Spotify is no exception. After two years as an open source project, the music-streaming behemoth has open sourced a number of its projects, including Backstage, which was recently accepted as an incubating project at the Cloud Native Computing Foundation (CNCF). In addition, the corporation recently joined the Open Source Security Foundation, established an open source program office, and is now developing a fund to promote independent open source projects.
In other words, Spotify is stepping up its open source initiatives. There are a variety of motivations for a corporation to open source its internal technology or contribute to those maintained by other organisations or individuals. For starters, it can be used to engage the larger software development community and as a recruiting tool. A firm may also give resources to community-driven projects when it is a crucial component of the critical infrastructure, such as to help strengthen security.
Backstage, on the other hand, focuses on creating customised “developer portals,” which bring together a company’s disparate tooling, services, apps, data, and documents into a single interface through which developers can access their cloud providers’ consoles, troubleshoot Kubernetes, and find all the documentation they require in their day-to-day work.
Backstage is utilised by dozens of firms now, including Netflix, American Airlines, IKEA, Splunk, HP, Expedia, and Peleton, in industries such as retail, gaming, banking, and transportation. But, at the end of the day, what benefit does Spotify gain from open sourcing Backstage? For starters, because to the project’s community-driven structure, it obtains a better version of Backstage for itself.
Furthermore, the fact that Backstage is being adopted by some of the world’s largest corporations benefits Spotify indirectly by ensuring that its own offering is among the de facto “developer portal” tools.
Spotify has joined a long list of organisations in establishing a dedicated open source program office (OSPO), which is supposed to bring formality and order to all of their open source initiatives, connect OSS project goals with key business objectives, manage licence and compliance issues, and more.
For the better part of a decade, Spotify has had an OSPO of sorts, but it was more of an informal group of employees who had other full-time jobs at the firm. Moving forward, the company has hired Per Ploug as a full-time OSPO lead and is actively recruiting for more positions.
Because open source software overlaps with everyone from engineering and security to legal, HR, and beyond, Spotify’s OSPO is housed under the company’s “platform strategy” unit. However, it will eventually span several teams and departments.
Security is a key component of any OSPO, as it ensures that any open source component in the company’s tech stack is secure, up-to-date with the newest version, and compatible with the open source license’s conditions. Spotify’s recent membership in the Open Source Security Foundation (OpenSSF), a pan-industry initiative founded by the Linux Foundation over two years ago to strengthen the software supply chain, is perhaps timely.
Spotify is in good company, with existing members such as Google, Microsoft, and JPMorgan Chase, and its decision to join came after the serious Log4j security flaw was discovered late last year. The OpenSSF also emphasises how open source has become the de facto model for cross-company collaboration – everyone benefits from more secure software, so it’s only natural if everyone pitches in.
