Holistic sovereignty – sovereignty, open-source, and the data stack

November 29, 2023
Frank Karlitschek

In this episode, Vinay Joosery and Frank Karlitschek, CEO of Nextcloud, dive into the essence of digital sovereignty and the impact of cloud computing on data control. Frank shares insights from his extensive experience in open-source projects.

The conversation addresses the complexities of data sovereignty, touching on the legal tug-of-war between EU data protection laws and US jurisdiction. Frank provides a nuanced view on recent legal developments, including the invalidation of the Privacy Shield and the implications of new executive orders from the US government.

Vinay and Frank discuss the broader implications of digital sovereignty, emphasizing the importance of control over data and infrastructure. They explore the evolution of open-source from a niche concept to a cornerstone of digital autonomy, underscoring the need for true sovereignty in the era of cloud computing.

Key Insights

The Realities of Multi-Cloud Strategies

Multi-cloud approaches are a double-edged sword. Frank discusses that, while aiming to blend the benefits of various cloud services, users may inadvertently multiply their risks instead. This insight challenges the common perception that more providers equal better security and efficiency. Frank suggests a need for a nuanced understanding of cloud services, where the goal should be to optimize benefits while minimizing potential vulnerabilities.

Sovereignty in the Cloud Era

Vinay and Frank dive into the concept of digital sovereignty, particularly in the context of cloud computing. Frank emphasizes the importance of control over data and infrastructure. He reflects on the shift from local computing to cloud-based services, which has complicated the open-source model by placing user data in remote servers controlled by third parties. This shift has sparked a debate on true digital autonomy and the ability of individuals and organizations to maintain control in a cloud-dominated landscape.

The Evolution of Open-Source and its Role in Sovereignty

Frank traces the evolution of open-source from a niche interest to a critical element of digital sovereignty. He notes that while open-source was once a hard sell to politicians due to its nebulous definition, it has now become synonymous with control and autonomy in the digital space. The discussion highlights how open-source has become a key player in the fight for digital sovereignty, offering an alternative to proprietary software and enabling users to retain control over their digital environments.

Episode Highlights

The Ambiguity of Data Flows and Sovereignty [00:18:30]

Vinay Joosery discusses the fluctuating landscape of data sovereignty, highlighting the uncertainty businesses face due to changing regulations. He points out that despite investments in sovereign cloud infrastructure, there’s skepticism about whether solutions from hyperscalers like Google and AWS truly offer sovereignty or if it’s merely “sovereignty washing.” 

“I think the latter, it’s sovereignty washing…There are two big things that come to mind. The first is it doesn’t really solve the whole CLOUD act GDPR problem as I mentioned at the beginning; because, the legislation in the US doesn’t really care where the data is located. It only cares if it’s operated and controlled by a US entity.”

The Illusion of Control in Proprietary Cloud Services [00:40:01]

The discussion touches on the illusion of control within proprietary cloud services. Vinay questions the possibility of claiming sovereignty without an open-source data layer. Frank responds by emphasizing the importance of being able to move applications and data across different vendors, highlighting the limitations imposed by proprietary components.

“If you want to move them around, if you want to switch from one vendor to another… and there is a proprietary component in your application… then this would be a problem.”

The Challenge of Multi-Cloud and Vendor Lock-In [00:19:59]

Vinay and Frank discuss the challenges of multi-cloud strategies and vendor lock-in, particularly the financial and technical barriers to achieving true sovereignty. They critique the practices of market leaders, such as egress fees and committed usage discounts, which complicate the free movement between cloud services and undermine the concept of a sovereign cloud environment.

“Having a multi-cloud type infrastructure… customers are getting charged quite a bit of money… These things make it even harder to get to a state where we can say this is a sovereign type environment.”

Here’s the full transcript:

Vinay: Hello, and welcome to another episode of Sovereign DBaaS Decoded, brought to you by Severalnines. I’m Vinay Joosery, Co-founder and CEO of Severalnines. Our guest today is Frank Karlitschek, Founder and CEO of Nextcloud. Thanks for joining us today. 

Before we start, tell us a little bit about yourself and what you do. 

Frank: So first of all, thanks a lot for having me. It’s really great to be here on the show. That’s really, really an honor.

Yeah. What do I do? Good question. A lot of things. So, I’ve been doing all kinds of open-source things for 25 years for a long time.

