1. Introduction
Last October, the two creators and maintainers of IdentityServer, Dominick Baier and Brock Allen, announced that their current business model was essentially unsustainable. As a result, they would adopt a paid licensing model under the Reciprocal Public License (RPL) and offer IdentityServer5 under a new company, Duende Software.
Recently, Microsoft announced that their ASP.NET 6 templates would continue to include Duende's IdentityServer dependency. IdentityServer was once a free, open-source product under the permissive Apache 2.0 license and a common tool for ASP.NET developers handling OpenID and OAuth 2.0 tokens. For years, Microsoft's ASP.NET templates included this library by default. Now, the IdentityServer included in Microsoft's popular templates requires a minimum annual license fee of $1,500 for users with annual revenue exceeding $1 million.
The .NET community responded gracefully to this announcement, carefully considering their role in fostering innovation in the .NET open-source ecosystem by supporting independent software vendors. They acknowledged that IdentityServer's move to charge licensing fees annually is commendable, as it's better than maintainers abandoning the project.
However, the .NET community fell into panic, demanding discussions with .NET open-source software managers about the code included in some templates. The worst part is that the true steward of the .NET open-source software ecosystem is Microsoft.
Now, discussions around Microsoft, IdentityServer, and free versus paid "open-source" software are everywhere. Therefore, I've decided to explore in this article what the end of the free lunch in .NET open source means for users.
2. Nothing Is Enough for Some People
Whenever I see people abusing free/underpriced/unauthorized resources, I'm reminded of the saying: "Nothing is enough for some people."
While stealing a candy bar from a small store might not lead to prosecution, robbing a bank definitely will bring legal consequences.
When it comes to open source, costs are low if maintainers only need to support a small number of users with similar needs. But once a project reaches a critical point and user demands exceed what maintainers are willing to provide, someone has to pay the price.
IdentityServer's users have been greedy. Over the past decade, most IdentityServer users have been feasting on a free lunch, and now the bill has arrived.
It's easy to imagine various opinions appearing in Microsoft's post (https://github.com/dotnet/aspnetcore/issues/32494):
- This is an essential service; Microsoft should acquire Duende and make IdentityServer free again.
- No one reads Duende's pricing terms, which state that "any company or non-profit with annual revenue under $1 million can use IdentityServer for free," so many are complaining.
- Contributing to IdentityServer4, still free and open-source under Apache 2.0, is too difficult.
- Perhaps Microsoft should replace IdentityServer with other products, like https://github.com/openiddict/openiddict-core or https://github.com/simpleidserver/SimpleIdServer, so the free lunch can continue until these projects face the same sustainability issues as IdentityServer.
The reaction to Microsoft choosing to include IdentityServer in certain templates—rather than including the core library under RPL terms—is also absurd.
When developers are suddenly asked to pay $1,500, $4,000, or other fees annually for a "business-critical" service, they immediately start crying poverty.
Keep in mind that developers' expertise cannot be bought with money, and purchasing an excellent, battle-tested, well-documented, highly reusable solution like IdentityServer built by domain experts is not only much cheaper than hiring your own developers to do it but also carries lower risk. If critical issues like authentication and authorization errors go wrong in your application, it will cost you dearly.
If you're responsible for this area of corporate software and are worried about Duende's few dollars in licensing costs, please do everyone a favor and resign—you're simply not qualified for the position.
I suspect some online complaints about licensing costs and feigned poverty are not about the cost itself but about procurement departments.
3. Procurement Department Grievances
One of the biggest reasons open-source technology spreads so quickly and generates such immense value is that, without licensing, anyone can adopt, use, modify, and redistribute reviewed open-source software without considering departmental budgets.
But once maintainers start charging fees as compensation for their expertise and experience, developers have to deal with procurement departments to get approval to purchase these products.
The procurement approval mechanism exists to scrutinize the "risk" of every vendor in the supply chain. Usually, procurement agencies don't produce anything meaningful—they only make transactions more expensive and difficult. Software developers hate being caught up in this process.
I'm not particularly sad about this predicament for .NET developers. After all, it's mostly their own fault.
4. The Free Lunch Is Over
While you can always use open-source projects for free, once they decide to charge, you're at their mercy.
In the case of IdentityServer, I think the paid terms for the new version are already quite generous: support for IdentityServer open-source software will continue until November 2022!
In other projects, maintainers might completely abandon them, leaving users to fend for themselves.
Open-source software is becoming increasingly popular in the .NET ecosystem, and this trend will only accelerate over time. Therefore, sustainability issues in .NET will become more common. A few years ago, Microsoft tried to shoulder all costs and provide free libraries, only to leave the .NET ecosystem in chaos. We can't repeat that mistake.
The free lunch is over. Wake up.
When you choose various packages and technologies to maintain and build .NET applications, you should be mentally prepared to pay. This is the only way to avoid future surprises and supply chain shocks: factor in the cost now.
You should develop the habit of contributing value upstream to your dependencies—by contributing to projects you use directly, donating, or better yet, purchasing value-added products and services from maintainers. Alternatively, you can help promote their projects through blog posts, videos, and courses. If you use a product in your business software, you should give back in some way. However, most users haven't done so.
Establishing a good cycle of exchange value with open-source projects is the inevitable result of the "open-source sustainability crisis," and everyone can benefit from it. So start now: contribute to open-source projects, because their continued development ultimately affects your own interests.
Original author: Aaron Stannard
Original title: .NET Open Source: What Happens When the Free Lunch Ends?
Original link: https://aaronstannard.com/dotnetoss-free-lunch-ends/
Translator: Wanyue Editor: Ouyang Shuli Published by: CSDN (ID: CSDNnews)
Translated title: Has the Free Lunch for .NET Open Source Ended?
Translation link: https://www.sohu.com/a/472062543_115128