Thoughtworks Technology Radar Themes

The Bizarre Bazaar: The Changing Economics of Open-Source Software

At Thoughtworks, we’ve long been fans of open-source software, popularized in part by Eric Raymond’s famous essay “The Cathedral and the Bazaar.” Open-source software improves developer mobility and crowdsources both bug fixes and innovation. However, attempts at commercialization demonstrate the enormous economic complexity of the current ecosystem. See, for example, AWS forking Elasticsearch to OpenSearch in September 2021 in response to Elastic changing their license to require cloud service providers who profit off their work to contribute back. This shows how difficult it can be for commercial open-source software to maintain a competitive moat. (The same concern applies with free closed-source software, as we witnessed some companies exploring Docker Desktop alternatives because of Docker’s ongoing effort to find the right commercial model.) Sometimes the power dynamics work in reverse: because Facebook funded Presto as an open-source product, the maintainers were able to keep the IP and rebrand it as Trino after they left the company, in effect benefiting from Facebook’s investment. The situation is further muddied by the amount of critical infrastructure that isn’t corporate-sponsored, where companies usually only notice how reliant they are on unpaid labor when a critical security bug is discovered (as recently happened with Log4J). In some cases, funding hobbyist maintainers through GitHub or Patreon provides enough lift to make a difference; in others it simply creates an additional feeling of responsibility on top of their day job and contributes to burnout. We continue to be strong supporters of open-source software but recognize that the economics are becoming increasingly bizarre, and there are no easy solutions to finding the right balance.
Software Supply Chain Innovations

Public instances of severe problems — the Equifax data breach, SolarWinds attack, Log4J remote zero-day vulnerability and so on — were caused by poor governance of the software supply chain. Teams now realize that responsible engineering practices include validating and governing project dependencies, and this drives a number of blips in this edition of the Radar. Entries include checklists and standards such as Supply chain Levels for Software Artifacts (SLSA), a Google-backed consortium to provide guidance on standard threats to the supply chain, and CycloneDX, another set of standards driven by the OWASP community. We also feature concrete tools such as Syft, which generates a Software Bill of Materials (SBOM) from container images. Hackers are increasingly taking advantage of the asymmetrical nature of offense and defense in the security arena — they only need to find one vulnerability, whereas defenders must secure the entire attack surface — while employing increasingly sophisticated hacking techniques. Improved supply chain security is a critical piece of our response as we work to keep systems secure.

© Thoughtworks, Inc. All Rights Reserved. 6
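Generating an SBOM is only useful if something consumes it. The following is an added example (not code from the Radar, nor from the Syft or CycloneDX projects) of the governance step the theme describes: reading a CycloneDX JSON SBOM of the kind Syft can emit for a container image, flagging components that cannot be identified (no version or package URL) and components whose version falls below a policy minimum. The SBOM document, the policy table and its version threshold are constructed for illustration, and the dotted-version comparison is a deliberate simplification of the ordering rules real package ecosystems use.

```python
"""Check a CycloneDX JSON SBOM against a simple dependency policy.

Added example; assumes CycloneDX 1.4 JSON input (Syft can produce this
with `-o cyclonedx-json`). All data below is constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed minimal SBOM, shaped like a CycloneDX document for a container image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "example-app", "version": "1.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k"},
        {"type": "library", "name": "mystery-lib"},  # no version, no purl: cannot be governed
    ],
})

# Constructed policy: purl (without version) -> minimum acceptable version.
# The threshold is an illustrative placeholder, not advisory data.
MIN_VERSIONS: Dict[str, str] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted version numerically; a trailing non-digit suffix is ignored.

    Simplification: Maven, Debian and semver each define their own ordering.
    """
    parts = []
    for frag in v.split("."):
        digits = ""
        for ch in frag:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b (missing fields count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:type/ns/name@ver?qualifiers#subpath' -> ('pkg:type/ns/name', 'ver')."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.partition("@")
    return name, version


def check_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Classify every component as unidentifiable, below the policy minimum, or ok."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings: Dict[str, List[str]] = {"unidentifiable": [], "below_minimum": [], "ok": []}
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            # Without a stable identifier the component cannot be matched to advisories.
            findings["unidentifiable"].append(name)
            continue
        key, purl_version = split_purl(purl)
        minimum = MIN_VERSIONS.get(key)
        if minimum and version_lt(purl_version or version, minimum):
            findings["below_minimum"].append(f"{name}@{version} < {minimum}")
        else:
            findings["ok"].append(f"{name}@{version}")
    return findings


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

In a pipeline this check would run against the SBOM produced for each image and fail the build on any `below_minimum` entry; `unidentifiable` entries deserve the same treatment, since a dependency without a version or purl is exactly the unpaid-for, unnoticed infrastructure the Radar describes.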
Vol 26 | Technology Radar