Yes. I’m old. So, at the beginning, like, in the nineties, there were a lot of KDE. I was involved in the KDE open-source project, then a number of different other projects, from open desktop, open PC, open collaboration services, and other things. But nowadays, I’m probably most well known as founder and CEO of Nextcloud.

And Nextcloud is, for the ones of you who don’t know it, it’s a collaboration software. So it’s software that you can use to work together, between your friends and family, colleagues over the internet, with all the tools you need for that. 

For example, the file signature part to get your files between you and your colleagues on all the different devices, chat, video conferencing, mail, calendar, contacts, notes, project management, and so on. 

So very similar to Microsoft 365, Google Workspace, Slack, Zoom, and so on, with the difference that we are the only, real open-source alternative. So we are 100% open-source, and you can really run it and host it wherever you want.

So all the other companies I just mentioned are, of course, companies from the US. And if you don’t like that, then you can use Nextcloud to put on any infrastructure, and you have your own local collaboration suite. 

And this really works from, like, small instances. If you want to run it on a Raspberry Pi for your family, that’s fine. But there are also organizations who have millions of users, and this also works fine.

Vinay: Excellent. And actually, you know, true open-source, as you mentioned, real open-source. We’ll get into that because that’s, you know, that’s kind of been a bit of a hot potato. What is open-source and what is not right, and how companies are dealing with that. 

So, let’s talk a little bit first about the more recent changes in the broader sovereignty landscape, right? 

And you talked about, you know, hosters, you know, hyperscalers. And there have been sort of responses from the hyperscalers, right? And we talk about things like, you know, AWS sovereignty and how it handles GDPR. 

It’s a pretty complex question, right? Sovereignty. It’s about, you know, where is your data located? Who has control over it? It’s about, you know, do you have a sovereign stack that you can actually run yourself anywhere you want? 

Do you have control over that? Right? And you know, we are a database company, right? So, we talk a lot about databases. And, you know, sometimes we don’t talk enough about, a lot of the discussion typically is about, you know, legislation and things like that. But, there’s also databases, there’s licenses, there’s services, right?

So, starting off with data and GDPR data transfer from EU to the US right now. We know that the hyperscalers own the lion’s share of the EU cloud market and that puts a lot of EU data under U.S. jurisdiction really, right? And for the last 10 years we’ve been going back and forth. 

Whether it is okay or not. I mean, a quick recap. We had Safe Harbor Agreement which was canceled by Schrems 1 in 2015, Safe Harbor was replaced by Privacy Shield, and that was canceled by Schrems 2 in 2020. And basically at that point, it was basically saying that dataflows from EU to the US under the Privacy Shield is not okay. 

But then about a year ago, we had the Executive Order from Mr. Biden to address these concerns from Schrems 2, basically enhancing safeguards for United States Signals Intelligence activities. And a few months ago, almost like a letter from the post, we saw that there was an inadequacy decision for EU/US dataflows.

So, basically the EU is saying now that data transfers to the USA are not objectionable from a data protection perspective. So, Schrems Redux, right? 

So, what’s the issue here? I mean, we have a presidential order that can be reversed by the next president. But I mean, are we really addressing Europe as a continent? Are we really addressing the heart of the Schrems litigation? What’s your take on this?

Frank: This is a big question. So maybe I can answer, like, specifically about the legal situation and then maybe the second part answers your real question about the big picture. 

So, about the specifics, I mean, I’m not a lawyer, but, I talk with some lawyers, for example, also, we had the honor to have, like, Max Schrems as our keynote speaker at our conference, like, a few weeks ago. 

And, a lot of people think that the latest sort of solution agreement will go the same way as the first two because the fundamentals are the same. The thing is that there are laws in the US that make it clear that, like, secret services and law enforcement and other organizations in the US can access the data if they want to. 

And then there are laws in Europe which say, GDPR, that this is not okay. And this is just a fundamental conflict, and actually all other things that I’ve tried are just fundamentally weaker.

For example, an executive order from the president is a weaker tool than a law. So you cannot really overrule a law with that. Right? It’s just that this doesn’t work in democracy. It doesn’t work in the US.

And also some companies like Microsoft say, no, no problem. We just do special agreements. We just do a special contract between the two organizations. And the contract says your data is secure, but it’s not possible to do a private contract between two companies that overrules the law.

