The views and opinions expressed in this Blog are those of the authors and do not necessarily reflect the views or positions of any entities they represent.
Open source is currently the object of increased attention and specific strategies by private and public actors. A growing number of organizations are seeking to make the most of this model of software development, while also ensuring that they use and develop open source code in a secure way. In particular, the role that Big Tech has been playing in the open source ecosystem has expanded exponentially over the last couple of decades. One can see them now investing significant amounts of resources in open source foundations, publishing new code repositories, and getting directly involved in many different open source projects. In this article, I will explain how the disproportionate role of large technology companies—mostly American but also now Chinese—in shaping the open source ecosystem can potentially have harmful effects on the open source model itself due to the huge commercial interests at play.
The role of tech companies in funding the open source ecosystem
The global open source ecosystem relies on the contributions of developers, whether they are individuals, communities, or companies. This ecosystem is structured around actors that host open source projects, organize and make accessible contributions to source code, bring together relevant stakeholders, channel funds to contributors, promote open source, and help to define business models around those technologies. Open source foundations and code repositories are two of those structuring actors in which large technology companies have gotten directly involved through sponsorship or even financial acquisition.
Foundations play a key role in the governance and structuring of the open source ecosystem. A small number of mainly US-born foundations are particularly prominent due to their historical role, their growing resources, and the hosting of widely used open source projects. The US-based Linux Foundation (LF), for example, was set up in 2007 with the objective of promoting Linux—an open source technology originally born in Finland. The organization is now engaged in developing projects of commercial interest in various fields. Currently, more than 100 projects fall under the umbrella of the LF in sectors such as AI, autonomous vehicles, networks, or security. The Linux Foundation has 200 employees and over 1,500 corporate members. LF’s revenue was $124 million in 2019 (rapidly growing from $15.6 million in 2011), with the main sources of income being the many conferences and events hosted by the foundation, its fee-based services, as well as corporate membership fees and its training and certification activities. While LF offers great visibility to the projects it supports, it has also been accused of playing into the hands of Big Tech corporations at the expense of the community spirit of its beginnings. Some even call it “an industry consortium that organizes discussions between [the Big Tech]”. In fact, most Big Tech companies are members or sponsors of organizations like the Linux Foundation. Becoming a Platinum Member of the Linux Foundation costs $500,000 per year, a sum that only large corporations like IBM / Red Hat, Microsoft, Huawei, Ericsson, Intel, VMware, and Meta can actually afford. Big Tech companies can also support such organizations by providing technical resources. For instance, after becoming a platinum sponsor of the Apache Software Foundation, Amazon announced that it would also support the technical infrastructure on which the organization operates.
The acquisition of GitHub, the main code repository
As the use of open source software has become more widespread, communities of programmers have organized themselves and practices have become standardized around repositories that host software projects and allow developers to collectively feed and manage source code. Nowadays, GitHub is the main platform, with more than 90 million contributors worldwide (versus 40 million in 2019). The company, founded in 2008 in San Francisco, really gained in popularity when major tech companies like Microsoft chose it to host their open source projects, closing their own source code hosting services. The quality and simplicity of its free web interface led the Apache Foundation to migrate all its projects to GitHub too, and this became the standard software development platform that the Linux Foundation recommends. In 2018, Microsoft acquired GitHub for $7.5 billion.
For contributors, the fact that most open source projects are hosted on GitHub has certain advantages. The platform allows them to centralize their contributions, build a technical résumé and a network of contacts, and even receive sponsorships. However, no matter how much developers and open source projects prefer alternative platforms, the fact is that, in practice, it has become very difficult to migrate their repositories because of the centrality acquired by GitHub. Another criticism of the platform is that the largest hosted projects are either developed or managed by Big Tech firms—individually or through consortia. As a result, the governance of these projects is not in the hands of the individual developers or smaller companies contributing to these projects, but derives from the industrial interests of the large corporations that control their governance bodies.
