AWS hits back at open source theft allegations

Amazon Web Services (AWS) has accused the New York Times of publishing misleading information, after the newspaper published a 3,000-word article on the public cloud giant’s misuse and exploitation of open source.

During 2019, there have been a number of reports about how open source software providers have had their business models undermined by AWS taking the free version of their software and making it available as a fully managed cloud service.

The New York Times article describes how, in 2015, AWS copied and integrated open source software from Elastic into its new Elasticsearch service. This effectively meant that Elastic was competing with AWS to offer a managed service, based around the open source software it had spent time and money developing and supporting.

As Computer Weekly has reported previously, MongoDB and Redis have both changed their products to differentiate between the freely distributed version and a licence that explicitly covers organisations that want to use the product in a managed service.

In February, Ofer Bengal, founder of Redis, told Computer Weekly: “We were the first company to come up with a semi-open source licence.” Its Redis Source Available Licence applies to any organisation building a database engine based on Redis.

In October 2018, Eliot Horowitz, chief technology officer and founder of MongoDB, changed the open source licensing used for MongoDB to reflect the risk of the company’s service revenue being gobbled up by public cloud providers. In response, AWS introduced a MongoDB-compatible service, DocumentDB, in January 2019.

Although an open source software product is generally free, open source companies tend to build revenue by charging a support fee to enterprises that want to use the software. This fee mirrors commercial software maintenance contracts, providing customers with updates and bug fixes.

This may cater for some customers, but the software still needs to be installed and managed in the customer’s datacentre. However, with the availability of public clouds and, in particular, AWS, open source software providers have been able to develop new business models, based on offering a fully managed service for their products, where the software is hosted on AWS instead of within a customer’s datacentre.

The New York Times spoke to a number of industry experts who claimed that AWS was undermining open source projects by “strip-mining” developers’ open source code onto the AWS platform as a service. In doing so, AWS is able to offer software that it claims is compatible with the original open source project, but fully managed as a service in the AWS cloud.

Heikki Nousiainen, CTO and co-founder of Aiven, said:“There has been a shift in the monetisation of open source in recent years. After large cloud providers started to offer the same services as open source software providers, the original business models of open source were put at risk.

“However, in the end, it is the users who are dictating what the future will hold – and these users have a strong preference for true open source technology and look for licences that reflect the tradition set forth by open source.”

In his “setting the record straight” blog post responding to the New York Times article, Andi Gutmans, vice-president, analytics and ElastiCache, at AWS, wrote: “Open source projects enable any company to utilise software on-premises or in the cloud, and build services around it. AWS customers have repeatedly asked AWS to build managed services around open source. As we shared with the author, the argument that AWS is ‘strip-mining’ open source is silly and off-base.

“AWS contributes mightily to open source projects such as Linux, Java, Kubernetes, Xen, KVM, Chromium, Robot Operating System, Apache Lucene, Redis, s2n, FreeRTOS, AWS Amplify, Apache MXNet, AWS SageMaker NEO, Firecracker, the OpenJDK with Corretto, Elasticsearch, and Open Distro for Elasticsearch. AWS has not copied anybody’s software or services.”

Many of the projects aim to make it easier for developers to build on top of AWS services. SageMaker is its machine learning cloud service; Greengrass extends the AWS cloud to the internet of things (IoT) edge and Firecracker is its kernel virtual machine.

However, the s2n project is an open source implementation of the TLS encryption protocol, which AWS made publicly available under the terms of the Apache Software License 2.0. 

By comparison, IBM has been a major contributor to open source and the Java ecosystem. It spent $31bn on acquiring Red Hat this year. Google is known as the original developer of Kubernetes and MapReduce, while Microsoft spent $7.5bn to acquire GitHub in 2018.

In April, Google Cloud CEO Thomas Kurian talked at length about the important role open source and supplier partnerships will play in its bid to win more customers in the enterprise space. Similarly, Microsoft has shifted from being known as the company that makes Windows, to one that supports and contributes to the open source community.

Enterprises’ expectations of the public cloud have matured. No one really wants to risk being locked into the products and services of a single IT provider. Organisations are increasingly looking at hybrid and multi-cloud deployment options for enterprise applications to avoid lock-in and de-risk their IT infrastructure. According to some delegates at the recent AWS Re:Invent conference, AWS avoided any references to multi-cloud, discouraging its business partners from mentioning rival cloud offerings.

It may seem logical to buy into the AWS strategy of being able to supply all enterprise IT requirements from a single public cloud platform, but the reality is that enterprise IT increasingly runs across a complex, heterogeneous environment. Even for a CIO who is comfortable to deploy most enterprise applications on AWS, the open source software companies provide a way to limit the risk of being locked into a single supplier.

Paul Miller, a principal analyst at Forrester, said: “Some try to maximise flexibility and choice by only using the most basic features of their chosen cloud. They will rent storage, compute and networking from the cloud provider, but then install and manage everything else themselves. They will select a database and install it on their rented bit of the cloud; they will select a firewall and install it on their rented bit of the cloud.

“This approach makes it relatively painless for them to move from one cloud to another, or from the cloud back into their own datacentres. But it requires teams of knowledgeable staff, it slows down the development of applications, and it means they are not benefiting from most of the R&D effort that all of the cloud providers pour billions of dollars into.”

According to Miller, the fastest-possible time to market for a new application means accepting some of the proprietary features of the preferred cloud provider. “Achieving the greatest level of flexibility means accepting that your applications will take longer to develop, and your cloud management teams will need to be larger,” he said. “Both of these are perfectly OK, if they are informed decisions.”