Why Europe needs open source
Okay, so I'm a little bit late with this one.
A while back, there was a post on LWN about the European Commission calling for evidence on open source. If you want, you can have a look at the EUR-Lex post for yourself:

The gist of it is that Europe has become quite dependent on foreign tech, which means risks both in regards to the supply chain itself and the overall governance - and, given the state of the world, that isn't a really good situation to be in:
The EU faces a significant problem of dependence on non-EU countries in the digital sphere. This reduces users' choice, hampers EU companies' competitiveness and can raise supply chain security issues as it makes it difficult to control our digital infrastructure (both physical and software components), potentially creating vulnerabilities including in critical sectors.
In the last few years, it has been widely acknowledged that open source – which is a public good to be freely used, modified, and redistributed – has the strong potential to underpin a diverse portfolio of high-quality and secure digital solutions that are valid alternatives to proprietary ones. By doing so, it increases user agency, helps regain control and boost the resilience of our digital infrastructure.
For a long time, it has been happening silently in the background, various systems being built, integrated and operated, or sometimes changing ownership to that of presumed allied countries, with nobody paying it much attention - such as the Netherlands DigiD identity system almost getting sold to the US.
It's not even the case of various large systems that might get treated like public utilities, but rather even the foundational building blocks, from OSes like Windows Server and RHEL (still controlled by a foreign company, despite being more open than Windows), to databases like DB2, SQL Server, Oracle and others, alongside a huge amount of proprietary solutions, frameworks and even libraries.
The thing is that the risks of vendor lock-in have been known for a long time, though sadly we have to contend with adages such as:
Nobody ever got fired for choosing IBM.
Replace IBM in that sentence with any mainstream large tech company, be it Microsoft, Google, or maybe even entire platforms like AWS. People keep waving their hands around and saying that proprietary technology is good, actually, since it often comes with support (not that you can't be the support for an open-source solution, or even pay someone to support you, but apparently that eludes most people; it might just be about covering your ass in case something goes wrong, but I'll explain why it doesn't actually work). Couple that with the sales departments of those companies having a lot of resources at their disposal and large govt. contracts being right up their alley, and the friction for using that tech as opposed to FOSS or even source-available software will often be lower.
Now, four weeks have passed since the call was open, so it's not like I would want to submit anything formal, but at the same time I at least wanted to share my thoughts on open source and why it matters to Europe. As an opinion piece, this won't really be that fact-heavy, since I've had quite the busy weekend as well. My opinions are my own, my experiences are what I've lived through.
Why we need Open Source
First up, I don't believe that any of those companies are evil. They are companies - they are there to make money. It's just that that very assumption is likely to hurt you. They are not your friends, they are only interested in ensuring your success insofar as they'd be able to do further business with you. This implies vendor lock. They hold the cards in regards to control over the technology, licensing it, and might alter the deal whenever they please. That's just the reality that you have to accept when dealing with them, before sovereignty of any sort or security risks even enter the conversation.
Secondly, a lot of that "choose X to not get fired" is both a lack of imagination and spine - for technically inclined developers, not having access to source will almost always be more difficult to work with than being able to peel back the abstractions and see what's inside the solution, and make any alterations as necessary. Or, in lieu of having those skills themselves, being able to pull up a GitHub discussion and see what other brilliant people have done to find a workaround for a particular issue. Anyone who has been on StackOverflow, or even used AI to help with issues that have been publicly acknowledged, will know that.
The whole bit about covering your ass in case something goes wrong, it doesn't actually help you as much as you think. If you need support, there are plenty of companies that would be more than happy to support your open source installs of whatever software you can imagine. Oftentimes, it can be even simpler than going for the proprietary software. You can get Mattermost installs that will even be run for you, same for Zulip if you need some sort of a communication tool. You can use Jitsi Meet for free until you have a need to self-host, unlike Zoom. You can get managed installs of Nextcloud if you want, you can get Collabora Office in the cloud and use LibreOffice locally. You can self-host all of the above when you need to, when you want to - the ability to do so is there.
There's also a lot of software out there that you can get and run completely for free, that will be similar enough to the upstream offerings not to matter much - the likes of Rocky Linux if you need something RHEL-compatible, or maybe you can just choose to use Ubuntu LTS or Debian, which have never had that much of a commercial component to them, outside of additional management tools or getting longer EOL support, which you can do if you need to! Most of the above can also be easily set up and run as a Docker container, and the same applies to most types of software out there - from source code management platforms like Gitea or GitLab, CI/CD solutions like Woodpecker CI, the excellent GitLab CI, or heck, even Jenkins if you want to go in that direction, to issue tracking software like OpenProject or Kanboard, or APM tools like Apache Skywalking, or analytics solutions like Matomo Analytics.