Tech companies as code contributors
US and Chinese tech companies as the key contributors to open source
Aside from their financial involvement, large tech companies contribute to the development of open source via their development teams and sometimes also by making the internal software they produce available under an open source license at some point. Developers employed by Big Tech companies contribute massively to projects hosted on GitHub and play a disproportionate role compared to other private players. Based on the volume of contributions their employees make on GitHub, it is apparent that Microsoft, Google, and Red Hat are the top three open source contributors nowadays, while it is estimated that only 15% of the Linux code, for instance, is still produced by volunteers. In turn, as part of this normalized interaction with the open source world, open source technological bricks are usually then integrated into the proprietary software and XaaS platforms that these companies bring to market. According to one estimate, modern software applications often contain more than 100 open source components.
US technology companies are also directly involved in the structuring and management of the global open source ecosystem through their purchasing of companies or code repositories, as Microsoft did with GitHub. The desire to maximize this investment explains why Microsoft is by far the company whose employees contribute the most to the platform. Meanwhile, IBM made its largest open source acquisition in 2018 when it bought Red Hat (with its 13,000 employees and $2.4 billion in revenue) for $38 billion—the third largest acquisition in US tech history.
Big Tech’s increasingly central involvement in the open source ecosystem is not only a US phenomenon, with Chinese companies quickly catching up and playing a much more active role in recent years. According to the China Academy for Information and Communications Technology (CAICT), back in 2019 around 87.4% of Chinese companies were already using open source technologies. Between 2012 and 2018, the number of Chinese corporate members of the Linux Foundation grew by over 400%. Of the 73 million contributors to GitHub in 2021, 7.5 million were based in China, representing more than 10% and becoming the most represented nationality behind the US. Illustratively, in March 2021 Alibaba, Huawei, and Tencent got into the top 20 GitHub repository contributors for the first time. In fact, Huawei, a company placed on a red list in 2020 by the US, has become the largest contributor to several new versions of the Linux kernel over the last few years. Besides GitHub, there are also alternative Chinese repository platforms, such as those founded by Tencent and Alibaba, and of course there is Gitee, the leading platform in China, with over 8 million users.
What are the motivations of Big Tech companies to develop and make their software available under an open source license? This practice can result from their obligations under certain licenses (e.g. GPL or EUPL), if based on an original project that was itself released as open source. But, in many cases, publishing as an open source project some software that could have been otherwise developed internally is a calculated choice. Far from taking these decisions lightly, most companies weigh the benefits of sharing their code and knowledge very carefully against the risks of losing control and differentiation from open source communities and potential competitors. However, there are in fact multiple advantages to open source, which, on the whole, largely compensate for those risks, which is why open-sourcing tends to be increasingly widespread.
Efficiency and cost saving
The use of open source helps to speed up the process of developing new software, lowering costs by re-using already-existing components. This motivation is shared not only among software developers but also by system integrators and companies from many industrial sectors (e.g. retail, automotive), since software is now everywhere. Using open source reduces labor costs by saving time for the company’s development teams. For tech companies, resorting to open source can also help them identify talent among programmers participating in those communities: they can scan the profiles of contributors and identify and try to recruit those who have developed the most useful skills.
Cybersecurity and supply chain visibility
Almost all software products contain open source components as external dependencies. These components (like any software dependency) can create vulnerabilities which might indirectly affect proprietary software and XaaS services developed by those companies integrating them into their commercial products. It is therefore in their interest to develop knowledge about, and contribute to, the maintenance of the elements present in their supply chains.
