
Metasploit As Case Study In Selling a FOSS Project

coondoggie sends in a Network World interview with HD Moore on the occasion of the commercial release of Metasploit by Rapid7, the company that bought it half a year ago. The pseudonymous author uses the occasion to explore the question of what happens to a vital open source project once it is sold commercially. "Metasploit might become one of the first examples of how a completely FOSS project grows up to be successful. It is the venture capital model without the startup money (though VCs are funding plenty of OS startups these days, too). Build it. They will come. Someone will buy it. And if you want them to stay, the FOSS project better remain as well supported as the eventual commercial version. This isn't the first open source project to have been bought by a big guy. And the jury is still out on most of them. I could argue that Metasploit is a bit unique in that it didn't have a commercial arm when Rapid7 acquired it. That could not be said about SUSE or MySQL or even Gluecode (bought by IBM), etc."
  • How? (Score:1, Interesting)

    by Anonymous Coward on Tuesday May 04, 2010 @03:07PM (#32089332)
    How do you buy an open source project? You can't buy the code. Do you just buy the name?
  • Re:How? (Score:3, Interesting)

    by Trepidity ( 597 ) on Tuesday May 04, 2010 @03:10PM (#32089392)

    Sounds like basically the name plus some core devs. It's BSD-licensed, so in theory they could've made their own proprietary version without even buying it, but in that case it might've been harder to get any attention or traction, and they might have had difficulty finding people familiar enough with the codebase and willing to write proprietary-licensed additions/extensions.

  • a sad story (Score:3, Interesting)

    by Lord Ender ( 156273 ) on Tuesday May 04, 2010 @03:11PM (#32089406)

    Metasploit used to have nice GUI and web-based interfaces. Once it was purchased, they were immediately dropped.

    Also, a project like Metasploit can't live without community contributions, and we have yet to see if these are sustained. When contributing to a noncommercial open source project, the feel is one of peers collaborating. When contributing to a commercial product, the feel is more like working without a paycheck...

  • by ushering05401 ( 1086795 ) on Tuesday May 04, 2010 @03:17PM (#32089484)

    A revenue sharing license limits the contributor base for your project based on increases in accounting overhead to track and disburse monies over time.

    And that page you linked is scary. They claim to pre-define growth rates on participating code-bases to protect against devaluing of contributor shares. WTF.

  • by Anonymous Coward on Tuesday May 04, 2010 @03:18PM (#32089500)

    Prior to the acquisition, all of the developers also had full-time paying jobs (with a couple of exceptions for students). The difference is that now we have a half-dozen people getting a salary to work on it full-time, in addition to the normal community contributions. Since all of the core code goes back to the BSD-licensed public source tree, the acquirer has a strong incentive to continue maintaining it in order to prevent a fork.

  • by LWATCDR ( 28044 ) on Tuesday May 04, 2010 @03:41PM (#32089722)

    "Debian, a whole OS without any paid devs?"
    1. Debian is not an OS. It is a distro.
    2. No Linux distro I know of is free of code from paid devs! Red Hat, IBM, Novell/SUSE, Intel, and many more pay people to develop code and then contribute that code to Linux. So any distro that includes, say, the FOSS Intel video driver is using the code of paid devs.

    Even RMS states the F in FOSS does not mean unpaid or free as in beer.

    And I disagree about a crisis of sustainability. FOSS has not been wildly profitable as a whole. It has not inspired a huge number of vibrant projects. For every Firefox there are tens of thousands of projects that never get past a page on SourceForge.
    Even some really good FOSS software just sort of lingers on the fringe. One great project IMHO is DeVeDe, which is a super simple and easy-to-use DVD creation tool.
    "I am not the dev but I use it"
    Without a clear source of revenue, projects will fade.
    BTW, the problem is getting worse for closed source software.
    Most people have found software that frankly is good enough, so they are not buying new software as much.
    Also, people have found free software on the internet, both in the form of FOSS and in the form of piracy.
    That is why you see so much interest in mobile apps. It is still possible to make money and maybe even grow large in that space. On the PC it is just too crowded.

  • Fair point, but look at some of the contributors to Linux: IBM, SGI, Hewlett-Packard, Oracle. They contributed largely in the spirit of openly contributing (highly commendable) but they also contributed because they were going to get some sort of return on that investment, no matter how indirect or long-term it might be. This was certainly not the reason Linux became what it is, but to ignore the fact that they help sustain Linux would be plain folly. Indeed, there was quite a dramatic pick-up of interest after the IBCS patch showed that the kernel was as capable as any commercial offering, albeit minus a few "Enterprise" features. (IBCS is how Oracle first ran on Linux, as a Linux port didn't exist at the time.) That's when pressure for such extras built up and the itches got scratched.

    Similar things could be said of Apache. SGI has contributed much, including a high-performance accelerator that the Apache team rejected. (Interestingly, the next generation of Apache web servers was dramatically slower. Probably coincidental, but pissing off people with the arcane skill in optimizing is never a good idea.)

    What of the GNU compiler collection? Well, I'll be generous and not say too much about the disastrous folly that caused EGCS to form, or the equally disastrous failures in Gnu Fortran which resulted in large-scale defections to the G95 project. I'm also deeply concerned about the whole PGCC fiasco (Intel's patches were superb on Intel hardware, great contribution from that perspective, but why the hell was it working worse on non-Intel hardware?), the bit-rot that caused various older compiler back-ends to be dropped from GCC, the huge maintenance problems being faced by people like the D frontend for GCC, and so on. It is superb, it's a magnificent testament to Open Source that GCC is =THE= benchmark to beat by compilers at the Supercomputer conference (you don't benchmark against things considered junk), and it is progressing. However, there is clearly a long history of conflicting egos and conflicting goals that have been as damaging to the product as productive.

    And the BSD kernels? Very good development, but again a lot of fragmentation due to clashes. Individuals doing superb work, I'm not going to question the amazing technology that is inside FreeBSD, NetBSD, OpenBSD, DragonflyBSD, or any other *BSD. But there's way way too much bitterness, hostility and rivalry that goes well beyond the spirit of competition. They're all perfectly self-sustaining, I'm not going to even try to dispute that. The developers are highly passionate about what they do and what they do is magnificent. But, frankly, there have been times when I wish someone would slip some Prozac to those guys. The *BSD effort started TWO YEARS before Linux, it should be running the world by now, but it isn't. The kernels are all good, are all worthy equals to Linux, but damnit they had huge chunks already done AND a two year head-start. There shouldn't be any commercial UNIXes any more. Why does Solaris still exist? Why was all of this advantage squandered?
