The slow decline of the open source startup

Welcome to Runtime! Today: why Redis's latest licensing move marks yet another break with longtime open-source practice, GitHub thinks it can plug your code's security flaws, and the latest moves in enterprise tech.


Sourcing issues

Enterprise software companies built around open-source software projects have been backing away from traditional, permissive licenses for several years now, making it clear that the vibrant open-source ecosystem that spawned an explosion of innovation over the past decade might have been just another ZIRP phenomenon. Redis, one of the first companies to move in that direction, ended its open-source era this week.

Going forward, the Redis Source Available License or the Server-Side Public License will govern all future versions of Redis, the company announced Wednesday. Both of those licenses are known as "source available" licenses, which means they allow users to inspect the code and use it as they wish for personal or internal projects but prohibit companies from using the code to provide commercial services that compete with Redis.

  • Redis had already implemented those licenses for what it calls "modules," or packages of code that add enterprise-grade functionality to the core Redis project, which until Wednesday was available under the Berkeley Software Distribution license.
  • "Future Redis source-available releases will unify core Redis with Redis Stack, including search, JSON, vector, probabilistic, and time-series data models in one free, easy-to-use package as downloadable software," said CEO Rowan Trollope in a blog post.
  • Cloud providers will have to obtain a license to sell managed versions of the core Redis project, and the company announced that Microsoft has already agreed to pay for such a license.
  • Redis customers that are already paying for its commercial version won't see any changes.

Like MongoDB, Elastic, and HashiCorp before it, Redis wants to ensure that it will be the only company allowed to monetize the core Redis project.

  • Most enterprise companies built around open-source projects wrote the vast majority of the code that goes into those projects.
  • Those companies are under increased pressure from their investors to see a return on that expenditure, but the permissive licenses that were almost standard-issue over the last decade allowed anyone to take that code and build a revenue-generating business around it.
  • Companies released their code under those types of licenses for several reasons: they wanted potential customers to test drive the basic features without forcing a commitment, they wanted the marketing goodwill associated with being "free," and they wanted to look like outsiders challenging the status quo of closed software.
  • When growth was the north star of enterprise software investing, that approach worked quite well. Now that revenue is harder to find and profit has become paramount, it does not.

It's getting hard to understand why any company should consider using open-source software released under a traditional license by a venture-backed startup.

  • Companies that decide to retract their permissive licenses always complain that the Big Three cloud bogeymen forced their hand.
  • But it seems inevitable that smaller cloud software companies who don't directly compete with Redis and used the open-source project in good faith could be exposed to legal action if they continue to use source-available Redis, given that some of these newer licenses haven't really been tested in court.
  • That is, of course, the point: most of those companies will likely choose to avoid the legal confusion and pay Redis for a commercial version.
  • Companies that want to use traditional open-source projects now face a choice between company-driven efforts that innovate quickly but could change their licensing overnight and foundation-led projects, which move slowly but promise stability.

Plumbing-as-a-service

It's hard to think of a company that has benefited more from the generative AI boom than GitHub, which took advantage of the Microsoft-OpenAI partnership to build the widely used GitHub Copilot coding assistant. Now it wants to help developers not only write code, but spot and plug the security holes in their code before they turn into a problem.

The company released "code scanning autofix" to GitHub Advanced Security customers as a beta on Wednesday. "When a vulnerability is discovered in a supported language [JavaScript, TypeScript, Java, and Python], fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss," GitHub said in a blog post announcing the new feature.

In the early days of generative AI, security professionals weren't entirely sure whether the offensive or defensive capabilities of the technology would gain the upper hand. Automated code scanning seems like an easy win for defenders, assuming it works in production and developers treat it as a helpful assistant rather than a crutch.


Enterprise moves

Paul Cormier, Red Hat's former CEO and current chairman, will retire at the end of the month.

Lorenzo Martinelli and Trevor Lanting are the new chief revenue officer and chief development officer, respectively, at D-Wave Quantum.

Stephanie Cohen is the new chief strategy officer at Cloudflare, joining the company from Goldman Sachs.

Paul Farrell is the new chief product officer at SugarCRM, following almost six years in product management at Oracle NetSuite.

Becca Toth is the new senior vice president and chief marketing officer at Hyland, after more than a decade inside the content-management company's marketing division.

Gee Rittenhouse is the new leader of AWS's enterprise security services business, following two years as CEO of Skyhigh Security.


The Runtime roundup

Microsoft paid Inception shareholders $650 million in order to poach basically the entire company for a new consumer AI division, according to The Information.

Astera Labs is worth almost $10 billion after a successful IPO on Wednesday, underscoring demand for new hardware as companies rebuild data centers around AI workloads.

IBM acquired Pliant, a networking and infrastructure automation startup that had raised $15 million.

Google Cloud will build a new data center complex in Kansas City, Miss., with plans to invest $1 billion in the region.


Thanks for reading — see you Saturday!
