Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.
About the talk
RailsConf 2019 - The Unreasonable Struggle of Commercializing Open Source by Justin Collins
With at least $55 billion in open source-related acquisitions in 2018, you might think we finally figured out how to fund and monetize open source software. Unfortunately, we have only reached an awkward stage of growing pains! With conflicting goals, people are struggling to turn their OSS work into revenue while not losing the powerful open source effects which made the software successful in the first place.
From the perspective of someone who has gone through the pain of commercializing open source, let’s take a deeper look at the unexpected challenges and potential solutions.
Alright, so this is a very large room, and for those watching the video, I want you to know it is completely full, and everyone here will back me up on that, as you can hear. You may be wondering why there's a picture of Hawaii on this title slide. It's because I like to show people my vacation pictures, you know, the way people used to force their neighbors and friends to watch slideshows at their house. So thanks for participating with that. Hello, my name is Justin Collins. On the internet you can find me under presidentbeef. I generally look like this or that on the internet. Something about Gravatar: once you pick a picture, it's you for life. I work at a company called Synopsys. Among other things, we have products to help you write better, safer code, so static analysis tools, dependency analysis tools. We also have security consulting, amongst other things, and I'm happy to talk about that afterwards if you like.
I just want to get this out of the way right up front that this is an awkward talk for me. It's weird for me because it's not a technical talk, and it's weird for me because I'm talking about myself, which I like talking about myself, but usually not on stage. So I just want to get that out of the way. Also, I used a lot of drop shadow in this talk, just preparing you for that and apologizing a little bit. So here's some drop shadows. So this is kind of split up into three different parts. I'm going to talk a little bit about my experience, some challenges that I experienced during that experience, and then let's talk about some open source ideas in general. Start off with my experience.
This is what I looked like in 2010. I'm the one on the right. In 2010, I did not know it, but I was at the midpoint of my PhD career, and my advisor was kind of running out of money. And so I had to find a job. So I found a summer internship at a company called AT&T Interactive. You may recall this company that used to sponsor a lot of Ruby events. That's why I applied there. Also the place where Aaron Patterson and Ryan Davis used to work. I did not talk to them at all, cuz I was way too shy to do so. And when I got the internship at AT&T Interactive, it was on the security team, which basically kicked off my career in security, and while I was there I created a tool called Brakeman. You heard about it a moment ago: a static analysis security tool for Ruby on Rails. I hope at this point most people are aware of it and are using it. But if not, that's okay. This is how you use it: you install it and then you run it, and you'll get a report about potential vulnerabilities in your application.
So I created this, again, as an internship project, and then I said, hey, what about open source? And they're like, yeah, that's cool. I said cool, what license do you want me to use, and they said, usually we use MIT. I remember this conversation very clearly. So it was released, put under MIT. I found my original tweet about it. You can tell it's old because the link is not linkified and it also uses a link shortener. This is actually a few weeks after Brakeman was released. Anyways, the link goes to my blog on this wonderful website that I used to have, with a bunch of drop shadows as you can see. And there's a line in there where it says, unfortunately, it's not yet compatible with Rails 3.0. That is because Rails 3.0 was released a week after the first version of Brakeman was released.
So let's jump forward now. I did kind of have an inkling that this was near the end of my PhD. I ran into a gentleman named Jim Manico, in the middle, at a conference, and he said, hey Justin, if you ever think about turning Brakeman into a commercial product, building a company around it, let me know. I'd like to help, I'd like to be involved. Maybe in a small way, maybe in a big way, I'd like to be involved. Jim Manico is a well-known figure in the web application space. He's started a few companies, he's written at least one book that I'm aware of, and he's very involved in the community. So to have someone like this reaching out to me and saying, hey, I'd be interested in helping you start a business, I was like, that's pretty crazy. I wouldn't have expected that, but I followed up with him later: were you serious about that? Do you really want to help me do this? He said, yeah, let's do it. But you know, you should really bring in Neil Matatall. Neil is the gentleman on the right. I think you should really bring him in. Now Neil is and was the number two committer to Brakeman, and also my coworker, so it makes a lot of sense. Now you might notice that this picture is in Hawaii and it looks kind of recent. That's because we took this picture a couple weeks ago at a conference in Hawaii. And I said look, we have to get a picture of the three of us together, because we have no pictures of the three of us, the founders of the company, together. So that's why it looks recent and it was in Hawaii.
