Open source licenses and large companies

Darn it, and here I just moved from Vagrant to Docker! :laughing:


Lol, just use OVF for your virtual machines and you will be fine…

Docker went all corporate with less than stellar support for enterprise.

Why pay the middleman when I am just mounting a dev machine for something only to later (sometimes seconds later) destroying that image.

Ends up being, really costly if you want to be license compliant.

Its great if its open source, its terrible if your an enterprise environment and you need to stay within a certain ROI to justify your department.

To my understanding Docker CE (Community Edition) is free for any sort of use, including commercial production servers. Am I off on that, or did you require features from the Enterprise version of Docker? I do know there are many monetized versions of Docker, but I was pretty sure anyone can install Docker CE on a Linux VM and go to town.

anyone can install docker on anything.
anyone can install virtual box, or vmware or hyper-v, kvm, citrix xen, open xen, so on and so forth and use an ovf.

In commercial space, yes, licensing compliance is a thing. The bigger the organization, the bigger the target the organization is for a software audit.

sure, smaller shops can eat their heart out with docker, but comerical space, who owns the IPO rights on community software.

The devil is in the details and which legality you operate in.

If your company provides the device, the materials and pays for said materials and device, and then for a nominal fee gets tracking data. So that say, you use that device, and material to bake a cake and eat it for non work related purposes, like side steping the business for starting your own bakery. If the company said, well you expense the materials, you can use our oven and then you baked and sold the cake, you depending on location, may actually stand a chance in court not to be sued to oblivion. This concept holds true with open source. Now if the same company provides everything, and has video footage of you baking the cake and selling the cake, its a whole other legal issue.

Its why not all products fall into the opensource model as easily as others. Each open source product or service is written differently and each offers its own legal challenges.

Example, Microsoft Visual Studio Community Edition. Its free, but if you read the fine print its for very small organizations making less than a million a year and even then it lacks some functionality. Now for a nominal fee, you get all the features plus once again you get full ownship and telemetry on the enterprise side, so even if your devs build a cake, you can force said cake to always be printed with “Made by Company X” if not on the surface, then on a hundred other places and the the cake will report every calorie being digested. Bad analogy but you get the idea. Telemetry is security.

1 Like

I guess I’m missing something. I understand what licensing compliance is-- but the Docker CE license (Apache 2.0) so far as I’m aware doesn’t have any restrictions. I know Docker Desktop specifically has fine print that applies to large companies, but not the Docker engine itself.

So analogies side, can you show me where in the Docker CE licensing, a company of any size would be non-compliant to use for commercial production servers? I’m totally open to the idea I’m incorrect, but I’ve just never heard of that. Are you being compliant with the actual letter of the Docker license, or just the general notion that maybe somewhere it doesn’t allow you to use it?

Now perhaps you’re part of a company with over 250 employees or more than $10 million in annual revenue and while you can run the Docker engine in production for free, you don’t; want to pay for your developers to use Docker Desktop for local development. Or perhaps your company wanted to use a hosted Kubernetes environment on Azure or AWS that is a paid product that configures and runs Docker for you. Those would be a legitimate situation, but if they are your case, I wanted to be clear on where your cost was coming from. Otherwise, saying things like “Linux is costly because I don’t want to pay for REHL” is a little misleading.

I am part of an enterprise company, so even open source offerings are combed through with a fine tooth comb nit picking every little thing.

Sure, I personally can use docker desktop, Microsoft Community Edition Visual Studio, and a bevy of other free or opensource products under my own guise and nobody else has to answer for that.

However, during “working” hours, on company resources (time, equipment, ectra) I can not just do what I want. We are a fortune X company with thousands of employees.

So even if I wanted to install just 1 instance of 1 software, such as Docker Its not just me tossing docker on my machine and calling it a day.

Even though I could, the normal path would be to go through a complete workflow, list its usefulness, evaluate its security threat, allocate a budget to it, roll it into a budget or make a proposal and get approval for a one off. Even if its just a 1 off, it still ties up at least half a dozen people (in my organization) as lets say I just expense it. Now I have to put it on a separate security container, so that’s an added cost, then I will want to get reimbursed, so that is the cost to myself, then the finance team who has to put through the expense report, then the security audit that comes down the line is yet another cost, and then have someone take the license in what ever format it comes in, read it, send it to legal, get it “recorded” as an asset. All of that for a “free” software for a normal non commercial or non enterprise user.

Now lets say I want to actually use the software, well I have my choice of open source OS or the company image. Either way I have to bug someone to do something with any of it. Either I have to allocate server resources, or allocate laptop resources to it.

Now lets take it a step further.

Lets say I decide to do just that, why not, I can authorize and break any rule I set forth, after all agile management in the face of a pandemic. So I build something cool on my laptop using opensource Docker Desktop, with a custom image.
What does that custom image contain, well maybe is nothing more than a wordpress site listing off my favorite restaurants or maybe its closer to what I do and it contains a blend of commercial software, and custom code. What happens if We are audited? What happens if the laptop is stolen? What happens if I decide to pull the latest image and start my own rival company? Or what happens if my container is hacked and someone else using my credentials gains access to processes and services they shouldn’t have access to but its all under my account? Boy, that extra few bucks for tracking sure looks better now…
What if it just crashes a few hours before I need it for something important? Sure I can go ask the internet, but if I had a support contract I can say, where here is the support ticket XYZ.