So, that’s fundamentally just not possible. And again, I’m not a lawyer, but from what Max Schrems and other people say that this is a fundamental problem that cannot really be solved. But to answer your real bigger question is a bit, so I find this very interesting because as I said at the beginning, I’m doing open-source  free software for a long, long time, for 25 years, and, I mean, it was always the idea of free software and open-source to give people control over their data. 

Of course, this whole philosophy came from a pre cloud era in a way. And it was just under the assumption that, “Hey, I have my computer, and my computer is on my desk or something or under my desk”, or it is, like, if it’s a it’s a mainframe, it’s in the basement somewhere, I don’t know, and I’m accessing this computer.

And if on this computer, it’s open-source running or free software running, then I can see the source code. I can see what’s happening. It basically means that I’m in full control of my IT. 

But, of course, at the time, we tried to do lobbying to politicians that, hey, open-source  is great, and open-source is great. But it was really hard for them to understand why something like open-source is really relevant because if you didn’t ask, okay, what is it? It’s software licenses, and software licenses are boring. So who wants to deal with software licenses? I don’t know. 

But in the meantime, a lot of things change. So first of all, the cloud came along, which means your computer is not really under your desk anymore. It’s run somewhere on the other side of the planet by another company. And you also don’t really know what’s happening, what’s running on the cloud. Maybe there you uploaded some open-source  software there, sure, but in part of the infrastructure there are also some non open-source  tools, and you don’t really know what’s going on there. That’s the first change. 

And the second change is then that people realize that it is actually important, because we have these espionage scandals and, like, influencing elections and all kinds of things, social media, and everybody understands that IT is very important for our society now, so people care.

And then this is when the new term, digital sovereignty, came along because open-source  somehow did not really work from a marketing perspective because its licenses are boring. But if you say, hey it’s not about licenses, it’s about sovereignty. Do you want to be sovereign? Do you want to be in control of everything?

And this is asking, like, a citizen or also asking a politician. That everyone, yeah, I want to be in control. I want to know what’s going on. And this is where this whole term of digital sovereignty came along. And I think it’s an interesting term.

It’s better to understand than open-source for a lot of people. But it’s, of course, like, there’s a lot of fighting going on because everybody wants to define sovereignty as they want. So as you mentioned briefly a little bit, they’re like hyper scalers who call the offering now sovereign. But the question is, of course, is it really sovereign? Because at the end, it’s just still the same cloud computing as proprietary software.

So sovereignty, of course, means being in control of everything. And, that’s a question. If you use AWS or Azure or something and it’s not suddenly sovereign because of some marketing, are you really in control or not? 

Vinay: Yeah, actually, that’s interesting that you said that open-source is really about control, right? Because open-source means many things. For some people, it means, “Hey, it’s free software, right? I get to use it. I don’t have to pay.” But this idea about control, actually, how did we lose it on the way?

Frank: Yeah. I think a big part is the cloud computing era, where it’s running somewhere else. And you see that you actually don’t want to dive into licenses too much, but you even see the problems in licenses themselves because the GPL is the poster child, open-source license, free software license, has had this loophole, right, that if the software is actually running somewhere else, then the GPL does not really work anymore.

This is why an alternative needed to be created to stop that loophole that, if you’re running, if you’re using a software, even if you don’t run it yourself, but if you use it, you should have the same rights. And this is a problem that doesn’t exist if it’s running on your computer on your desk. But if it runs over the internet, then it’s a different thing. And, yeah, it’s interesting that things are changing.

And our legal frameworks, our licenses, all our things need to adapt to it. I don’t want to, like, derail the discussion here, but we have the same situation at the moment with the AI and CI, these tools. We are also AI, because AI is only partly software. The other part is data. Then the whole software licenses are not really enough anymore.

It also needs to be, like, a readjustment of everything, again, to give you digital sovereignty. 

Vinay: And actually that’s, in a way we, you know, we lost control on the way so to speak. And, and sovereignty, as you mentioned it, it’s, it’s a way for people to kind or maybe better realize that, hey, we have control over our infrastructure. We have  control over our data, and, and that’s important. So, sovereignty has it mainly been driven, you would say, by, you know, let’s say privacy and legislation, you know, GDPR? 

