Open Source Devs, Wary of Microsoft’s Pending GitHub Takeover, Consider a ‘Plan B’ – InApps 2022

There was a time not very long ago when Microsoft, one of the greatest capitalistic success stories of the 20th century and still one of the world’s major patent holders, declared itself the defender of free enterprise against the open source movement. You can’t blame some folks for being skeptical when a company by the same name, though headed by different people and refocused on the cloud hosting business, announces its intent to acquire the most prominent brand in collaboration and automation for version-controlled, open source software.

But as of now, that skepticism is more of a slow simmer than a raging boil. Open source contributors who rely upon GitHub as their virtual supply chain are wary that any corporate owner — be it Microsoft, Google, or Starbucks — might have an interest in maintaining some line of visibility into private repositories. It has happened before, albeit in a different setting: In March 2016, a developer named Azer Koçulu had posted a JavaScript module named kik to his npm repository. Somehow, this act attracted the attention of a company that had registered “Kik” as a trademark for an instant messenger. When that company contacted the developer, asking him to rename the module, he refused out of principle.

Then after the argument got out of hand, and certain genitalia were referenced, the developer unpublished his kik, along with all his other modules. The result was an avalanche of broken software within hours, on account of all the dependencies that other firms’ code had upon Koçulu’s.

Although that problem was quickly repaired, the incident shed light on how deep the interdependencies between open source components had become — even as the era of commercial containerization was just beginning.

A Standby Exit Strategy

Monday, after Microsoft’s and GitHub’s joint announcement, members of the Go language’s general discussion list golang-nuts gently brought up the issue of whether they should think about protecting themselves against a similar contingency with GitHub going forward. Several commenters there expressed confidence in statements by outgoing GitHub CEO Chris Wanstrath that the repository system will continue to be operated independently. That said, some are advising Go contributors to keep their options open.

At issue: If a development organization should decide to move its repository to any new location, can it avoid breaking the code of others who rely on their ability to import the modules in that repository? At least one contributor is considering using Fossil, which includes bug tracking and an integrated wiki in addition to version control.

Another long-time contributor named David Skinner, who says he has begun warily looking into alternatives, suggested that developers begin using a technique called vanity imports. Essentially, it’s a way to replace the github.com sourced package name from the import path of your source code, to your own domain. There, your index page would include an HTML meta tag that contains a pointer to the present address of your source code repository. The Go command line tool go get knows to look up that index page before accepting any URL as the sole source location for a dependent module.

” I will not leave GitHub just because Microsoft buys it.  But I do want to have an exit strategy.  It is only prudent.”

If a developer or organization felt it did have to make the move, all it would need to do is edit the meta tag to point to the new repository location.

This method of indirection is what could give GitHub users a way to silently slip out of the system, should Microsoft’s present leadership peel off their wax lips and face masks to reveal Steve Ballmer and Jim Allchin were hiding there all along.

Wrote Skinner, “I have personal reasons not to trust Microsoft going back to 1980. I have friends that work there and I worry about them. I will not leave GitHub just because Microsoft buys it. But I do want to have an exit strategy. It is only prudent.”

Skinner’s prudence may be shared by contributors to well over 100,000 repositories, according to competitive service GitLab. Those contributors have begun importing their GitHub repositories to GitLab just in the first three days after the purchase rumor began spreading.

Yet at the same time, Skinner’s comment is indicative of the more mature, mindful tone taken by professional open source developers today. For them, the whole purpose of a “stack” is to enable options for coupling and connectivity of services, that can be decoupled and reconnected later whenever the conditions warrant.

The Hail-Mary Option

Some of the Go developers in the golang-nuts group are discussing the possibility of leveraging a project called Interplanetary File System (IPFS), perhaps coupled with a blockchain element, to devise a kind of peer-to-peer language repository system. Written in Go itself, according to its creator Juan Benet, IPFS “seeks to connect all computing devices with the same system of files.

Unlike GitHub, which relies upon the Web as its addressing system for resources, IPFS would utilize its own distributed hash table, along with what Benet describes as a “self-certifying namespace” to deploy a single Git repository like a massive, ongoing BitTorrent.

While IPFS is an attractive technology, or at least a prospective one, it may be missing the point altogether:  Microsoft’s forthcoming $7.5 billion stock transaction was not so it could own a piece of Linux, but to have a handle on a healthy business that now collects $200 million in revenue annually. GitHub’s business model is its enterprise-grade, private software repository service. The public service builds the community, but the private one keeps the lights on.

