Open Source 'vs.' the Cloud

From DevSummit
  • Folks feel like there's a choice: the cloud vs FOSS
  • What is "the cloud"?
    • Many folks use it to refer to anything that's hosted anywhere, but it's not, right? It implies something different.
    • There's a sense of software in the cloud, e.g. Salesforce & Salsa
    • "cloud" is a buzzword
    • cloud development is also a new field, ways to write code, send data up to providers who then put it on the web
  • It's important to unpack what the cloud means; it means different things for different people.
  • CRMs: Salesforce vs CiviCRM, which is not local, it's hosted, but you install it yourself, you configure it yourself. People think of it differently; Salesforce or Salsa is installed by someone else, maintained by someone else. CiviCRM is different; you need to think of different things.
  • The cloud wouldn't exist without open source software; the infrastructure would be too expensive to maintain with licensing fees to run on proprietary software.
  • Narrative around the internet: most of what runs the internet is open source, but the story has been commercialized so that it seems that everything good comes out of for-profit, commercial environments
  • For some people, "the cloud" means "I don't have to deal with that" -- it's managed for them. But it's an odd definition.
  • One person thinks of managed web hosting as a cloud service; some sort of extra service implied, someone is providing more of a service, taking care of more of the problems, maintenance, updates
  • Pantheon: a Drupal cloud development platform. You push a button, they install Drupal with a git repository; you do your development locally, push your changes up, you can set up development, testing, and live environments; updates are all done through git. It's slick, but it does have some real limitations. It's designed for developers. There are a number of other cloud development platforms, like Heroku (Ruby on Rails). The benefit is no server administration.
  • Pockets of the WordPress community are moving that way, more managed hosting where they take care of your updates for you, etc. Different degrees of limitation with the various options.
  • Definition of cloud might be a) it's not local and b) someone else sets it up/installs/maintains it for you.
  • The cloud vs FOSS
    • Some say that the cloud is more proprietary than other paradigms; you're limited in what you can look at, see, touch. A way to keep things even more closed.
    • Lots of venture capitalist types say that going to the cloud is a way to preserve their intellectual property more, since it's so locked down.
    • The cloud exploits the web services loophole of the GPL; you can take all of this amazing open source development, compile it into a service, and never have to give it back.
    • Questions about whether the GPL3 addresses that loophole, or tried to address it.
    • GPL: GNU General Public License, an open source license that requires you to share software in the same way it was shared with you, i.e. if you take GPL licensed software and modify it, you need to share it under the same license (GPL). GPL is the most strict open source license.
    • Apache license has a LOT of leeway for getting stuff out on the web.
    • Affero GPL closes the web services loophole.
    • The loophole: if you take GPL licensed code and modify it, you don't have to share your modifications under the GPL unless it's distributed. The problem is that hosting the code via the web/web services does not count as distribution, so you don't need to share the code modifications you're hosting.
    • Some cloud providers do a lot of giving back, e.g. Pantheon and Heroku.
    • Cloud has many benefits, but what are people giving up for those conveniences?
    • Privacy and data issues: using a cloud-hosted service vs something you install and host yourself, what are the tradeoffs? Certain organizations may need to think about this.
    • Unless a company has a philosophical approach to it, it's always in a company's best interest to give something up to the FBI rather than withhold it. There's no incentive to say no to the FBI, because it costs them money. Private companies can be sued by shareholders for spending money on that.
  • There are folks who think about this, e.g. May First/People Link, Electric Embers
  • May First/People Link has hosted Drupal where you can install Drupal with one click from the control panel and they maintain the core software updates, but you still have command line access and aren't locked out of the system. They're trying to offer other open source software that way. Gives you the ease of installation and maintenance (to a certain degree) with a provider that's trusted and without being entirely locked out of the guts of the system.
  • A reproductive rights organization had to make decisions about where their data was hosted; wasn't immediately at the top of their radar, but they realized they had some potentially sensitive information in their database and had to consider where that should be hosted.
  • What is the test for whether your data is at risk?
    • Cynical answers: there are two types of data: private and digital. Even if it's encrypted, it's at risk (though less risk).
    • If you have a client, and they're trying to make decisions about their data, how do you analyze their risk?
    • Undocumented immigration, drug policy, reproductive rights, anti-nuke orgs; organizations trying to make active change in areas that are in some ways contested
    • Risk assessments involve understanding who you have data on, who might want to get that data, and what would happen if those people got that data
  • Is there more risk in the cloud or not?
    • Even MF/PL had a server seized by the FBI.
    • If you have something local and don't secure it very well, it's just as risky as having it in the cloud.
    • It depends on the cloud service, e.g. some cloud data storage services let you have control over your own encryption key, so only you have access to it at any time.
  • Where do people put their data?
    • PassPack - encrypted web-based password manager, recommended
    • SpiderOak: "zero-knowledge encryption" for data storage
    • BackBlaze -- online backups
    • networked shared drive, accessible via the internet; kind of like a private cloud, but it's still a single device & single point of failure
  • There's an intersection between data privacy & disaster recovery; disaster recovery can be more devastating than unauthorized access to data
  • What do people think about Gmail?
    • major issue: organizations should have their own domain name so they can switch away from Gmail if they need to
    • two-factor authentication on Google is pretty solid and not available
    • It's really hard to get people to not use Google Apps!
    • Gmail's machines are doing some analysis of your email no matter what; you don't know what's in the profile that's being created for you
  • There's OpenSaaS out there (Drupal Gardens, WordPress.com, hosted CiviCRM) -- provides cloud ease of startup, but it's relatively easy to switch to your own self-hosted installation of those services if you need to.
  • Important to have an exit path before starting use of any service