We've moved! For the latest news, go to the OSS Watch blog

Issue #25 | April/May 2014



Welcome to the April/May 2014 edition of the OSS Watch newsletter!

We've published a new briefing note this month, taking a look at "The Cloud", breaking through the buzzword into the underlying technologies, and finding out what it means for open source solutions.

Scott's post this month provides some further insight into results from out National Software Survey, looking at where change needs to happen to create a level playing field for open source in education.

Finally, the VALS Semester of Code, organised by a partnership of EU institutions and SMEs including OSS Watch, is seeking FOSS projects to participate in the upcoming pilot of the scheme. If you're a FOSS project who's seeking contributions and can offer some mentorship to enthusiastic students, get in touch!

If you want to work with OSS Watch - whether you're a company, a project, a consortium developing a project proposal, or working within the University of Oxford - take a look at our services page to find out what we can offer.

In this issue

Open Source and the cloud


Rowan breaks through the clouds to find out what the industry's favourite buzzword means for open source software.

Open source in education: where does the change need to happen?

Scott analyses the National Software Survey 2013 and identifies where open source procurement can be improved.

VALS Semester of Code – FOSS Projects Wanted


Mark introduces the Semester of Code.


From the Website

Open Source and the cloud

by Rowan Wilson on 27 May 2014

‘Cloud computing’ is a complex and evolving concept. Broadly speaking it consists of the provision and use of computing resources – such as data storage and processing – as services across a network. By commoditizing computing resources, cloud service companies can achieve considerable economies of scale which can be passed on to customers.

Companies and individuals look to cloud services as a means of reducing their IT budgets, tailoring their resource usage to their needs more exactly, and accessing levels of compute power that previously would have been prohibitively expensive.

Free and open source software (FOSS) is used extensively in the provision of cloud services, and so the move towards the cloud could be seen in one way as a victory for FOSS both in terms of implementation and philosophy.

However there are reasons to question whether the cloud, and the reduction of direct control over our core computing hardware that it represents, is a positive step for software freedom.

This document discusses the varying levels of cloud service provision, the free and open source software that facilitates each, and the extent to which cloud ‘philosophy’ supports or undermines software freedom and openness.


Infrastructure-as-a-Service (IaaS)

Traditionally, if you wanted a server, you had the option of buying or renting physical machines and either hosting them in house, or in a data centre through a co-location service. More recently, we have seen these physical machines replaced with virtual machines, allowing several server systems to be run on the same piece of hardware. Again, these can be hosted internally or externally.

IaaS takes this to the next level, abstracting away the underlying hardware from the customer. An IaaS service is typically housed in a large data centre, where servers’ resources are pooled into a cluster. Virtual servers can then be provisioned on-demand, with underlying software taking care of which hardware is actually doing the work.

This model provides excellent flexibility and scalability, as new virtual servers can be provisioned and resources allocated to meet the demands of the services they are running. It also holds the potential for cost saving – different types of customers will have different peaks in demand, which can be balanced across the shared infrastructure. This can lower the overall computing capacity required, in turn lowering costs.

Set-ups like this are one of the reasons we use the term “cloud” – the blurring of division between pieces of hardware to make one ubiquitous “blob” of computing resource.

The best known example of IaaS is without a doubt Amazon’s Elastic Computing Cloud, or EC2. Amazon owns several data centres across the globe. When renting a server from EC2, you simply specify the resources you require and the location (for example, Europe or the US). The system takes care of the rest and presents you with a remote login to your server. EC2 is used by sites like Reddit and Foursquare to give them the ability to scale in line with demand.

Of Course EC2 is not the only player in the space. There are two high-profile examples of open source platforms that can be used to provide IaaS: OpenStack and CloudStack.

OpenStack is produced by the OpenStack Foundation, originally founded by NASA and RackSpace but now comprising a sector-spanning group of technology companies. Several companies in the Foundation run public cloud services on the OpenStack platform, in competition with EC2.

