It’s a cool coincidence that a commenter on the e-Literate blog raised a question about whether we should call the Canvas learning management system (LMS) open source or not. Six years ago this week I wrote my first blog post as an Instructure employee on the importance of openness to our company culture and identity. (Full disclosure: I still work for Instructure, though this blog post is my own perspective six years in.)

Canvas is used by K–20 institutions around the world. Even though Canvas was built for the cloud, it’s been open source since 2011 under AGPLv3.

Early on, it was obvious that being open source provided some natural inoculation against being acquired by one of our competitors. It also presented customers with an escape hatch in case Instructure were to fail them. Thankfully, those concerns are less relevant now that Instructure has made it to IPO and Canvas has a proven track record in the market.

Instructure’s commercial success may prompt questions about whether and why Canvas is open source. Let’s start by acknowledging that classifications of “open source” versus “commercial open source” versus “open core” are sometimes hotly debated. I’m not overly sensitive about these labels; Instructure will continue to release new Canvas code to GitHub every few weeks no matter what people want to call it.

That said, I call Canvas “commercial open source” rather than “open core” for two main reasons:

1. Open core usually means a large part of the code base has not been open sourced. The only parts of Canvas that we don’t open source are those related to our commercial hosting, like Vector and Hot Tub. Canvas is a cloud-native, single-version, multi-tenant application, and if we didn’t have proprietary capabilities for automated scalability, burstability, failover across AWS regions, etc., our commercial hosting service wouldn’t have the great reputation it has for reliability. But even modules like Canvas Analytics and our native mobile apps are open source. We just built a new accessibility checker add-on for the content editor that we’re going to open source.

2. Some projects labeled “open core” withhold so much code that it’s not realistic to run the software yourself. That’s not the case here. It is totally feasible to run a Canvas implementation from the Canvas open source code, and there are legitimate examples of this happening. While we don’t require anyone to register or tell us about it when they run Canvas themselves, we do know about those who post to our Canvas Community forums or join us at our user conferences.

Canvas logo

Of course, we’re pleased with how many institutions choose Canvas cloud, and we’re proud of the services and support we give them. And that brings me to what I think is the more interesting conversation: why we make Canvas open source at all.

1. Canvas open source is one way to test whether or not educational institutions think Instructure’s support, reliability, collaboration, etc. is worth paying for. Turns out, they do. 

2. Canvas open source is one way to give transparency or assurance around system security and code integrity. When your source code is open, anyone can test it for vulnerabilities—and talk about it. When your source code is closed, people not only can’t check to see if the code is vulnerable, they can’t verify that you fixed vulnerabilities. But because not everyone knows how to do a thorough security check themselves, Instructure runs an annual open security audit on Canvas, where third-party, independent experts are paid to find vulnerabilities, and then report on it for everyone to see.

3. Canvas open source gives schools, institutions, and even other companies who don’t have in-region AWS or just don’t have the money to pay for hosting the chance to use (we think) the best academic LMS out there.

Just this month I heard a story that once again reminded me why open source is the right thing to do: A small startup called Nucleos is experimenting with a “portable cloud” service to deliver teacher training on Canvas open source in places where even connectivity can’t be taken for granted. I don’t want to steal their thunder or misrepresent their story, but I hear they’ll have a case study out soon.

 

Keep learning,

Jared Stein
VP, Higher Ed Strategy