So we ended up starting Brakeman Pro. Kind of in the vein of Sidekiq Pro or any of these other companies where you just throw Pro at the end. Not a lot of thought put into the name, honestly. About a year and a half later, we put out the first version of Brakeman Pro. What was Brakeman Pro? I actually get this question a lot, and that means I really failed as a business person. So first of all, we built a desktop application, kind of a front end for Brakeman. This is built in JRuby and JavaFX, and we bundled it up with Java and everything, and people really liked the interface. That was put together by our UX guy, Adam Korman. So that was one piece, and that was completely separate from Brakeman the open source project. Just a completely separate codebase, completely separate thing. Then we also had the Pro version of the gem, which we called the engine, and it was basically like the open source one, where you could even type brakeman and it would run Brakeman Pro. So kind of the same thing. Then we had the third piece, which was the Code Climate Pro engine, which allows you to run Brakeman Pro on Code Climate.
Now you might have noticed we did not build a SaaS. We did not build a SaaS product or a service around Brakeman itself. So a little bit different than a lot of open source to commercial kind of conversions. There are a lot of reasons for this. One of those reasons is, well, Code Climate already existed, as well as several other, what I call, Brakeman-as-a-service providers, and it didn't really make sense to me to redo the work that they'd already done, and I wanted to focus on actually making Brakeman better, not trying to build a whole SaaS around it. So we started the company, and then we basically had something like this: sort of a very slow but steady customer growth. There's a little bit of a jump in the middle. I believe that was because of RailsConf 2017; we seemed to get a bit of a bump from that, and it just kind of continued up, you know, up and to the right. Of course that happens when you count total customers. Anyways, so last year, 2018, Brakeman and Brakeman Pro were acquired by a company called Synopsys, which I mentioned before is where I now work. So that is a very compressed eight years of Brakeman and Brakeman Pro. And that sort of sets up the history of where I'm coming from with this.
Now I was talking about some challenges, and I tried to focus on the challenges that arise from taking something that's open source and trying to build a company around it. It's also kind of like my challenges. I don't want to represent the other people in the company. These were things that I struggled with. First things first is naming things. I think naming things is hard, and I think I did a spectacular job. There is a thing called Brakeman, right? That was the open source project. The company we called Brakeman Inc. And then we had Brakeman Pro Desktop, Pro Engine, and then something I could never figure out what to call, the Brakeman Pro Code Climate engine, because Code Climate also called their things engines. So we had a thing called engine, they had a thing called engine, and then we ended up with two things called engine. It's just, you know, these things. And I got called out on it. I had posted a blog about something similar to this talk, actually, some difficulties around commercializing open source, and this lady came along and she's like, yeah, so in other words, this is why you should never try to use the same brand name for your revenue product and your open source project. But you know, right? And she followed up with: a fundamentally irreconcilable name equals value proposition. So you can't have two different value propositions with the same name. And just to drive this home that this is real, because I pulled up these tweets a couple days ago: this tweet is her pinned tweet on her profile. So every now and then someone will come by and like it, reminding me. But I got called out on this even though we've sold the company.