CloudStack was originally developed by Cloud.com, who were bought out by desktop virtualisation giant Citrix. Citrix subsequently open sourced the CloudStack system through the Apache Foundation. CloudStack is used by big name brands such as BT and GoDaddy, as well as some smaller ones.

If your infrastructure is being provided as a service, it might not be immediately apparent why it matters if the underlying technology is open source. Your primary concern is likely to be what software you are running on the servers that you are renting. However, it certainly warrants some consideration.

The first aspect to look at is the choice it affords you. If you want a solution running on OpenStack, there are numerous companies for you to choose from, while knowing you are getting the same product backed by the same group of vendors. These companies will still want to compete between themselves, be it on price, the types of server they offer, or the management tools they provide. Also, as the underlying system is the same across vendors, you avoid lock-in.

Another factor that shouldn’t be overlooked is that you don’t have to use OpenStack or CloudStack as a service from someone else. If you have a data centre in your organisation, you can run your own, private IaaS system. While this option will not suit everyone – and might be said, strictly speaking to not be provision as-a-service – you can still think of it as a service provided internally. Rather than having to provision virtual machines in response to individual requests, running a private IaaS system allows users to scale solutions to meet their needs at any given time.

Private IaaS systems can have a disadvantage however: systems running side-by-side on a private cloud are likely to have similar peaks in demand, reducing the potential for cost savings.

Platform-as-a-Service (PaaS)

PaaS provides a way of provisioning development environments and tools on top of an IaaS system. PaaS allows you to easily deploy the tools required for developing and running applications; languages, runtime environments and testing tools, with the inherent flexibility of resource allocation that comes with running on IaaS.

For example, you might want to start developing a Ruby on Rails application. Without PaaS, you might create a new Virtual machine, set up the operating system, install a database, Ruby, Rails and all their dependencies, configure remote access to the machine, and so on. With PaaS you can simply use the provided tools to deploy a pre-configured Ruby on Rails platform as per your specifications.

The key benefits here is that developers can focus on developing applications rather than setting up their environment and managing server resources, and that custom-built applications can scale easily to meet demand.

You can get PaaS solutions from many differing vendors. Windows Azure offers PaaS tools to run on top of its IaaS offerings, while Google App Engine allows you to develop and run your software from the search giant’s infrastructure. Both of these systems are proprietary, purely sold as a service.

Open source PaaS offerings are also emerging. RedHat’s OpenShift and Pivotal’s CloudFoundry are both platforms providing similar features to the proprietary competitors, but are available under an open source licence. RedHat and Pivotal both offer their respective solutions as a supported commercial service, but as is the nature of open source, there are other companies selling services based on the same systems.

The key differentiator touted by the open source solutions as opposed to their proprietary competitors is freedom from lock-in, although OpenShift and Cloud Foundry present this benefit differently. OpenShift focuses on support for portable technologies such as Java and Open Source languages as a means of allowing you to take your applications elsewhere if you choose. Cloud Foundry provides support for similar technologies, but focuses on avoiding lock-in to a single IaaS platform. This means that Cloud Foundry will run on VMWare’s vSphere infrastructure, OpenStack, or even Amazon’s EC2. The OpenShift website does make mention of OpenShift running on Amazon Web Services, but most of the documentation refers to running on OpenStack.

Of course, the other benefit of open source solutions is that you’re not tied to using a commercial service at all. If you’ve got a supported IaaS system running in house, or rented infrastructure from an external service, you can deploy your own PaaS atop it and let your staff spend more time developing and less time setting up platforms.

Software-as-a-Service (SaaS)

Software-as-a-Service is usually presented to the user as a web application. It is distinct from a standalone web application in that each customer has their own instance of the software, rather than just having an account on a larger system (this is sometimes referred to as multi-tenancy).

For example, LinkedIn wouldn’t be considered SaaS since by using it you do not receive control of a copy of the LinkedIn software, just a user account. However, signing up for a blog on WordPress.com does give you your own WordPress instance, on its own subdomain, with its own set of users. This would be considered SaaS.