In order to mitigate cybersecurity risks, Big Tech companies are investing a significant amount of resources in strengthening open source security. As an example, Google has directly taken several measures following the Log4Shell incident in December 2021, including a $100 million commitment to support dedicated organizations like the Open Source Security Foundation. Google has also proposed establishing an organization that would serve as a marketplace for “volunteers from companies” to maintain the most critical open source projects. In May 2022, the company created an internal team dedicated to this mission. Finally, the company launched a program in August 2022 through which it will pay researchers to identify bugs in the latest versions of Google’s open source software. The grant amount can go up to $30,000 for each vulnerability found in the flagship programs of the company. In other industrial sectors, companies like Mercedes-Benz are adopting a similar approach, providing financial support via GitHub to the contributors behind the open source projects that the car manufacturer considers the most important.
Encouraging product adoption
Technology companies can also have more strategic motivations when they choose to develop or release certain projects as open source, in particular as a way to encourage the adoption of their products. Indeed, open source can create network effects, maximizing the chances that a solution will be used by others while weakening the position of another competitor that is already dominant in a market segment—especially if that position is based on commercializing proprietary software. This is how we can explain Apple open-sourcing Swift in 2015 or Meta doing the same with PyTorch in 2016. Releasing these projects as open source has encouraged engineers from many other companies to develop applications based on these technologies, turning them into de facto standards, thus increasing the value and adherence to the Apple and Meta platforms. As a result of this strategy, PyTorch, for example, is already considered a leader in the AI market, with over 150,000 projects built on GitHub using this software.
Finally, investment in OSS can be a reputational strategy, which can border on “open source washing”. In the eyes of other companies and the general public, open-sourcing a software product can be used to try to counteract negative perceptions of dominant players. It can provide assurance (at least on paper) that a Big Tech company, for example, will not exercise excessive control over a given technology in the future. Furthermore, some companies stand by the fact that choosing open source can serve their marketing purposes. Therefore, there can be a tension between a façade of openness and the desire to create value and product stickiness. In short, the term “open source” tends to be hijacked for commercial interests.
Open source has become a major factor for the success of technological companies and for a broader range of industries that increasingly develop software products. As a result, Big Tech has been paying close attention to the vitality of the communities that develop and maintain the open source components they rely on, and has been investing significant and growing resources into open source communities and intermediaries, be they foundations like the Linux Foundation or code repositories like GitHub. These large corporations also pour money and human resources into the maintenance of critical open source components. This support is necessary to mitigate the risks associated with the lack of maintenance that has led to serious vulnerabilities in the past. Private companies have proved to be more effective and quicker than public institutions at mobilizing large amounts of funds and technical resources for those purposes.
However, the increasingly active involvement of large tech companies is not without risk for the open source ecosystem. In many cases, the motivations of private actors to invest in open source tend to diverge significantly from the original philosophy behind open source. These companies have an underlying interest in developing sticky products and in creating vendor lock-in. This goes against the original principles of open source and the ambition of interoperability. The use of open source by large platforms can thus, in the end, lead to a new scenario in which users and developers become dependent on those corporations in a pernicious way.
In addition, the global open source ecosystem is clearly dominated by companies from the United States and China. Despite the large number of European developers contributing to open source projects, large European companies are underrepresented in this sector, as shown by the number of contributions to GitHub repositories, for example. A greater participation and commitment of large and medium-sized European companies to open source could be a way to help develop European digital technologies and promote a greater diversity of digital products available to the global open source community.
Alice heads the Geopolitics of Technology Programme, launched at IFRI in October 2020, after having been Associate Researcher since 2019. Her research focuses on the geopolitical dimension of new technology, European technology policies, and transatlantic relations. She has also worked for a long time on European security and the foreign and defense policies of European countries, especially France and the UK. Prior to joining IFRI, she was Assistant Professor in International Relations and European Studies at Johns Hopkins University. Previously, she was a postdoctoral researcher at the Institute of Strategic Research (IRSEM) of the French Ministry of Armed Forces. She is a graduate of King’s College London and Panthéon-Sorbonne University and holds a doctorate in Political Science from IEP Paris, co-supervised with King’s College. Alice is the author of a recent IFRI report on “Software Power: The Economic and Geopolitical Implications of Open Source Software” (December 2022).