Sourcegraph went dark

Thanks for being a fan. And I understand it's a bummer to not have our code be public and open-source anymore. Sorry.

It's a bunch of reasons that add up. I'll give some more details for anyone curious.

(And I know that despite these reasons, lots of HNers probably wish it was not so. I agree! I too wish for a world where all companies could have their code be public and open source.)

- We have a lot of tech around large-scale code graph, indexing, etc., stuff that is very differentiated and hard to build. We were starting to put some of this in separate private repositories and link them in at build time, but that was complex. It added a lot of code complexity, risked bugs, and slowed us down, and if a lot of the awesome stuff was private anyway, what was the point?

- As we've been building Cody (https://cody.dev), our code AI tool, we've seen a LOT more abuse. That's what happens when you offer any free tier of a product with LLM inference. We had to move a lot more of our internal backend abuse logic to private repositories, and it added code complexity to incorporate that private stuff in at build time.

- It confused devs and customers to have 2 releases: an open-source release with less scaley/enterprisey features, and an enterprise release. It was a pain to migrate from one to the other (GitLab also felt this pain with their product) because the open-source build had a subset of the DB schema and other things. It was confusing to have a free tier on the enterprise release (lots of people got that mixed up with the open-source release), and it made our pricing and packaging complex so that lots of our time was spent helping customers understand what is paid and what isn't.

- There were actually very very few companies that were going to pay but then decided to use the open-source version and not pay us. A lot of people probably assume that's why we made this move, but it's not. I think this is because people like the product and see value in it, including all the large-scale code nav/search features that are in our enterprise version.

- Although very very few companies used our open-source version to avoid paying us, we did see it cause a lot of annoyance for devs who were asked by their management to try cloning our product or to research our codebase to give their procurement team ammunition to negotiate down our price. This honestly was just a waste of everyone's time.

- If we got a ton of contributions (we never really solicited any), then it might've changed the calculus. Sourcegraph is an end-user application that you use at work (and when fun-coding, but the primary revenue model is for us to charge companies). For various reason, end-user server-side applications just don't get nearly as many contributions. Maybe it's because you'd need to redeploy your build for a bunch of other users at your company, not just yourself. Maybe it's because they necessarily entail UX, frontend, and scaling stuff, in addition to just adding new features.

- We heard from people who left GitHub that people at GitHub were frequently monitoring our repository to get wind of our upcoming features and launches. Someone from GitHub told me his "job is to clone Sourcegraph". Since then, they obviously deprioritized their code search to re-found GitHub on AI, so we're not seeing this threat anymore. But I didn't love giving Microsoft an unfair advantage, especially since GitHub products are not open source either.

- Since we made our code non-open-source, we've been able to pursue a lot more big partnerships (e.g., with cloud providers and other distribution partners and resellers). This is a valuable revenue stream that helps us make a better product overall. Again, because Sourcegraph is an end-user application with a UI that devs constantly use and care about, we never really had the MongoDB/Redis/CockroachDB risk of AWS/GCP/Azure just deploying our stuff and cutting us out. We're not protecting from downside here, but we are enjoying the upside because now those kinds of distribution partnerships are viable for us. To give a specific example, within ~2 months of making our code non-open-source last year, we signed a $1M+ ARR deal through a distribution partner that would not have happened if our code was open source. This is not our biggest annual deal, but it's still really nice!

We are totally focused on building the best code search/intelligence and appreciate all our customers and all the feedback here. Hope this helps explain a bit more where we're coming from!

> Sourcegraph CEO here. We made our main internal codebase (for our code search product) private. We did this to focus.

> There were actually very very few companies that were going to pay but then decided to use the open-source version and not pay us. A lot of people probably assume that's why we made this move, but it's not.

> To give a specific example, within ~2 months of making our code non-open-source last year, we signed a $1M+ ARR deal through a distribution partner that would not have happened if our code was open source.

So the reason these deals are now possible is mainly because time was freed up by not having the code base opensource?

> So the reason these deals are now possible is mainly because time was freed up by not having the code base opensource?

No, it's that if all the code is free and open source for anyone, we would not be able to charge for it and there would be no deals. Even if, say, 60% of our product was open-source and 40% was closed source, we might still get a lot of direct customers but would struggle to do distribution partnerships because the distribution partners have outsized incentives and capacity to reimplement the subset of the 40% they think their market needs.