The point its, Enterprise companies all have gone through all of this and in the end, saving a few dollars upfront NEVER works out unless you make a commitment to fully support it. Fully supporting it is allocation of resources, be it money, time, personal (which again, is a nice way of all saying profit loss or operational cost)

So when it comes to FreeBSD vs Linux vs Os2Warp vs Windows Vista (hah) or whatever, on the surface for the individual IDC.

On the hard most bang for my buck and if it was my baby, I want to WIN. If its pure processing power vs performance and does not require microsoft windows, Go with what works for you. I tell new NIX users to go with what they feel comfortable with, but if they want to not screw with things, OpenSuse, Suse or Debian all upgrade without issue. If you need or want hand holding, please, spend the money on Redhat, as their commitment to hand holding is lackluster but they at least will email you a long document to make your compliance officer happy.

Again, though back to winning. if you want the fastest, more secure installation you can create without spending a fortune, FreeBSD hands down. Learning curve is a bit much but hands down its old, its stable and its used by every streaming service or proxy saas company.

At the enterprise level, its not about $$ its about what works. At some point even enterprise companies just cant throw money at problems as management will want result.

So on the small scale it might save a user a few bucks a year in terms of price to performance.
On the large scale you take those few bucks and leverage that over thousands if not tends of thousands of instances and you quickly see the benefit of it.

A better example would be Command box.

I submitted command box to be evaluated in the beginning of 2020, right before the pandemic hit the US.
On the surface, it does everything I want, it even works on a thumb drive which is awesome as I do not have to screw with security templates.

That all being said, it was flagged as a NO GO, not by me but the security team pointed out the status of some of the libraries in question. I was able to work with the security team to eliminate their concerns, this only took a year of back and forth.

Then one of the developers who was evaluating the tool lodged a complaint with HR about the tool making a religious contextual remark. Now, per our own internal policies, the tool would need to be refactored to clean up any offensive language in the source code or executable. This would require a full time developer to maintain, all of that for just a handful of developers. Yes, I know I could hire ortus or many others to clean it up, but in the end its an ongoing expense that becomes a political talking point that I want to avoid. That and it is far more cost effective just to allocate resources for dedicated servers running various versions to test against and continue down the old methodology of software development, even if some of the books we have on it are old enough to legally drink, buy a gun and or gamble.

The issue always comes down to minor details, be it legal issues that arise from software development to someone having a fit as their laptop only came in one color. Someone, somewhere will be offended and while personally, I say let them be offended, its not my departments place to become a legal liability for the organization.

Windy, long,absolutely.
You wanted it explained, I hope that helps you understand what a fortune x deals with. Everyone is offended, nobody really wants to do anything and I am the glue and whipping rod trying to herd the cats past the fields of catnip. :slight_smile:

1 Like

Ah, I understand what you’re saying. I’ve worked with large corporations and I know how long it can take to adopt a new software. I misunderstood your original statements to mean that Docker itself had an expensive license.

I realize you’re just reporting things other people said and did, but allow me to be the first to say this is petty and highly hypocritical of your company. If you’re not allowed to use any software by any developers who hold a religious or political stance, your developers may as well all go home because there is no software you can use, lol! It never ceases to amaze me how large companies have no qualms wading into pollical activism themselves, but only if it is on one side of the political isle.

Can you please send me a list of the “offensive” language your company claims they found? Firstly, religion is not “offensive”, but that aside, I’m not aware of any religious references anywhere in the actual CommandBox CF or Java source code nor am I aware of any situation in which a religious reference would even be visible to a user of the tool (Note, our readme doesn’t ship with the product). I call B.S. I would also assume your company has a policy against religious discrimination that they’ve forgotten about.

Again, I know you can’t speak for your company (and I’m speaking against them, not you), but I believe in standing up against this sort of behavior. I once worked for a company and my manager told me someone complained to HR because I wore a T-shirt from my church to work that had the word “God” on it… I challenged HR and asked to see the actual company policy and it turns out there was none. They were just bending to whomever seemed offended at the moment and making up fake rules on the spot. I wore the shirt many more times and they did nothing. Sometimes, you just need to have a backbone or you get pushed around. I would be very interested in seeing the actual wording of your company’s policy which they used as an excuse to not use CommandBox. I would be surprised if it actually applied.

I’m going to break this into its own thread since it’s quite off topic at this point :slight_smile:

1 Like

First off, the company in question is a multi-national company so all religious works are per the new cant say bad words group of weather related white frozen falling particles may be offended, and all religoius works, unless of course its Islam, then islam magically gets a pass.

I didnt bring it up until you asked, personally, BE OFFENSIVE. Its beyond mentally defunct to be offended by something, grow up, but that is the current state of the world. Nobody can handle not getting their way.

Could I change the int script so it just quotes random starwars quotes, yup… Will I, no its not my baby and I like it as is. At the end of the day all I can do is TRY to avoid the silliness and add my perspective as a “IT Guy” (parody on family guy…google it) on what some of the craziness happens at the global scale.

We are literally in the middle of a pandemic and people cant just be a TINY bit adult. Oh this will save me 7 figures over 3 years and help onboard faster, Yeah but its offensive to someone, somewhere who literally thinks its a big bag of chips and all that to marry their second cousin who is age 10. Yup, that is the enterprise space.

We can both agree, its crazy stupid, and bs.
We both know the whole “oh you cant find coldfusion developers” is a bold faced lie. Any junior developer in any language can be trained in Coldfusion.
We both know that coldfusion ultimately compiles into java bit code, which again can be captured and output so instead of source code you have java bit code.

Rant aside, if it seems off topic I apologia, as its not meant to offend you in any way, if anything keep up the good work and keep commandbox as is, even if on a technical level I question your choice of java engines :wink:

1 Like