There’s a meme that is almost as old as Free and Open Source Software itself: FOSS is not credible enough for corporate use. Of course, people spreading that meme do not deal with the cognitive dissonance brought in by the likes of Red Hat, Google, Suse or Canonical very well. And when they do, they start to realize the meme is in fact baseless. The problem however is that it does not help Free Software and has several unfortunate consequences.
The first one is heard a lot and is actually rather complex to explain: it revolves around the notion that some licenses are supposedly toxic while others encourage corporate partners to contribute to FOSS projects. In a nutshell, this is the old debate of the copyleft licenses (like the GPL) vs. non-copyleft licenses such as the Apache Software licenses. Eben Moglen is famous for saying that a software license is the constitution of a community. He is right but I do not think a license covers the full reality of a project. I know Apache projects that are much more open and more free (as in spirit) than some communities releasing GPL software that are free software communities in name only.
Yet the idea that good licenses let third parties take what’s out there in the commons while not giving back is a bit puzzling, even if it’s a very interesting question. Despite a few bombastic talks here and there, I have yet to see any solid opinion about this (and counting the number of ASF projects does not help, I’m sorry). Also, the lack of solid opinion smells a bit like a subtle mix of marketing and lobbyism. But I digress.
The second unfortunate consequence is easier to understand. As much as one can meet people who doubt Free Software is a serious matter, they hardly realize the flat screen TV they’re watching at home embeds FOSS, that their car might very well use some sort of Linux or Android; and that their business actually runs Linux, except for the collaboration part that may not, but that is because neither they nor their CIO actually believe Free Software is a thing. Let’s dig deeper now: companies embed Linux or Free Software in their products and will not give anything back: bug reports, patches, hardware, money… nothing. But one can find Free Software pretty much anywhere and that’s the problem, because at the end of the day, they use it because it’s free (as in beer) and usually works well. What most of these companies don’t do, however, is fund the projects developing the software components they rely on for their business as products, services or tools. And as they don’t, nobody else does. Meanwhile, everybody has to eat, sleep, live and work. Including those non-credible Free Software developers. They eventually turn to jobs that actually pay them, and this leads us to episodes such as Heartbleed and GrSecurity (among others).
One can object about the peculiar nature of the Heartbleed vulnerability, but the fact remains that the bigger issue lies outside of the code. It lies in the shared responsibility of several industries (IT, telecom, banking and others) for not adequately funding the SSL stack and assuming that “somebody else will do it”. Frankly, no professional would assume this kind of thing if it had been something other than Free Software. No one assumes that somebody else will provide support and knowledge on your product without being paid or funded in some way; no one assumes the brakes of your car, while not actually engineered by your car manufacturer, can be embedded and installed in your car with no form of compensation from the brakes manufacturer. I could go on and on, but it is easy to understand my point: the whole situation is messed up, to say the least.
Let’s now put this problem in perspective with the supposed lack of credibility of Free and Open Source Software. If FOSS is not credible on the market, as some say, it is their direct responsibility, not anyone else’s. They deny any critical analysis of Free Software components and solutions because they deem these to be not credible enough, and at the same time reuse entire FOSS stacks while never acknowledging their use and assuming it is possible and viable to use Free Software without ever questioning the sustainability of these components. This kind of double penalty is disingenuous and it continues to frame the whole conversation on Free Software in an artificially negative way. It can also become dangerous when it comes to components related to software security.
Fortunately, this issue is evolving in a more positive way as the industry realizes the ubiquity of Free Software and the existence of successful FOSS businesses; change is a bit too slow for my taste, however. I’ve already written this many times and I’ll write it again: FOSS is here to stay, and no amount of proprietary offers will pose a true existential threat to it. What threatens Free Software is neither bad licensing, compliance nor failed projects. It’s the twisted attitude of some who refuse to consider Free Software as a viable choice while using it to generate revenue without fairly compensating its authors. A sad irony, in the end.