The music industry is where the concept began: Selling out was the end of your art, because big-money, big-label record deals would have to appeal to a wider, watered-down audience. Compromises would have to be made. This led to artists being accused by their early, rabid fans of selling their souls for money. But what happens when you sell your underground open-source project, and yourself, to a corporation?
The story is a familiar one in the software development industry, and there is one large company that has gobbled up more open-source companies in the past four years than any other: Oracle.
Indeed, if this were the music industry, Oracle would be the giant record label sucking the cool out of the band. Oracle’s acquisitions of Java, MySQL and dozens of other projects (most of them through its purchase of Sun Microsystems) have often been fraught with complaints from the projects’ everyday users.
Case in point: the Hudson project. When Oracle took the reins after its acquisition of Sun Microsystems, there was an almost immediate forking of the technology to keep it running outside of Oracle’s influence. The Jenkins project picked up where Hudson had left off in the open-source community.
It’s now been three years since that split occurred, and according to Hudson (and Jenkins) creator Kohsuke Kawaguchi, the numbers show that Jenkins has clearly taken the mindshare from Oracle’s Hudson.
According to a survey done by ZeroTurnaround and released in February, the difference between Hudson and Jenkins shows a clear winner in the split: Jenkins. Over a 12-month period, the survey found, Hudson had 500 code commits while Jenkins had 1,200. Jenkins had 298 developers contributing code to the project, while Hudson had only 10. The contrast even shows up on Twitter, where Jenkins has 8,060 followers and Hudson only 1,176.
Simon Maple, ZeroTurnaround technology evangelist, said the pattern of forking and moving on repeats whenever a project is swallowed by a larger organization that the community feels isn’t focused on its needs. This, he said, is how the community fights back when a less-than-philanthropic company takes over coding duties for an open-source project. As an example, he cited Vert.x, the event-driven application framework now hosted at the Eclipse Foundation.
Vert.x was created by Tim Fox while he was at VMware. His recent move to Red Hat raised concerns over ownership of the project’s copyright, since VMware owned the code Fox wrote while in its employ.
“When Tim Fox moved from VMware to Red Hat…there was a lot of talk about forking the Vert.x project, and how that would affect the original project,” said Maple. “Although Vert.x and Jenkins are very different, it was very interesting following that to see the comparisons between the two.
“What happened with Jenkins and Hudson meant that the Vert.x community were fine to have a fork if that’s what everyone wanted to do. They realized there’s a massive chance of the same thing happening because…the Jenkins/Hudson split has shown what’s possible in a community.”
Rehabilitating illegal tools
In 2003, HD Moore decided it was time to improve exploit implementations for security audits. While exploits are released for dozens of systems every week, these bug reports typically amount to some sample code and a description of how to use it. That wasn’t enough for Moore.
Moore wanted to build a better gun in which exploits would become customized bullets. After a few years of work, by 2006, the Metasploit Framework was already the hottest tool in the hacker community. Its ease of use and wide variety of dangerous payloads made it the darling of script kiddies and professional hackers alike. As Moore said at the time, “Metasploit both raises and lowers the bar.”
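The “gun and bullets” split is the architectural idea behind the framework: an exploit module owns the delivery (the offset to overwrite, the return address, how much room there is and which bytes the target will not accept), a payload module only produces bytes, and an encoder sits between them so that any payload can ride any exploit. The Ruby sketch below is an added example written for this article, not Metasploit’s own code; the registry, the `toy/overflow` layout, the 192.0.2.10 address and the placeholder payload bodies are all constructed, and nothing real is targeted.

```ruby
# Added toy illustration of the exploit/payload split. Hypothetical
# mini-framework modelled loosely on Metasploit's module layout; none of
# it is Metasploit's own code, and no real target or vulnerability exists.
module MiniMsf
  # Module registry keyed by type and name, like "exploit/..." paths.
  class Framework
    def initialize
      @modules = Hash.new { |h, k| h[k] = {} }
    end

    def register(type, name, klass)
      @modules[type][name] = klass
      self
    end

    def use(type, name)
      @modules[type].fetch(name) { raise ArgumentError, "no #{type}/#{name}" }.new
    end

    def count(type)
      @modules[type].size
    end
  end

  # Payloads only produce bytes; they know nothing about delivery.
  class ReverseTcp
    def initialize(host: "192.0.2.10", port: 4444) # constructed documentation address
      @host, @port = host, port
    end

    # Constructed placeholder body plus the connect-back address (contains a
    # 0x00 byte, which is why an encoder is needed). Real payloads are machine code.
    def generate
      "STUB-CONNECT" + @host.split(".").map(&:to_i).pack("C4") + [@port].pack("n")
    end
  end

  class BindTcp
    def initialize(port: 4444)
      @port = port
    end

    def generate
      "STUB-LISTEN" + [@port].pack("n")
    end
  end

  # Encoder: single-byte XOR with the key chosen so the output (key byte
  # included) avoids the exploit's bad characters.
  module XorEncoder
    def self.encode(bytes, bad_chars)
      (1..255).each do |key|
        out = [key].pack("C") + bytes.bytes.map { |b| b ^ key }.pack("C*")
        return out if (out.bytes & bad_chars.bytes).empty?
      end
      raise "no single-byte key avoids the bad chars"
    end

    def self.decode(encoded)
      key = encoded.getbyte(0)
      encoded.byteslice(1, encoded.bytesize - 1).bytes.map { |b| b ^ key }.pack("C*")
    end
  end

  # Exploits own the delivery: size limit and bad chars are properties of the
  # target, so the exploit refuses any payload the delivery cannot carry.
  class Exploit
    attr_reader :space, :bad_chars

    def initialize(space:, bad_chars:)
      @space, @bad_chars = space, bad_chars
    end

    def validate!(payload_bytes)
      raise ArgumentError, "payload #{payload_bytes.bytesize} > space #{@space}" if payload_bytes.bytesize > @space
      clash = payload_bytes.bytes & @bad_chars.bytes
      raise ArgumentError, "payload contains bad chars #{clash.inspect}" unless clash.empty?
      payload_bytes
    end
  end

  # Hypothetical stack-overflow layout: filler up to the saved return
  # address, a constructed return address, then the encoded payload.
  class ToyOverflow < Exploit
    OFFSET = 64
    RET = [0xdeadbeef].pack("V") # constructed, not a real address

    def initialize
      super(space: 200, bad_chars: "\x00\x0a\x0d")
    end

    def build(payload_bytes)
      "A" * OFFSET + RET + validate!(payload_bytes)
    end
  end

  # One exploit, two interchangeable payloads: returns { name => buffer }.
  def self.demo
    fw = Framework.new
    fw.register(:exploit, "toy/overflow", ToyOverflow)
      .register(:payload, "shell/reverse_tcp", ReverseTcp)
      .register(:payload, "shell/bind_tcp", BindTcp)
    exploit = fw.use(:exploit, "toy/overflow")
    %w[shell/reverse_tcp shell/bind_tcp].map do |name|
      raw = fw.use(:payload, name).generate
      [name, exploit.build(XorEncoder.encode(raw, exploit.bad_chars))]
    end.to_h
  end
end
```

The point of the layout is that adding a payload never touches an exploit and vice versa: `ToyOverflow` only knows its offset, return address, space and bad characters, the payload classes only know how to emit bytes, and the encoder is the piece that makes an arbitrary payload fit an arbitrary delivery constraint.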
In 2009, Moore was approached by Rapid7, a Boston-based security firm. The company wanted to hire Moore and productize Metasploit, and it acquired the project that October. He agreed, and for the past three years Metasploit Pro has been selling like hotcakes.
But in a world where the rules of engagement for punk musicians and the hacker underground are remarkably similar, what happens when you take your punk-rock application and sign up for distribution with Warner Bros. Records?
Oddly enough, Moore said that the experience has been transformative for the project. Chief among the reasons Metasploit has survived corporate takeover is the exact reason many open-source projects aim to found a company: resources.
“We were doing about five to 10 exploits per month and only having 150 unique exploits. Since then, we have over 1,000 exploits, and we add one a day. Sometimes we add two or three a day,” he said.
That comes from having a team dedicated and paid to update and expand the capabilities of Metasploit. “We pay for open-source development by producing a commercial product,” said Moore. “If you look at the framework, it’s a bag of tools. The product is one-click, and 30% of your penetration test is done. Mostly, we have a QA group—a commercial development team—which provides for Metasploit Pro and Express. Then we have a framework team that works on the core and then exploits.”
That’s a lot more developers than Moore had when the project was just him and some friends on IRC. In total, he said he was thrilled to have 20 developers working full time on the project.
“It’s more than I ever planned for. I’m very happy it happened,” he said. “Every metric has been through the roof, and we did it without alienating our open-source community. We keep trying to walk the line between providing things on the penetration-test side and the open-source side, but the hardest part has been trying to find the right balance. This is as good as it gets for the open-source hybrid approach.”
Perhaps what’s more interesting about Metasploit’s acquisition isn’t the fact that a corporation decided to embrace and productize an open-source product, but rather the fact that a corporate entity was willing to invest in what was, without a doubt, one of the most powerful hacking tools available.
“The commercial market for these types of tools has become more relaxed,” said Moore. “We had a lot of pushback saying, ‘Bad people could use this!’ We’d already gone through six years of this battle in open source. We’ve made the case for disclosure, but that war has basically been won. It’s great to say I’ve spent the last 10 years working on Metasploit and I’m not in jail yet.”