by Paul Rubens

What CIOs don’t know about open source software

Jun 07, 2016
Big Data, Cloud Computing, Enterprise Applications

Even companies contributing to open source projects have little understanding of open source usage.


More companies are contributing to open source projects, but the management of open source software is still chaotic.

Those are two of the findings of the 2016 Future of Open Source survey from Black Duck Software, a maker of products to help secure and manage open source code.

The survey of over 1,300 developers, development managers, architects, CIOs, CSOs and CEOs from 64 countries found that many companies that previously downloaded and used open source software without contributing to any projects are starting to give something back to the community. Sixty-seven percent of companies said they now actively encourage their developers to engage in and contribute to relevant open source projects, and one in three have full-time resources dedicated to open source projects.

“I call it the second stage of open source adoption,” says Jeffrey Hammond, a principal analyst at Forrester Research. “It used to be that companies said, ‘We let developers contribute, but only in their own time, using their own email.’ Now they are saying that they want their developers to contribute to projects under the company name.”

One reason for this, Hammond believes, is that the latest generation of developers are so used to contributing to open source projects and sharing code with other developers that they will only work for companies that allow them to continue doing so. That means that companies that want to retain talent have little choice but to allow contributions to open source projects.

There’s another reason as well, Hammond says, and it’s to do with recruiting the top developers who work on relevant projects. “Companies are saying that they want to attract developers in those communities that are strategic for them.”

The Wild West of software

Despite encouraging staff to contribute to open source projects, free software is still a Wild West for many businesses: The survey found that almost 50 percent of companies have no formal policies for selecting and approving open source code, and half of those that do either don’t enforce them or have policies that can be bypassed.

The risks of allowing an open source free-for-all instead of using a formal management process include license violations — particularly if open source code ends up in commercial products — and security problems if open source software is not patched to fix known vulnerabilities.
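To make the "formal management process" concrete, here is an added example (not code from the article, from Black Duck, or from any real scanner) of the kind of policy gate a CI pipeline can run so that the policy cannot simply be bypassed: it parses a pinned dependency list, rejects anything unpinned, checks each package's license against an allowlist, compares its version against known-vulnerable ranges, and fails closed on packages with no license metadata at all. Every package name, version, license and advisory below is constructed for the example; a real gate would pull this metadata from a package index, an SBOM, or a vulnerability feed.

```python
"""Added example: a minimal open source policy gate for CI.

None of the packages, versions, licenses or advisories here are real;
they are constructed so the script runs offline and the checks can be
seen to fire. The gate exits non-zero on any finding, which is what
turns a written policy into an enforced one.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Licenses the (hypothetical) policy allows in commercial products.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}

# Constructed license metadata, standing in for what an SBOM or
# package index would supply. Note that one package is missing.
LICENSE_DB: Dict[str, str] = {
    "webframework": "MIT",
    "fastjson-lib": "GPL-3.0-only",
    "tlsutil": "Apache-2.0",
    "imgcodec": "BSD-3-Clause",
}

# Constructed advisories: (package, first affected version, first fixed
# version). The affected range is [first_affected, first_fixed).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("tlsutil", "1.0.0", "1.4.2"),
    ("imgcodec", "2.0.0", "2.3.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; tuples compare component-wise."""
    return tuple(int(x) for x in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; reject anything not exactly pinned."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not allowed: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass
class Finding:
    package: str
    version: str
    kind: str     # "license" | "vulnerable" | "unknown-license"
    detail: str


def check(deps: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for name, version in deps.items():
        lic = LICENSE_DB.get(name)
        if lic is None:
            # Fail closed: no metadata means we cannot approve it.
            findings.append(Finding(name, version, "unknown-license",
                                    "no license metadata on record"))
        elif lic not in ALLOWED_LICENSES:
            findings.append(Finding(name, version, "license", lic))
        for pkg, first_affected, first_fixed in ADVISORIES:
            if pkg != name:
                continue
            v = parse_version(version)
            if parse_version(first_affected) <= v < parse_version(first_fixed):
                findings.append(Finding(name, version, "vulnerable",
                                        f"fixed in {first_fixed}"))
    return findings


def gate(requirements_text: str) -> List[Finding]:
    """Run the full policy check over a requirements file's contents."""
    return check(parse_requirements(requirements_text))


# Constructed input a developer might commit.
REQUIREMENTS = """\
webframework==3.1.0
fastjson-lib==0.9.2      # copyleft: not on the allowlist
tlsutil==1.3.0           # inside the constructed advisory range
imgcodec==2.3.1          # exactly the first fixed version: passes
legacy-parser==0.1.0     # no license metadata at all: fails closed
"""

if __name__ == "__main__":
    results = gate(REQUIREMENTS)
    for f in results:
        print(f"{f.kind:16} {f.package}=={f.version}: {f.detail}")
    raise SystemExit(1 if results else 0)
```

The two design points worth keeping in a real gate are the ones the survey numbers point at: a dependency that is not pinned is rejected rather than guessed at, and a package with no license metadata is a finding rather than a pass, so the policy cannot be satisfied by leaving information out.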

“These sorts of numbers are a constant shock to me as it still feels like we are back in 2008,” says Hammond. “It’s a little bit better than it used to be but it still blows my mind as it doesn’t have to be that hard.”

Any companies that are tempted to believe that they don’t need to worry about open source software because they only use Windows-based products are deluding themselves, Hammond warns. “Microsoft’s .Net Core is open source now, so saying that you are exclusively a Microsoft shop is no longer an open source policy,” he says.

And he adds that getting younger staff in particular to comply with open source policies is likely to be an uphill struggle. “It’s a generational thing,” Hammond explains. “Show me a developer who is under 25 and I will show you an open source software user. The traditional buying process is just foreign and time consuming to them.”

Open source on the rise

Regardless of (or perhaps because of) the fact that many companies lack adequate open source software policies, the proportion of survey respondents who report using open source software has risen from 60 percent last year to 65 percent this year.

While that number has increased steadily over the past few years, one of the most notable changes this year is in the reasons given for open source adoption, according to Bill Ledingham, Black Duck's CTO.

Five years ago the survey found the key driver for open source software adoption was the fact that it cost nothing. More recently access to the source code was most important. But this year “competitive features” is the main reason cited for adopting open source and Ledingham believes that’s because open source software is now at the leading edge in many fields.

“If you take the example of big data, there are different projects (like Hadoop or Cassandra) that companies can leverage,” he says. “This is not cost driven: adopting them is purely about access to new technologies.”

Black Duck’s survey sheds some light on the technology areas in which open source software is most commonly used, and what is clear is that there has been a fundamental shift away from cloud computing and big data projects: operating systems are now the hottest area.

Ledingham says the interest in operating systems is likely due to the popularity of Docker and other container technologies: 76 percent of the companies surveyed say they plan to use containers, and the last 12 months have seen rising excitement around open source container operating system projects including CoreOS, Snappy Ubuntu Core, RancherOS and Red Hat Project Atomic.

Ledingham confesses that he was surprised that operating systems have become the hottest thing in open source development, because it was operating systems (such as BSD Unix and Linux) that were the focus of some of the oldest open source development projects. You would expect operating systems to be “old hat,” he says, illustrating that the world of open source software is nothing if not unpredictable.