February 2, 2020

    The Case for Company Stewardship of Open Source Projects

    Sometimes the smallest decisions lead to big outcomes.

    In 2002, I started to play around with code that could compress and optimize mobile apps. Eventually, that code became ProGuard, an open source app optimizer built on Java. Little did I know that my hobby would take off, with adoption by companies like Facebook, Google, and Sun Microsystems.

    Today, ProGuard has been downloaded more than 1 million times as a standalone project from Sourceforge, and it is downloaded around 20,000 times a day as the long-time optimizer in Google’s Android SDK. In fact, ProGuard is the inspiration behind Google’s R8 compiler.

    Building ProGuard gave me a direct view into how powerful open source code can be when it comes to solving problems. Ultimately, the interest I saw in ProGuard led me to found our company, Guardsquare, which now serves as the sponsor and steward of ProGuard.

    The Value of Open Source

    Open source is huge. According to GitHub’s 2019 State of the Octoverse Report, 35 of the Global Fortune 50 companies contributed to open source via GitHub’s platform. And, by GitHub’s 2019 estimate, some 40 million people contribute to open source on their platform alone.

    ProGuard is just one example of the billions of lines of open source code that underpin some of the world’s biggest technology products and companies. Over the last decade, individual coders and corporations have created valuable code and shared it freely for anyone to use. Today, even huge public tech companies like Google and Facebook rely heavily on open source code. They also contribute back to the community with their own open source projects.

    Open source stewardship is the duty of technology companies to give back to the tech ecosystem. We all benefit from beautiful code that is well-managed and open. Sometimes, the relationship between creators and the community can be tense, as we saw from the recent Rust discussion. But when this relationship works well, it benefits both individual contributors and companies.

    However, maintaining an open source project is a lot of work. It’s truly a labor of love, even when the sponsor or maintainer is a corporation like Google or Facebook. This is non-trivial code. It represents thousands of hours of work. Despite the incremental hours, there are many benefits of corporate sponsorship, both for the company and the open source community. Let’s explore these in more detail.

    Users Flag Features You Never Thought to Create

    For Companies: Software is complicated, and external users have more creative and varied uses for a piece of code than anyone could anticipate in design and testing. As the steward of the ProGuard open source project, I receive many interesting requests for use cases I never imagined. These requests lead us to update and improve the code.

    For Open Source: For the creating company, the benefit of starting and steering an open source project is usually obvious: The product gets better and better. There’s a big benefit for the developers using the open source code, too. They benefit from hundreds if not thousands of others who downloaded the open source code for free, used it, and flagged helpful potential features.

    Thought Leadership and Community Building

    For Companies: Developers often work collaboratively. While most users of open source use code without commenting or contributing changes, there are many active participants. As the steward of an open source project, companies can work to build community. They will also naturally come to understand what their potential audiences want from both non-commercial and commercial products. Take, for example, MongoDB—their open source database is used by large and small tech companies around the world for free, but MongoDB still operates a for-profit company with other offerings.

    For Open Source: From the open source community’s perspective, this corporate stewardship of open source projects also has benefits. A corporation can organize and fund projects, devoting employee time and company resources to improving and developing new code. Companies can often devote resources to open source that would be difficult for individual contributors to sustain.

    For example, at Guardsquare, our Android team splits time between DexGuard (Guardsquare’s paid, proprietary product for that operating system) and ProGuard. These are employees we pay, but a significant portion of their time also goes to benefiting the open source community. When a well-funded corporate sponsor is shepherding updates and constantly developing new features, the quality and usefulness of the open source code remains high.

    Increased Security and Faster Bug Fixes

    For Companies: No matter how rigorous the testing, all code hits bugs once it enters the real world. Some people say “many eyes make bugs shallow,” meaning that the more people who review the code, the easier it is to find bugs. You would be hard-pressed to find a way of getting more eyeballs on code than to open source it.

    Every day, hundreds if not thousands of developers look at open source code. If they spot an issue, they will flag it to the community steward. In fact, GitHub’s 2019 State of the Octoverse noted that over 7.6 million security alerts were addressed by developers and others from the community. This is hugely valuable, as any one corporation’s developers will have many other projects to review. For example, Google has mobilized their open source community by starting to pay developers to find bugs in Kubernetes.

    For Open Source: While there is no guarantee that a bug or security issue will be caught quickly, more people reviewing code is a good thing. Of course, bad guys can find vulnerabilities, too. Take, for example, the Heartbleed issues in 2014. Still, open source software overall becomes more resilient the more widely it’s used.

    There’s an expression: A rising tide lifts all ships. Open source code started as a trickle, and then became a gush, and is now a massive rising tide that has lifted many, if not all, companies who rely on technology to greater heights. As more companies take stewardship of open source code, software will become more and more advanced. It seems counterintuitive to generate valuable IP and then give it away for free. But there is great value in it on all sides.


    Eric Lafortune - Creator of ProGuard
