It’s a Thursday, which means: .NET open source drama.
Last October, Dominick Baier and Brock Allen, the two creators and maintainers of IdentityServer, announced that IS’s current business model was inherently unsustainable and they’d be moving to a paid licensing model using the Reciprocal Public License (RPL) and under a new company, Duende Software, beginning with IdentityServer5.
Last month Microsoft announced that they were going to continue to include Duende’s IdentityServer dependency in their templates for ASP.NET 6 - IdentityServer had, historically, been a free open source product licensed under the permissive Apache 2.0 license and has been a popular choice among ASP.NET developers for handling OpenID and OAuth 2.0 tokens, hence why they’ve been included in so many of Microsoft’s default ASP.NET templates for years and years. Now the version of IdentityServer being included in Microsoft’s popular templates requires that users earning more than $1m per year pay license fees as low as $1,500 per year.
The .NET community responded to this announcement graciously; they took a moment to recognize their role in making the .NET open source ecosystem more innovative by supporting independent software vendors; and agreed that having IdentityServer maintain itself through recurring license fees was a highly preferable alternative to having the maintainers abandon the project.
Just kidding. The .NET community collectively freaked out and demanded to speak with the manager of .NET OSS - over what’s included in some templates. Templates. The worst part is that apparently the .NET OSS ecosystem does still, in fact, have a manager: Microsoft.
However, since this thread and discussion around Microsoft, IdentityServer, and the role of free vs. paid “open source” software refuses to cease - I think it’s worth exploring the “end of the free lunch” for .NET OSS users.
Little Piggies vs. Hogs
In the context of people exploiting a free / under-priced / unauthorized resources, there is an expression I love: “little piggies get to live another day; hogs get slaughtered.”
When it comes to theft: someone who shoplifts a candy-bar from a convenience store probably won’t be prosecuted with the full resources of the plaintiff and law enforcement but someone who robs a bank might.
When it comes to open source software: it’s inexpensive for maintainers to support a small number of users with relatively similar demands - but once a project achieves critical mass and the demand on the maintainers exceeds their desire to supply, something will have to give.
IdentityServer’s users are hogs and it’s off to the chopping block.
A less grotesque analogy: most IdentityServer users been dining greedily on Dominick and Brock’s tab for the better part of 10 years and now the bill has come due.
Inevitably, the thread with Microsoft is full of hogs squealing:
- This is an essential service and Microsoft should just buy Duende and make IdentityServer free again;
- No one read Duende’s pricing terms, which makes IdentityServer free for any companies or non-profits doing less than $1m per year, thus it’s easier to complain about that;
- Contributing to IdentityServer4, still free open source under Apache 2.0, is too hard;
- Maybe Microsoft should just use one of the other free alternatives to IdentityServer, such as https://github.com/openiddict/openiddict-core or https://github.com/simpleidserver/SimpleIdServer - so the free lunch can live on until one of those projects suffers from the same sustainability issues as IdentityServer.
The hysterics over what Microsoft chooses to include in some templates, not a core library that will render the RPL terms viral for end users, is as absurd as it is inevitable.
Suddenly when asked to pay $1,500, $4,000, or whatever per year for a service that is “essential to our business,” per the words of some of these commenters, these developers suddenly plead poverty.
You can rarely buy developer expertise with a credit card - paying for an excellent, battle-tested, well-documented, and highly re-usable solution like IdentityServer built by domain experts is not only significantly cheaper than paying your own developers to do it but it’s also inherently lower risk. The failure costs of getting something as critical as authentication and authorization wrong in your application can be catastrophic.
If you’re in charge of this area of your company’s software and you’re agonizing over the dollar-cost of a Duende license, please do your company a favor and fire yourself from that position: you’re not qualified for it.
I suspect the reason the chumps on the thread are squealing about licensing costs and playing poor has nothing to do with the cost and everything to do with dealing with their procurement department.
One of the greatest reasons why open source technology spreads so quickly and accrues so much value: it is permissionless - anyone can adopt, use, modify, and redistribute a vetted piece of open source software without having to encounter the department budget.
But once maintainers affix a dollar amount as the entry fee to benefit from all of their institutionalized knowledge and expertise developers now have no choice other than violating the license terms (legal won’t stand for that) or dealing with the procurement bureaucracy to allocate company money for the purchase.
The raison d’être of the procurement bureaucracy is to thoroughly vet every vendor in the supply chain for “risk” - a largely performative song and dance that involves Dun & Bradstreet numbers, certificates of general liability insurance, and insisting on getting the governing law of the statement of work changed from wherever the vendor is to wherever the buyer is. The procurement bureaucracy typically does not produce any meaningful outcomes other than making it more expensive and difficult for both parties to transact with each other, hence the disincentive for software developers to engage it. It is a slow-going experience that requires developers to engage in frightening acts like “cost / benefits justification” and “writing emails.”
Thus the white-hot rage in the Microsoft “I want to speak to the manager!” thread - Duende has now put these .NET developers in a position where they must justify a frankly trivial dollar-cost to the procurement bureaucracy and Microsoft doesn’t care. “HOW CAN YOU NOT CARE?!?!”
I’m not particularly sad at the plight of these .NET developers - this is mostly their fault, after all.
End of the Free Lunch
You can only be a free rider for so long before the tab-payer takes notice - and when they do, you’re at their mercy.
In the case of IdentityServer, it’s being asked to pay for new releases of the product under (my opinion) very generous terms - with OSS support for IdentityServer ongoing through November 2022 still!
In the case of other projects, total abandonment and leaving you holding the bag.
I’m personally dealing with the latter scenario with DotNetty, a critical part of our networking stack now abandoned by Microsoft once their technology choices for Azure IoT (the product it was built for) changed. It’s unpleasant but we have the resources and expertise to migrate to / create something else to fill that gap. Most companies do not. Yours very likely does not.
OSS is becoming increasingly popular in the .NET ecosystem and that trend will only accelerate over time - and so you should expect the sustainability problem to become more common in .NET, not less. Begging Microsoft to answer every possible question any user with any amount of money might ask with a free library is what turned the .NET ecosystem into a flaming pile of dogshit years ago. We’re never going back.
Your free lunch is already over - this is your wake-up call.
When you select packages and technologies to maintain and build your .NET applications, start pricing in the expectation to pay money for it - because that’s the only way to avoid surprises and supply chain shocks in the future: by pricing them in today.
Get in the habit of sending value back upstream to your dependencies. That value can be in form of contributing to the projects you use, monthly donations, or even better: buying value-added products and services from the maintainers. Other projects might want to help promote the project with blog posts, videos, and PluralSight courses. Maybe a testimonial from your company might help! There are lots of ways to give value back to the people who build the components you use to help run your business software - and most users choose none.
Creating virtuous cycles where you continuously exchange value with OSS producers is the inevitable conclusion to the “Open Source Sustainability Crisis” - and everyone will be better off for it. So you should start the conversation with your team and find some projects to support - because it’s in your own self-interest to see them sustained.