There are more complex examples such as Sourceforge, which gives you an account within their system, but also instances of software for your project such as bug trackers and wikis. Google Docs also blurs this definition.

SaaS providers will usually offer multiple tiers of service, ranging from a highly limited free account to a well provisioned or even “unlimited” paid account.

There are two key advantages of SaaS. Firstly, it completely removes the administrative overhead of deploying software. Usually a few clicks of a web interface is all it takes to “install” your SaaS instance, and the provider takes care of the computing and storage resources required. Secondly, you can access the software from anywhere. As long as a machine has an Internet connection and a web browser, no further setup is usually required for end users.

There are of course potential issues to be considered. Unlike having software deployed locally, or a web application deployed in-house, you are unlikely to have direct access to your data (and depending on the terms of service, you might not even own it). All data will be stored by your SaaS provider and presented through the application. This makes backing up or archiving data locally difficult if not impossible, and requires absolute trust and confidence in your provider and their security policies.

When considering SaaS solutions, a key factor to look for is the portability of data. WordPress can publish your data in standard RSS formats, and Google Calendar uses the standard ical format. Some products will have an “export” feature, allowing you to download a copy of your data. In these cases, you realise additional benefits of choosing a SaaS product, as you can easily move your data to another provider, or in the cases of open source solutions, an in-house copy of the software.

Open source software appears in the SaaS world in several guises. Some SaaS products may be built using permissively-licensed components, but with some proprietary code sticking it all together.

Of course, a complete open source software product may be offered as a service. WordPress is released under the GNU General Public Licence (GPL), but is offered as both a free and commercial service at WordPress.com and other providers. ownCloud is released under the Affero General Public Licence (APGL) and available as a service from owncloud.com and other providers. The terms of the AGPL, unlike those of the GPL, mean that even when the software is used to provide a service, the service provider must allow you to download the source code to their version of the software.

The benefits of choosing an open source product when selecting SaaS is perhaps not as clear-cut as for lower layers of the “cloud” stack. If the product is not released under a ‘cloud-aware’ licence such as the AGPL, the service provider does not have to distribute the source code. If the software is released under a different open source licence, you will probably be able to download the software elsewhere and run your own instance locally as a contingency. However, without access to your data, the utility of this contingency is limited.

SaaS solutions using a combination of open source and proprietary components, as far as the customer is concerned, may as well be entirely proprietary. The provider may be developing and releasing the open source components, and these may be useful in other systems. However, in terms of the service being provided, the fact that some parts are open source does not directly benefit the customer, only the provider.

Cloud, openness and freedom

As we have seen, free and open source software is used and available at all levels of the cloud computing hierarchy. Major, widely used cloud infrastructure platforms are released and developed under permissive open source licences, with contributions from across the technology sector. It could be argued that open source is becoming as core to cloud services as it has always been for web technologies.

So why might the cloud be a problem for the free and open source software movements? Firstly, as Richard Stallman has pointed out many times, the cloud offers convenience in exchange for a fundamental loss of control over your software and data. Stallman has described the entire cloud as a ‘trap’ designed to give corporations access to individual’s data and prevent them from processing it freely and privately. As the Edward Snowden NSA leaks have shown us, even where cloud service providers are not making free with our data, its very presence on the internet tends to mean that it can be intercepted and retained by third parties.

While it is not a complete solution, storing your own data on your own server, possibly using FOSS you compiled yourself goes a long way to frustrating surveillance, whether legitimate or illegitimate. After all, the concept of ‘software freedom’ encompasses not only the free exchange of software but also software’s ability to protect our personal freedom by only doing what we want. Where the cloud replaces our ability to protect our personal freedom through personal computing and personal storage, it could be considered detrimental.