Because, you know, when, when the cloud first came around, like, I don’t know, 15 years ago, when actually people started using it, you know, I mean, it was probably around a bit, a bit earlier, but, you know, it was never a question, you know, should I run my infrastructure there? 

It was just really, just you know, just, just, you know, let’s, let’s outsource all the work to this cloud provider. And, you know, like if we have databases, we don’t have to deal with the headache. We can just, you know, give it to somebody else.

Frank: So yeah. I like that you used the term outsourcing because this is what it really is. And, I mean, as a company, as a government, as a citizen, you cannot do everything yourself, right.

I mean, I don’t build my own car, I don’t build my own house, I’m not creating my own water or something. Right? So it’s totally normal to outsource things to other people. And in IT, it also makes sense to outsource things. But it’s important that some things are still there so that you actually know what you’re doing, who is delivering that to you.

If you, what are some safety standards or some privacy standards that are followed? Are there actually different suppliers, or is there only one in the market where there’s a monopoly and a vendor lock-in? And, yeah, it says “sovereignty”. 

And I think if you, I mean, it’s always bad to have compared this with other things. But in your electricity, I mean, there is sovereignty because they’re actually different options that you can get your electricity from and different kinds of, like, power plants. And so there is a choice. 

And there’s also some safety standards that electricity I get is, I don’t know, it’s not killing my devices or something here. Or that I can switch to a different supplier if the cost is too high, and so on and so on. So basically there’s some sovereignty there.

And I think we have to make sure that that’s the same for this outsourcing in IT, too. And it’s a bit of a problem because if you, I don’t know, give all your IT to AWS or something, then there is not really sovereignty, right, because you cannot move from AWS to another cloud provider because the IP, APIs are completely different. It’s just not possible. You need to reengineer everything if you want to do that.

And, also, the privacy GDPR requirements are not fulfilled as we just discussed. That’s the problem. As a citizen, I want to make sure that it is all, like, compliant and legal, and it’s not. That’s a problem. And, yeah, it’s just not transparent. It’s just not, it’s just not sovereign. 

Vinay: Well, the question is, you know, you mentioned electricity. I mean, the point is, if I change my electricity provider, I don’t have to change my fridge or my microwave, right? 

And also electricity, it is a regulated market, right? As it is, you know, mission critical infrastructure as we would call it, right? And I mean, the cloud is not there yet. It’s not really somehow, should it be, you know, sort of, should it be regulated, the same as we do with electricity or power plants or whatever it is?

Frank: I think it should. It should. It should for safety reasons. It should for, that there’s a free, like, free competition. There’s a market there and not just a handful of big players. Yeah, it should.

Vinay: In a way, you know, we talk about sovereign and, you know, sovereignty also because there’s been all this, you know, ambiguity right surrounding these data flows. You know, one year it’s not okay. You know, the next year is okay. Companies, those, especially those who are heavily invested in a hyperscaler, they will wait. 

They will not kind of like, you know, start changing things, right? We have had a guest on this podcast who is doing healthcare data. And actually they moved from, you know, AWS to most of, you know, made-in-Europe cloud, right? OpenStack based. 

But, you know, so some companies are doing it, but then looking at some statistics from Accenture, for example, I see 37 percent of European enterprises have already invested in Sovereign Cloud infrastructure, right?

44 percent they are planning to invest in the next two years, right? So…and, almost predictably, we see Google’s Cloud, you know, on Europe’s Terms Initiative, right? AWS, European Sovereign Cloud. And lately we see Microsoft, right? Cloud for Sovereignty. 

So all these new hyperscaler, you know, sovereignty infrastructure solutions, are they truly sovereign? Or is it just as we call it, you know, “sovereignty washing”?

Frank: I think the latter, it’s sovereign washing. There are two big things that come to mind. The first is it doesn’t really solve the whole Cloud Act GDPR problem, as I mentioned at the beginning, because the legislation in the US doesn’t really care where the data is located.

It only cares if it’s, like, operated and controlled by a US entity. And if, I mean, putting a data center, I’m assuming putting a data center in Europe might make sense from a latency perspective or something. It’s closer to the consumers, but it doesn’t make a difference from a legal perspective. So the Cloud act is still, like, active there. So this does not really solve it.

And again, the other aspect that I also just mentioned around, the open standards and the option to shift between vendors. That’s, of course, also not there. Right? All these vendors have strong vendor lock-ins. And so you cannot really shift between them.