Okay. These aren't actually in any particular order, but I would say this is one of the hardest things. When you have something that's open source and then you want people to start paying for something related to it, now you're competing not only with something that's free, but with your own free thing that you are still maintaining and updating and so on. This is something I heard a few times: hey, the free version of Brakeman is great, we don't really need Pro. And for me that was like, wow, thanks for the compliment. But also, can you still buy my thing? No, the free version, it's so good, we really don't see the need to buy the Pro version. Okay, partner. There's another thing that happened, which is we, and mostly me, completely flubbed the initial pricing. So initially, and I tried to pull this up from some old documents that I had, initially we were going to charge $2,500 a year for an individual to use the Pro version of the Brakeman gem. If you wanted the desktop app, that was another $2,500 a year. And I know what happened. What happened was we were thinking, this is a security tool; if you price it as a security tool, this almost makes sense. But our initial audience was folks like you at RailsConf, developers for the most part. Asking someone to go from, hey, I'm not paying anything for this tool, to please pay $2,500 a year did not get us anywhere, and I totally understand it. And this is a problem for any situation where you're competing with something that's free. You have to justify going from $0 to some number of dollars, and that's a tricky thing to do. We did revise the pricing. I can't remember if this was the second or third set of prices that we had, but we ended up creating, at this point, the lowest price being $500 a year for an individual with the desktop app, and also $1,000 a year for sort of a site license for the gem, which we can talk about afterwards, but that's a super awesome business decision, to be like, $1,000 a year and you can use this thing as much as you want, doesn't matter how big your company is, doesn't matter. We also had pricing later on where we added monthly pricing, and we actually ended up bumping these prices up a little bit on the higher end as well. But still, you had to make this justification of, well, there's a free thing, why should I pay anything?
All right, number two challenge. I've got to go faster. The community. I think this would have been more of a personal challenge for me, but I have this weird feeling of, like, I don't want to be, I don't know, sleazy about pushing people to pay for something when they're happy using the open source version, right? There's this email from back when Brakeman had a mailing list. I said, hey, we're going to do this Pro thing, but like, you know, don't worry about it. And one thing I said in particular was, this will be the only email I send to this list regarding Brakeman Pro. And at the time I felt very strongly about this, like, look, I don't want to be there pushing a paid product on the community, right? But this is really dumb, because this is where the customers are; these are the people who are looking for a solution like this. I don't know, it might have been a personal problem, but this was a challenge that I had, and then of course it created further challenges, cuz I had already made this promise, so I stuck to it. But that's okay.
Let's get into something a little bit more meaty: managing open source and proprietary development. You might think it looks like this. You have the open source version and then you fork it, and then that's it. You have your open source, you have your paid fork. My experience has been a little bit more like this: stuff goes from open source into the paid, and then sometimes you're working on something and you realize, this actually just needs to go into the open source version. Little tip: if you have a closed proprietary branch, do not merge things from that branch into your free branch and bring all of your git history along with you. That's a bad idea. The good side of this, from my perspective, is it led me to mostly focus on trying to put things into the open source version as much as possible and keeping a little bit cleaner separation with the paid features. You may wonder then, okay, what goes into the paid version, what goes into the open source version? And a lot of people, when a project does a commercial fork, get a little bit wary, like, oh, you're going to abandon the open source, right? And that was something I didn't want people to feel. So that's why I kind of came up with a system, and this is a bit specific to me, but maybe it will help you think of something if you're thinking about going down this road. I kind of think there are three properties of the open source version of Brakeman that I think are important. One, that it's fast. Two, that it has relatively low false positives, and an attempt is made to keep those low. And number three, it is developer focused. It's meant to be easy for developers to use. And I thought, okay, so then the proprietary version can be slower, that's fine. It can produce a wide array of results, maybe more false positives, but we have tools to help you deal with those, like the desktop app. And then maybe it'll be more security-person focused than developer focused. And that helped me make some decisions about which features go where. For example, no one's really too worried about PDF reports and Excel reports being in the open source version. No one really asked for that. But that's something that, if you're a security professional, you might want to have. Unfortunately, there's another level to this. Brakeman is not just some open source project, right? It's not just a database or a web server or something along those lines. It's actually a security tool. So now you have to wonder, okay, if I do not put this feature into the open source version,
am I somehow affecting the security of Rails applications that people are using for their businesses, for their livelihood, to keep data safe? This is something I really wrestled with. I'd say, like, okay, well, if I don't put this in the open source, am I somehow causing people to be less secure because they're not getting the paid feature? Like I said, I tried to focus more on things not so much related to, does it find more security issues or not. Of course compromises were made, but I tried to err on the side of, if it's finding valuable security features,
let's try to put it in the open source. One more comment on this: I don't know why, but every time someone does a commercial fork, someone has to come along and ask, but what if someone opens a pull request that implements your proprietary features? Like this is some gotcha that no one's ever thought of before, right? In my experience, I don't know if any of you have ever seen this happen, I've never seen this happen, where someone spends the time to implement a proprietary feature and then tries to submit it back as open source. It doesn't seem like something that happens, and it definitely is not something you have to plan for up front, right? You can deal with it on a one-off basis. This was also kind of a personal problem. These were all the things I had to do to do a Brakeman Pro and Brakeman open source release, which I almost always did at the same time, in one day of work. I mean, starting at like 9 or 10 in the morning and finishing at like midnight or 1 in the morning. So this is, again, maybe this doesn't apply to every commercialized open source project, but this was a problem that I had.
