
A few months ago, I posted here about the New Power Dynamics in Open Source: Rug Pulls, Relicensing, and Forks, but it’s something I’ve been continuing to think about over the past few months. I recently published a blog post for OpenUK on The Shifting Power Dynamics in Open Source: Rug Pulls, Relicensing and Forks, and at the recent Open Source Summit EU (OSSEU) in Amsterdam, I gave a talk on this topic, which Jon Corbet did a lovely job of summarizing in his LWN coverage of the talk. Here’s the video if you’d like to watch the full 45-minute talk.
What Can Your OSPO Do?
I’ve spent quite a bit of time looking at relicensing and rug pulls, but the data isn’t the important part. What really matters are the actions that we take based on what we’ve learned. It’s important for OSPOs and other open source teams within companies to think strategically about what these power dynamics mean and how we can anticipate and mitigate the risks associated with rug pulls from open source projects driven by software vendors. During my talk at OSSEU, most of the discussion during the Q&A was about the indicators and red flags that can help us anticipate these risks along with how we can mitigate the risks through open source project contributions.
Indicators and Red Flags
There are a couple of indicators that can help you anticipate which open source projects might be more or less likely to be subject to a rug pull or relicense in the future.
- Contributor License Agreements (CLAs) create a power imbalance within open source communities: power is tilted toward the company that owns the project and controls the CLA, which gives that company more power than other contributors, for example the power to relicense the project. This is probably the biggest red flag when assessing whether a project might be at risk of a rug pull in the future.
- Neutral Foundations and Governance provide a level playing field where people from many different companies can work together on an open source project as equals to create something that benefits everyone. Projects are much less likely to experience rug pulls if they are under neutral, well-run foundations and have governance structures with leaders and maintainers from a variety of organizations. This is in contrast to projects owned or controlled by a single company, which is a red flag because those projects are more likely to experience rug pulls.
Mitigate through Contribution
The most impactful action that a company can take to mitigate potential issues within an open source project is to have employees actively participating and contributing to the projects that are most strategic for your company. This is an important way to better understand and mitigate the risks associated with future rug pulls, but it also goes beyond just that one concern. Companies have the power and resources to make real improvements within open source projects, and corporate involvement can positively impact the sustainability of our projects. Companies can allocate employee time to contribute to projects or provide funding and other resources to help sustain open source projects.
Having your employees working within a project helps you understand the power dynamics that might be at play, see the strengths and weaknesses of that project more clearly, and influence the project from within. If your employees are in positions of leadership within a project, you might be able to help prevent future rug pulls, or at the very least, anticipate them.
Resources:
- Power Dynamics, Rug Pulls, and Other Corporate Impacts on OSS Sustainability at OSSEU (video)
- New Power Dynamics in Open Source: Rug Pulls, Relicensing, and Forks
- OpenUK Blog Post: The Shifting Power Dynamics in Open Source: Rug Pulls, Relicensing and Forks – OpenUK
- LWN Coverage of my recent talk: Rug pulls, forks, and open-source feudalism
- Companies Can Mitigate Sustainability Risks
- CHAOSS Practitioner Guides