Ahead of Trinity’s Code for Ethics event, Martin Callinan discusses the benefits open-source software can offer – along with the risks and ethical questions companies should consider.
Martin Callinan is the founder and director of Source Code Control, an open-source and cloud transformation consultancy business based in the UK.
He is an open-source expert with more than 20 years’ experience helping businesses manage risks associated with open-source software supply chains such as IP compliance processes, security vulnerability management and procurement.
Callinan is one of the speakers at the Code For Ethics conference taking place in Trinity College Dublin on 1 July. The event will look at how open-source technology and its community can provide code for all, make changes to social environments and the potential benefits for both commercial and not-for-profit organisations.
‘One area in particular where open source should play a key role is in public services such as health, local and central government’
– MARTIN CALLINAN
What are the biggest benefits open-source software can provide for businesses?
All software developed today will include open-source software components and libraries. The fundamental benefit is developers are sharing code that addresses technical challenges – this enables avoidance of having to develop common functionality from scratch, making software development projects more efficient and reducing the time to market.
A great example is the Android Open Source Project. Android is based on the Linux Kernel. The core mobile operating system is open-source and is developed by a community of organisations and individual developers. Having a community contributing to the operating system brings economies of scale. It also enables developers to collaborate and share the best practices and ideas to build skills and help the software industry advance.
Many traditional industries such as auto have evolved into being software companies. Tesla is a great example of a software-first auto company, where cars include software-connected services all built on open-source technology.
Another area where open source is proving a great benefit is in the area of cloud services. Many organisations are moving both infrastructure and application to the cloud. Legacy on-premises applications are being modernised, and the architecture and development required is enabled by open-source software.
How has open-source software developed in recent years?
The biggest change we have seen is the use of open source becoming accepted and enterprise ready. Many of the large software vendors who historically have seen open source as a threat have now embraced open source and are contributing code that can be leveraged by software developers.
A great example would be Microsoft, whose developers are now one of the biggest contributors to open source on the code-sharing site GitHub. This shift has also seen the coding standards and practices evolve, raising the quality bar of open-source code available.
Were there any landmark moments that drew attention to open-source software?
By far the biggest landmark related to open source is the success of the Linux Kernel and the software solutions and industries that have benefitted from open source.
The internet we all benefit from today is run on Linux. Similarly, mobile devices and cars are underpinned by Linux and other open-source technologies. Organisations are not locked into individual vendor strategies and restrictions and are free to control their own destiny.
Which industries can benefit the most from open-source software?
All industries can and do benefit from open-source software. One area in particular where open source should play a key role is in public services such as health, local and central government. Public sector organisations globally are delivering common services to citizens funded by public money.
The ability to share code for solutions which can be modified and evolved without the need to be locked into software vendors makes for great efficiencies and economies of scale. In the health sector, clinicians are getting involved in the development of software health solutions, working alongside software developers to create solutions that they need to deliver efficient health services.
You’re heavily involved in risk management in this field. What are the biggest risks associated with open-source and how can businesses mitigate these?
There is a widely held perception that open-source software can be freely used without any obligation or cost. This is inaccurate. The term ‘free’, as it relates to open source, refers to freedoms: the freedom to use, to view the source code, to modify the source code and to distribute it.
However, there are open-source licences that govern the rights to use open source. A basic obligation is that if you use code under an open-source licence, you give attribution to the copyright holder. Some licences have an obligation that if you use the code in a solution being developed, the users of the solution should have access to the source.
These obligations can create a legal IP risk to organisations and conflict with their business models. For instance, if a software provider has IP value in the software they are developing, then controlling access to the source code would be a commercial imperative. There have been a number of cases where companies have been forced to disclose their source code due to the use of open-source libraries under a licence that obligates source code disclosure.
A further risk is in software security. Most developers are under pressure to deliver code. Leveraging open-source components from sites such as GitHub and NPM greatly helps in speeding up software development. However, some components may have known security vulnerabilities which could end up in a solution which could then be exploited by bad actors.
In recent years, there have been supply chain attacks where malicious code is injected into open-source code on code-sharing sites, which enters the software supply chain and is later exploited. Because of these risks, the industry has come together to provide standards and best practices to guide developers in building solutions that customers can trust.
In 2016, the Linux Foundation founded the OpenChain Project. This is a community project to build trust in the software supply chain. Organisations such as Microsoft, Siemens, Bosch and Google to name a few have collaborated to produce a best practice that can be adopted by software companies to mitigate the risks discussed. In 2020, this became an international standard.
In the US, the White House issued an executive order on improving the nation’s cybersecurity, which includes a requirement to track and manage the use of open-source components and provide to government users a software bill of materials – which is analogous to a list of ingredients on food packaging.
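A worked illustration of the tracking the answer above describes, added here as an example and not part of the interview or of Source Code Control's tooling: it reads a constructed, CycloneDX-style SBOM and reports, for each component, the licence obligation the interview names (attribution only, or source disclosure) and whether it matches a constructed advisory list. The component names, versions, advisory list and licence-to-obligation table are all assumptions made for the example, not legal guidance.

```python
import json

# Constructed sample SBOM, loosely modelled on CycloneDX JSON; component names
# and versions are invented for this example, not a real product's inventory.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "http-helper", "version": "1.4.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "fast-regex", "version": "3.2.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "tiny-pad", "version": "0.9.0", "licenses": []},
]})

# Constructed advisory list of (name, affected version); a real pipeline would
# pull this from a vulnerability database rather than hard-code it.
KNOWN_VULNERABLE = {("fast-regex", "3.2.1")}

# Simplified policy table (an assumption, not legal advice) mapping SPDX ids to
# the two obligations the interview describes: attribution, or source disclosure.
SOURCE_DISCLOSURE = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                     "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
ATTRIBUTION_ONLY = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}

def classify(licence_ids):
    """Return the strongest obligation implied by a component's licence ids."""
    if not licence_ids:
        return "unknown"            # nothing declared: no rights can be assumed
    if licence_ids & SOURCE_DISCLOSURE:
        return "source-disclosure"  # users must be able to obtain the source
    if licence_ids <= ATTRIBUTION_ONLY:
        return "attribution"        # credit the copyright holder in the notices
    return "review"                 # declared, but outside the policy table

def review_sbom(sbom_json):
    """Map name@version to its obligation and whether an advisory matches it."""
    report = {}
    for comp in json.loads(sbom_json).get("components", []):
        ids = {entry.get("license", {}).get("id")
               for entry in comp.get("licenses", [])} - {None}
        report[f"{comp['name']}@{comp['version']}"] = {
            "obligation": classify(ids),
            "vulnerable": (comp["name"], comp["version"]) in KNOWN_VULNERABLE,
        }
    return report

def blocking_findings(report):
    """Components a release gate should stop on: advisory, no licence, disclosure."""
    return sorted(key for key, finding in report.items()
                  if finding["vulnerable"]
                  or finding["obligation"] in ("unknown", "source-disclosure"))
```

Running `blocking_findings(review_sbom(SAMPLE_SBOM))` on the constructed inventory flags the copyleft component that also has an advisory and the component with no declared licence, while the attribution-only component passes.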
And what about the ethical side of open source?
One area of ethics which is a hot topic is the lack of contribution to open-source projects and also a lack of funding. There have been a number of high-profile security vulnerabilities related to open-source projects, for instance Log4J, which have exposed this issue.
Log4J is a relatively inconspicuous piece of code that is widely used. The vulnerability that was discovered is highly exploitable and many large companies use and depend on it. The maintainer who fixed the Log4J bug contributed to the project part-time, and had just three GitHub Sponsors (a way for people to pay project volunteers).
We have also seen a rise in what is known as ethical licensing. A developer called Coraline Ada Ehmke has created the Hippocratic License that adds ethics to open-source projects.
The point really is that open-source software is not a free-for-all – there are obligations and ethics to consider when adopting and using it.