I believe the question came up because the original rationale given was “we did this to focus”, not “we couldn’t sell the code for as much if it was open source”.

>Although very very few companies used our open-source version to avoid paying us, we did see it cause a lot of annoyance for devs who were asked by their management to try cloning our product or to research our codebase to give their procurement team ammunition to negotiate down our price. This honestly was just a waste of everyone's time.

Trying to spin that it was "for the devs" is really stretching the bounds of incredulity. We get it, its fine, you have investors to answer to, but come on don't pee on our shoes and tell us its raining.

Both are factors, as I said in my original post (focus and risk).

Fair, I probably didn’t hear from the devs who weren’t annoyed by that. I heard from plenty of devs who were annoyed by it.

“We stopped giving away some of our apples due to risk.”

“Of… liability? Or… uh, what?”

“Oh—risk that we couldn’t sell the apples we gave away, obviously.”

I was thinking business risk. Sorry it wasn’t clear.

Actually this one I get completely. There’s plenty of places or managers with dev orgs that will check if they can install something complex in house with open source. Nothing wrong with it. But it’s usually a huge waste of time.

Risking profit. I wish he'd just say it. The mealy mouthed justifications are just so transparently disingenuous.

Yeah while I'm sure the developers that were asked to just grab the code and make it work wasn't their favorite job, I think the bigger one is further down - Github developers being tasked with reverse-engineering an open source product to create a closed source clone.

I would've respected GH more if they just used Sourcegraph and instead spent those developers on improving the open source product itself. But, I suspect that Github / Microsoft would then need a locked down license that e.g. Sourcegraph would forever remain open source, or that GH gets free licenses if they ever went closed source, or whatever.

>Yeah while I'm sure the developers that were asked to just grab the code and make it work wasn't their favorite job, I think the bigger one is further down - Github developers being tasked with reverse-engineering an open source product to create a closed source clone.

They don't want Github to clone their product. They weren't doing it for the Github devs.

Why? Getting operational experience with the product that you might then pay a lot for seems very important. Especially if you end up liking the product/service but not the pricing changes that might then happen, so doing some exploratory fact finding for a backup plan doesn't seem to be waste of time.

For example when we used Jira on-prem and it was snappy and we were happy ... and it was a rather important point of difference compared to the slow shitocumulus version.

Also, when people are using GitHub issues to ask questions the problem is usually a lack of clear documentation. (And if spending time to link FAQ answers to potential customers is a waste of time ... then maybe it's not surprising that Sourcegraph CEO is doing damage control on HN instead of focusing on focusing or whatever.)

When someone speaks about business risk for a company which might not be breakeven profitable, the risk is not "we don't make enough money to chuckle sensibly into our wine goblets", the risk is "we have to lay off our engineering team and stop making software altogether".

There's nothing mealy-mouthed about trying to provide insight into their decision-making process. They don't owe anyone other than their employees, customers, and investors (in that order) a justification for their decision making on something like this, and certainly after spilling a few paragraphs of text off the cuff can't be called disingenuous.

This chorus of screeching that accompanies any reduction in commitment for a company involved in open-source is extremely off-putting to anyone who wants to try to build in the open and make a business out of it.

It's free. Gratis. Provided without warranty. Do with it what you will, but it was never yours. They didn't take anything from you by closing the repo. It's really cool that it was available, and it sucks that it's not available going forward - but expecting any business-backed OSS projects to adhere to the same behaviors as a volunteer effort is just wishful thinking.

> But it’s usually a huge waste of time.

Is it? I think at this point my company has probably saved millions of dollars by not paying for subscriptions, but hosting everything in-house. The price point of a lot of these services makes perfect sense when you are small, but paying 1M/year in subscription fees when you can host the same thing for 10k/year is just bonkers. I appreciate that someone has to pay for it for them to continue making the product, but there’s a point where it makes more sense for me to spend a year setting it up (and really only costs two weeks).

You make good points, but to be fair, I feel it's more the beating around the bush that people take issue with.

My experience was with things like openstack and kubernetes. The org decided to do “cloud” in house first with openstack and then kubernetes - and run critical services on them that had very strict performance SLA.

The amount of time needed to do the whole thing wasn’t worth it. Sure I enjoyed tinkering with the kernel and drivers and k8s. Also diving into known cgroups and namespaces worked etc. However, from a time to market/stability perspective the solution was nowhere comparable to what public cloud providers offer.