Secondly, most traditional free and open source licences were written to promote sharing of ideas and code in the context of software being distributed and run locally. Their requirements for attribution and licence-communication are triggered by distribution of the software itself. Of course this made much more sense before the advent of the cloud; now, it is quite possible to gain a lot of value from a piece of software, and sell that value to others, without ever transferring a copy of the software itself. As mentioned above, the Affero GPL tries to deal with this change by adding a new trigger for responsibilities – use of software for service provision over a network.

However this new condition will always be harder to enforce than its distribution-centred predecessors. When we receive a copy of a piece of software, even if it compiled, we can closely analyse it to try to ascertain if it is based on other FOSS that might require attribution or licence-communication. When we are only communicating with a program across a network we have far less ability to discover whether it is fulfilling its responsibilities to the authors of software it may reuse.

Finally, the combination of the growth in cloud services and closed – often mobile – platforms presents a third threat. Free and open source software development thrived and grew as a result of the personal computing revolution that began in the 1980s. The PC allowed anyone to develop and run software. The resulting code could be given to others who could also run it without the need to have it signed or approved by the PC’s manufacturer.

Increasingly however, the PC is being supplanted with more portable and usually more ‘closed’ client devices such as tablets, games consoles and phones. To make up for the computing power these devices lack, cloud services are used to supplement their capabilities. If this trend continues, we are at risk of losing the ability as individuals to easily create and run code without needing third party approval, whether from our cloud provider, our device manufacturer or both. It is questionable whether the free and open source software movement would ever have attained its present near ubiquity if it had been forced to develop under this emerging model.


So while the move to the cloud shows how useful free and open source solutions can be in implementing technologies, uniting technology companies and preventing lock-in, it also ironically threatens the conditions that permitted FOSS to develop in the first place.

The cloud opens great possibilities for individuals and small companies to access resources that would previously have been impractical to acquire and use. At the same time, it offers a model of computing that subtly shifts control away from the individual user. In a free market it is appropriate that consumers should be able to choose a solution that fits both their desire for convenience and their tolerance to mediation between themselves and their computing resources. Like most technological innovations, the cloud brings both opportunity and risk.

From the Blog

Open source in education: where does the change need to happen?

In our recent survey on free and open source software in the UK education sectors, we asked colleges and universities for their main reasons for not selecting an open source solution according to 12 criteria. Below you can see how important each of the criteria were rated for software running on servers:

Interoperability and migration problems 80
Lack of support 71
Poor quality software 60
Not what users want 51
Lack of staff expertise, training needs 49
There is no open source solution for our needs 43
Legal issues including licensing 30
Time costs of identifying relevant software 29
Migration costs 25
Existing contractual obligations 18
Poor documentation 15
Solution does not scale 14

The question I’d like to pose today is – if we were to consider these as representing the barriers to greater adoption of free and open source software in education, are the barriers to be found within institutions, or are there issues with the available supply of software and services to the sectors?


To answer this I’ve split the criteria into two groups – supply-side and demand-side. Lets look at the supply-side first of all.

Supply Side Factors

Supply-side factors

Three of the top four criteria are supply-side considerations: lack of support, poor quality software, and not offering what users want.

We could also consider “There is no open source solution for our needs” as being largely the same thing as not offering what users want, which would place it as the top concern.

This would imply that, from the perspective of colleges and universities, the open source software community just isn’t offering the kind of software products the sectors need.

From our experience in compiling the Open Source Options for Education list, this would seem a bit curious. Perhaps the issue is one of awareness and marketing? Or are there significant niches in education where there really are no open source options? We also know that the procurement processes in many institutions would likely exclude open source from consideration – is this also a factor in this lack of awareness?

The second major issue on the supply side would then be the provision of services and support. As we’ve seen in the public sector, having commercial partners is a crucial factor in getting solutions adopted. (There is a chicken-and-egg issue here is that there has to be adoption to support a services market, but lack of services hampers adoption.)

Finally there is the quality issue – are open source solutions aimed at education really poor quality? Or is it that the kinds of solutions being considered are not mature?

Now lets look at the demand side.