So it also doesn’t provide sovereignty, from that perspective. 

Vinay: And, actually this is also one more thing, right? If we want to be sovereign, you know, maybe we want to promote more providers, more competition, free movement. 

And, I mean, looking at the, at the current, let’s say, practices, right. Of the, of the, you know, current market, like, you know. You know, the leaders, the  market leaders, you look at the egress fees, for example, I mean, having a multi-cloud type infrastructure where you’re actually constantly chatting between two clouds, which means even though there is peering and there’s no actual data going to the internet, maybe the data is actually going, you know, between one sub rack to another sub rack somewhere, right?

But, you know, customers are getting charged, right? Quite a bit of money, right? I mean, there’s the egress. And then, and then there’s also the fact that, you know,  nowadays we see more of those commit, committed usage discounts, right? So which means, you know, you, you commit for X number of years. I mean, these things make it even harder, right?

To get to a state where we can see this is, this is a sovereign type environment, right? 

Where we have some edge of control where we can actually move between players.

Frank: So, it’s very interesting that you mentioned multi clouds because that’s all the discussion I have with a lot of people here, also in the German government, for example. And it’s completely unclear what it means, multi cloud. So for some people, it means you can choose between different clouds.

And that’s good. But then the question is, can I choose only once and then I have the vendor lock-in? Or can I also switch between them while using it? This would be the real goal. Right?

Because choosing at the beginning is like actually I heard this at an event that I attended a while ago. They said, like, digital sovereignty means that you have the decision which contract to sign. 

That you basically that your mind is clear, you’re not using any drugs or something, then you’re in a clear mind, then you have this, then you have the Microsoft and the Google contract in front of you, and then you sign one or the other, and then you’re sovereign. 

But that’s, of course, not really true because it would require that you can also switch between them at any point. And that’s, of course, as I said, not possible.

The second thing with multi cloud is some people think that multi cloud means that instead of using one cloud provider, why not use lots of them? But then the real question is, am I combining the benefits, or do I combine the risks? 

Because, I mean, if I have a contract with AWS, Google Cloud, and Azure, just to name the three, and I’m using all the services from them, then I have three times the vendor lock-in, instead of one times the vendor lock-in. 

But what I would really want to have is no vendor lock-in. So in a lot of cases, multi cloud is actually worse than using picking one cloud because you suddenly have three vendors.

And if each of them increases the prices, you have to pay. You have no choice because you cannot really switch between them. There are some things, like, I don’t know, all these cloud providers that provide, like, compute instances, like virtual machines or some containerized environments. 

This is something where you maybe can switch between them or some S3 storage or something. But even in your area, with databases already getting a bit complicated, and then advanced services, like, I don’t know if your payment service or something.

There’s no standard. There’s no compatibility. It’s a complete proprietary APIs. So that’s really a problem.

Vinay: So, most of the talk is about, you know, infrastructure and regulations, but…coming back to databases or, you know, what actually, you know, sovereignty is, which is a function of control, right?

So let’s look at licensing. You know, we, you touched upon it briefly at the beginning. So, you know, open-source has been around for, you know, 20, 25 years. But then recently we’ve seen companies like MongoDB, Elastic and even recently, you know, sort of, you know, HashiCorp, right? Change the license midstream.

Which started off as open-source, but then they actually decided to remove certain rights, right?

For example, the ability to, you know, to provide, you know, the product as a managed service, right? So, you know, what are the obvious and not so obvious differences between, you know, these different open-source license schemes?

Frank: This is obviously one of the big discussions in the open-source community in the last few years. The problem is as you described that this product is open-source, software is open-source, everybody’s using it. 

And, like the big organizations, they come to you, probably with a service, support contracts or something like that because they want to have the, yeah, safety that if it’s mission critical that someone can help them if something breaks. And this is a successful business model in the open-source  world, like, for forever. And now we have to challenge that some cloud providers just then host the software themselves for our customers, and they’re providing them the support.

And they’re actually people who actually build the software. They no longer have a business model, and this is, of course, a challenge. And, yeah, as you mentioned, there are a number of organizations who changed their licenses now to some business source or the number of newly invented licenses, which basically say, hey, everybody can still use it, but the big service provider, like, big cloud provider not. Something like that with different variations. 

