
Vendor ownership doesn't mean lower open source risk

Backing from big-name vendors does not necessarily make open source projects less risky to implement, and companies should be prepared to manage with in-house support.

Having a big-name vendor backing an open source project does not necessarily translate to lower risk of implementation, and companies looking to rely on open source should be prepared to support the project in-house, urged a founding member of the Apache Software Foundation (ASF).

Bill Stoddard, who served as a director with the ASF, said in an e-mail interview with ZDNet Asia that a vendor's "ownership" of an open source stack does not mean there is reduced risk of implementing that project in an organization.

Projects maintained by a single major vendor are often mostly developed by that vendor, without much support from the open source community. This turns that project into a risky implementation because it could be orphaned by the vendor sponsor, leaving businesses with the choice of maintaining the failed project on their own or transitioning to replacement software, Stoddard explained.

This uncertainty around open source has remained a barrier to its acceptance in large organizations, he said.

Companies weighing the cost-benefit of adopting open source often have to measure the worst-case scenario of a mission-critical system getting abandoned by its vendor.

As a result, open source use has been confined only to the "most trivial of tasks". Stoddard said: "An ability to self-support will allow open source to move into more mission-critical tasks, but at an additional cost to the organization."

He added that vendors such as Red Hat and Oracle, with OpenSolaris, employ a model where their separately-maintained copy of the open source project is only available to license-holders. The free version that is available to the public is not as rigorously maintained, he said, noting that this is part of the value proposition of the license fee.

This trend, as well as needing to pay a support fee for the project, diminishes the cost-benefit of deploying open source, he noted.

Stoddard added that subscription charges increase when more mission-critical systems are involved as these demand a higher level of support.

Small heads to community

Small and midsize businesses (SMBs) looking to save costs by adopting open source can only choose projects that have large community support, such as Linux, the Apache HTTP Server project and PHP.

Stoddard explained: "These projects have very diverse development communities, huge user communities and a long record of success."

He noted that the number of developers who have contributed to ASF projects has increased from 1,765 in 2008 to 2,303 this year, and the number of projects supported has grown from 65 to 79 in the same timeframe.

According to a Gartner report last year, the worldwide PHP developer community grew from 3 million in 2007 to 4 million in 2009, and could reach 5 million by 2013.

Forrester's principal analyst, Jeffrey Hammond, also pointed to Apache as well as Eclipse as examples of stable open source projects.

"As long as a project has a good set of bylaws, clear provenance over its intellectual property, an active set of committers, good capabilities and a passionate community, there's no reason why it can't survive and prosper," said Hammond via e-mail.

But commitment on the part of the company's in-house IT team implementing these projects is still a must in open source deployments, he said.

Since most adoption of open source software happens bottom-up, where user demand drives adoption, these are often evaluated side-by-side against sponsored projects. In comparison, top-down directives would more likely take into consideration a corporate vendor's "ownership" of a project, he said.

For instance, he noted that the community-maintained source code management (SCM) tool, Subversion, has higher developer adoption than the next four most popular open source SCM tools--which are all backed by commercial vendors--combined.

Eclipse is also the most-used Java integrated development environment (IDE), he said.

Balance between open and commercial

According to a December 2009 paper published by Gartner's research director, Mark Driver, conservative companies looking at open source will still want support from the commercial channel to facilitate deployment.

"In these cases, users must often accept compromises between the 'open' nature of the open source model and the competitive realities of commercial software providers," Driver said.

He said mainstream adoption of open source will rely on an "idealized" scenario of sufficient internal skill to handle difficult support challenges, service level agreements (SLAs) through community support channels, and an acceptable risk profile.

Community-centric open source projects also carry additional risk of uncertainties regarding copyright or intellectual property governance, he said.

Conservative adopters should therefore look at commercial-class projects with community backing as well as vendor endorsement, in order to balance the features of the traditional open source "hacker ethic" with commercial service and support channels, the Gartner analyst said.

Driver acknowledged that the breadth and depth of the large developer community will be sacrificed in vendor-centric open source projects, which are often maintained by a smaller number of vendors, or often only one.