Sarah Gooding
April 12, 2024
The Open Source Initiative (OSI), steward of the Open Source definition, is firing up a panel at the upcoming All Things Open conference to discuss doing business with open source. This topic encompasses a number of challenging and contentious issues surrounding open source business models, licensing conflicts, and the complex dynamics between corporate interests and community-driven projects.
“The supply-side value of widely-used Open Source software is estimated to be worth $4.15 billion, and the demand-side value is much larger, at $8.8 trillion,” OSI program coordinator Ariel Jolo said in the announcement. “And yet, maintaining a healthy business while producing Open Source software feels more like an art than a science.”
Participants will have to apply to be part of the panel and OSI is soliciting pitches on topics that are at the heart of the discussion of navigating the complex landscape of open source in business environments:
The challenges have recently been brought into sharp focus, following Redis Inc’s decision to abandon its open source licensing, blindsiding the majority of contributors who were deeply opposed to the decision. Redis cited the challenges of monetizing open core software in the cloud era as the reason for the shift away from open source, echoing Elasticsearch’s move to a “fauxpen” source license in 2021.
In a post on the AWS Open Source Blog, Amazon announced its support for the Valkey fork and criticized Redis Inc’s decision to move away from its open source roots:
It’s a mistake to undervalue the contributions of devoted users and contributors who helped make Redis and other open source technologies what they are today. When Redis was open source, the majority of commits may have come from Redis employees in recent years, but many other contributors added significant value to the project which should not be discounted — especially considering the degree to which Redis employees also decided which contributions to accept. Redis broke with the community that helped it grow and left them stranded.
OSI, as an advocate of open source, is looking to change the tides on this trend of companies claiming that cloud providers have forced them into abandoning open source licensing.
“Most of these companies have reached the end of their Open Source exploitation cycle: they grew fast after they chose to use non-reciprocal Open Source licenses,” OSI Executive Director Stefano Maffulli commented on the trend. “These licenses like the BSD/MIT or the ASLv2.0 are basically donations to the commons, they don't require anything in exchange (they're often referred to as ‘permissive licenses.’)”
Reflecting on this pattern, Maffulli noted the strategic timing that often coincides with key corporate milestones.
“After the propulsion of increased popularity granted by these licenses tapers off, predictably around the 10-years anniversary (right before or after their planned IPO) they start to blame some external forces (either 'free riders' or another excuse) to change the license revealing the truth: All they care about is to exclusively monetize the full value of their Open Source contributions,” he said.
This is where a few companies have discovered some of the distinct merits of copyleft licensing. In pursuit of a way to replicate the MySQL business model, Maffulli said some companies accept reciprocity or discuss different licensing options with the rights holder. This model requires a copyleft license from the GNU GPL family or the Mozilla Public License.
“These licenses are more complex, they're not well understood, they're also not well explained and they were written when Software as a Service didn't exist,” Maffulli said.
“The FSF published a special version of GPLv3, called Affero GPLv3 to respond to SaaS but hasn't published a dedicated FAQ for it, rendering the interpretation of the license even more complex.
“Some of the companies move away from Open Source claiming that there are no Open Source Approved Licenses that force reciprocity in the SaaS environment: this is the ‘SaaS loophole.’”
Maffulli said this call for papers is part of OSI’s initiative to start a conversation aimed at removing the excuse of the SaaS loophole.
OSI’s leadership on this topic seeks to educate and advocate for licensing strategies that ensure the spirit of open source is maintained even when software isn't distributed in the traditional sense, protect the integrity of open source projects, and foster a more sustainable ecosystem for OSS development, particularly in SaaS models.
Anyone who runs a business producing Open Source products or whose company’s revenue depends on open source in any way is invited to submit a 300-word abstract for consideration. OSI will narrow it to five speakers who will also develop their ideas into a series of articles. Selected participants will join an online discussion during the summer, followed by a panel at All Things Open in Raleigh, NC, on October 29, 2024.