Yeah - the subscription costs more. My experience has been that when things get big and hiring gets tense in house solutions just add stress on the devs maintaining it. At least with public cloud services - it’s clearer - if the budget doesn’t exist don’t run it.

I will add that I don’t use sourcegraph nor am I connected with them in anyway. So I’m not batting for their go private strategy. Just commenting on this one point.

these are good points but there are fundamentals at odds, really.. no amount of "explaining" will make a choice.. there are partisan issues and as said, company survival is related to profitability is related to survival.

also not mentioned so far is - this product has big implications for security by surveillance, with phone-home and instant-audit hooks, non-disclosed search for zero-day vulnerabilities, and more.. by closing the dev process, it appears that this product gets one step closer to a one-way mirror model that some customers will pay really large amounts of money for..

I appreciate this answer -- it clears a lot of things up!

This seems weirdly hostile. He laid out a bunch of points but you’re grabbing on to this one to make it seem like he’s using classic corporate-speak. Do you find it so unrealistic that the CEO of Sourcegraph has heard from devs that their managers asked them to try to clone or investigate the product before buying? That seems pretty likely

I thought the explanation was very good (second comment more so than the first)

This sounds like "I'm angry I don't get free stuff anymore, and I want to lash out", and I expect better from HN

Investigating Sourcegraph's source code as part of procurement is not only plausible, but useful work that a software engineer should be happy to do.

Stating that making such evaluations impossible is a good thing is therefore more bullshit than other reasons to go closed source.

All the arguments are attempts to veil "we're not making enough money."

When companies dangle "open source" projects to get attention, or start off as open source projects then someone decides "I can make money off this", then rug pull them, that leaves a bad taste in my mouth.

>There's nothing mealy-mouthed about trying to provide insight into their decision-making process. They don't owe anyone other than their employees, customers, and investors (in that order) a justification for their decision making on something like this, and certainly after spilling a few paragraphs of text off the cuff can't be called disingenuous.

When you say things like "we did it for the devs" thats mealy-mouthed and disingenuous. They don't owe anyone but their employees, customers, and investors an explanation, but then they start making public statements-- even if they are a few paragraphs and text off the cuff-- acting like they're doing it for _alutristic_ reasons.

Rug pull your open source once you've gotten what business ends you desire out of it and when it conflicts with your open source goals; like you said its your you own it.

people can do things for more than one reason

I don't see any attempt to veil it -- there was specific mention of revenue and competitors

Did SourceGraph make any promises about a community or free support? (honest question)

I think your expectations may be off, perhaps learned from corporate marketing. "Open source" by itself does not mean necessarily

1. you get any support

2. there is a community [1]

3. you're entitled to all future source code by that person or company, whether under the same project name or not.

---

It could be that SourceGraph has broken some promises, and that IS pretty typical of VC-backed companies.

But so far I don't see evidence of that.

Quoting my comment: https://lobste.rs/s/tg5vwi/sourcegraph_went_dark#c_vnaqxu

Even according to Stallman, free software never required any kind of support, open development, or commit history. You can publish a tarball on a web server, and that counts as free software.

i.e. publishing source code doesn’t sign you up for a lifelong obligation. People can fork it, or not fork it.

---

Practically speaking, I might think of SourceGraph as something like Android.

Is Android open source? Yes. [2]

Does it have huge proprietary parts? Yes.

It is designed for collaborative development? Not really unless you work for a big company, and are paid to work on Android. (That said, I'm sure there are hobbyists / "people in their basement" that do meaningful things with Android source code -- and actually I think that is how some open phone companies started)

Is it better than it's open rather than closed? Yes. Multiple competitors to Google use Android source code, e.g. Amazon has built phones off of it. That is good thing IMO.

---

[1] On my own open source projects, there is a community and best-effort support, and I really encourage that! But the point is that there are MULTIPLE valid project models under the name "open source".

Throwing code over the wall is actually valid open source, and it actually benefits society IMO. It's still valuable, even if you STOP doing it, as SourceGraph has done.

It's distinct from "I get free stuff that I like using"

There could be a different name for "unfunded or independently funded open source", but the funny thing is that the term "open source" originated as a corporate-friendly alternative to "free software"

[2] As a tangent, I also think Android has a really suboptimal and cloud-slanted architecture, but for this discussion, let's just use it as a an example of corporate open source

That math only works out nearly that cleanly if you avoid pricing out the engineer time for it.

