Why aren’t more things open-source? And to remember: open source doesn’t mean free and it doesn’t even need to mean open contributions.
Switzerland mandates open source for the public sector
I saw some news about the mandate issued by Switzerland.
As with anything on the internet, mixed reactions.
For most people outside Switzerland and even there, this doesn’t matter much (sorry Switzerland).
Between that and the launch of Llama 3.1 with the weights and a comprehensive paper on how it was made… it resurfaced a thought that at one point most of us might have had:
Why aren’t more things open-source?
It might be just source-available, closed to contributions and paid. But why not open source? Is your way of doing CRUDs so innovative or special? How about the way you center divs? Is it that good?
Because I’m pretty sure most companies and us “out there” are all using the same libraries for that… which are probably open-source.
Open source already does the “heavy lifting”
The most marvelous pieces of engineering are already made in an open-source manner, some of which make money out of it and some are “unicorns” (companies evaluated at 1B without even being publicly traded on the stock market).
The case for closed-source:
The bad ones
No need to hide credentials from the code if it’s internal.
No need to mind using real people's data in tests and the like.
Easier to obscure shady practices.
The good ones
Not show the “next big thing” and make a surprise. (In this one I would argue that after that, why not open the source?)
Some companies might have something that is their “secret sauce” (intellectual property) that they don’t want others to use or know about. (There are software patents that might cover also this.)
The valid ones
Security concerns about vulnerabilities in the open without enough resources to dedicate to a security team.
Security is hard and closed means a smaller vector of attack, on one hand, you could have people contributing to finding those vectors, but before that, you would probably have someone exploiting then.
The case for open-source
My biggest point is that if we learned to learn from each other, maybe a lot of things could be easier to achieve.
We already joke about “stealing” (copy-pasting) from other sources available, this would just streamline the job. Have a problem? Just show the code, no NDA or its “private code” concerns… it would be all in the open.
The “shoulders of giants” is where all the foundation is built and why we got so far. If more things were closed source back then, then the internet might have been a different place (or maybe it just wouldn’t be, maybe just a niche thing if that).
I know it’s a naive view. And that there are more valid reasons not to open source that I just can’t think of.
A lot of companies probably think they would “lose revenue” because people would just host the solution… coming from a world where people don’t even have “personal pages” anymore and just use whatever centralized solution is more popular.
Or that some company will just steal their code. Not to mention that companies will already steal if they want and just pay a settlement if needed (or just buy it).
Code is just a tool
Think of most social media nowadays: they do the same thing, and they work in the same way.
The code is a detail, and if a “new thing” appears they will just copy it. The code doesn’t matter and the idea is usually simple enough. All that changes is all the shady “how to keep you here for the most time possible” (that they probably don’t want out there).
Even in the “real” tangible world, few things can be truly kept a secret, most are reverse-engineered anyway and copies are out there. But between patents, lawsuits, and “branding” the copies don’t matter and people will still go for the original ones.
Meanwhile… many brands today started out just copying something (some still do), and started adding their own spin to things and improving further than the “originals”. Then they are the copied ones and the cycle repeats.
Top comments (9)
You can't reverse engineer my server code, see what libraries I use, or see how I code my security because my code is closed source and is not available for reverse engineering. I think a lot of your arguments are focused on front-end delivered solutions, where someone will have access to the code in some form.
Software is stolen wholesale across national boundaries, reducing innovation because the years spent making a thing are gone for free to someone with low morals.
Software patents only work in countries that recognise them. They're expensive to create and hard to defend, and I hate them because they stifle creativity.
I'm all for open-sourcing things which are modular and generally useful to people, but I'd never open-source the entirety of my code base.
You have some points and I agree about the patents.
Yes, I can't reverse-engineer your code, but is it something really that unique and original?
You say if it was open it would "reduce innovation", but if it was, I think we would just see that everyone does the same things... in a slightly different syntax.
What you think was something "smart" only your company does, is something "smart" everyone does. Because after all, there are only so many ways to call a function, create an
if... make a CRUD.If we stopped wasting time with those "smart" things, maybe someone might start doing something that others would soon use and improve upon.
We can't think code is a special sauce because it's just a tool.
Code is just the plate.
Isn't CRUD just open-source everywhere? I mean, mine is based on an MIT-licensed module.
I make a system that stores secret client data that is highly valuable to them, and highly dangerous to lose control of. The system is unique in the fact that the combination of security and database access I use is one of millions of possible combinations of such things, one that would be very hard for someone to hack unless they just knew exactly how things were implemented. If someone had the code it would be easier to identify an exploit that could compromise things. They don't, hence it's massively more secure.
You seem to take the attitude that people close source stuff because they arrogantly think that "it's special". I don't believe that. As I say, I do it so my servers are secure. That said, I certainly don't build CRUD apps or applications where CRUD is the core purpose. I have lots of other algorithms and processes, I'd happily tell anyone how they work, build libraries of the generally useful ones and MIT license them, in fact, I've done just that with every "cool thing I don't see working elsewhere". Still never going to open source my application's actual code base.
EDIT:
Other people spend years and millions researching things - new ways of compressing data, new AI techniques, and whatever. They can only do this because someone invests and pays them in advance of a discovery. If that discovery cannot be monetised then the investment will dry up and we'll be reduced to finding things by happy accident when we are doing something else.
I understand there are several security implications and that what I wrote is a naive view.
Someone more focused on security could give a better input but from my understanding, I saw over and over again that "security by obscurity" is never enough.
I heard about novel ways of compressing data or storing them, but they usually are about a custom solution for the in house use case. Are they actually unique? Who knows how many companies might have the same or similar solution to the same problem.
Even then, they can monetize. There are multiple open source projects that monetize their projects.
The point is that with "one less wheel" to be reinvented, everyone could have that better compression algorithm and build upon that technology to go even beyond.
My point would be this: your app is not more “secure” because it’s private. It still has all the same vulnerabilities as it would if it were public. Although obviously it’s easier to find a vulnerability if you have the entire code. I think security is often an afterthought to a lot of private backends because it “feels” safer. There are also plenty of ways to leak code and figure out what technology someone is using. Also exploits happen but usually backends are hacked by going through the front door, AKA someone’s username and password. The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose. Obviously this can be mitigated but it’s always a risk. Specifically I keep most of my code private not because I think it’s special but because I don’t think it’s “special” enough, meaning it won’t add anything that’s not already out there. Open source works well for things that don’t have to worry about security and credentials but it becomes a real pain in the ass. It takes a lot more effort to manage an open source project effectively.
A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure no? Sure you can break open that box and extract the key. So if I hide the box, then it's more secure right? Now you have to search for it. It is more secure, but not 100% secure, many people will be deterred. Pen Testing frequently identifies information leakage, so I will have reduce that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But on the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding a exploit in a jiatan way to exploit it later.
Many places you commit what you need, check what you need, but if someone had added some xz jiatan level thing... who would know? how long it would go unoticed?
That describes pretty much all the code I've written in the corporate world behind NDAs
Because people care about themselves, not about some abstract progress.