The problem is that this is no longer open-source. It’s no longer open-source software because it has its restriction, which is not part of the open-source definition. So this is, of course, a problem. I don’t know. I don’t have a good answer.

I understand the companies, the open-source companies, from one perspective that really want to protect themselves from these big tech organizations, taking away their business. 

On the other hand, all these companies that you mentioned, they’re already so big. They already have such a huge revenue customer base team size that you wonder if it’s really a problem. I mean, who is optimizing which revenue there is? 

I mean, from the perspective of Nextcloud, for example, we are fully open-source, and we don’t have any plans to add these kinds of restrictions. And, we are doing fine. We are growing nicely. We are fully profitable. We have happy users. We have a happy community.

We are doing fine. So at some point, as I said, I understand that these big companies have introduced these restrictions. On the other hand, I’m wondering if this is also mostly triggered by some venture capital funded organizations who really want to optimize their profit to 100%. 

So, I don’t have a good answer. All I’m saying is there are actually other real open-source  companies who are still doing fine, Nextcloud and many others.

Vinay: And actually, I mean, many of these, even these hyperscalers, a huge piece of the business is built on open-source itself, right? I mean, Google wouldn’t be here maybe if there wasn’t an open-source. I mean, they just build a massive infrastructure. And yeah.

But what does the proliferation of, you know, of alternative licenses mean for open-source, right? I mean, does it mean we’ll see more vendors using open-source as a way to market the software, get the initial traction, build a user base and then change their license midstream, right? Or does it mean it will maybe lead to more forks? 

Which means more fragmentation of user bases and maybe less dev resources for projects. Or would it be that, you know, companies now starting off, maybe they will say, “Hey, we won’t go open-source”.

We’ll, maybe we’ll start with, you know, you mentioned the business-source license, you know, the BSL, we have the SSPL, right, that, that MongoDB built. I mean, what’s your, what’s your thought there?

Frank: This is an interesting question, and it really depends on how it goes in the next few years, I think. I mean, I really don’t like this effect, these licenses, new licenses have on the open-source community because a lot of people might now think that it’s not possible to do an open-source company, which I think is totally not the case. So I’m a bit worried about the negative effects there. 

And I’m also a bit worried about what kind of conversations might happen in some board meetings or some meetings of some VC companies with young start ups. Some people might think that this is actually a great strategy. With startups super open, you basically become the dominant player.

And once you have it, you close down your product, and then you monetize it. I’m really worried that some VCs might think that this is a good strategy. 

Because I’m coming from a different perspective. Because as I said, I’ve been doing open-source for 25 years, and I didn’t start to do open-source because I thought it’s great to do a big company exit at some point.

This was never the plan. The plan was to do something that’s to build software that helps everybody. To, like, do something good, to work together with the community, to provide a tool that helps people to learn, to start it, to innovate, to protect the data, and so on from a more idealistic perspective.

And I’m, yeah, and a bit worried that this open-source might now look more like a business trick at the beginning to make your company big. 

Vinay: I mean, what is the effect on enterprises in a way? I mean, you know, looking from an enterprise point of view, you know, maybe you would like to use MongoDB, you know, you would, you would like to purchase MongoDB directly from a hyperscaler, right? Now you have to go to a specific service Atlas to get it as a service, right?

So, maybe perhaps before it was possible to, you know, to use the same software everywhere, right? But the license changes and then suddenly you can’t get that software everywhere you want, right? You can perhaps use it, you know, most of these, well, actually the business-source license it, I think you have to pay, right?

You only get two year old versions for free, right? So you don’t get to really use the latest software. I mean, from an enterprise point of view, you know, what effect do you see that having on them?

Frank: That’s, of course, a problem because on one hand, of course, it sounds nice that you have access to these old versions, but old versions are not the same as the new versions, obviously. So the feature set and APIs and things obviously changed, in the last 2 years.

So this is not the same. So as you said, this all leads to a big fragmentation. This just leads to a big fragmentation, everywhere. And in the past, if you want to build an application or something on top of Mongo or some other tool, you can be sure that you can always use it. And that it’s also always the same because everybody can just use the latest version, and that there are no unexpected costs cropping up at some point.

And all these other benefits and freedoms that people like when using open-source. And, yeah, now we’re moving to a world where it’s hugely fragmented.

So you don’t really know, you don’t really know what version it is, and features it has. Is the fork the same as the original and so on. So it just gets chaotic, which is not good for anybody.