If you’re paying $1M/year in fees, I would be shocked if you don’t have a whole team to support the open source version. Oncall, system upgrades, the usual stream of tickets about things not working right and people wanting to integrate, etc.

I do believe it can be cheaper to self-host, but I really doubt the difference in cost is 2 orders of magnitude. I’d be surprised if it was a single order of magnitude. I would wager it’s less than the sellers profit margins because of economies of scale; I would guess in the range of 10%-20%.

Well that obviously doesn’t apply to Sourcegraph because their self-host offering requires paying a subscription. You can’t use any form of Sourcegraph on private code, (at least not without all the important features being nobbled) without paying a subscription. So there’s no saving to be made from self-hosting sourcegraph

If we ignore the final sentence of his reason, then you might have a point. But given his reason ends with:

> This honestly was just a waste of everyone's time.

Makes it pretty clear that the benefits to Sourcegraph (I.e. not wasting time negotiating with companies acting in bad faith), was a large part of this rationale.

Besides, if you had ever tried using the OSS version of Sourcegraph, you would realise that OSS Sourcegraph is a shadow of its enterprise version. Trust me, Sourcegraph didn’t loose any sales to people running OSS Sourcegraph, and anyone who’s willing to rip out the licensing system, so they can use the enterprise features without paying, obviously isn’t going to become a paying customer either.

You clearly never actually looked at Sourcegraph OSS. The OSS version died a very long time ago, the vastly majority of Sourcegraph most valuable features were never OSS, and Sourcegraph has always been very transparent about this.

All that’s changed here is that a non-OSS, but public codebase, is now private. From a customers perspective, nothing material has changed. Only those who want something for nothing are seriously impacted by this.

It's both hostile and, worse, boring. I know it sucks to be intrinsically less interesting than someone you disagree with passionately, but it is the case here that the CEO of the company explaining their policy shift is much more interesting than your rebuttals, which seem superficial and rote by comparison.

Someday somebody is going to be intrinsically more interesting about, like, supporting DNSSEC than me (maybe Geoff Huston will sign on and start commenting), and I'm going to want to claw my eyes out. I have empathy for where you're coming from. But can you please stop trying to shout this person down?

When a software business makes decisions in the name of "focus", they're usually implicitly saying the "on the stuff that will make the company more money" part. Focus implies product/market fit.

He took the time to write out a detailed explanation of why they made a decision they did. Giving us more transparency than 99% of CEOs or companies. There is a whiff of spin there, but come on compare it to every other product decision ever made and we're getting so much more transparency.

Behavior like this means the next time a CEO will be marginally less motivated to do this. You're shitting in the commons.

> So there’s no saving to be made from self-hosting sourcegraph

That may have been true in the time before LLMs, but I'd argue that any sourcecode exfiltration nowadays runs the very real risk of "oh, sure, we won't use your code for training our model ... wink, wink"

>I don't see any attempt to veil it -- there was specific mention of revenue and competitors

Here you go:

>Although very very few companies used our open-source version to avoid paying us, we did see it cause a lot of annoyance for devs who were asked by their management to try cloning our product or to research our codebase to give their procurement team ammunition to negotiate down our price. This honestly was just a waste of everyone's time.

There's enough open source code available that the hassle of other code probably isn't worth it. LLMs aren't insightful enough to benefit from any differences you'd see between open and closed source code corpii.

Many organizations will accept defacto 90% SLA if internal vs 99.99% If external

Unbelievably generous insight. Nice one, mate. Thanks.

> - As we've been building Cody (https://cody.dev), our code AI tool, [blahblahblah]

You could have decided not to jump on that bandwagon.

> - It confused devs and customers to have 2 releases

You could have decided not to do that then.

> For various reason, end-user server-side applications just don't get nearly as many contributions.

Maybe it had something to do with the opensource builds being nigh-unusably restricted, turning away anyone who might be interested. Or the confusion that you created between the OSS and freeware builds giving a bad taste.

You have, however, left yourself unprotected against real innovation in open source products which are value-aligned

What I mean is: I totally agree that Sourcegraph's practices and architecture made it seem much more like a closed source company. Once it failed to create an open and welcoming community of contribution and ideas, the path to source closure was likely inevitable

you have misused the Stallman quote .. the idea is that the code is always available to rebuild and recompile.. the commerce between vendors or users is not specified. In the case you apparently defend, the source code is no longer available to build the complete product.