when I gave that speech the first time was using vulnerable versions of OpenSSL and the dev team was a skeleton crew. Management declined to support the projects their company exploited, and ended up shipping compromised products for years after I left.
So while this guy seems like the most reasonable version of that role the organization will put up with internally, I think they are years away from their ah-ha moment.
Good post. I think these are the main dynamics we have around commercialization of open source:
1) Linux may be a fairly freak, one-off type of a thing. Such a horizontally useful, platform level product, that has a large number of contributors and a hierarchy and structure set up by Linus T, which works, and feeds a bunch of commercial companies' interests - the Linux distributions, handsets and tablet makers, network gear makers, chip makers, server vendors, cloud providers, etc. You can maybe say Kubernetes fits into this box also as there are similar dynamics, except you have Google vs. an individual trying to keep orchestration of the advancements going.
2) Other products like databases, data products, and data gathering tools where a commercial company, usually VC backed, is started to make money from that product (e.g. MongoDB, Confluent, Cloudera, Elastic, Couchbase, HashiCorp..) and they end up creating a modified version of the more open source products like Linux. They had not been able to figure out how to make money with a more pure model, and when they get popular, then cloud providers, or other industry vendors try to co-opt their offering. HashiCorp just made some changes due to these dynamics.
I think we will see a trend of more open source software companies following path 2) and possibly less open source software commercial companies in general. With the AI boom, not clear how much value being "open source" is vs. "being valuable and useful ASAP" in this gold rush period...
Just say "no" to RedHat unless your wallet is particularly fat. With RedHat choking off the source code, that is no longer a viable distribution to develop for unless you want to pay RedHat and RedHat specifically for the "privilege."
Which also means a hard "no" vote on any RPM based distributions from this techie, including Fedora. There might be an exception for SuSE if their rebase takes off in popularity; it well could, if they could get Amazon on board. But I have a feeling they don't want Amazon in their playground.
This sounds like someone who does want to have any commercial companies involved in open source development, or have any developer who writes open source code to get paid for doing so. Last I checked Red Hat employs 20,000+ people including 5,000+ engineers that all get paid to write open source code - not sure what delusional planet you live on that somehow all this useful software and people to stand behind it when there are security issues and reliability issues is somehow free $ for all to use...