3 Questions About Your Open Source Strategy, or: what I learned at HP, Canonical, Cloud 66, and Snyk

Me: so why have you chosen open source as the way forward?

Early stage founder: because it’s the right thing to do.

Me: I’m sorry, but I find that too simplistic. Can we try and unpack that statement?

An honest look in the mirror

In my work advising early-stage deep tech and AI startups, the topic of open source (and open data) strategy comes up quite a bit. As someone who has been in the industry for a long time, I am genuinely delighted to see how approaches to open source monetisation have evolved; a more mature approach to this model of technology development is surely an important factor in its long-term viability. This post is intended to help founders think through some common themes in the interest of this maturity.

My own journey with open source started around 2012. After the tumultuous Windows 8 launch, there was an increased appetite for experimenting, and at HP UK&I we managed to launch a worldwide-exclusive Ubuntu desktop together with Canonical, its commercial sponsor.

Later joining Canonical, I had the privilege of launching and growing a unique partnership program with the cloud hyperscalers. That work contributed significantly to the Ubuntu project, and likely influenced how other open source sponsors approached the tension between community values and investor expectations.

At Cloud 66, we open-sourced several useful pieces of software to help developers move faster with Kubernetes. Finally, at Snyk, it was great to contribute to the acceleration of open source by making it more transparent, secure, and trusted.

In addition, I wrote at length about open source in the venture-funded space on Forbes—as well as about the cultural impact of adopting open source methodologies. (Also re-posted on my website.)

All this isn’t meant as a brag—just to explain why I have strong opinions! So here are, mainly for startup founders, three questions I recommend asking when trying to build a business around open source software (and/or open data).

1. What's your why? (and the assumptions behind it)

So, going back to that “it’s the right thing to do”… Let’s rephrase that on the ethical level as: you believe software should be free (“free as in freedom, not as in free beer”). Two points here:

  • First, I would argue that while Free Software is an ideology, open source is more of a development model. Could you be open source and not so aligned to Free Software values? Sure. For example, when a vendor switches to a license with more limitations on use (but not on contribution), that could be a huge message about shifting values to the community who helped build the project. As another example, if you open source a finished thing, but retain most of the control over it, that might be seen as a virtue-signalling, top-of-funnel effort.

  • Second, you don’t have to merge the personal (e.g., being a contributor, maintainer, or activist) with the professional. Open source isn’t an easy way to make money for a company that is a builder. Your company could be an accelerator (see GitHub, Snyk, and others); or, as a benefactor, you could lead open source engagement programs on behalf of a large corporation, contributing funds and engineering time; or, as a standardiser, you could put in place corporate policies that prioritise use of open source for your own company’s R&D.

Don’t get me wrong: in my career, I’ve learned that magic happens when we can align our personal motivations and values with our professional goals. So, on that note…

2. What company goals does this support?

If you wanted to build open source software professionally, doing so in a big-tech job could have significant impact on adoption of open source projects—especially if working for a company that is an established champion or maintainer (Google, IBM, HP, and so many more). But we are here because you believe this is important for your startup company—so what is this for?

Is it because of Linus’s Law: "given enough eyeballs, all bugs are shallow"? In other words, is your main interest to build a robust and resilient piece of technology?

Is it because more people contributing to your project makes you a center of gravity, like the way more people using Llama2 makes Meta more powerful and its models more robust?

Is it that it’s a proven and effective go-to-market in your field (e.g. converting single users to enterprise customers)?

Is it because your talent acquisition strategy calls for it (e.g. you want to hire engineers with expertise in open-source LLMs)?

Is it because you’re building a public good—like Climate Policy Radar, Clay, and many others—that should not be controlled and closed-down by a single for-profit corporation?

Is it because it comes up as important on the "Who Cares about your OSS" matrix (a 2x2 grid and my invention, patent not pending)?

There are numerous reasons that are far more accurate, honest, and future-ready than “it’s the right thing to do”. If you tie your own Why to specific and tangible company goals, you will have done half the work already.

3. How will you survive and thrive?

This one is cheating: it's actually two questions hiding under one umbrella, because they are connected.

3a: How will you outswim the sharks?

It can be a cynical world out there. Large tech corporations are driven by profit considerations above all. Even if they hire the most ethical developers, and contribute en masse to open source, they are primarily concerned with the firm's long-term financial success. I hope this isn't news to you.

Buckets of digital ink have been spilled over the struggles and tribulations of vendors such as Elastic, Docker, and Hashicorp in their attempt to defend their open-source-based business from hyperscalers. The most obvious arena where this has played out is license choice; specifically, vendors switching between permissive, restrictive, or just plain weird licenses—and triggering backlash from the communities that helped them bring their technologies to market in the first place.

My very strong opinion is that founders in 2024 who want to develop out in the open cannot ignore this data. They have to build a long-term plan that recognises the predatory risk as well as the need to keep their communities fully engaged (more on this in 3b).

And if the result of that thought experiment is that they have to bootstrap for much longer, or raise more money to expand faster, or that open source is not a viable path—so be it.

Or, you could even create a new game. Take a look at Clause 2 of the Llama2 license from Meta:

Additional Commercial Terms. If, on the Llama 2 version release date, the monthly active users of the products or services made available by or for Licensee, or Licensee’s affiliates, is greater than 700 million monthly active users in the preceding calendar month, you must request a license from Meta, which Meta may grant to you in its sole discretion, and you are not authorized to exercise any of the rights under this Agreement unless or until Meta otherwise expressly grants you such rights.

By creating its own license with a commercial gatekeeping clause (effectively for hyperscalers), Meta is trying to keep #Llama2 within a Free realm for everyone who is using it for non-competitive (towards Meta) purposes. It's not really in the spirit of copyleft licenses, but it's an approach that acknowledges the risks that exist in the world that we live in, and arguably results in the same engaging experience for the community of contributors.

3b: What about the community?

Saving the best for last. All that was discussed here—a consistent license choice, building out in the open, being clear and transparent on your values—comes back to the most important thing, community. This isn't just about building in the most resilient, ethical, and efficient way; truly savvy commercial sponsors of open source understand that in the end, a strong community can be part of your competitive moat.

Any "shark" could take your open source software, fork it, rebrand it, and sell it off as a managed service with a slightly different name. But if you've invested in a community built around long-term relationships, clearly defined values, engagement mechanisms, a value exchange, clear and transparent governance—could that pay off in a big way? I think so. So ask yourself some tough questions—and then if you like the answers, go build the next Ubuntu community, or the next OpenTofu, and let's keep moving this ball forward towards a more Free world.
