Why Open Source is growing in Russia

Against the backdrop of Western vendors of general-system and specialized software leaving Russia, the Open Source development segment began to actively develop in the market. According to the Institute for World Market Research (IIMR; surveyed more than 100 large Russian companies with and without state participation), the share of commercial code is Commercial Open Source Software; COSS) in Russian companies in 2023 reached 12%, while a year earlier the figure was 4%. Kommersant figured out what the pros and cons of open source development are, as well as what benefits a business can get from using such developments.

What are the specifics of Open Source?

Open Source is software that is provided to the end user with open source code under a free license. This means that a specific program can be modified to suit your needs, purchased and made available for free access, and this will not violate anyone’s copyright. Open Source solutions are essentially the product of a collective author – developers from all over the world work on programs. “Open Source is developing because the development of serious products requires enormous resources, so some kind of cooperation is needed, including between competing developers,” explains Alexey Smirnov, Chairman of the Board of Directors of Basalt SPO (developer of ALT Linux and Simply Linux OS ).

The most famous example of Open Source is the Linux operating system, which was created in response to the virtual monopoly of Microsoft products by Finnish programmer Linus Torvalds. Thanks to him, a computer based on a modern operating system (OS) became available to everyone, because Torvalds posted the source code of his OS on the Internet.

The TCP/IP protocol, on which the Internet operates, was also created on the basis of free source code, although money from the US budget was spent on its creation. The most popular CMS in Russia, WordPress, on which most websites are made, is also written in free code. The Android mobile OS used in most smartphones is based on open source code. This allows almost every smartphone manufacturer to create their own version of the system – MIUI, Color OS, Oxygen OS, Lineage OS, Yandex.Kit and others. Even Microsoft Windows has functionality implemented using open source code.

Thus, today Open Source is not limited to just the OS: the segment includes special software, engineering software, DBMS and much more. These solutions are distributed under different licenses, the most famous being GNU/Linux.

Pros of Open Source:

• free distribution;
• cross-platform (most programs are released for all types of Linux, macOS and Windows);
• frequent updates (more often than proprietary software);
• developers use their products themselves and promptly fix errors if they appear;
• the developer community is large and open, most often the end user will be helped with solving current problems on thematic forums;
• Most solutions are created for Linux, switching to which significantly reduces the risk of viruses infecting the company’s computers or servers.

How is Open Source useful for business?

Firstly, it is cheaper: you can buy computers and laptops without pre-installed Windows OS and install any Linux on them. Secondly, the OS already comes pre-installed with the most common programs: the Mozilla Firefox browser, the LibreOffice office suite (or OpenOffice), video and audio players, the GIMP image editor (analogous to Adobe Photoshop) and many others. Thirdly, during installation in most cases you won’t have to look for drivers for the hardware: everything works out of the box. Finally, fourthly, Linux is designed in such a way that it is impossible to accidentally launch any virus in it: installing any program requires an administrator password, which does not necessarily need to be shared with every employee.

Russian developers make up a fairly large percentage in the Open Source environment, some of whom take part in the development of the Linux kernel, among them – Basalt SPO (developers of ALT Linux and Simply Linux OS, members of The Linux Foundation), Arenadata (development and support of control systems DBMS databases), Lacmus (neural network for searching for missing people, collaborates with LisaAlert), Postgres Pro (DBMS), etc.

Key risks

If we talk about risks, then most often we are talking about so-called backdoors, or bookmarks in the code that developers can leave. According to Angara Security, after February 24, 2022, cybersecurity specialists observe Protestware – the addition of malicious functionality to open source code that is activated only in Russian cyberspace. The company’s specialists discovered a property in the package, which improves the performance and functionality of JavaScript code: by determining the time zone in which it works, the package displayed political slogans on the screen. In addition, a Log4Shell vulnerability was discovered in one of the free libraries back in 2021, which allows you to connect to a user’s computer and transfer confidential information (personal data, passwords, etc.); this is unsafe in client fintech, banking and e- commerce applications. Finally, there are also supply chain attacks, where the backdoor can be obtained with an update: Angara Security claims that the practice of supply chain attacks is only increasing. Thus, in 2022, the number of hacking incidents through contractors was about 20%; in the first half of 2023, this tactic was already recorded in 30% of cases (more recent data is not yet available). Attempts to introduce vulnerabilities into the code by external developers are confirmed by Arenadata co-founder and CTO Alexander Ermakov: “Such malicious actions were carried out quite actively in 2022, and gradually they became fewer.”

Profiscope’s CodeScoring solution detected about 200 open source dependencies in “server” projects (Java, Python, C#, etc.). This means that when installing an important package or update, you will have to analyze all its dependencies, and this can be several levels of depth. “When developing a project, IT specialists use an open source code component (for example, from GitHub; a trusted repository for developers from all over the world.— “Kommersant”) from some available library, for example password checking. And this library uses another library, which is not directly used in the project, but is downloaded automatically because the first component depends on it. Therefore, it is important for developers to understand not only which open source code library is used in the project, but also the libraries of the second and third dependency levels,” explains Ilya Polyakov, head of the code analysis department at Angara Security. You need to understand which libraries the required component depends on and check whether there are vulnerabilities in the entire chain, he says.

The second frequently discussed risk is the possibility of Russian developers being disconnected from the international Open Source community. There is such a risk, but it can happen rather on our side, says Alexey Smirnov. Alexander Ermakov is convinced that, in a technical sense, it is impossible to cut off Russians from international repositories: “As long as there is the Internet, it will not be difficult to obtain the code. But politically it is possible, for example, within a community or project, to change the license, prohibiting, for example, use in Russia. Or by banning commercial use.” The second option, according to Mr. Ermakov, is to close the community for the developer: everyone can be identified and everyone can be denied access. But so far this is not the case, although the expert does not completely exclude such a risk.

The future of Open Source in the Russian Federation and the world

Open Source is already developing so actively that it is overtaking proprietary software. According to DB Rankings, in the world the share of Open Source licenses in 2023 has already exceeded the share of closed software licenses and will continue to grow. In Russia, with the departure of Western vendors, there is virtually no alternative to Open Source. At the same time, it is extremely difficult to assess the real financial potential: there is no unified calculation system, no common base.

According to the IMMR, the volume of the global Open Source software market in 2022 amounted to $25–28 billion (there are no separate data for the Russian Federation, but there is a forecast of a doubling of the volume by 2027). Speaking separately about the OS, there is data from developers on the number of licenses sold: according to Basalt SPO, for example, in 2023, a total of 1.5 million licenses were sold on the market as a whole. However, the company does not specify how many of them were installed.

The Center for Strategic Research Foundation conducted research on the cybersecurity market in 2022–2023, which showed the gradual dominance of Russian software products in the DBMS market (in 2022, the share of domestic software was 66%, in 2023 it grew by another 15–18%) . However, analysts do not give estimates in monetary terms.

ANO TsKIT annually monitors software purchases. According to their data for 2022, Russian operating systems were purchased for 464.21 million rubles. But this is generalized data on purchases within the framework of Federal Laws No. 223-FZ and No. 44-FZ, everything else was not taken into account. Also, the costs of technical support and services for adaptation and modification of software were not taken into account. The leader in procurement was domestic software for automating business processes – it was purchased in 2022 for 6.9 billion rubles. Total expenses on domestic software based on Open Source for 2022, according to ANO TsKIT, amounted to 102.5 billion rubles. The monitoring results for last year have not been published.

Khoren Grigoryan