A slim market for certified open source?

Companies such as Red Hat, SourceLabs, and SpikeSource offer fully validated open source software stacks, but are customers buying?

How certain are you that the systems you've built using open source software will work as advertised? Given the complexity of your average server environment, there's no easy answer. Even the so-called LAMP (Linux, Apache, MySQL, and Perl/PHP/Python) stack is just a starting point. A Web application server built on LAMP is likely to touch many other components and applications, ranging from automated shell scripts and file-manipulation software all the way up to mail servers and LDAP directories.

"In 2005 alone, there were 490 combinations of PHP, Apache, and MySQL that were released," SpikeSource CEO Kim Polese told me in a recent interview. "And then if you add 21 releases of OpenLDAP, you get over 10,000 combinations just for that one subset of the stack. And if you multiply that by Linux kernel versions and updates and distributions, and then add patches on top of that, it becomes a very complex problem."

Conventional wisdom says that where there's a problem, there's a dollar to be made, and this problem is no different. SpikeSource offers prepackaged stacks of open source application components that have been rigorously tested and certified for interoperability. Anyone can download them for free. If you pay for a subscription to the company's Spike Net service, however, you also get regular software patches and updates, all likewise tested and validated. In addition, SpikeSource offers single-source technical support for all of the applications in its certified stacks.

"It's similar to a Norton-style model," said Polese, referring to the popular line of security products from Symantec that offer regular updates by subscription.

SpikeSource isn't alone. In fact, subscription-based patch management for Linux and open source applications seems to be a growing market. The most established player is SourceLabs, founded in September 2004. And, more recently, top Linux vendor Red Hat announced that it would be getting into the game by offering certified open source application stacks of its own.

To me, this sounds like a great idea. What better way to ensure upper management buy-in on Linux and open source in the enterprise than to have a consistent source for up-to-the-minute, tested, and validated software?

In fact, in thinking about it, I was a little bit surprised that it had taken Red Hat this long to get into this market. After all, Red Hat's business model is to offer its customers paid subscription services with regard to software they can otherwise get for free. What are customers really paying for if not some sort of guarantee that the software will actually work?

And yet, when I spoke to IT managers about the issue, I was surprised yet again. It seems that many of them aren't particularly concerned. One CTO who met with InfoWorld editors recently summed up his thoughts about companies such as SourceLabs and SpikeSource this way: "Best of luck to them." In short, he had no intention of paying for such a service.

Can it be? Open source companies would have you believe that open source software is just like any other software, with the added benefit of community support and access to source code. But anecdotal evidence suggests that this isn't the case -- that, ultimately, the real reason for choosing open source still boils down to cost, nine times out of 10. In other words, if customers wanted to pay, they'd have gone with BEA in the first place.

SpikeSource's Polese wouldn't disclose the number of customers her company had when InfoWorld spoke to her in January. So I'll put the question to you. With multiple sources of validated open source software stacks now on the market, is your company buying? And if not, why not?

Copyright © 2006 IDG Communications, Inc.
