Linkerd paywall prompts online debate, CNCF TOC review

Linkerd's decision to charge for access to stable builds of its service mesh code sparks objections and debate about open source governance, along with an official CNCF response.

A change in the distribution of Linkerd's code this week sparked debate in the tech industry and prompted the CNCF to open a health check on the project.

The maintainers of Linkerd, a service mesh project, said this week that companies with more than 50 employees running it in production will have to pay its commercial support vendor, Buoyant, $2,000 per cluster to access stable releases of its code. This additional funding is necessary to maintain the project long-term, according to the maintainers. In response, the Cloud Native Computing Foundation Technical Oversight Committee (TOC) will subject Linkerd to a health check process, initiated via a newly opened issue on the foundation's GitHub page.

The decision by Linkerd doesn't technically run afoul of CNCF's graduation criteria, according to CNCF CTO Chris Aniszczyk.

"Most open source projects, and even ones that live in foundations ... don't require builds be provided," Aniszczyk wrote in an email to TechTarget Editorial. He made a similar statement in a public post on X, formerly known as Twitter, and cited a blog post on the topic by Matt Farina, a distinguished engineer at SUSE and a former member of the CNCF TOC.

"We do have projects that sometimes become unhealthy over time," Aniszczyk added. The CNCF TOC recently archived three projects after a health check review process: an incubation-stage project called OpenEBS, a sandbox-stage project called Fonio and a project of unclear status called Brigade. Archived projects no longer receive CNCF marketing services, but will continue to be hosted by the Linux Foundation.

"The CNCF TOC is looking at potentially increasing the graduation requirements of projects to make the requirements more clear on what is expected of projects when it comes to builds," Aniszczyk wrote. "Right now, a lot of that comes from [the Open Source Security Foundation] OpenSSF Best Practices program, which we require CNCF projects to adhere to."

One Linkerd user also posted on X that the health check process usually seems to result in archival, which would prompt him to rethink his use of the project.

"If [Linkerd] is moved to archive, we will have to migrate to [Istio] as [the] CNCF umbrella ... is part of our acceptance requirements and I have to be ready," wrote Jorge Turrado, SRE expert at SCRM, a big data subsidiary of Lidl International, headquartered in Barcelona, who emphasized in a separate message to TechTarget Editorial that he was not speaking for the company.

Aniszczyk replied that Turrado wasn't alone in this worry.

"I don't see that type of extreme reaction happening though overnight," Aniszczyk wrote. "A lot of projects take feedback well, make improvements etc."

Linkerd's leader indicated that he expects the health check process to have a positive outcome.

"The CNCF, Buoyant and the Linkerd maintainers have always been aligned around a common goal: ensuring the long-term stability of the project," wrote William Morgan, CEO of Buoyant, in an email to TechTarget Editorial. "We don't expect anything to change about that."

Debate about CNCF graduation criteria deepens

Unlike most of the other projects that have received health check reviews so far, Linkerd is a graduated project under the CNCF, which means it passed specific criteria to receive the foundation's approval as a mature project.

CNCF's graduation criteria state that a project must have committers from more than one company. Linkerd has had code committed by developers outside of Buoyant, the commercial vendor that now plans to charge for stable releases of the service mesh project's code, but all its maintainers -- developers with the authority to push committed code changes to the main branch on GitHub -- work for Buoyant. Buoyant developers also have by far the majority of all-time code commits to the project -- more than 40,000. The next highest number, listed by Devstats as "Independent," has 136, followed by 70 from the CNCF.

Those graduation criteria have been under revision by the CNCF TOC since last year, and among the items under consideration is a requirement that "projects have a healthy distribution of commit author company/organization diversity, targeting less than 40% contributions from a single company/org."

The TOC's graduation criteria discussion thread on GitHub hasn't been updated again in 2024, but Linkerd's move this week renewed calls for a broader discussion of CNCF graduation and governance requirements.

Among the most vocal respondents to Linkerd's plans on social media was Dan Lorenc, co-creator of the Sigstore open source software supply chain security project and CEO of Chainguard. Lorenc, among others, questioned whether a graduated CNCF project should be permitted to have all its maintainers from a single vendor.

The Linkerd change "could have been OK ... [if] discussed [and] debated in the open," Lorenc wrote in an X post.

"But because this project only has single vendor governance, all these steps were fast-forwarded," Lorenc added in a follow-up post, "which is sorta the point of the TOC typically requiring graduated projects to have multi-vendor governance."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached on X @PariseauTT.
