Introduction
- Thought Leadership: 2022, A Year in Review
- Thought Leadership: Creative Destruction & Open Technology
- Thought Leadership: The Open Source landscape
Literature Review
- Open Source Software Reporting in 2022
- Adoption of Open Source Software
- Focus on Downloads: SCARF
- Focus on Contribution: The OSCI by EPAM & The French Institute of International Relations
The Updated Figures
- What the Octoverse tells us
Global Legislation and Geopolitics
- GeoPolitical Impact of Open Source Software
- Potential opportunity for a centre of excellence
Security
- An ever increasing focus
- The Cyber Resilience Act
- UK consultation on security, released on 6 February 2023, and what it includes
- The US driving the conversation
- Thought Leadership: Security Landscape Update
- Thought Leadership: A view on Sustainable Security from the Rust Foundation
Sustainability
Conclusion
- Contributors
- About the Creators of this Report
- Methodology
- Acknowledgements
- References
Introduction
Thought leadership:
2022, a year in review
Amanda Brock
CEO, OpenUK
OpenUK’s State of Open reports began in 2021¹ and have taken both a well-received and ground-breaking approach to reporting, pushing boundaries further each year in the pursuit of quantifiable knowledge about open source software and building an evidence-based approach. This year we are again refining our process further. We start the process with this overview of 2022 (with the odd peek into Q1 of 2023) as Phase One of this year’s report.
We will build Phase Two in June and Phase Three in September from a survey in May, designed to obtain the base data required to update the economic impact of open source software in the UK. From this we may also build a view of possibilities for the future development of this.
My key take-away from the information OpenUK shares in this Report is that the UK sits in the number one position in Europe in terms of GitHub accounts. This has become the traditional – if fallible – measure of open source software developers, referred to as “developer accounts”. The UK was Number One in Europe and Number Five globally in terms of these developer accounts as of October 2022². By January 2023 the number of accounts went over three million.
This means that the UK starts 2023, with 4.5% of the UK population holding a GitHub account – higher per capita than any other country in the world. This figure substantiates our view of the UK as a global leader in open source software through contribution and number of developers.
This concept of leadership through contribution, together with contribution to the ecosystem, digital public goods and paying maintainers, will be considered across the phases of this year’s report alongside the economics of Open Source Software.
Our first annual State of Open Con took place in the Queen Elizabeth Conference Centre in February. The outputs of this conference will also form part of our 2023 reporting. We intend to build a distinct document around the business of open source software, as well as our State of Open Reports including case studies from UK based businesses in Phase Two and onwards. All phases will include Thought Leadership.
You will not have escaped the hype around AI, what with the onslaught of Generative AI and ChatGPT related data crossing our inboxes and the UK’s draft AI Bill. These will inspire an AI focus to Phase Two, taking a detailed review of the impact of AI on Open Source and Open Source on AI.
The ongoing discussion of security in a digital world at a policy level will provide focus for a Phase Three in the early autumn. Our UK Consultation on Security comes to an end on 1 May and the consultation itself indicates a more appropriate approach to security and open source software than Europe’s disastrous Cyber Resilience Act. The global landscape is critical, and a greater consideration of the US approach, “In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation”, whilst touched on in this Phase One, will also be included in future phases.
All of the work across our Phases in 2023 will demonstrate the place of the UK as a global power in Open Source Software technology, its leadership in Europe and the economic impact this has on the UK economy.
Our Survey will hit your inboxes in May and we very much need your input into this to allow for this economic analysis.
Thought leadership: Creative Destruction and Open Technology
A combination that drives innovation for good
Professor Eleanor Shaw OBE,
Vice Principal, University of Strathclyde
The Austrian economist Joseph Schumpeter coined the phrase ‘Creative Destruction’ in 1942³ to describe the impact of innovations in capitalist economies. While his views have been much debated, they have been hugely influential on free-market economists and economies globally.
Creative destruction is a provocative term for the idea that in free markets, creativity and innovation lead to new products, services, business models, processes, even views and opinions that ‘destroy’ existing ways of doing things, replacing them with new, improved and often very different alternatives. Schumpeter rightly identified entrepreneurs as drivers of innovation – individuals who spot market opportunities and go on to exploit these through technical, organisational, and other innovations.
Since 1942 our world has changed in unimaginable ways, often driven by innovations that have simultaneous positive and negative impacts. The birth of online streaming services, led by Netflix have, on the one hand expanded the range of onscreen entertainment for billions while, on the other, contributed to the demise of video rental stores and challenged the programming structure of publicly funded providers including the BBC. Likewise, e-commerce giants Amazon have expanded consumer choice and convenience while also being responsible for the closure of local independent shops, making many UK highstreets into ‘ghost towns’.
Away from these well documented examples of the mixed effects of creative destruction, there are multiple instances of innovations delivering numerous benefits for individuals, communities, and societies by improving their health, education, and wellbeing; ultimately enhancing their standard of living. The potential for innovations to be a force for good – to address climate challenges, improve food security, reverse the loss of biodiversity, and many more complex, difficult but very real problems, is enormous.
With the improvements that technological and digital innovations have made to the opening of data, software, and coding, this potential is a real and present opportunity in which entrepreneurs globally are fully engaging to address inequalities, exclusion, poverty, and problems and challenges that have endured for decades, if not centuries.
What distinguishes the innovations created through access to open technology is that they are driven by and achieved through collaborations at all levels: regional, national, and global.
The combination of an abundance of pressing problems, open technologies, and individuals, communities and organisations with an entrepreneurial mindset focused on discovering innovative solutions through collaboration, through the building of innovation and entrepreneurial ecosystems and clusters, and the open sharing of knowledge, data, expertise, contacts, R & D, and other resources essential for innovation for good, has the very real potential to drive transformational, life changing, lifesaving changes.
A superb example of this is the Mojaloop payment platform, spun out of the Gates Foundation, allowing payment infrastructure to be created in emerging markets whilst local communities engage in learning how to contribute: not simply providing a resource but providing skills for the future.
On the open data front, HUB Ocean is an independent, non-profit, non-compete foundation that provides a partner community by developing a ground-breaking data platform, applications, and tools to pilot new approaches to ocean governance. Their mission is, ‘To change the fate of the ocean by unleashing the power of data, technology and collaboration’. HUB Ocean has joined the World Economic Forum’s C4IR Network (Centre for the Fourth Industrial Revolution) and their vision is to become the world’s data collaboration hub. They seek to unlock the power of data, collaboration, and technology by facilitating collaborations between scientists, governments and industries and catalysing innovation through open access to combined data across all sectors made available on their Ocean Data Platform⁴, which makes it possible (and easy) to share, collect, store and work with ocean data. Another example is provided by the recently launched Gender Index⁵ – a live, interactive tool that maps every single active UK company (totalling 4.4 million) in every county, region, Local Economic Partnership, and local authority in real time. Providing free, open access to data on gender, regions, sectors and investment, it is a ground-breaking, first-of-its-kind platform which provides data (concrete evidence) that highlights women’s under-representation in entrepreneurship and is providing practitioners, policy makers and academics with access to evidence to help them better understand the composition of the UK’s business base and inform policies, interventions and actions that can grow women’s participation in business ownership.
Like OpenUK, these and other examples of open source software and open data platforms and the sharing of and free access to open source software, open data, and open hardware, are reliant on collaboration and community and are case studies of the innovations made possible when we collaborate together within and across entrepreneurial ecosystems.
By putting in place the necessary legislation and regulations to support these types of innovative collaborations, and by educating governments, markets, organisations, scientists and communities about the multiplier and synergistic benefits of open technologies, creative destruction as a force for good can grow and prosper.
Understanding the nuances of entrepreneurship and business growth in this ecosystem is a dark art, and one which is not yet well documented or built into the curriculum despite the increasing growth of open source software to a point of normalisation and the use of open data becoming increasingly prevalent across our services today.
With this in mind The University of Strathclyde has supported OpenUK’s State of Open Con 23 in hosting an Entrepreneurship room engaging with founders of open source software businesses and will be building a MOOC, “The Business of Open Source” by OpenUK in association with The University of Strathclyde.
Thought leadership: the Open Source landscape
James Governor,
Founder and Analyst, Redmonk
A few months ago GitHub announced that it now has 100 million users⁶. Having set a goal of 100m developers by 2025 back in 2019, it has blown through its prediction quite easily. Which makes early 2023 a particularly good time to run a conference about open source and open approaches to software development – see State of Open Con 23⁷.
According to Thomas Dohmke, GitHub CEO:
“Today, developers are no longer just people building software for technology companies. They’re an increasingly diverse and global group of people working across industries, tinkering with code, design, and docs in their free time, contributing to open source projects, conducting scientific research, and more. In 2015, almost a third of developers on GitHub were from North America. Today, some of the fastest-growing regions are far away from the U.S., for example, in Southeast Asia, Africa, and South America. In India alone, more than 10 million developers use GitHub to build software. And in Brazil, over 3 million new developers use GitHub.
This global exchange of ideas is helping democratize who a developer is, what they work on, and where they live. Developers today are committing code, contributing documentation, and building new solutions to solve new problems on a global level.”
Even given significant caution about counting every GitHub user as an individual developer, these numbers show really impressive growth and traction. I have written before about the difficulty of counting and estimating developer populations⁸, but GitHub user growth is as good a proxy for real developer growth as any. I have been assuming the world developer population will hit 100m in about 2029. No clever stats, just fairly conservative compound annual growth of about 15% would get us there.
What is obvious, and becomes clearer every day, is that Open Technology generally, and Open Source specifically, drive community growth and adoption. They are accelerators. Open Source makes platforms accessible, makes learning accessible, ideally makes people and communities more accessible. Open Source also drives positive economic outcomes and growth. Show me a geography with strong growth in Open Source adoption and I will show you an economy with a thriving tech ecosystem. That’s certainly the case in the UK – London is ranked number two for start-up activity globally in numerous studies including the Startup Genome Project⁹.
The UK also leads Europe in Open Source activity, according to GitHub. Open Source activity and economic growth go hand in hand. Sit at a desk at any start-up with the engineering team and you’re going to hear the team talking about Open Source Software projects and products – that’s how they do their work.
The cloud is bigger than Open Source, but couldn’t exist without it. All those SaaS, consumer apps and developer infrastructure services you use daily – all built with Open Source technologies and methods.
Open Source ate software development before software ate the world.
The Open Technology economic flywheel is also increasingly obvious globally.
I would argue that we couldn’t see the explosive growth in tech in African countries without Open Source Software. In fact I did, in this piece Projecting Africa: software growth, ecosystems and the future arriving¹⁰.
Open Source, online learning, cloud services and hustle are really the charm, driving adoption of newer technologies and approaches. While universities are still teaching older programming languages such as C++ and Java, self-taught developers are emerging with Javascript – which is of course the lingua franca of the modern web – and cloud skills. Advocacy, online teaching and learning and sharing are baked into the culture, which is creating a flywheel.
But Open Source doesn’t tend itself. Code and communities need care and feeding, chopping wood and carrying water, in order to be sustainable.
In the UK Amanda Brock had the idea that we needed an organisation to lobby on open technology’s behalf, and to help sustain communities and individuals working here. That idea became OpenUK¹¹, an organisation set up to develop UK leadership and global collaboration in open technology.
That idea has also fostered a new annual tech conference taking place for the first time in London in early 2023 – State of Open Con¹².
If you’re interested in open culture and technology this conference is the place to be. Conference Tracks include security, platform engineering, sustainable open source, open hardware, open data, entrepreneurship, and government policy. The 2023 speaker list was incredible but the hallway track is probably what I was most excited about. It was great to see so many of my open source friends, in one place, without having to get on a plane to do so.
You can watch all 65 hours of online content from State of Open Con 23 as unlimited free download.
Literature review
Open Source software reporting in 2022
In July 2022 OpenUK published “State of Open: The UK in 2022 Phase One”. The Report showcased that 97% of UK organisations consume, contribute to and/or distribute Open Source Software in the UK.
Responses indicated that Open Source Software is widespread but interaction – consuming, contributing and distributing – varies according to an organisation’s capabilities.
Findings of the 2022 survey show that:
- 81% of respondents consumed, contributed and distributed products and services based on Open Source Software; and
- 13% consumed and contributed to, but did not distribute products and services based on Open Source Software; and
- 6% consumed and distributed but did not contribute to products and services based on Open Source Software.¹³
Figure 2 How organisations utilise – consume, contribute to and distribute products and services based on Open Source Software
77% of organisations involved in the distribution of their code as Open Source Software use GitHub.com, followed by self-hosted GitLab (12%) and GitLab.com (11%)¹⁴.
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/ Question 4&5
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/ Question 7
Figure 3 Repositories used by organisations for distribution of open source software
38% of respondents spend 0-20 hours per week supporting and working with Open Source Software¹⁵.
When looking at the challenges and benefits over years of engagement with Open Source, the 2022 OpenUK survey showed that governance and good practice knowledge was the biggest challenge overall.
Those using Open Source Software for more than 3 years chose issues relating to maintenance and security as the top challenge¹⁶.
In terms of benefits, the cost saving from having no licence fees to pay was the main advantage of Open Source Software both for organisations with 3 years or less of engagement and for those with more than 10 years; community contributions mattered most for those with 4-6 years of engagement, while those with 7-10 years of experience in Open Source Software put collaboration at the top of their benefits list¹⁷.
The State of Open Report is not the only 2022 report showing increasing organisational interaction with open source software. The Linux Foundation’s recent report, ‘World of Open: Europe Spotlight 2022’¹⁸, indicates that in the last 12 months 47% of European survey respondents said that the value they derive from Open Source is continuing to grow. This result encompasses respondents from 42 countries in Europe and includes the UK.
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/ Question 10
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/ Question 12
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/ Question 11
- The Linux Foundation. (2022). World of Open: Europe Spotlight 2022. Retrieved from: https://www.linuxfoundation.org/research/world-of-open-source-europe-spotlight
Echoing the OpenUK findings, the Linux Foundation report highlights that 46% of European respondents felt that there was a notable lack of clear policy at their organisation in relation to contribution to Open Source Software.
In addition, the report notes that Open Source Software is suffering from growing sustainability challenges; i.e. organisations tend to ‘take’ more than they ‘give’.
The Linux Foundation estimates that 31% of its members are European. To reflect their strong involvement, and the leading role of the EU in promoting open source and international standards in the digital world (such as the GDPR), the foundation announced in September the creation of Linux Foundation Europe (LF Europe), based in Brussels, Belgium.
Adoption of Open Source software
Although there are numerous and valuable global reports published, there continues to be limited literature and data in relation to the consumption and distribution of Open Source Software specifically in the UK. Moreover, despite the increasing importance of Open Source Software in the UK, various issues with measurement have prevented researchers from analysing how its impact varies across different businesses and industries.
This section reviews some of the most recent reporting efforts to understand the breadth and form of interaction with Open Source Software.
GitHub’s recent report ‘Octoverse 2022: The State of Open Source Software’¹⁹ indicates that there are 94M developers on GitHub globally, with 20.5M new accounts created on GitHub in 2022.
Specifically for the UK, GitHub reports a 23% increase from 2021 in the number of UK account holders – a growth of 488k new developers in 2022 – with a total of 2.8M accounts in the UK currently.
Red Hat’s 2022 report, ‘The State of Enterprise Open Source’²⁰, notes that 80% of EMEA IT leaders are increasing their use of Open Source Software for emerging technologies. It predicts that enterprise Open Source Software usage will rise from 29% to 34% in the next two years²¹.
In a report projecting the proliferation and value of Open Source Software in France and Europe to 2027, CNLL and Markess²² confirm that Open Source Software has become a major factor in organisations’ innovation processes and continues to grow in the UK and wider Europe.
The CNLL and Markess report estimates the market in the UK to be valued at 5.5 billion euro in 2022²³ (an 8.2% increase from 2021) and notes that cost savings, ease of collaboration and skill development are the main reasons for adoption in the UK. It suggests that overall, the Open Source market in the EU, both in business and government institutions.
Kubernetes and the wider Cloud Native open source ecosystem are increasingly seen as the future of the technology-driven economy.
- https://octoverse.github.com/
- Red Hat. (2022). The State of Enterprise Open Source. Retrieved from: https://www.redhat.com/en/resources/state-of-enterprise-open-source-report-2022
- EMEA includes UK, Germany and UAE
- Markess. (2022). The Open Source Market. Retrieved from: https://cnll.fr/news/2022-survey-the-open-sourcemarket-in-france-europe/#:~:text=Paris%2C%20November%208%2C%202022%20%E2%80%93,its%20development%20up%20to%202027.
- These growth forecasts were based on the analysis of revenues of the supplier present in different market segments analysed and on available public data (macro-economic public data).
“The Kubernetes State of Play 2022” report by Civo²⁴ found that 51% of 1,000 cloud developers surveyed are now using Kubernetes and/or containers in their operations, up from 49% in 2021. Civo focused on how cloud developers use Kubernetes across their operations, the challenges they see and the evolving use cases for the technology in years to come. The research aligns with a big picture of increasing adoption across the industry: Cloud Native Computing Foundation (CNCF) research highlights that 5.6 million developers are using Kubernetes globally today.
There has been significant growth in enterprise adoption: CNCF’s latest data found that respondents from organisations larger than 5,000 employees are “far more likely to use Kubernetes than those working at smaller organisations”²⁵.
Across 2022, Civo research highlighted that 57% of respondents saw an increase in the number of Kubernetes clusters run by their organisations. The majority saw a rise of up to 25% in the number of Kubernetes clusters they were running. There was also a steady increase of businesses running production workloads in containers since 2021 – which increased from 81% to 83% in 2022. Security risks continue to be a point of tension, with 53% of developers citing concerns about the security of Kubernetes.
The 2023 State of Open Source report published by OpenLogic by Perforce and the Open Source Initiative indicated that 80% of organisations surveyed (from a global sample) had increased their use of Open Source Software in 2022. Asked about the biggest support challenges, 42% of the global sample chose maintaining security policies or compliance and 38% chose lack of skills, experience or proficiency. It is worth noting that the third support challenge, at 37%, is keeping up with updates and patches and maintaining end-of-life versions.
All three challenges indicate the need for curation, maintenance and security²⁶.
In the UK, the top reason to use Open Source Software is the ability to contribute to, and influence the direction of, open source projects. Interestingly, lower cost did not feature in any of the top five reasons UK organisations use Open Source Software; all five were focused on innovation and forward thinking²⁷.
- Civo. (2022). The Kubernetes State of Play 2022. Retrieved from: https://www.civo.com/kubernetes-state-of-play-2022
- CNCF Annual Survey 2021: https://www.cncf.io/reports/cncf-annual-survey-2021/
- OpenLogic by Perforce and the Open Source Initiative. (2023). State of Open Source Report. Retrieved from: https://www.openlogic.com/resources/2023-state-open-source-report?utm_source=OSI&utm_medium=content&utm_campaign=OPL-GLB-2023Q1-CON-StateofOpenSource&utm_content=blog
- OpenLogic by Perforce and the Open Source Initiative. (2023). State of Open Source Report. Retrieved from: https://www.openlogic.com/resources/2023-state-open-source-report?utm_source=OSI&utm_medium=content&utm_campaign=OPL-GLB-2023Q1-CON-StateofOpenSource&utm_content=blog
Focus on downloads: SCARF
Downloads are one metric of distribution among many including number of developers, number of contributors, lines of code contributed and end user usage, to name a few.
As Avi Press of SCARF suggests,
“Any value that a piece of Open Source Software can provide always starts with a user downloading that software.”
Understanding downloads offers an understanding of the journey users take in consuming a project even when they are not taking other actions, such as a visible contribution to the broader community. The figure provided by Scarf below (Figure 4) illustrates download data for the UK in 2022.
This provides important insights into engagement across the UK. Across the 2,000 Open Source packages distributed to end users via Scarf, a total of 4.4 million downloads from 553 different UK organisations was seen across the calendar year, suggesting that UK use of Open Source Software is strong in both commercial and government settings.
In particular, the breadth of government use evident in this data demonstrates what is already discussed but difficult to value: the extensive use of Open Source Software across the UK public sector.
This will be further explored across later phases of the OpenUK State of Open: The UK In 2023.
Figure 4: Downloads in the year 2022, from 2000 Open Source packages on SCARF
Focus on contribution
‘Software Power: The Economic and Geopolitical Implications of Open Source Software’, by the French Institute of International Relations
There is an increasing level of contribution to Open Source software. Contributions are made by the Open Source “community”. In 2022 many of those consuming and distributing Open Source are also contributing to Open Source or are involved in sponsorships of non-profit Open Source organisations funding the “community”.
There are, however, ongoing demands from Open Source maintainers and communities for greater contribution from commercial and public sector users. This was considered by the French Institute of International Relations in ‘Software Power: The Economic and Geopolitical Implications of Open Source Software’²⁸.
The report argues that the way forward globally is to secure software supply chains and to enhance cybersecurity. Enhancing and maintaining a strong software foundation requires a sustainable solution to funding Open Source Software and engaging and enhancing public-private collaboration. In particular, the public sector has a role to play in strengthening critical software infrastructure, including the OSS supply chain; the report proposes improved training for developers on security issues and the creation of a public platform dedicated to analysing the risks associated with Open Source components.²⁹
This form of public-private initiative for the public sector to secure and maintain Open Source Software has also been advocated by OpenUK and will be explored further in later phases of the OpenUK State of Open: The UK in 2023 Reports.
- Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri, Ifri, December 2022.
- Ibid., p. 3.
The OSCI by EPAM
The Open Source Contributor Index (OSCI)³⁰, designed and maintained by EPAM, seeks to track which global commercial organisations contribute what to Open Source and to demonstrate which of them contribute the most, by ranking overall global contributions to Open Source.
The OSCI defines the active contributors and charts participation in the “community”.
The data used by the OSCI is captured from publicly available GitHub code commit data in GitHub Archive, which covers all commits to public GitHub projects. For each organisation OSCI measures the active contributors (defined as a single contributor making 10 or more commits in a month) and the total community (everyone with at least one commit).
The OSCI indicates that over the last two years the leading technology companies Microsoft, Google, Red Hat, Intel and IBM had the most active contributors globally – employees contributing 10+ commits to GitHub per month.
While these companies consume large amounts of Open Source Software, they continue to contribute by open sourcing their projects and contributing thousands of commits³¹ per month, according to OSCI activity data from 2019-2021.
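To make the OSCI measurement concrete, the following is an added example (not EPAM’s code) that applies the same two counts, active contributors at 10+ commits in a month and total community at 1+, to GH Archive-style PushEvent records. The organisation lookup by commit-author e-mail domain, the sample events and the SHA de-duplication are assumptions made for the example; a real run would read the gzipped hourly GH Archive files and use a curated domain-to-organisation table.

```python
"""OSCI-style contributor counting over GH Archive PushEvent records."""
import json
from collections import defaultdict

# Assumed mapping from commit-author e-mail domain to organisation.
# EPAM's real table is their own; this one is constructed for the example.
ORG_DOMAINS = {
    "example-corp.com": "Example Corp",
    "other.example": "Other Ltd",
}
ACTIVE_THRESHOLD = 10  # OSCI "active contributor": 10+ commits in a month


def _push(created_at, commits):
    """Build one GH Archive-style PushEvent (constructed sample data)."""
    return {
        "type": "PushEvent",
        "created_at": created_at,
        "repo": {"name": "example/repo"},
        "payload": {"commits": [{"sha": sha, "author": {"email": email}}
                                for sha, email in commits]},
    }


# Constructed newline-delimited JSON, the shape GH Archive files use.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _push("2022-03-01T10:00:00Z",
          [(f"a{i:02d}", "dev1@example-corp.com") for i in range(7)]),
    _push("2022-03-15T12:00:00Z",
          [(f"a{i:02d}", "dev1@example-corp.com") for i in range(7, 11)]
          + [("b00", "dev2@example-corp.com"), ("c00", "someone@gmail.com")]),
    # Same commit pushed again (e.g. to a second branch): must not double-count.
    _push("2022-03-20T09:00:00Z", [("a06", "dev1@example-corp.com")]),
    _push("2022-04-02T08:00:00Z",
          [(f"b{i:02d}", "dev2@example-corp.com") for i in range(1, 4)]
          + [("d00", "dev3@other.example")]),
    {"type": "WatchEvent", "created_at": "2022-04-03T00:00:00Z"},  # ignored
])


def org_for(email):
    """Map an author e-mail to an organisation, or None if unattributed."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ORG_DOMAINS.get(domain)


def count_contributors(ndjson_text, threshold=ACTIVE_THRESHOLD):
    """Return {month: {org: {"active": n, "total": n}}} from PushEvent lines.

    A person counts once per (month, organisation); commits are de-duplicated
    by SHA so that re-pushes of the same commit do not inflate the count.
    """
    seen = set()                 # (month, sha) already counted
    commits = defaultdict(set)   # (month, org, author) -> {sha, ...}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") != "PushEvent":
            continue
        month = event["created_at"][:7]  # "YYYY-MM"
        for commit in event["payload"]["commits"]:
            email = commit["author"]["email"].lower()
            org = org_for(email)
            if org is None or (month, commit["sha"]) in seen:
                continue
            seen.add((month, commit["sha"]))
            commits[(month, org, email)].add(commit["sha"])

    result = defaultdict(lambda: defaultdict(lambda: {"active": 0, "total": 0}))
    for (month, org, _email), shas in commits.items():
        result[month][org]["total"] += 1
        if len(shas) >= threshold:
            result[month][org]["active"] += 1
    return {m: dict(orgs) for m, orgs in result.items()}


if __name__ == "__main__":
    for month, orgs in sorted(count_contributors(SAMPLE_EVENTS).items()):
        for org, counts in sorted(orgs.items()):
            print(month, org, counts)
```

On the constructed data, dev1 at Example Corp has 11 distinct commits in March 2022 (the re-pushed a06 is counted once) and so is the only active contributor; dev2 and the unattributed gmail.com author show why the total community count and the domain table, not the raw event count, drive the ranking.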
OSCI’s UK-focused data shows a total of 3,171 contributors in 2022, of whom 1,681 were considered active, making 10+ contributions to a project.
The most active contributing organisations in the UK are:
ARM, Canonical, Linaro, Collabora and the BBC³².
The reports discussed here go a long way in the effort to communicate and clarify the widespread role of Open Source Software and the forms of engagement that are necessary to consider.
OpenUK’s work will continue its focus on the UK’s leading role in this Open Source future with its annual survey in May 2023 and a further series of case studies building on those in its 2021 and 2022 reports.
- https://www.epam.com/open-source
- Evaluating Open Source Trends from 2020 to Today. Retrieved from: https://opensourceindex.io/p/evaluating-opensource-trends-from-2020-to-today
- Courtesy of EPAM
The updated figures
What the Octoverse tells us
GitHub’s recent report ‘Octoverse 2022: The State of Open Source Software’³³ estimates that there were 20.5 million new unique GitHub accounts in 2022 (data for the year ending September 2022).
Among the major countries identified in that report, the UK accounted for 6.1% of new account growth, a total of 488,000 new accounts.
This represents an increase in the UK of 23% compared to 2021, bringing the total number of GitHub accounts in the UK to 2.8 million³⁴.
On 5 February 2023 GitHub shared, in data not yet published, that the UK had passed 3 million users, with a figure of 3,003,069.
This means that the UK has the 5th largest number of GitHub accounts registered globally and is by some considerable way the largest in Europe.
Such an increase means that in 2022 4.1% of the UK population³⁵, and in January 2023 4.5% of the UK population, had a GitHub account.
As the chart below shows, this is illustrative of the high level of engagement with Open Source Software in the UK and of the nurturing environment of collaboration and learning in the community; per capita it is more than any other country in the world.
Figure 5: Percentage of population that have a GitHub account, selected countries, latest available data³⁶
- https://octoverse.github.com/
- https://octoverse.github.com/2022/global-tech-talent
- Population estimates and projections | DataBank (2022 UK population estimate)
- Sources: Octoverse 2021, Octoverse 2022, unpublished data for the UK, World population data: World Bank Databank, 2022 estimates
Global legislation and geopolitics
Geopolitical impact of Open Source software
OpenUK began considering the impact of geopolitical shift on Open Source Software from its inception in 2019, long before most other organisations, at a time when the UK faced Brexit. Brexit was in fact one of the instigators of its formation as an organisation in its current format. Rarely in the course of history has there been a more visible and defined moment of geopolitical shift than Brexit. That moment in time has had a profound impact on Open Source Software in the UK and on the UK’s participation in Open Source Software.
Government interest in Open Source is not new, but it is continuously evolving as a consequence of increased utilisation of Open Source in its digital infrastructure. Governments are no longer only seeking to adopt Open Source or to develop software solutions, but also to contribute to the Open Source ecosystems.
At both a national and global level Governments are taking notice – it is estimated that 80% to 96% of the code that makes up global software – including proprietary software – is of Open Source origin³⁷. As Open Source now sits at the heart of software used by individuals, Government and tech companies³⁸, it is under continuous scrutiny in relation to security and sustainability (maintenance).
In 2019 the EU’s engagement in Open Source was at an apparent peak with its Open Source Policy in September 2019, at a time when the UK’s long-established Open Source Software first policy, aligned to the establishment of the UK’s Government Digital Service, was no longer news³⁹. Further legislation was added in 2021⁴⁰. The European Commission updated and expanded its Open Source strategy in 2020, linking it to the ambition of “digital autonomy”. As a result, the Commission created an Open Source Program Office (“OSPO”) whose role is to facilitate the implementation of the strategy and its action plan. While the OSPO was established in 2020, it did not meet in person until September 15, 2022⁴¹.
The European Union’s Cyber Resilience Act deals with cybersecurity as a whole and provides for the implementation of an equivalent of a Software Bill of Materials (SBOM), requiring software vendors to identify and document the components contained in their products⁴².
- Synopsys, “2022 Open Source Security and Risk Analysis Report”, April 2022; K. Szulik, “Open Source Is Everywhere: Survey Results”, Tidelift, April 12, 2018, available at: https://blog.tidelift.com; T. Herr, “Responding to and Learning from the Log4Shell Vulnerability”, testimony to the Committee on Homeland Security and Government Affairs, United States Senate, February 8, 2022
- Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri, Ifri, December 2022.
- https://www.theguardian.com/government-computing-network/2011/nov/02/cabinet-office-open-source-procurement-toolkit
- https://portal.ieu-monitoring.com/editorial/eu-commission-open-source-software-to-benefit-businesses-innovators-and-public-interest-areas?utm_source=ieu&utm_medium=web&utm_campaign=portal
- European Commission, “Open-Source Software Strategy 2020-2023”, October 21, 2020, available at: https://ec.europa.eu; European Commission, “EC Open Source Program Office”, no date, available at: https://joinup.ec.europa.eu.
Despite its attempt to build a solid base through its OSPO, the European Commission’s 2022 draft Cyber Resilience Act⁴³ has been extensively criticised for a lack of understanding of the nuance and meaning of Open Source Software. Criticism has come from across the Open Source ecosystem, including the Open Source Initiative (OSI)⁴⁴ and the major Open Source foundations, among them the Eclipse Foundation⁴⁵ and, via the Open Source Security Foundation (OpenSSF), the Linux Foundation⁴⁶.
The full list of criticism has been gathered by the OSI and made public⁴⁷. The Commission’s apparent misunderstanding of the nature of Open Source Software⁴⁸ has led to perhaps more criticism of this legislation, and of its place in the EU’s proposed product liability regime, than has been directed at any other legislation in the history of Open Source Software.
A report published in December 2022 by the French Institute of International Relations (Ifri), ‘Software Power: The Economic and Geopolitical Implications of Open Source Software’, highlights the tensions in certain countries between the desire to secure universally used Open Source components and the desire to develop “sovereign” technologies, which sit in contrast to the global nature of Open Source Software. Yet the renewed political interest in Open Source in Europe is linked to the declared ambition to build “European Digital Sovereignty”.
At the heart of technological infrastructures, and therefore of this sought-after sovereignty, are software and technological standards⁴⁹. European countries top the Open Data Barometer and the Open Knowledge Foundation’s Global Open Data Index⁵⁰. The main line of action of European public authorities has been to develop the use of Open Source Software in public administrations in response to their needs, and to open the code and data produced by public institutions.
In the USA, the report suggests that states have understood the critical importance of Open Source and are increasingly treating it as a strategic issue. The motivations of states to invest in Open Source may stem from a number of objectives including access to trusted technological solutions in the context of the digitisation of public administration and services, to ensure cybersecurity, to develop a local software industry, to reduce dependence on foreign proprietary software and to preserve the concept of an open, public, common and collaborative digital space.
- https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
- https://blog.opensource.org/what-is-the-cyber-resilience-act-and-why-its-important-for-open-source/
- https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376663_en
- https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376650_en
- https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/
- Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri, Ifri, December 2022.
- S. Rolland, “‘Il n’y aura pas de souveraineté numérique européenne sans maîtrise du logiciel’, Bruno Sportisse, Inria”, La Tribune, February 22, 2022
- European Working Team on Digital Commons, “Towards a Sovereign Digital Infrastructure”, op. cit., p. 10.
Security
An ever increasing focus
OpenUK’s previous research findings and Tidelift’s global report ‘The 2022 Open Source Software Supply Chain Survey Report’⁵¹ highlighted security as the most common challenge application development teams face when building with Open Source Software.
Especially since the White House Cybersecurity Executive Order and the other government actions that followed, almost a quarter of global respondents (of whom 41% are based in Europe, including the UK at 22%)⁵² indicate that complying with government requirements is a challenge, particularly for larger organisations.
According to VMware’s recently published report ‘The State of the Software Supply Chain: The Open Source Edition 2022’⁵³, 94% of global respondents expressed concerns about running Open Source Software in production, with security concerns dominating the list. The top three concerns are all security related, and all show a substantial increase versus last year’s VMware findings.
The solution is not to move away from Open Source, which is not inherently less secure than proprietary code: Red Hat’s recent report ‘The State of Enterprise Open Source’⁵⁴ states that 89% of global information technology executives believe that Open Source is at least as secure as proprietary code. The solution is instead to create the infrastructure and standards that secure the adoption, usage and deployment of Open Source Software. Globally, corporations and government agencies moving away from relying primarily on proprietary, closed-source systems toward using more Open Source code⁵⁵ are starting to recognise that the issue is not the code: it is the lack of institutions securing the code.
Action is being taken by both governments and leading global organisations. To name one example, the Open Source Technology Improvement Fund (OSTIF)⁵⁶ was recently founded to provide free security auditing services to Open Source projects and continues to grow.
- Tidelift. (2022). The 2022 Open Source Software Supply Chain Survey Report. Retrieved from: https://tidelift.com/2022-open-source-software-supply-chain-survey
- VMware. (2022). The State of the Software Supply Chain: Open Source Edition 2022. Retrieved from: https://tanzu.vmware.com/content/ebooks/state-of-software-supply-chain-2022
- Red Hat. (2022). The State of Enterprise Open Source. Retrieved from: https://www.redhat.com/en/resources/stateof-enterprise-open-source-report-2022
- https://ostif.org/
Figure 6: Top Security Priorities over 3 years⁵⁷
- Source: Red Hat data
Education, data, and understanding through metrics are vital to the security of our Open Source projects. Research conducted by Sonatype as part of its 8th Annual State of the Software Supply Chain report compared various quality metrics already available to the community and asked how they could be improved.
Data taken from 7.9 million releases on Maven Central, 14 million Common Vulnerabilities and Exposures (CVE) reports, dependency lists of Open Source projects, and a variety of popular existing metrics showed that none of the metrics tested in isolation was suitable for determining which Open Source projects are vulnerable. Although no single quality metric had even a moderate correlation with vulnerability count, when machine learning techniques and aggregate methods were applied across all metrics, the model could identify projects containing vulnerabilities with 95.5% accuracy. This shows that using the popular metrics collectively is a suitable approach to identifying projects likely to contain vulnerabilities.
Another interesting finding was that although only 10% of the projects had a vulnerability that directly affected their code, 65% had either a direct or transitive vulnerability due to a third-party dependency within their dependency tree, further suggesting that all parties must work collaboratively in tackling these issues.
Thanks to the transparency of the data provided by the Open Source Security Foundation (OpenSSF) Scorecard metric, the research was also able to create a model based on secure software best practices that correctly identifies projects containing known vulnerabilities with a reliability of 89%⁵⁸.
Figure 7: Identifying Vulnerable Projects
Figure 7, above, shows that conducting a healthy code review, reducing binary attack paths, and pinning dependencies through dependency management were the three most effective techniques at reducing the risk of vulnerable projects. Branch protection — the practice of not allowing direct pushes to main development branches — was the fourth most effective. This suggests that Open Source projects with a good code review policy, combined with dependency scanning, are in a much better place from a security perspective than projects that do not follow these practices.
Along with metrics and data, events (such as the Cloud Native Computing Foundation (CNCF) Bug Bash and Security Slams) give Open Source projects much-needed development focus from the grassroots community, keeping organisations in touch with a new batch of potential contributors⁵⁹ and thus keeping Open Source secure, alive and healthy as a community.
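To make the direct versus transitive distinction in the Sonatype finding concrete, here is an added illustration (not Sonatype’s or OpenUK’s code) that walks a constructed dependency graph against a constructed advisory list and reports, for each project, whether a vulnerability sits in its own code, in a direct dependency, or only deeper in the tree, together with the direct dependency that must be updated to cut each chain. Package names, the graph and the advisory set are all made up for the example.

```python
"""Direct vs transitive exposure to vulnerable dependencies.

Added illustration, not Sonatype's or OpenUK's code: the dependency graph
and the advisory list below are constructed sample data.
"""
from collections import deque

# Constructed sample dependency graph: package -> packages it depends on directly.
# "app-*" entries are the projects being assessed; the rest are third-party libraries.
DEPS = {
    "app-a": {"web-framework", "json-lib"},
    "app-b": {"json-lib"},
    "app-c": {"crypto-lib"},
    "app-d": {"logging-lib"},
    "web-framework": {"template-engine", "logging-lib"},
    "template-engine": {"html-escape"},
    "logging-lib": {"config-parser"},
    "json-lib": set(),
    "crypto-lib": set(),
    "config-parser": set(),
    "html-escape": set(),
}

# Constructed advisory feed: packages (and one project) with a known vulnerability.
VULNERABLE = {"config-parser", "crypto-lib", "app-b"}


def vulnerable_paths(project, deps, vulnerable):
    """Breadth-first walk of the dependency tree rooted at `project`.

    Returns {vulnerable_package: [project, ..., vulnerable_package]}, the
    shortest chain through which each vulnerable package is pulled in.
    The `seen` set keeps the walk terminating on graphs with cycles.
    """
    paths = {}
    seen = {project}
    queue = deque([[project]])
    while queue:
        path = queue.popleft()
        for child in sorted(deps.get(path[-1], ())):
            if child in seen:
                continue
            seen.add(child)
            child_path = path + [child]
            if child in vulnerable:
                paths[child] = child_path
            queue.append(child_path)
    return paths


def exposure(project, deps, vulnerable):
    """Split a project's exposure the way the finding above does: a vulnerability
    in its own code, in a direct dependency (chain of length 2), or only in a
    transitive dependency (chain longer than 2)."""
    paths = vulnerable_paths(project, deps, vulnerable)
    return {
        "own_code": project in vulnerable,
        "direct": {pkg: p for pkg, p in paths.items() if len(p) == 2},
        "transitive": {pkg: p for pkg, p in paths.items() if len(p) > 2},
    }


def remediation_targets(report):
    """The direct dependencies a project must update (or replace) to cut every
    chain to a vulnerable package: the second element of each chain."""
    chains = list(report["direct"].values()) + list(report["transitive"].values())
    return {chain[1] for chain in chains}


def exposure_summary(projects, deps, vulnerable):
    """Per-project reports plus the two population shares the text quotes:
    projects vulnerable in their own code, and projects exposed through any
    dependency (the two groups may overlap)."""
    reports = {p: exposure(p, deps, vulnerable) for p in projects}
    n = len(reports)
    own_share = sum(r["own_code"] for r in reports.values()) / n
    dep_share = sum(bool(r["direct"] or r["transitive"]) for r in reports.values()) / n
    return reports, own_share, dep_share


if __name__ == "__main__":
    reports, own, dep = exposure_summary(["app-a", "app-b", "app-c", "app-d"], DEPS, VULNERABLE)
    for name, report in reports.items():
        print(name, report, "update:", sorted(remediation_targets(report)))
    print(f"own-code share {own:.0%}, dependency-borne share {dep:.0%}")
```

On the sample graph only one of four projects is vulnerable in its own code, but three of four are exposed through a dependency, and for app-a the package to update is web-framework, two hops above the vulnerable config-parser.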
UK consultation on security released on 6 February 2022
The UK’s DCMS issued a “Call for Views on Cyber Security” on 7 March 2023⁶⁰.
It recognises that “Software developers generally build on software components built by others. Many of these third party components are Open Source, which is a key driver of innovation and efficiency in the software market, but these components may lack ongoing maintenance due to resource constraints. This means that a vulnerability in one software component could indirectly impact thousands, if not millions, of users. Likewise, the complex nature of the software lifecycle and digital supply chains – including software developers, vendors, resellers, service providers and customers – means that those who would be worst impacted by a breach are often limited in how much they can directly manage the risk. These factors create a complex system which is exploited by those who wish to cause harm.”
Section two of the Call for Views states:
“The Open Source Software community is an important source of innovation, with contributions bringing new ideas, flexibility and agility to the tech sector. Placing additional burden on Open Source developers could restrict this innovation, yet the Open Source community faces challenges in the development and maintenance of secure code, which takes time, tools and skills and could require further support.
The levels of resourcing across the Open Source community are often inconsistent, particularly as participation in Open Source development and maintenance is predominantly on a voluntary basis. It is not unusual for frequently used code components to be maintained by a single person. This means the maintainer might not have the resources to update and maintain the package properly and in a timely manner, or adequately review and quality assure code. There is also a risk of the code becoming unmaintained.
Due to the broad adoption of Open Source software both as stand alone solutions and as components in commercial offerings, the effects of these resourcing challenges permeate digital supply chains. This can result in the introduction of vulnerabilities or prevent vulnerabilities being fixed once identified.
Open Source software is a fundamentally critical aspect of the software ecosystem, and the reliance on these Open Source components within digital supply chains is increasing. Many Open Source software packages depend on other Open Source components, and it is standard practice for proprietary software developers to import Open Source software code into the software that they sell.”
The UK consultation closes at 23.45 on 1 May and views are requested via the completion of a survey⁶¹.
The US driving the conversation
As discussed in State of Open in 2021, President Joe Biden signed an Executive Order (EO) on cybersecurity⁶² addressing the software supply chain, and the White House called for increased cooperation from the private sector. The order required companies selling to the federal government to take precautionary measures to identify and remediate vulnerabilities in software and to provide agency customers with a software bill of materials (SBOM)⁶³.
This was supplemented on 2 March 2023 by the White House announcement⁶⁴ of a Cybersecurity Strategy.
The Securing Open Source Software Act⁶⁵ “moves Open Source from the realm of policy and regulation decisions into federal law. This bill will direct the CISA to develop a risk framework to evaluate how Open Source code is used by the federal government. The CISA would also decide on how the same framework could be used by critical infrastructure owners and operators.”
According to the Open Source Security Foundation (OpenSSF) in its analysis of the Act, the “CISA would produce an initial assessment framework for handling open-source code risk, incorporating government, industry, and Open Source community frameworks and best practices from software security.” The Act will also require the CISA to identify ways to mitigate Open Source software risks. To make that happen, it requires the CISA to hire Open Source developers to address security issues. It also proposes that some Federal agencies start Open Source Program Offices (OSPOs).
Conclusion
Considerable concern has been expressed at the prospect of multiple regulatory regimes applying to Open Source Software developers.
These efforts reflect a need for global collaboration to combat security concerns; this cannot be accomplished alone, which makes the development of an institutional response even more pressing, as critical projects need to remain sufficiently resourced and maintained.
- Federal Register, “Improving the Nation’s Cybersecurity”, op. cit.
- https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
- https://www.state.gov/announcing-the-release-of-the-administrations-national-cybersecurity-strategy/
- https://www.zdnet.com/article/whats-what-in-the-united-states-securing-open-source-software-act/
Thought leadership: security landscape update
Dan Conn,
Developer Advocate, Sonatype
A lot has happened since OpenUK CISO Andrew Martin gave July’s report.
Straight off the bat at the end of July, we saw a data breach involving 5.4 million Twitter accounts being sold in a database from criminal hacker, devil. This was a reminder that security will affect all of us. It also requires thought, investment and intelligence to get right. A point further compounded by Check Point Research⁶⁶ showing a 38% increase in cyber security attacks in 2022. I don’t think it would be risky to bet on 2023 making a further increase.
The devastating conflict in Ukraine continues to ravage. One unexpected, related event resulted in Montenegro, a NATO ally, attributing a sustained cyber security attack on their government servers to Russia. This was later claimed by the Cuba ransomware group (not thought to be related to the Republic of Cuba). As Longeren and Smith tell us⁶⁷, attribution is a very difficult subject for any cyber threat intelligence analyst. I hope Open Source Software initiatives such as the EU based OpenCTI project⁶⁸ can help provide more data in these areas.
Along with 9.9 million records breached in October 2022 (thankfully not personal data this time)⁶⁹, one thing that is for sure is the overwhelming number of cybersecurity attacks that occur and continue to do so.
So how does this fit with Open Source? Well, as was witnessed through the inaugural OpenUK State Of Open Con 23⁷⁰, a lot! The security track was filled with discussion on how to secure supply chains, how SBOMs will help with that, and that Open Source is not immune to this challenge. As quoted in some talks at the conference, statistics from the Sonatype State of the Software Supply Chain report⁷¹ show that 6 out of 7 project vulnerabilities come from transitive dependencies and request volumes from package ecosystems (Maven, PyPI, npm and NuGet) are estimated to have reached 3.1 trillion for 2022, meaning work is needed here to ensure our Open Source projects are not vulnerable for those that use them.
On day one, a keynote from Anjana Rajan, Assistant National Cyber Security Director, Technology Security Directorate, The White House, announced a collaborative project called the Open Source Software Security Initiative which, combined with the work CISA were doing to encourage the use of SBOMs in the community and a push towards memory safe languages, can help our Open Source cyber resilience. The Department for Culture, Media and Sport (DCMS) Head of Cyber Resilience Policy, Naomi Gilbert, explained that a call for views has been published on software resilience and security, and Open Source is expected to play a unique role in this area.
Day two started with Sal Kimmich’s keynote “Regulation by Telemetry: How to Fix OS Security by 2030” with some very bold ambitions, which I believe we can achieve. Throughout the two days, ways of improving our Open Source security posture came out: dependency management, code review, threat modelling, penetration testing and the need to secure cloud and Kubernetes infrastructures. It is a tall ask, but coming together and collaborating in the unique way Open Source does, fostering relationships with governments and organisations such as Linux Foundation, NCSC, NIST, OWASP, OpenSSF, CNCF, Apache, and others, means that nothing is insurmountable.
- https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/
- https://politicalviolenceataglance.org/2022/09/21/who-attacked-montenegro-the-moral-and-strategic-hazards-of-misassigning-blame/
- https://www.ssi.gouv.fr/en/actualite/opencti-the-open-source-solution-for-processing-and-sharing-threat-intelligenceknowledge/
- https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-october-2022
- https://stateofopencon.com
- https://www.sonatype.com/state-of-the-software-supply-chain
Thought leadership: a view on sustainable security from the Rust Foundation
Dr Rebecca Rumbul
Executive Director and CEO, Rust Foundation
Security in the Open Source Software space has never been more prominent than it is today. While the world has suffered numerous serious security issues over the past 20 years, real global and cross sectoral momentum to solve key security issues has only gathered pace over the past year or two.
This momentum prompts the need for a considered and sustainable approach to achieving common security goals that allocates obligations, responsibilities, and accountability appropriately. This means identifying what work is being done, by whom, and how that work is directed and remunerated. It also means investing in changing that process. Anyone even tangentially associated with Open Source Software development knows that unpaid maintainers often bear the brunt of elite decision-making, which can result in disillusioned, overworked and under-compensated communities of developers that have neither the time nor the inclination to undertake the substantial work demanded of them.
Moves to regulate the security of the software supply chain are currently underway in the EU, UK and USA, and there is general agreement that this is a positive driver for improvement. Regulators are not, however, experts in Open Source development. The majority of regulators have little knowledge or expertise in how or where to plug the existing gaps, nor a clear strategy of how to fund this vital work.
Corporate organisations have long engaged with governments and influenced regulators, and these actors will have a necessary and valuable impact upon regulation development. The corporate voice alone cannot, however, be relied upon to ensure that security regulation or practice is fit for purpose, as business interests will always take priority over the interests of the common good. Corporate approaches to security also cannot be relied upon to benefit the digital commons as a byproduct of securing their own activities. It is clear to see across multiple spheres of private sector activity, from health provision to data connectivity infrastructure, that corporate interests inevitably leave significant gaps that either remain neglected or are filled by unpaid or underfunded interest groups. If there is genuine commitment across the stakeholder spectrum to improve supply chain security, a reliance on corporate actors alone to do this will not yield the results desired.
The actors that can implement meaningful beneficial impact are critical to consider in how a global approach to securing the digital world is built. Who can advocate for that common good? Who can identify the key issues and gaps? Who can mobilise to build solutions? And who can do this in a neutral and sustainable way that balances the needs of the myriad stakeholders in this space? OSS foundations, like the Rust Foundation, are the only actors that can take on this role. This is because these non-profit organisations are constituted to support the common good in OSS ecosystems. They are close to, and often run by, maintainer communities, so they know exactly where the issues exist. They are supported by corporate bodies, so they understand too the needs of end users and product developers. They are ultimately neutral, not for profit, able to take a balanced approach that prioritises the wider benefit, and critically, they are able to do this work collaboratively in the open. Security work funded by stakeholders and managed by relevant foundations is the best option.
Funding this activity sustainably will be one of the biggest challenges. For too long, too many organisations have taken advantage of free Open Source code without giving anything back. While a number of tech organisations are hugely supportive of OSS work, there are thousands more that are net beneficiaries. Until the work conducted by the OSS community is valued as a core public service, and funded as such, it cannot be expected to be responsible for propping up government systems or multinational technologies. Just as companies in the UK processing personal data are required to register and pay a fee to the regulator, so should organisations using Open Source code in their products be required to do something similar. Such fees could be used to sustainably fund OSS security activities run through OSS foundations.
Meaningful and impactful improvements can be achieved in OSS security engineering and development across ecosystems, if the work is directed by non-profit foundations and financially supported by a plurality of public and private bodies. In this way, all stakeholders can be engaged without holding a monopoly, maintainers can be fairly compensated, and the benefit will be felt by all.
Sustainability
Leanne Kemp,
Founder and CEO, Everledger
As the recently appointed Chief Sustainability Officer of OpenUK, I am excited to take on the challenge of leading the company’s sustainability efforts and building upon the foundations established. 2023 presents the perfect opportunity to capitalise on the progress made and to set the stage for even greater successes leading into 2030.
One of the key areas OpenUK staunchly focuses on is Open Source Software and its impact on sustainability. While Open Source initiatives have the potential to promote sustainability, it’s important to consider with a balanced view, if not sometimes play a contrarian role to truly explore, discover and resolve the potential downsides.
According to the World Economic Forum’s Davos 2023 risk report, the cost of maintenance and security of coding technical systems is a top concern. Additionally, the OpenUK State of Open 2022 report notes that the top 3 challenges for Open Source initiatives are ABC. All of these require positioning and alignment under the Mother Earth spectacles of Environmental, Social and Governance (ESG) and the Sustainable Development Goals (SDGs).
OpenUK’s collective goal is to work closely with the community and to continuously evaluate, improve, and ensure that our initiatives align with our sustainability goals. This includes being transparent and considerate of the deficiencies that exist, aligning with the ESG, SDGs, and addressing the potential downsides of Open Source initiatives such as the environmental impact of Open Source software and the lack of alignment with environmental, social, and governance (ESG) and sustainable development goals (SDGs).
We are all believers, contributors and disciples of the Open Source movement and Open Technology, as it has long been recognised for its ability to promote collaboration and inclusivity, but it also has the potential to lead the way in sustainable technology. The Open Source community’s values of transparency and community-driven development align closely with what is needed to address the complex and interconnected issues of sustainability.
As a driving force for good: one of the key areas where Open Source can make a difference is in the optimisation of digital technology to use electricity more efficiently. Sixty percent of the world’s electricity is still generated by burning fossil fuels, despite the increasing capacity for renewable energy generation. By developing and implementing Open Source solutions that use less electricity, the carbon emissions generated by the tech sector can be reduced.
However, it’s important to note that simply making technology more efficient may not be enough to address the root causes of climate change and sustainability issues. Jevons paradox states that making something more efficient often leads to using more of it, not less. Therefore, it’s crucial to have deeper conversations about the relationship between society and technology, and to consider the impact of technology on marginalised communities and ecosystems.
Open Source can also play a role in addressing these issues by promoting transparency and accountability in the supply chain of digital technology. By using Open Source solutions, companies and organisations can better understand the environmental and social impact of the materials and resources used in the production of their technology.
Additionally, the Open Source community leads by example in terms of equity and inclusivity. By sharing the wealth generated by digital technology equitably and ensuring that the benefits are enjoyed by all members of society, not just those who are most privileged, we can promote sustainable development and create a more just and equitable world.
However, the elephant in the room today is OpenAI. OpenAI is facing criticism for its lack of transparency and its potential negative impact on the job market as it is a for-profit company and not in fact Open Source as it does not allow access to its source code nor license it under an OSI approved licence. This raises concerns about accountability and transparency.
In conclusion, Open Source initiatives have the potential to promote sustainability, but it is important for OpenUK to look beyond itself and ensure other worldly initiatives like OpenAI are continuously evaluated and supported to improve their strategies to ensure alignment with environmental, social, and governance goals and sustainable development goals. Transparency and accountability must also be prioritised to address potential downsides such as the environmental impact of Open Source Software and concerns about the job market. It is crucial to have deeper conversations about the relationship between society and technology, and to consider the impact of technology on marginalised communities and ecosystems. Open Source can play a key role in driving sustainable technology and promoting equity and inclusivity.
We will again be leading on agenda setting with our OpenUK Open Technology for Sustainability Day in Edinburgh on 14 September⁷².
Conclusion
Need for a Joined-Up International Conversation
Dr Jennifer Bath
Research Director, Symmetry
With every State of Open report published OpenUK explores new ways to show the value of Open Source Software to the UK economy.
This time the calculation is simple and powerful: by January 2023, 4.5% of the UK population had a GitHub account taking the lead per capita among selected other countries with high growth rates in GitHub accounts.
The UK continues to build its Open Source Software capabilities and OpenUK continues to bring attention to this growing ecosystem.
Throughout 2022 we have seen increasing accounts of, and interest in, Open Source Software consumption, contribution and distribution. This is encouraging, as is the increased attention global reports are giving to the numbers and to the conversations about barriers and drivers to adoption. We still can’t always obtain extensive data focused solely on the UK, but the available data is growing and that, alongside the willingness to collaborate on this endeavour, is encouraging. In particular, burgeoning businesses and communities that consider metrics like downloads and contribution allow us different ways to cut the data and therefore a multitude of ways to understand patterns of uptake and productivity.
The current cost of living and energy crises may enable new communities and Open Source ecosystems to grow and flourish in the UK. And, importantly, it’s becoming a global and geopolitical conversation. Those politics are specifically the issues of financing, governance and collaboration – collaboration both international and local – and, of course, a maturing focus on security. These moves will create opportunities for committed individuals to expand, and get paid for, the brilliant work they do each day.
Committed individuals also need to be sustained and there will be a necessary focus on maintainers and funding as well as the economics of Open Source in the UK and the impact of ongoing Security legislation and the need for “Curation” of Open Source.
To sustain people is one part of our commitment to Open Source Software. Sustainability on a broader scale encapsulates even more. We continue to weave sustainability into every aspect of research so that it does not become a silo, sitting separately beside the business and community objectives of Open Source Software adoption but rather runs through everything we do and everything we support.
The question for later phases of 2023’s OpenUK State of Open reports is to consider the paradox of growth and sustainability – both the longevity and maintenance of existing interactions and the focus on environmental sustainability.
You can find all of these pieces of an intricate and enticing puzzle at the State of Open Con 2023 where policy, value, government, people, law, experience and innovation come together to continue to move the conversation forward.
Contributors
Amanda Brock, CEO OpenUK
Amanda Brock is CEO of OpenUK the UK organisation for the business of Open Technology – Open Source Software, open hardware and open data – with a purpose of UK Leadership and International Collaboration in Open Technology and she is the Executive Producer of State of Open Con https://stateofopencon.com/
She is a Board Member of the Open Source Initiative; appointed member of the Cabinet Office’s Open Standards Board; Member of the British Computer Society Inaugural Influence Board; Advisory Board Member, Sustainable Digital Infrastructure Alliance and Mimoto; and European Representative of the Open Invention Network. A lawyer of 25 years’ experience, she previously chaired the Open Source and IP Advisory Group of the United Nations Technology Innovation Labs, sat on the OASIS Open Projects and UK Government Energy Sector Digitalisation Task Force Advisory Boards. She was General Counsel of Canonical for 5 years from 2008 and set up their legal function.
Amanda is a judge in the IDG Foundry CIO 100 2023 having been a Judge in the We are Tech Women Rising Star Awards 2020-22. She was awarded the Lifetime Achievement Award in the Women, Influence & Power in Law Awards UK 2022, and included in Computer Weekly’s Most Influential Women in Tech Long list in 2021 and 2022 and in their UK Tech50 Influencers longlist for 2022. She was included in the 2022 https://heroes.involverolemodels.org/ Involve HERoes list of 100 global women executives driving change by example.
She is the editor of Open Source Law, Policy and Practice (2nd edition) published by Oxford University Press in October 2022, with open access thanks to the Vietsch Foundation https://amandabrock.com/books/.
James Governor, Founder and Analyst, RedMonk
James is co-founder of RedMonk, the developer-focused industry analyst firm. Research and analysis into tech trends and directions. Enjoys working with anyone that wants to better understand software developers and what makes them tick. Came up with the term Progressive Delivery. Lives in London with his wife and 3 kids. Specialities: Developers, developers, developers. @monkchips on twitter.
Dr Jennifer Barth, Founder and Research Director, Symmetry
Dr Jennifer Barth is an experienced ethnographer and social researcher with a DPhil from the University of Oxford. Her work is informed by empirical research on the intersections of emerging technologies and socioeconomic change. She provides companies with thought leadership and research led business solutions on media engagement opportunities on global issues impacting and shaping our current and future socio-cultural lives.
Dan Conn
Dan Conn is a Developer Advocate for Sonatype. Having worked as a developer for over 10 years, whilst also having been cyber security adjacent for just as long, Dan likes to sit in between the two spaces and offer advice where and when he can on software development, cryptography, AI, threat modelling and other areas where the two worlds meet. Along with being an OpenUK Ambassador, Dan is also a member of BCS, ACM and OWASP. When not in front of a computer screen, you can find Dan running, skateboarding, DJing or making music!
Professor Eleanor Shaw OBE, University of Strathclyde
A values-led, inclusive entrepreneurial leader with more than 25 years’ experience of working with entrepreneurs, complemented by a portfolio of entrepreneurship research that has informed the design and delivery of entrepreneurial education, influenced entrepreneurial policy, and guided the development of successful growth interventions which have supported the scale up of numerous Scottish ventures. Eleanor is a senior leader within the Higher Education sector and is passionate about using her knowledge, expertise, and networks to unlock entrepreneurial potential across Scotland’s economy. She holds an MA and a PhD from the University of Glasgow and was awarded an OBE in the New Year Honours List 2022 for her services to Entrepreneurship and Education.
Leanne Kemp, Founder and CEO, Everledger, and OpenUK Chief Sustainability Officer
Leanne is Founder and CEO of Everledger. In her role as CEO, she inspires and steers the team of Everlegends to increase transparency and trust with technology, in close collaboration with our industry partners.
She is a prominent figure in the technology sector. Leanne co-chairs the World Economic Forum’s Global Future Council on the Future of Manufacturing and takes part in the Global Future Council on Blockchain. She also leads workstreams at the Global Blockchain Business Council, co-chairs the World Trade Board’s Sustainable Trade Action Group, and is on the IBM Blockchain Platform Board of Advisors.
Dr Rebecca Rumbul, CEO and ED, Rust Foundation
Rebecca is the Executive Director and CEO of the Rust Foundation, a global non-profit stewarding the Rust language, supporting maintainers, and ensuring that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing tools to improve digital participation. In addition to her full-time and consultancy roles, Rebecca is a Non-Executive Director and Council Member for the UK Advertising Standards Authority, and a Trustee of the Hansard Society.
About the creators of this report
OpenUK
OpenUK is the organisation for the business of Open Technology in the UK, being Open Source Software, open source hardware and open data. As an industry organisation, OpenUK gives its participants greater influence than they could ever achieve alone. OpenUK’s purpose is to promote UK leadership and global collaboration in Open Technology.
OpenUK is committed to promoting UK leadership in Open Technology and supporting collaboration between businesses, public sector organisations, government and communities to expand the opportunities available to all around Open Technology on a global basis. OpenUK creates a visible Open Technology community in the UK, and uses that community’s impact to ensure that the UK’s laws and policies work for Open Technology whilst encouraging the future community in the business of Open Technology through learning.
OpenUK is a not-for-profit company limited by guarantee, company number 11209475 with its registered office at 8 Coldbath Square, London EC1N 5HL, www.openuk.uk, contact admin@openuk.uk
Symmetry
Symmetry looks beyond the surface and behind the curtain of the fundamental innovations and trends shaping our society, markets, culture, and values. We are academics and researchers looking at the intersections of emerging technology and socioeconomic impact, producing independent research for thought leadership and business solutions.
Symmetry’s mission is to share and grow knowledge about everyday lives. We want to understand the past, present, and future of human interaction with emerging technologies and socioeconomic changes—from behaviour to context, nature to nurture, origin to experiences—helping our clients engage their clients and public imagination.
Methodology
The research team undertook a literature review of current industry and academic reports to build upon a deep understanding of the current state of Open Source Software in the UK economy in 2022.
Straightforward calculations in this report using the GitHub Octoverse Report numbers give us a strong indication of the number of account holders and allow the assumption that there is strong innovative activity and take up of Open Source Software. This allows us to consider general engagement with GitHub as a proxy for the uptake of Open Source.
The number of accounts does not indicate economic activity, as it is difficult to find evidence that each account holder is a unique economically active developer⁷³. For instance, some account holders are students who may only use it to practise. In 2021, for example, students held 27.9% of all accounts. There may also be individuals with multiple accounts⁷⁴, and there are likely to be idle accounts, or accounts with negligible activity; as a result, not all these accounts are contributing to economic activity. Building this calculation requires more information, and we are always interested in collaborating on this project to identify the value of Open Source Software in the UK.
Acknowledgements
The research was led by Dr Jennifer Barth, CEO and Research Director at Symmetry in partnership with Amanda Brock, CEO OpenUK in 2022. Thank you to our team of economists, psychologists, data scientists and social scientists. Thanks to all who contributed, and in particular to Michelle Angert and Zin Nwe Zaw Lwin.
OpenUK has a large number of financial and in-kind supporters, to all of whom it is grateful, including the following major supporters: Arm, Google, Microsoft, OVHcloud, Red Hat, Devtank, Opus VL and OpenCredo, along with many other sponsors without whom OpenUK’s work would not be possible. Particular thanks to GitHub for their support with Phase One of this report.
OpenUK’s report Survey will take place in May. Anyone interested in taking part in our survey or in a case study should contact admin@openuk.uk
- Evidence by Statista confirms that there was an increase in software developers in the UK, bringing the total to 466 thousand in 2021, meaning that the percentage of developers in the UK population is approximately 0.7%.
- The State of the Octoverse explores a year of change with new deep dives into writing code faster, creating documentation and how we build sustainable communities on GitHub.
References
- Civo. (2022). The Kubernetes State of Play 2022. Retrieved from: https://www.civo.com/kubernetes-state-of-play-2022
- CNCF. (2021). CNCF Annual Survey 2021. Retrieved from: https://www.cncf.io/reports/cncf-annual-survey-2021/
- European Working Team on Digital Commons, “Towards a Sovereign Digital Infrastructure”, op. cit., p. 10.
- Evaluating Open Source Trends from 2020 to Today. Retrieved from: https://opensourceindex.io/p/evaluating-open-source-trends-from-2020-to-today
- GitHub. (2022). Octoverse 2022: The State of Open Source Software. Retrieved from: https://octoverse.github.com/
- Markess. (2022). The Open Source Market. Retrieved from: https://cnll.fr/news/2022-survey-the-open-source-market-in-france-europe/#:~:text=Paris%2C%20November%208%2C%202022%20%E2%80%93,its%20development%20up%20to%202027.
- European Commission. Cyber Resilience Act. Retrieved from: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
- Open Source Technology Improvement Fund (OSTIF). Retrieved from: https://ostif.org/
- EPAM. Open Source. Retrieved from: https://www.epam.com/open-source
- Lawfare. Open Source Security: How Digital Infrastructure Is Built on a House of Cards. Retrieved from: https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
- The White House. (2021). Executive Order on Improving the Nation’s Cybersecurity. Retrieved from: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
- OpenLogic by Perforce and the Open Source Initiative. (2023). State of Open Source Report. Retrieved from: https://www.openlogic.com/resources/2023-stateopen-source-report?utm_source=OSI&utm_medium=content&utm_campaign=OPL-GLB-2023Q1-CON-StateofOpenSource&utm_content=blog
- OpenUK. (2022). State of Open: The UK in 2022, Phase 1. Retrieved from: https://openuk.uk/stateofopen/
- Red Hat. (2022). The State of Enterprise Open Source. Retrieved from: https://www.redhat.com/en/resources/state-of-enterprise-open-source-report-2022
- Rezilion. (2022). Log4Shell 4 Months Later: Are You Still Vulnerable? Retrieved from: https://www.rezilion.com/lp/log4shell-4-months-later/
- Pannier, Alice “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri, Ifri, December 2022.
- S. Rolland, “‘Il n’y aura pas de souveraineté numérique européenne sans maîtrise du logiciel’, Bruno Sportisse, Inria”, La Tribune, February 22, 2022
- TechCrunch. (2022). Decentralized discourse: How open source is shaping Twitter’s future. Retrieved from: https://techcrunch.com/2022/12/13/decentralized-discoursehow-open-source-is-shaping-twitters-future
- The Linux Foundation. (2022). World of Open: Europe Spotlight 2022. Retrieved from: https://www.linuxfoundation.org/research/world-of-open-source-europe-spotlight
- Tidelift. (2022). The 2022 Open Source Software Supply Chain Survey Report. Retrieved from: https://tidelift.com/2022-open-source-software-supply-chain-survey
- VMware. (2022). The State of the Software Supply Chain: Open Source Edition 2022. Retrieved from: https://tanzu.vmware.com/content/ebooks/state-of-software-supplychain-2022
- ZDNet. (2022). What the Securing Open Source Software Act does and what it misses. Retrieved from: https://www.zdnet.com/article/whats-what-in-the-united-states-securing-open-source-software-act/