Vinay: No, it’s certainly not good for the, you know, for the software itself. I mean, you know, it gets…the resources are more diluted. And you don’t get the same critical mass adoption kind of thing, right?

Because that’s typically what you need, right? You need a lot of adoption because that drives even more, more people using it.

There’s more requirements on the software and there’s, there’s more, you know, innovation. Looking at Postgres, for example, Postgres is an amazing story, right? Looking at how, you know, the last five, six years have been just pretty amazing in terms of what they’ve been able to deliver in that project.

So, looking at, you know, let’s say open-source software that you can actually run yourself. And then you have apparently the same version, right, which you can run through a hyperscaler, like, for example, take MySQL, you know, you can get MySQL, you know, MySQL 8 or whatever.

And then you can get it through, you know, Amazon, right? You know, AWS. So, one question is whether the software is not modified by the hyperscaler, right? Because can you just take whatever applications you’re running? You know, that was that version, you know, in the cloud and then say, “Okay, now I’m gonna run it.” You know, is it gonna run right? Because sometimes, even if the API is the same, the semantics might not be the same.

For example, you know, Google Cloud SQL. It’s the same API, but it’s a different engine behind. We don’t know what it is, right? So, you know, then, then, you know, the question is, is it a traditional Database as a Service running open-source database?

Is it open-source? Right? For example, as part of the service, you have a lot of automation to help run the full thing, right? But if you run it yourself, there is no automation. You had to do all that yourself. How do you see, you know, running services that actually say they are running vanilla open-source software?

Frank: Yeah. That’s exactly the problem you’re I think you already answered yourself. It’s and it’s, that’s, of course, a problem.

And as you said, like, the API, I mean, it’s great that some API might be stable. But in a lot of cases, semantics, the background is actually very important. 

Databases are a good example, because they thought that there is an API called SQL. And then you could say that, yeah, that just works with every database.

But the details are important. The details, especially if you develop a non-trivial application, then the details are actually important. I mean, how certain indexes behave or something like that is, you could say, well, it’s not my business, how it’s implemented.

But if you really have something more advanced, then it is actually important, and you need to know what’s happening there in the background. So that’s a problem.

As I said earlier, the AGPL tried to solve that problem in a way, but unfortunately only solved it half. Because it means that if you’re using a service like a MySQL, operated by a hyperscaler and the hyperscaler does some modifications in the code, and you were using the API over the Internet, then this also needs to be open-sourced.

And so basically, the AGPL, not a lot of the h g p l, unfortunately, but the AGPL basically half, like, solves it probably half. So if there are modifications of the software or the engine or something on the server, then it needs to be open-sourced. But what does it mean to be open-sourced?

It usually means that there is some download web page somewhere. You can download this tar file or something. But it doesn’t mean that this goes upstream. It doesn’t mean this goes into the real product.

Because if you’re then a database vendor, if you’re then MySQL, MariaDB, or someone, and then say, okay, “Oh, great. Google released some zip files with some changes.” Good for them, but it doesn’t mean that this will go into the main product because it might not be suitable for that. Or that that might be engineers or architects, which have different design decisions.

So the fragmentation is still there. Fragmentation is still there. This is unfortunately a problem. 

Vinay: Yeah, what’s your thought on, you know, software automation, right? I mean, it’s the same in a way with Nextcloud, right? So you have the software, anybody can build it. And then, and then you also have the service where you actually do the full automation, right? And there’s a lot of, there’s a lot of IP that goes into running the service. Should that be open-source?

Frank: I think so. I think so. I mean, it all boils down to what you really want to achieve. If you want to achieve sovereignty, which means you can actually decide to move from one cloud provider to another, or to on-prem, or to some other option you choose, then this should be possible. 

But if the whole tool chain around the software is so complicated that it cannot be easily – if it’s just a few lines of code or something simple, like a Docker image, which it usually never is, then fine. 

But if it’s really complicated, with some kind of secret sauce that prevents people from installing it on-prem or on another service provider, then you have vendor lock-in again, right? 

You can say, well, the source code is free, but actually running the software is so complicated that no one can do it. Then you have the same problem again. So, I think for complicated setups, it should also be open-source. 

