DEV Community

Mustafa ERBAY
Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

Open Source, Yet Centralized

#sistemmimarisi #software

When "open source" is mentioned, most of us think of freedom, transparency, and a structure that evolves with the community. Yet, time and again in my career, I've seen that even if the code is open, the control mechanism can remain in the hands of a single center. This reality deeply affects our software architecture decisions and carries unexpected risks in the long run.

Last month, while working on the shipping module of a manufacturing ERP, I encountered a critical open-source library used by the system suddenly releasing an incompatible update. At that moment, I once again realized how misleading the centralized control behind open-source projects can be.

Open Code, Closed Control: An Illusion?

This library was a core component for supply chain integration. The code was on GitHub, there were contributors, everything seemed transparent. But one day, the main developer of the library removed an old API without any warning, causing a serious outage in our production environment.

This situation clearly demonstrated that despite the presence of a community, the ultimate authority rested with a single person or company. As a solution, we had to fork that critical function ourselves and integrate it into our internal system. This taught me that "open source" isn't just about the visibility of the code, but also about how distributed the decision-making processes and governance truly are.

Unexpected Dependencies and Hidden Risks

I encountered a similar situation in a module I developed for a bank's internal platform. A popular open-source JWT library used in the security layer introduced an unexpected breaking change. This change led to hours of debugging and deployment processes on our end. I specifically remember one night at 03:14 when a WAL rotation alarm went off, and the team worked until morning because of such a library update. The new version, which didn't support old token schemes, had halted all API communication in the system.

Such situations remind us that we should look not at the project's license, but at the real power dynamics behind it. Sudden decisions by a single center can mean sleepless nights for those of us working on the operations side. Since then, when deciding to use an open-source project, I pay attention not only to its code but also to the number of contributors, the dates of the last commits, the quality of issue management, and most importantly, who funds it. Even in the financial calculators of my own side product, I make sure to keep such dependencies to a minimum.

A Kernel Module Adventure and Security Implications

On the security front, the situation can become even more interesting. While investigating a vulnerability related to CVE-2026-31431 in a system, we had to blacklist the algif_aead kernel module. The open-source nature of this module didn't mean that its underlying security review process was always open. Sometimes, even in open-source projects, the discovery and patching of vulnerabilities can be at the mercy of a specific group. I've seen instances where such modules exhibited unexpected behavior during my auditd log reviews.

This situation pushed me to be more careful when managing my own servers or performing security hardening on a client project. I learned not to assume that a component would always be the most secure or stable just because its code is open. While developing the backend for my Android spam application, I tried to identify potential breaking points of every dependency in advance and consider alternatives with a similar approach.

True Community Projects and the Principle of Trust

So, are there truly distributed and community-driven open-source projects? Absolutely. PostgreSQL is one of the best examples. Its large and active community, contributions from various organizations, and more transparent and participatory decision-making processes increase my trust in it. The fact that a project doesn't depend on a single company's roadmap or an individual's whim is an important factor for me in minimizing operational risks.

My preference has always been to gravitate towards such projects. For example, when we experienced PostgreSQL performance regressions in a manufacturing company's ERP, it was much easier to find a solution thanks to the community's rich resources and extensive support network. While resolving a WAL bloat issue, the detailed discussions and shared best practices in community forums were invaluable. This is far more valuable than relying solely on a single company's documentation.

A Pragmatic Approach: Focus on Governance, Not Just Code

Twenty years of experience have shown me that the open-source world is a blessing, but it also comes with a cost. For me, what matters is not just whether a technology is "open," but also whether it is "distributed" and "truly community-driven." If all direction for a project is in the hands of a single company or individual, that is a potential risk factor for me. Once, when I misconfigured cgroup memory.high limits in a Kubernetes deployment and got OOM-killed, it took me hours to find the source of the error. Such operational errors can escalate when the support and governance mechanism behind the technology you use is not robust.

Therefore, in my system architecture decisions, especially for critical infrastructures, I evaluate not only the project's code but also its governance model, the number of active contributors, and its financial structure. Even the Docker Compose configurations I use for the backend of my side products are closely monitored for potential dependency breakages. Even when considering the economics of self-hosted runners, I take the cost of such dependencies into account.

ℹ️ Points to Consider

When evaluating an open-source project:

  • Who is the main funder of the project, and how does this affect the project's direction?
  • How transparent are the decision-making processes, and does the community have a say?
  • How many active contributors are there, and do they come from different organizations and geographies?
  • What is the project's chance of survival in case of a fork, and are alternatives available?
  • How active and fast is the project's issue/PR management process?

Conclusion: The Fine Line of Singular Control

Open-source technologies are an indispensable part of our lives. However, through my experiences, I've learned very well that being "open" doesn't always mean "decentralized" or "risk-free." Whether on a large Turkish e-commerce site or in my personal projects, when I overlooked this fine line, I usually paid the price with operational difficulties. When making Redis OOM eviction policy choices for the backend of one of my side products, I approached it with similar philosophies.

What are your thoughts on this? Have you ever experienced such centralized control issues in the open-source projects you use? What was your most critical open-source dependency, and how do you manage it? I'd love to hear your opinions.

Top comments (0)