Limits of Corporation-Sponsored Open Source

Recently Google announced that they are limiting Chromium’s access to private APIs meant for consumption by the Chrome browser.

Chromium is the free and open source “upstream” project that Chrome overlays proprietary features on top of to create their final commercial product. It contains code for consuming private apis. However, Google never intended for any third party distribution of Chromium browsers to ship with the binary pre-authenticated to these APIs.

To be clear, end-users can always build their own version using their own api keys to enable these features. Anyone can acquire these keys from Google for free. Additionally third party distributions are not blocked from having an end user supply their self-obtained keys to use in their distribution. The big sin was baking a set of keys into the distribution.

As a result Google has announced they “are limiting access to our private Chrome APIs starting on March 15, 2021.” I assume this means that they have canceled the offending keys. Including commercial product integration in open source software is a common practice. It is always preferable to the alternative. That is, limiting such integrations to propriety software.

Overall, this incident and the incredulous, annoyed response from Google employees has generated bad optics for Google. It’s not their fault that people view their actions as taking away some rights that they are entitled to. It is remarkable how easily people conflate a free service with a positive right.

Private APIs cost money to maintain and providing them for free does not mean they have an obligation to keep doing so. They do it because it suits their business case. There is no mystery surrounding that fact. I think imposing these limits as a statement is a dick move, but that is just my opinion. They provide these APIs at their own pleasure.

It is worth noting that Google are remedying the “problem” through non-aggressive means. These limitations are implemented purely at their own gates, not from within the Chromium project itself. Most importantly, they are not seeking to brandish the sadistic justice hammer of intellectual property at the offenders. They are simply refusing to provide a service which no one can force them to provide.

Though Google is a massive government-protected corporation riddled with the endemic natural “evils” that comes with that obligation, their early decisions to make Chromium open-source has been mutually beneficial for themself and the public. They have yet to use their status to threaten the open source community as far as I know, or change the openness of the license in response to an entity taking full advantage of that license. But I say this doing exactly zero research.

In contrast, Elastic recently decided to nerf their OSI license for Elasticsearch and Kibana changing it to the Butt-hurt That Other Corporations are Actually Treating it as Free Software License (SSPL). This was in response to Amazon continuously offering managed Elasticsearch hosting without “collaborating” with Elastic.

The idea of open source licenses has always seemed to me a last resort method of using IP laws to keep things free from IP laws. The ‘legal’ aspects of requiring attribution, while vain, is intended to keep the intentions of freeness transparent. By keeping a lineage of contributions it is harder to erase those intentions and close off the code. It is ironic to use coercive measures to ensure freedoms because it is not fully free if you have limitations on how to use it. As a result, the intentions can be misunderstood. It seems that nothing is truly free as long as we rely on the law to qualify freedom.

While I find this sort of interpersonal pettiness at the corporate level funny, nevertheless it is a good thing to support your average uncompensated package maintainers. Maintaining these codebases is a thankless unprestigious job that most developer-consumers take for granted. I recommend reading this blog post by François Zaninotto about deciding to stop maintaining the popular PHP Faker package to get an idea of what they go through.