Rehost and Carry On, Redux

A key value of open source is the ability to switch to a different supplier if your first becomes unavailable or unattractive. Forgerock is apparently withdrawing that value, on which it relied itself for its inception.


After leaving Sun I was pleased that a group of former employees and partners chose to start a new company. Their idea was to pick up the Sun identity management software Oracle was abandoning and continue to sustain and evolve it. Open source made this possible.

We had made Sun’s identity management portfolio open source as part of our strategy to open new markets. Sun’s products were technically excellent and applicable to very large-scale problems, but were not differentiated in the market until we added the extra attraction of software freedom. The early signs were very good, with corporations globally seeking the freedoms other IDM vendors denied them. By the time Oracle acquired Sun, there were many new customers approaching full production with our products.

History showed that Oracle could be expected to silently abandon Sun’s IDM portfolio in favour of its existing products and strong-arm customers to migrate. Forgerock’s founders took the gamble that this would happen and disentangled themselves from any non-competes in good time for the acquisition to close. Sun’s practice was open development as well as open source licensing, so Forgerock maintained a mirror of the source trees ready for the inevitable day when they would disappear.

Sure enough, Oracle silently stepped back from the products, reassigned or laid off key staff and talked to customers about how the cost of support was rising but offering discounts on Oracle’s products as mitigation. With most of them in the final deployment stages of strategic investments, you can imagine how popular this news was. Oracle became Forgerock’s dream salesman.

With Oracle doing lead generation, Forgerock had little trouble finding customers for its new support deals on the products they were already deploying. The open source license meant they had all the rights necessary to just carry on as if nothing had happened. While they were initially nervous trading with such an unorthodox company, customers were reassured by the competence of the experts Forgerock hired and quickly became comfortable they were in safe hands. As I explained at the time (there is even a shirt) I felt this was a great demonstration of the business value of software freedom and as soon as my obligations were discharged I joined Forgerock as Chief Strategy Officer and a board director in 2010.

Towards the end of 2011 I increasingly came into conflict with other board members over open source issues, especially in the context of a funding round and the expectations of the VCs. I was forced out of the company at the end of the year, and it soon afterwards received significant VC investment followed by the inevitable executive changes. Since then I have mostly ignored them.

It was not too surprising recently when I heard about unrest among their customers and partners over a steady closing down of their formerly open development. It was confirmed when I heard about a project to fork Forgerock’s code. As that site documents, public trunk access was closed off in November 2016, the GitHub repos were rolled back to stable in December, losing 8 to 12 months of changes, Maven was closed for public use in March 2017, and in April the last vestiges of open development were erased with a static web page replacing the community site, JIRA write access removed and the public code versions rolled back even further.

It’s hard to read this any other way than a betrayal of the very freedoms Forgerock leveraged to bootstrap itself. They seem to be becoming OSINA (open source in name alone). Why would they do this? I’ve written to their PR contact to find out, but some possible explanations are:

  • they are preparing for exit (an IPO, or more likely an acquisition) and the VCs want to make sure buyers are immunised from the same strategy that allowed Forgerock to exist; or
  • an investor believes that the former strategy leaves money on the table and is using their board leverage to suppress the approach used by the founders; or
  • the founders never actually believed in software freedom and now they have a firm enough grip on their customers and partners they feel it’s time to snuff out the troublesome principle.

I don’t know which of those, if any, is true, but it’s clear that is both welcome among Forgerock’s customers and partners and a timely expression of the concerns many of them feel. Let’s hope Forgerock’s management wises up before it’s too late.

(This post was made possible by Patreon patrons. Please become one!)