Demand Side Factors

Demand side factors

The top issue is interoperability and migration problems – if we also add in the respondents who considered migration costs, then it is by far the most cited reason why open source isn’t selected.

We’ve noted before that there is no simple relationship between open source, open standards, and interoperability; while in principle open source affords the adoption of open standards and greater interoperability, the practice is a lot less clear cut.

However, what we haven’t untangled here is whether the issue is with open source options lacking interoperability features or standards compliance, or whether the issue lies with the incumbent systems they would replace.

The next ranked issue is lack of staff expertise; again we haven’t untangled whether this is a lack of expertise amongst the potential users of the software, the IT operations staff, or the staff involved in the procurement so its hard to interpret precisely. Given the question relates to server software it could be any of these groups.

It may also be the case that this issue goes hand-in-glove with that of lack of support from the supply side; often for server-side software the complexity of configuration and operations can be overcome by contracting a supplier to deal with it on your behalf. For  open source options, if there are no suppliers of services available then its up to the institution’s staff to figure it out.

Finally, the rest of the issues here fall under the category of contractual, legal and procedural issues with procurement itself. While each individual item is not ranked highly, taken together they suggest there are significant barriers still in place in procurement. This is something we’ve been looking into recently in more depth, for example in our Decision Factors for Procurement briefing.


Taken altogether, the demand side and supply side issues of open source adoption in education carry pretty much equal weight from the viewpoint of the institutions themselves. But what are we to make of it?

I think we can distill it into five challenges:

  1. We need to tackle the interoperability question. Is lock-in a problem? Is lack of standards a problem? This is something our friends at CETIS could take a lead on.
  2. We need to improve awareness of existing open source solutions available within the sector;  lists like our Open Source Options for Education are useful here, but projects also need to be more proactive in raising awareness, and may need a higher profile at events such as the UCISA and ALT conferences.
  3. Institutions need to improve software procurement processes so that they can consider open source solutions effectively and equally with closed source.
  4. We need to build up the open source services market for education. ULCC have been very effective with their Moodle hosting, but companies supporting other major open source software solutions don’t seem to have much of a presence in the education sector. (As I mentioned earlier though, this is a bit of a chicken-and-egg problem)
  5. Bootstrap projects in areas where there are no existing open source solutions. Of course there are well known problems with funded projects, but there are alternative approaches, for example the Jisc Co-Design programme could play a role here.

VALS Semester of Code – FOSS Projects Wanted

The VALS Semester of Code is an upcoming project that will work with universities and FOSS communities to give students real-world experience working in software projects.  Unlike Google Summer of Code, Semester of Code students will be participating for academic credit as part of their degree courses, and we hope that after completion of their project will go on to be effective contributors to the FOSS community.


The VALS initiative is a partership of European universities and SMEs who have been working for several months to plan the pilot of Semester of Code, which will run during the next academic year.  We have now reached the stage where we are signing up FOSS projects who are willing to provide mentored projects of students. We have already seen interest from smaller, single-company projects to larger software foundations, and would like to see more.

If you are part of a FOSS project, large or small, that would be willing to provide one or more mentored projects, we’d love to talk to you about joining Semester of Code.  In return, you’ll get an enthusiastic student providing a valuable contribution to your project.  The VALS team will be on hand throughout the project to answer any questions and help unblock communication issues between mentors, students and academic supervisors.

If you’re interested in taking part, you can email me on mark.johnson@it.ox.ac.uk, or you can sign up to our mailing list directly by emailing listserv@jiscmail.ac.uk with the following message:

SUBSCRIBE VALS-SOC <Firstname> <Lastname>

(You should recieve a confirmation within 24 hours).
More detail about the Semester of Code are available on our FAQ page. If you have any other questions, don’t hesitate to ask on the mailing list, and one of the VALS team will get back to you!

This newsletter contains Creative Commons licensed photos by Flickr users Donald Judge (CC-BY), Kate Haskell (CC-BY), Kentucky Science Center (CC-BY) and John McStravick (CC-BY).