India Should Think About Open Source Ecosystems
Software infrastructure is indispensable to our digital lives. Without it, we can’t run any of the applications, websites, or other cloud services present-day societies so heavily rely on. This infrastructure is made up of critical pieces of software, including software libraries, operating systems (OS), and web servers, to name just a few. The model of software that has been most widely adopted when it comes to these critical pieces is open-source software. For example, 85% of the world’s smartphones run on Android, the open-source mobile OS built on the open-source Linux kernel (a central component of a computer’s OS). Also, 60% of the world’s websites are run on the open-source Apache and Nginx web servers. A recent study also suggests that nearly 96% of commercial enterprises today use software that relies on open-source libraries (a suite of pre-written code that can be used to write software instead of starting from scratch).
Broadly speaking, software is called “open source” if its source code is publicly available. More specifically, open source software (OSS) refers to software published under an open source license, which allows the public to access, modify, and use the code in their own projects so long as that reuse meets the terms of the license. Unlike proprietary software licenses (whose goal is to maintain control over the copyrighted software and restrict its use by anyone other than its creators), open source licenses aim to grant others the right to legally use, modify, and distribute the code. While different open source licenses allow varying degrees of flexibility in how OSS may be used, their terms are more in the nature of obligations that promote transparency, collaboration, and attribution. It is also important to note that licensing software under an open source license does not hamper a user’s ability to use that software for commercial gain. Many popular OSS licenses (for example, the MIT license) are extremely non-restrictive: they allow users to incorporate OSS components within their own proprietary software, so long as the latter includes a copy of the original license.
Therefore, anyone — from multi-million dollar companies, to governments, to individuals — can freely use OSS components to build their own programs and applications. And a lot of people do just that. Although it is difficult to accurately quantify the exact value of OSS, a 2024 Harvard Business School working paper shows how companies would need to spend 3.5 times more on software than they currently do if OSS did not exist.
Like other developing economies, India has greatly benefited from OSS. India’s digital economy today is increasingly driven by factors including high smartphone penetration, an expanding mobile-app and digital-payments ecosystem, and the overall success of the country’s startup ecosystem. OSS has played an important role in bringing all of these to life. For example, the reduced costs associated with using open source mobile operating systems contributed to their wider adoption, allowing smartphones to be produced at more affordable prices. Nearly 95% of the smartphones used in India today run on open-source operating systems. Beyond its cost benefits, OSS is also an efficient and expedient model of innovation for IT companies across the board. The Government of India has also made extensive use of OSS building blocks in a number of public services; Aadhaar and DigiLocker are two of the more popular examples.
Open source software is, therefore, ubiquitous and deeply embedded in our digital infrastructure, and both public and private actors heavily depend on it. Given its criticality to digital activity and innovation, India should strive to be as involved as possible in supporting and contributing to the OSS ecosystem. To this end, India must first engage with two problems common to OSS ecosystems everywhere — fragility and security.
OSS is born out of open-source projects. These involve a range of supporting activities, are maintained by real people, and are capable of falling apart. The strength of an OSS ecosystem is therefore constantly shaped by its technical, social, and administrative dimensions. Firstly, “maintaining” OSS projects involves activities that go beyond purely technical work. In fact, three-quarters of core developers’ working time is spent addressing bug reports, installing security updates, reviewing code, and writing documentation. Secondly, there are people behind the projects. Open-source projects originate from within companies, communities of developers, or individuals. This is also one of the reasons why the support available to different open-source projects varies so much.
While Big Tech companies are the biggest funders of OSS projects, they tend to fund larger OSS projects or those they are directly involved with. In contrast, OSS projects with smaller developer communities around them can fall through the cracks, and are often maintained primarily by unpaid volunteers. However, it is often these smaller projects that maintain some of the most widely used pieces of OSS. For example, a study found that of 133 of the most actively used projects hosted on GitHub (a developer platform that allows code to be stored and shared), 64% (about two-thirds) relied on only one or two core developers for their maintenance and management. Such dependence on primarily unpaid volunteers who contribute to and maintain critical OSS projects or components as “labors of love” makes the OSS ecosystem fragile.
The problem of fragility can also be framed in terms of the ‘free-rider’ problem. In economic theory, the ‘free-rider’ problem is one where people derive benefit from goods or services but get away with either a) not paying for them at all, or b) not paying for them in a manner commensurate with the benefit they derive. If enough people come to enjoy the benefits without paying, over time one of two ways of thinking can take over — “If there’s plenty of supply, why should only I pay for it?” or “If there isn’t enough of it anyway, how will just me paying for it fix the problem?” Over time, the ‘free-rider’ problem runs the risk of such goods no longer being supplied very well (and, in extreme cases, not at all).
Because basic OSS components (which are akin to the nuts and bolts of software infrastructure) are a free resource that everyone can benefit from, and one that is not enjoyed to the exclusion of others, beneficiaries lack sufficient incentive to support the ecosystem, leaving it for someone else to do so. Such lack of support can then result in security problems within the ecosystem.
For example, on 29th March, 2024, a German software developer reported maliciously introduced backdoor code in XZ Utils (a popular OSS compression library used for making files smaller) which provided unauthorized remote login access. Had it gone unreported, the backdoor would have resulted in a cybersecurity breach impacting millions of people. In 2011, a security bug called ‘Heartbleed’ was included in an update to OpenSSL (a widely used open source cryptography library used to generate private keys and secure communications on a network), but went undiscovered for years, only to be found in 2014. In the intervening period, servers that made use of OpenSSL were exposed to the risk of attackers being able to access any hosted information, including sensitive information such as passwords.
In both instances, the OSS components that were impacted are widely used in web servers. Additionally, the core developers of both OSS components are primarily unpaid volunteers, and very few in number. In the case of XZ, the core developer maintaining the project did not have sufficient resources, in terms of time and money, to respond to complaints about the speed and performance of the software, and therefore added as a co-maintainer a contributor who had shown eager interest in the project over the course of two years. This same contributor was revealed to be the attacker behind the backdoor.
Any meaningful support and contribution to the OSS ecosystem from India will, therefore, have to touch upon these two concerns.
Thank you for reading. Have a great weekend. As always, for any questions or suggestions, please write to us at digitalrepublic@evamlp.com.
Best,
Shruti Mittal