Another problem that is just a business problem: sales are hard. I heard this a few times, and I'm not blaming anyone, but people say, hey, that sounds awesome, Brakeman Pro, I want to buy that, let me know when it comes out, I will buy that. A lot of those people never bought it, and I'm not blaming them, because developers don't really buy software. If you want to buy software at a company or spend money on something, probably you're not authorized to do that. You have to ask your manager, they have to go to budget, you've got to go through a procurement process, you have to justify it as a business expense. So someone telling me this and me getting excited about it kind of masked the reality of how things are purchased in a company. Right, another thing that happens: well, companies do not buy software to be nice. They're not going to say, I can pay you for something I'm using for free, I will do that because I'm a nice person, I'm a nice company, I want to support you. And I can't look into the hearts of all of our customers, but from, you know, feedback and so on, I would say less than five companies purchased Brakeman Pro out of the goodness of their hearts because they wanted to support the open source version. Of course, the ones that did: thank you.
Okay. So legal and moral questions. As you can tell, I tend to wrestle with these moral questions anyway, but let's talk about some more. Who owns the code? Who owns the code in an open source project? My understanding of US copyright law is it's whoever wrote the code, and possibly their employers, depending on their employment contract. So if I'm going to sell their code, is that okay? Is it okay that I'm taking someone else's work and I'm turning it into something that I'm charging money for? This is a question you have to answer if you're going to take something that's open source and try to make a business out of it, unless you have zero contributors, which is kind of rare, I'd say. Another thing that came up, this is not a moral thing exactly, but I never worried about GPL dependencies, and now I had to worry about them because we packaged it up and we distributed the software. In Brakeman's case there were like one or two and they weren't critical, so we ended up removing them. If you want to take a picture of the challenges, here's the challenges, here's a summary.
Let's move on, because I'm behind on time. Let's talk about open source. Let's talk about why we feel the way we feel about open source. And I think it's a lot like the keynote yesterday. What are the stories that we've been told about open source? How has that formed the narrative that we all feel about open source? Well, it probably goes back to these two gentlemen, back to Richard Stallman and Eric S. Raymond, Stallman being the founder of the Free Software Foundation, Eric S. Raymond being involved in the Open Source Initiative, essentially the two foundations which define open source for us today. We're going to come back to them. So there are some articles that have been coming out recently. This one was back in February. It says, the internet was built on the free labor of open source developers. Is that sustainable? I feel like the way they phrase that, you have to say, like, no, probably not. Built the internet seems like a big thing; free labor, probably not sustainable. Now, DHH had a thought on this. So if you want to pause and go and watch his and then come back, we'll wait. Alright. According to a report put out by Synopsys, where I work, a few days ago, 60% of commercial code is open source components. This is based on our dependency analysis tool and our customers, and in the report they say this actually might be a low estimate; some estimates are as high as 90%.