Vinay: You know, in a way, we could say perhaps that Kubernetes sort of solves that issue because nowadays you have these types of, you know, for databases, you have operators that you can use to at least take care of the ops. 

Having said that, most of these operators are not full automation – they’re at least part of it, right? But at least you’re getting part of it, and then, yeah, you’ve got to do some work to complete the rest.

Frank: In reality, it’s often not so simple because we have Nextcloud, and we have lots of big customers, many of whom use Kubernetes. But that doesn’t mean at all that the environment is the same. I mean, it’s the details, and yeah, the devil is in the details.

Vinay: On a high level, it always sounds good. Kubernetes is being pushed as this level playing field for everybody, but I think even there, things might not work as we think they would.

Let me ask you this: Can you claim sovereignty if your data layer isn’t based on open-source databases? 

Frank: Again, going back to what you actually want to achieve – if you want to achieve sovereignty in a way that you can move your application, your infrastructure, your company, or your outsourced components, if you want to move them around, if you want to switch from one vendor to another, and there is a proprietary component in your application, the data layer, as you said, then you can move everything but not the super important 2 percent of the stack. Well, then this would be a problem.

Vinay: It comes back to control in a way because, you know, the issue of control is something that maybe the term sovereignty addresses. But I don’t know if those making the decisions really care about control, or if it’s just that, “Hey, we’re being told we need to be sovereign,” so they go and try to be sovereign. That’s the other question, because nowadays, many companies are driven by the bottom line – how much profit we’re making, how much costs we’re cutting. 

They might think, “Let’s get rid of our DBAs and put everything in Amazon,” but it doesn’t really work like that. Even if you run a managed service from a hyperscaler, you still need DBAs and DevOps people to look after the services. So, one thing is to say you outsource, but you don’t really outsource everything because you still need to have your own resources.

So, wrapping up here, data transfer frameworks are weak in a way. For example, with GDPR, if the U.S. is considered an approved third party, we’re not really addressing the core issue, right? We’re going to see another Schrems again soon. 

Frank: Yes, I think so. Moving from a complaining mode into a more optimistic mode for a second, I think what we really want in the future is for companies like yours, which provide awesome services and have a lot of knowledge, to be picked by customers – not the ones with strong vendor lock-in, who just run some standard service as everybody else could. But “We are AWS” – I’m sorry for hammering on AWS, but it’s like, “We are the big gorilla in the room, and we don’t let anyone out anymore.” This is why everybody’s using it, even if the service is not actually very good.

I would love to live in a world where excellence drives success, not monopoly size. 

Vinay: In a way, sovereign cloud from Amazon or Google is really just token gestures, putting lipstick on a pig because it doesn’t really address the core issue. To have control, you need workload portability, which is based on the entire stack. 

Looking at it from a solutions point of view, sovereignty is a product of control. So, what would you recommend enterprises do? 

One thing is to look at the legislation – what are we being told to do by the law? But this thing about control – how should enterprises actually think about that?

Frank: I think it’s important to make a really informed decision here, not just follow some marketing or do something just because everybody else is doing it. That’s not an informed decision. If you decide to outsource something – doesn’t matter what it is, your CRM, your database, or whatever – think about the consequences. 

Also, plan B, C, and D, so that you’re really sovereign, and you can actually later change your decision. I think this is something sovereignty means. Outsourcing to something where the product is structured in a way that you can move away from this cloud provider to a different one with very minimal or no changes to your business process or application – this is important. If you outsource to someone where you can never move away from ever again, I would advise against it. 

This is the case for, I don’t know, Microsoft 365 or Google Workspace, where there are not even APIs to move away from. And even if there were APIs, there’s no other way to import it because the applications are not standardized in a way that allows a one-to-one replacement.

There’s no way to move from Teams to Slack – you can’t just move your entire history over. I would be very critical of this. If it’s something like a more standardized layer, like a database, then this makes more sense, but really think about the consequences and always have a plan B and C at hand.

Vinay: Excellent. Well, with those final words, Frank, thank you so much for joining us. I really appreciate it. And thank you folks for joining us in this episode – see you for the next one.

Guest-at-a-Glance

Name: Frank Karlitschek
What he does: Frank is the Founder and CEO of Nextcloud.
Website: Nextcloud
Noteworthy: Frank is an Open-Source advocate with 25 years in providing innovative software solutions.
You can find Frank Karlitschek on LinkedIn