The same also extends to those same building blocks: you can get good relational databases, like PostgreSQL and MariaDB, use SQLite for more local or simple use cases, can get S3 storage in the form of Garage and key-value store in the form of Valkey, message queues in the form of RabbitMQ or NATS and there's a slew of open source solutions for both full-stack work, front end and back end: you could build a Django app that has Vue on the front end with PrimeVue today, if you wanted to, and get it running in the cloud behind Apache2 with Let's Encrypt certs (mod_md; some might prefer Caddy) without spending money on any of the tech. The only thing keeping you from doing that is making the choice not to, and let me tell you - often the engineers are not the ones making the choice to go proprietary.
(Note: okay, Let's Encrypt being under ISRG is a bit of a risk, EU probably should provide a similar service, though if the global CA trust falls apart, then I guess the Internet would also be severely fragmented and hopefully nobody wants that, so maybe that's a bit paranoid to say; either way, I moved my domains at least from NameCheap to INWX to support more local business)
I know so, because I have done so in the past - and when issues arose, I just resolved them, because I'm an engineer and that's what I do. I don't claim to be some genius or an expert in any one particular area, so if I can do that, then hopefully the many people working in the public sector can, as well. And in regards to the software, it doesn't even matter that much, who originally developed it - because if they try to rugpull you at any point in time, you can just say "No, thank you, I will make a fork of your project and set off in my own direction." That happened with Redis and Valkey, as it did with many other solutions - and standards like S3 only help this, because when MinIO starts going in a more commercial direction, which might not be a problem for a government project but is for me, I can just thank them for their effort and go with Garage instead.
My argument isn't even that you can't buy software, or use foreign tech as utilities when it makes sense (e.g. US based AI inference when you really need it, while not forgetting that Mistral exists and is actually pretty dang good) - I've gotten iframe-resizer licenses for a project at work once, when it made sense and we needed to save time, it worked okay. My argument is that I should never be (figuratively) held at gunpoint and made to fork over cash for Kendo UI when my project doesn't really call for it.
Hiding behind support and the status quo is nothing other than cowardice. Saying that you can't use something open source because your procurement department can't "buy" it is plain stupid. There, I said it. I'm not saying that about the people themselves, but rather their choices, mind you.
For most of the apps there, if you can get Oracle working as your DB, it will most likely work fine on MariaDB or PostgreSQL - with the added benefit that you can do whatever you want, with no restrictions. Need to set up a new development environment? Run a copy of the whole database locally? Build and run some containers across a wide variety of hardware configurations? If your system runs on the aforementioned open source DBs, licensing doesn't even enter the equation, whereas going with any of the proprietary solutions in some cases will tie your hands.
I can already hear people saying:
But open source solution X doesn't have feature Y.
I hate to be the obnoxious person telling you this, because it's unhelpful at a glance - but you don't need it and you can work around it. There is no single feature that's so foundational that your entire success depends on it and it alone, at least in a way where it doesn't exist in another software package in some shape or form. If it truly doesn't, then shout about it from the rooftops, or better yet, write it yourself.
Yes, switching would be a pain in the ass. Yes, most people might find the UI of LibreOffice a bit dated (honestly their customization is lovely and I like that look over the MS Ribbon, very, very much), and that the experience around pivot tables and some of the formulas will be a bit awkward. Heck, if you switched over to a Linux distro like Linux Mint, the overall user experience would be pretty solid, even if there'd be absolutely nothing you could do to avoid some level of switching pains, for the people that are used to Windows. They'd still get over it.
Because otherwise, you are hostages. If you have no alternatives, Microsoft can charge you whatever they want. If they're a business, treat them as such - have enough leverage to negotiate better prices for their software, if you ever decide that you truly need it, like the Germans did. You need to explore the other options, lest you end up with none.
It's not even a matter of complacency, or realpolitik, but also of cost.
Why B-tier Europe can't afford anything else
I will be the first to admit that Latvia and many other EU countries like it are pretty poor. The tone in places above is a bit inflammatory, because going for expensive proprietary solutions is like burning money that we don't really have. Countries like Germany and France, or smaller ones that are still wealthy like Denmark and the Netherlands can afford to do that, but we are just not like them. If they're A-tier Europe, then we are B-tier Europe: I'm still thankful that we're a part of the EU, but our day to day reality is quite different when it comes to economic matters.
It's a bit like comparing how much a software dev might earn in the US vs EU. If you are curious, a developer over here in Latvia makes on average around 23 EUR an hour, or about 3700 EUR per month, before taxes, according to government data:

The data is also corroborated by some other sources as well, like the site algas.lv where people report their own salaries:

That site is actually more telling and suggests that what most of the people make, the values closer to the median rather than the skewed averages, fall in line somewhere between ~1300 and ~3700 EUR, after taxes. This actually gives us a more realistic look into how much people make here. Per year, that is between 15k and 44k EUR for the majority of people here.
Why focus on that? Because it's a pretty comparable example for the people that might read this. At the same time, our public sector is underfunded - teachers don't receive nearly enough money, for how important their work is. Medical nurses don't either, nor do policemen or firefighters. It is tough for everyone out there. Pensioners struggle to afford their necessities and medicine.
Then why do we act as if we can waste millions on consulting companies and expensive software and platforms that we don't have the money for? Yes, there are a lot of consulting companies here that pay the local developers and I'm glad for that - it's bringing at least some money into the economy where we otherwise don't have a strong tech sector. It's at least something and lets our developers work on a wide variety of projects - but it's something that the "rich" part of Europe should purchase.
We shouldn't act like we can afford Microsoft licenses for everything. We shouldn't act like we can afford to run things on AWS or pay for Cloudflare. We shouldn't act like we can afford Oracle or DB2 licenses and treat software development projects like a black hole that we just throw money into and hope for the best.
We should invest as much as we can into our people and developers and only reach for that software when the engineers in charge decide that it's what we truly need. If a project crashes and burns, then so be it - don't try to cover your ass by shifting the blame, because at the end of the day it doesn't matter whether you have support by a vendor or don't, the solution either works or doesn't and that is that.
Stop building your platforms in others' walled gardens and start using open source properly. And when possible, contribute back to it. The same goes for the rich part of Europe - because currently, if you pay a vendor a bunch of money for some proprietary software, they're gonna take that money, spend it on whatever they do and make their closed software better. That's it, nobody else other than them will benefit from it. And yet, if you sponsored the development of PostgreSQL and improved the query performance by 1%, you are improving that for everyone using PostgreSQL, all across the world, in perpetuity.
Most of the software out there is developed below the poverty line:

(image sourced from the blog post, there's a higher quality version there)
The person maintaining log4j had three GitHub sponsors:

I don't know about you, but I don't think Michael, Glenn and Matt should support the development of a large part of the logging infrastructure for Java by themselves, as nice as it was of them.
The person maintaining sudo recently said they could really use some money:

Again, a utility that's used in almost every server running some variety of GNU/Linux out there, and the person is struggling financially and the project needs support. Remind me, just how much money do the corporations that provide Linux cloud services earn?
The longer I live, the more it feels like this XKCD is completely correct and representative of our reality:

While even a single person that's tirelessly working on the software you all depend on is struggling financially, I cannot ever say that you should reach for paying a bunch of corpos that will just take the money. These people are working on the backbone of the technology that runs a good part of the world and... they still have to worry about making ends meet? What the fuck is wrong with the world?
Most of the commits to the Linux kernel are corporate-backed, that much is true. So live in that reality: when considering buying software from one of those large orgs, ask them if they're going to make the source available to you together with the purchase, for you to use in whatever capacity you desire. If they say no, you say no.
There's no reason why you shouldn't use something like Visual Studio Code (maybe ideological reasons, but I'm more concerned about realpolitik here), but there is relatively little friction in regards to switching to something else, when compared with a foundational relational DB that is at the core of your system and has 5-10 years of work running to it right now. The dependencies that cause risks include the entirety of your tech stack, all the way to the OSes and hardware you use.
You don't have to go all-in on the Free Software movement, just please take the first steps towards a saner world:
- Invest in talent when you can, instead of trying to replace it with a pre-packaged software solution.
- Don't give away control over what you'll build just because of rosy promises.
- Unless you have a set of very specific requirements, go for open source solutions first.
- Take ownership over the implementation and contribute back when you can.
- Seriously, stop burning my tax money, please. I'd much rather it go to devs than corpos.
There are second order effects to this, as well. Right now, there may or may not be a project somewhere that is about migrating from one proprietary form solution to another and it's behind, largely because they just didn't go with an open source solution and didn't build some of the primitives themselves. They gave up control in exchange for promises and the promises won't get them far. They instead have an over-complicated mess of XML and two packages that are hard to work with and no source for either. It will probably be late.
It's probably easy for me to speak, because when your country has no more than 2 million people in it total, you could even get away without having huge DB clusters in many cases, especially for the systems that aren't used by too many of those and are primarily there for the purposes of basic digitization - in which case, you should prefer monoliths to complex microservices and it can probably run on a single server on-prem (hopefully with regular and tested off-site backups).
Whatever the case, I hope Europe wakes up. We need a cultural shift, to have proper digital sovereignty and create jobs to build our digital future. This doesn't mean turning away from the rest of the world in the slightest, but to not turn away from projects that are developed in the open and benefit everyone across the world.