So 60 to 90% of the code that companies are using to run their businesses, to make money, to generate revenue, is coming from open source, and the likelihood that they're paying for that or even contributing back: low, let's say. More specifically, this article came out last week, and this is just the kind of article I noticed coming out that made me have to keep changing my talk a little bit. They say Amazon has gone from neutral platform to cutthroat competitor, say open source developers. But I like the title they have in the URL, which you can't read and I almost can't. It says, open source betrayed: industry leaders accuse Amazon of playing a rigged game with AWS, which I feel is more like a 1920s kind of newspaper headline. And I encourage you to go read this article, cuz I don't have time to go in depth with it. It's a long article and has a lot of details, but let me just give you some other articles that led to this one. So AWS, Amazon. I know they're a sponsor of this conference. I'm not trying to call them out; it's just that they're in the news in the last couple weeks or months. They published this article, Keeping Open Source Open: Open Distro for Elasticsearch. So Elasticsearch had started kind of mixing up its open source and proprietary code. Amazon wasn't happy about that, so they forked to have a pure open source distribution for Elasticsearch. MongoDB changed their license. Amazon takes aim at MongoDB with launch of MongoDB-compatible DocumentDB. So they're like, alright, forget MongoDB, we will reimplement it ourselves and provide an API just like MongoDB. And the article points at the license change for this. MongoDB's open source Server Side Public License rejected. So not a good response from the community. Redis Labs. Redis Labs made a huge mistake when it changed its open source licensing strategy. Redis Labs changes its open source license again. One thing that comes up a lot when these things happen, people say, look, you changed the license, that's not open source, and we know it's not open source because open source is defined by the Open Source Institute. And one of the things that's part of the definition of open source is that you can't have any restrictions on the use of it, who uses it, what they use it for. If you do that, it's not open source.
Okay, so we have this idea of open source. We have this idea of, if you change the license, it's not open source anymore. And if you do that, well, first of all, we're going to be angry as a community, and we're going to fork things, and we're just going to keep going off our own way and forget you, right? And I should point out that I'm not saying that because I'm upset about any forks. This is just what's going on right now. And I think it's interesting, because I proposed this talk a few months ago and it seems like things are accelerating. This keeps happening. Companies are trying to figure out, well, we have this open source, but now we're finding ourselves in an uncomfortable situation when it comes to our business and the open source and other businesses competing with us. So again, post talk acceptance, Steve Klabnik wrote a couple of articles, the second of which is called What Comes After Open Source.
And just to be confusing, this quote is in the second article, but is a quote from the first article, just to be confusing. He says, today's developers have never learned about this history, or don't care about it (meaning the history of open source, of free software), or actively think it's irrelevant. For the same reasons that open source came up with a new name versus free software, I think the movement that will arise from today's developers will also need a new name. And honestly, this is right in line with what I have been thinking. So thank you, Steve, for validating my thoughts. The idea that something's happening right now, a shift is happening, and the developers today are going to be defining what the future of open source, or what comes after it, will be. Is it time for a new license? I don't know. Maybe it's just time for a new concept. I don't know. Maybe it's not; maybe we're just in a weird fluctuating thing, and, you know, all these companies that are trying to do weird licenses are just going to go away and we'll go back to how things were. I have no idea.
But let's look back just for a moment. Free Software Foundation started in 1985; Open Source Initiative founded in 1998, again by Stallman and Eric S. Raymond. Quick quiz: when was the term web app coined? I didn't expect you to know. I looked on Wikipedia. Wikipedia says 1999, in the Java documentation. They started using this word, web app, to define this thing that you would build. What about software as a service? Again, Wikipedia: two years later, 2001. As you can tell, those are after the Free Software Foundation and Open Source Initiative. And I would argue that the world we're living in today is much different than the world in 1985 and the world in 1998, from the perspective, of course, of building and selling software and services. Why does this matter? Well, because the GPL and related licenses are based on the idea that if you build a derivative work of something under the GPL, and then you distribute it, you must also distribute your changes. GPLv3 clarified that distribution means conveyed. I'm not a lawyer, but it didn't help me at all that they clarified it is conveyed. There's also the AGPL, which has the most confusing name, because it's actually the GNU AGPL. Anyways, well, if you access the software over a network, then that counts as distribution. The problem with both of those is that they rely on this concept of derivative work, and derivative work usually means, it seems like we usually interpret that as, modified the software. If you don't do that, you have no obligations whatsoever. This is from the GPL FAQ. They say if you use the GPL, it's awesome, because this means you can avoid the risk of having to compete with a proprietary modified version of your own work. That sounds like what we're looking for, right?
Well, let me tell you a story about a project called WPScan, WordPress scanner. It's an excellent tool. If you're running WordPress, you should use WPScan, definitely. WPScan was licensed under the GPL, I think version 2, but I could be wrong. Definitely GPL. And the creator and maintainer of WPScan and his team, they interpreted the GPL maybe a little bit differently, and they started kind of going after these businesses that were building tools around WPScan, and it caused a bit of controversy, and I don't know the truth of what happened or how aggressive this person or that person was. But they would go to these companies and say, look, you are building derivative works of our project, you need to buy a license from us, and companies didn't like that. In particular, this one called do labs. They posted this blog post, robbed at gunpoint. I don't know if they're embarrassed by that, cuz it's gone now, but they basically ended up forking WPScan and saying, here's an open source version.
They tried to extort money from us and we disagreed about what the GPL meant, and so we ended up forking it. There are some other licenses I kind of want to mention. So Nmap is a very popular network port scanning tool. They did something I found very interesting. It's licensed under the GPL, but they clarified what they considered to be derivative works. One of the things they consider to be a derivative work is if you just run Nmap, take its output, modify it, and then present it to a user or customer. That's very different than how I feel like most people interpret derivative work, but it actually seems to have been successful for them. They sell commercial licenses for the software, and as far as I know, it hasn't really caused any problems. I could be wrong; I didn't look that much into it, but I thought it was very interesting that they, I feel, didn't want to redefine the license. They just said, this is our interpretation of what a derivative work is. There's a couple more here. One I feel like I have to address is the Brakeman Public Use License. As a part of the acquisition by Synopsys, the license under which Brakeman is distributed changed, for similar reasons to these other licenses and projects, and I want the people here and the people watching to know that for most of you, if you're just using it for your own purposes, you're fine to continue doing so. And if you want to talk to me about this license, I'm happy to talk to you afterwards. So I didn't want anyone to feel like I was hiding from the fact that Brakeman itself also changed its license post acquisition. I have another thought for you.
Why is Creative Commons non-commercial so unacceptable to us as a community for software? And I don't mean because Creative Commons says don't use Creative Commons licenses for software; that's a different issue. What I mean is, why is it so hard for us to accept the idea of a non-commercial open, free license, when it seems like, and this is just my perception, it seems like we're totally cool with the idea of Creative Commons and the different options they have? They have four different kinds of licenses, including non-commercial, meaning I take a picture, I make some art, I write something, I put it under a Creative Commons non-commercial license, you can use it as long as you're not using it for commercial use. Seems totally fine with that. As soon as you try to apply it to software, it becomes a whole thing. Why? I don't know. I think that's something we need to think about. I'm asking you to think about it, because I don't know. I don't know why this is such a problem.
I'm going to wrap up. I know I didn't present any solutions here. And if you were expecting me to drop, like, here's the new license that I wrote with a lawyer: not happening. A lot of people have tried that and no one has been successful yet. You can look into some different things that have happened around that. I just wanted to direct your attention to how we're thinking about open source and why we think about open source that way. Why is it that the community always has such a violent reaction? I didn't put it in, but if you saw it recently, Chef switched to open sourcing more or all of their software, and you would have thought that the community would be like, how cool, right? Now that's not how the community reacted; they weren't happy about it. And I don't know, there's something going on there and I think we really need to examine it. And unfortunately, this is the end of my talk, so I don't have any grand conclusions for you. Just hopefully I provoked some thoughts. Now if you have some thoughts, there's a birds-of-a-feather session happening right after this in Zone B. I assume this is in the lunch area, as in previous years. Also, thank you for not eating. If you're unaware, birds of a feather is something I didn't know, first of all, when I started going to conferences. No one actually said what that is. I don't know what that is. If you don't know what that is, it just means it's an informal setup. Some people signed up for some time slots. It's not a talk, it's just a little gathering of people. So if you're interested in this scene and you want to talk more, come to this. Of course, you can ask me questions afterwards. Thank you very much for attending. You can find me on the internet, presidentbeef. I will post these slides. All the slides and talks I've ever done are on my website, so these will also make it to the website, and on Twitter. And of course, if you're interested in Brakeman, you can go to brakeman.org or on Twitter, and if you have any questions, certainly I'm happy to talk and answer; we can chat and see what your ideas are about this. Thank you.