Depending on where you stand, 2016 was either the best year ever for open-source software, or it was a year of controversy and danger. While it’s undeniable that 2016 saw more contributors to open source and more open-source projects than any prior year, it’s also true that this was a year of strife for communities, developers and users alike.

Chief among those problems would have to be the Dirty COW local privilege escalation attack, a major vulnerability that seems to have been hiding inside the Linux kernel for the past nine years. The discovery of this exploit isn’t necessarily a knock against open-source software as a whole: The bug might never have been found if the sources weren’t also available.

The Dirty COW bug, however, highlighted one of the most difficult problems challenging open-source software ecosystems, and one that in particular affects Android. How does one even begin to comprehend how to patch this hole across the Android ecosystem? With billions of Android phones out there, and a huge number of them no longer supported or updated by their manufacturers, it would appear that the Dirty COW will be a going concern in Android until the heat death of the universe.

This is just another part of the perpetual fragmentation problems Android has had to deal with from day one. It’s a dramatic difference from the world of servers and desktops, where patches were issued within a month of discovery. Here, Linux has solidified into a reliable platform with long-term support vectors and emergency patch routines and channels. But the Android ecosystem doesn’t even have a concept of long-term support.

Elsewhere in the open-source world, the Apache Foundation pushed Jonathan Ellis out of his position as chair of the Apache Cassandra Project. While Ellis’ involvement with the project will in no way decrease, the move was indicative of a larger concern within the Foundation over increasingly blurry lines between commercial enterprise software offerings and their open-source, free counterparts under its jurisdiction.

Even the Free Software Foundation saw some waves of controversy this year, with its general counsel Eben Moglen stepping down on Oct. 27 and leaving a vacancy still unfilled in the position. While he did not respond to requests for comment, multiple sources have intimated that his departure came at the behest of Richard Stallman himself, who felt Moglen was no longer in sync with the Foundation and movement. Moglen had been the FSF’s general counsel for more than 20 years.

Fortunately, 2016 also saw some major updates to open-source projects. Open-source efforts in the JavaScript world, such as Angular 2, Node.js and Meteor, all grew and expanded their feature sets in 2016.

Yet in keeping with the theme of controversy in 2016, Node.js had its own problems. When left-pad, an 11-line bit of code in the NPM repositories, was removed due to its developer becoming irate, it broke thousands of applications around the world, some of them mission-critical.

For 2017, you can expect the Node.js and NPM community to continue to mop up after this embarrassing failure. In fact, NodeSource has already taken up the reins by offering an enterprise-focused service that blesses NPM packages as worthy of corporate use.

Still, no amount of controversy or success could cover up the biggest open-source news of 2016: Microsoft. In the past, Microsoft had been outright hostile to open source. Even its attempts to make up with the open-source world were ham-fisted, like the company’s CodePlex efforts in 2008, which created what it called an “open-source museum” of look-but-don’t-touch software.

Today, however, Microsoft is a veritable pillar of the open-source community. Whether it’s supporting Linux on Azure, or building the next revisions of C# and the .NET platform in the open-source community, Microsoft’s movement to open source has to be the biggest and most dramatic story of the year.