“Companies are never altruistic. That’s not what they’re designed for,” remarked Randy Bias — one of the open source community’s leading advocates for the past few decades, presently the vice president for technology and strategy at Juniper Networks, and a long-time friend of InApps. “They’re designed to generate profits and return shareholder value. The idea that any company, anywhere in the universe, can operate in an altruistic way is naïve beyond words.”

Bias told us he believes Microsoft’s move will benefit the open source ecosystem as a whole. There will be some veterans from the past who remember Microsoft’s past stance and the way it managed to douse grassfires with gasoline with its incendiary comments toward the community. That company, in his view, no longer exists.

Still, he suggests that we view the transaction in a much broader context: Though GitHub may have become the de facto source for all version-controlled source code, it has not always succeeded in taking that next step of building an ecosystem — of either building or enabling other tools to establish orbits around GitHub. Case in point: Although GitHub has made its own efforts to incorporate bug tracking, the vast majority of users, as Bias perceives them, prefer to use Atlassian’s Jira.

“The GitHub capabilities beyond the source code repository haven’t really done a great job,” said Bias, “of building outside of their core foundation. And if we look at Microsoft, they’ve had multiple forays trying to build developer hubs online, and have largely been unsuccessful outside of the Microsoft ecosystem.”

Microsoft’s history and experience with building superb developer relationships based on end-to-end toolchains, said Bias, should mesh well with GitHub’s existing value chain. But in the process, it creates an opportunity for GitHub to take the next step in its business model — “to get to this modern CI/CD pipeline that’s designed to allow the average enterprise application developer to build a next-generation, cloud native, microservices-based application, from their laptop into production, without touching or even needing to understand, all the parts of that release pipeline.”

One of those developer hubs to which Bias was referring was CodePlex, Microsoft’s 2009 effort to establish what it then called an “independent” cooperative source code exchange, to compete against the largest such effort at that time, SourceForge. It hasn’t escaped notice entirely that one of the board members for that early effort was Miguel de Icaza, the developer of Mono (the first open source .NET implementation) and the co-founder of Xamarin. Microsoft would acquire Xamarin in 2016, and in so doing, officially hire de Icaza and the other co-founder, Nat Friedman… who now is being appointed CEO of the new GitHub.

Leverage Buy-in

Based on data collected throughout last year and compiled by Google’s BigQuery engine, Microsoft employed the highest number of GitHub contributors for 2017, taking part in the second highest number of repositories worldwide, behind Google. Its own most active repository is VS Code, for the Visual Studio Code editor, which recently displaced its namesake predecessor Visual Studio as Stack Overflow users’ most popular developer environment.

That’s a statistic that Marko Insights principal Kurt Marko finds impossible to ignore. “Microsoft sees the value in community repositories and the GitHub platform,” Marko told InApps. “It also understands the power of automated development processes and tool chains, which is where buying GitHub comes in.”

The company’s pre-existing Visual Studio toolchain still has its strong supporters, he noted. But those folks are mainly Windows developers, where modern methodologies such as CI/CD have taken a bit longer to catch on.

“I think at least part of the long-term strategy with GitHub is building out a full set of CI/CD and infrastructure-as-code (IaC) services for Azure,” he continued. “While GitHub is the well-known public platform, it can obviously be used for private repositories as well. I suspect Microsoft will continue to support the public site for open source projects and repackage the technology as a metered Azure service for private repos.”

If that prediction holds true, Marko advised us, “don’t be surprised if Microsoft also acquires or repackages other CI/CD products like Jenkins, TravisCI, or Atlassian.”

To be an open source “community member” today is not necessarily to have joined some political movement or adopted some moral dogma. Indeed, open source is software development in the modern age, as Microsoft itself has demonstrated.

“We have been on a journey ourselves with open source and the open source community,” remarked Microsoft CEO Satya Nadella, during Monday morning’s joint analyst call with GitHub. “Today we are all in with open source. We are active in the open source ecosystem, we contribute to open source projects, and some of our most vibrant developer tools and frameworks are open source.”

Then Nadella delivered a stern and decisive message, directed to anyone who may still have a hair-trigger reaction to any business move his company makes in the space where Linux now dominates: “When it comes to our commitment to open source, judge us by the actions we have taken in the recent past, our actions today, and in the future.”

Microsoft is a sponsor of InApps.

Feature image: A Windows XP-inspired theme for GitHub by Martin Bjork, available now on GitHub.