I’ve spent quite a bit of time looking at relicensing and rug pulls, but the data isn’t the important part. What really matters are the actions we take based on what we’ve learned. OSPOs and other open source teams within companies need to think strategically about what these power dynamics mean and how to anticipate and mitigate the risk of rug pulls from open source projects driven by software vendors. During my talk at OSSEU, most of the Q&A discussion was about the indicators and red flags that can help us anticipate these risks, and about how we can mitigate them through open source project contributions.
Indicators and Red Flags
There are a couple of indicators that can help you anticipate which open source projects are more or less likely to be subject to a rug pull or relicense in the future.
Contributor License Agreements (CLAs) create a power imbalance within open source communities. The company that owns the project and controls the CLA typically receives rights to contributions that go beyond the project’s open source license, so it can relicense the project unilaterally, without the consent of the other contributors, who hold no equivalent power. This is probably the biggest red flag when assessing whether a project might be at risk of a rug pull in the future.
Neutral Foundations and Governance provide a level playing field where people from many different companies can work together on an open source project as equals to create something that benefits everyone. Projects are much less likely to experience rug pulls if they are under neutral, well-run foundations and have governance structures with leaders and maintainers from a variety of organizations. By contrast, a project owned or controlled by a single company is a red flag, because that company can change the license on its own.
Mitigate through Contribution
The most impactful action a company can take to mitigate potential issues within an open source project is to have employees actively participating in and contributing to the projects that are most strategic for the company. This is an important way to better understand and mitigate the risks associated with future rug pulls, but it also goes beyond that one concern. Companies have the power and resources to make real improvements within open source projects, and corporate involvement can positively impact the sustainability of those projects. Companies can allocate employee time to contribute to projects or provide funding and other resources to help sustain them.
Having your employees working within a project helps you understand the power dynamics that might be at play and the strengths and weaknesses of that project, while also giving you the ability to influence the project from within. If your employees are in positions of leadership within a project, you might be able to help prevent future rug pulls, or at the very least anticipate them.
If you want feedback or help with your open source strategy and how your organization can mitigate potential impacts from rug pulls, I’m available for consulting engagements.
I’ve spent a lot of time over the past year doing research into open source projects that have moved to proprietary licenses and the forks that were the result of those license changes. More recently (starting with a talk at Monki Gras), I’ve been thinking about how the power dynamics within the open source ecosystem have evolved and how rug pulls, relicensing, and forks can shift those power dynamics.
“With the rise in popularity of large cloud providers, the open source power dynamics are looking kind of similar to the feudalism example I talked about at the beginning of this blog post, but in the open source case, what’s different is that we have ways to shift or flip the power dynamics. A smaller company deciding to move a project away from an open source license can flip the power dynamic and gain power back from those large cloud providers. Still, they also shift the balance of power even further away from contributors and users at the same time when they decide to relicense that project. This encourages those with less power to take collective action to fork a project, flipping the power dynamic in favor of the contributors and users, often including the cloud providers as users. Within the open source world, we are better off than the peasants and serfs because we have certain freedoms that allow us to take collective action to regain power by forking projects when others abuse their power.” – read the rest of the blog post on The New Stack.
If you want to learn more about the research, here are a few places to get started: