It’s a cool coincidence that a commenter on the e-Literate blog raised a question about whether we should call the Canvas LMS open source or not; six years ago this week I wrote my first blog post as an employee of for Instructure on the importance of openness to our company culture and identity. (Full disclosure: I still work for Instructure, though this blog post is my own perspective six years in.)
Early on, it was obvious that being open source provided some natural inoculation against being acquired by one of our competitors. It also presented customers with an escape hatch in case Instructure were to fail them. Thankfully, those concerns are less relevant now that Instructure has made it to IPO and Canvas has a proven track record in the market.
Instructure’s commercial success may actually heighten questions about whether and why Canvas is open source, however. Let’s start by acknowledging that classifications of “open source” vs “commercial open source” vs “open core” is a sometimes hotly debated topic. I’m not overly sensitive about these labels; Instructure will continue to release new Canvas code to GitHub every few weeks no matter what folks want to call it :)
That said, I personally call Canvas “commercial open source” rather than “open core” for two main reasons:
1. Open core usually means a large part of the code base has not been open sourced. The only parts of Canvas that we don’t open source are those related to our commercial hosting, like Vector and Hot Tub. Canvas is a cloud-native, single-version multi-tenant application, and we if we didn’t have proprietary capabilities for automated scalability, burst ability, failover across AWS regions, etc, our commercial hosting service wouldn’t have the great reputation for reliability. But even modules like Canvas Analytics and our native mobile apps are open source. We just built a new accessibility checker add-on for the content editor that we’re preparing to open source.
2. Some projects labeled “open core” withhold so much code that it’s not realistic to run the software yourself. That’s not the case here. It is totally feasible to run a Canvas implementation from the Canvas open source code, and there are legit examples of this happening. While we don’t require anyone to register or tell us about it when they run Canvas themselves, we do know about those who post to our community forums or join us at our user conferences.
Of course, we’re super pleased with how many institutions do choose Canvas cloud, and we’re proud of the services and support we give them. And that brings me to what I think is the more interesting conversation, why we make Canvas open source at all:
1. Canvas open source is one way to test whether or not educational institutions think Instructure’s support, reliability, collaboration, etc is worth paying for. Hey, it’s working :)
2. Canvas open source is one way to give transparency or assurance around system security and code integrity. When your source code is open, anyone can test it for vulnerabilities — and talk about it. When your source code is closed, people not only can’t check to see if the code is vulnerable, they can’t verify that you fixed vulnerabilities. But because not everyone knows how to do a thorough security check themselves, Instructure runs an annual open security audit on Canvas where third-party, independent experts are paid to find vulnerabilities, and then report on it for everyone to see.
3. Canvas open source give schools, institutions, and even other companies who don’t have in-region AWS or just don’t have the money to pay for hosting the chance to use (we think) the best academic LMS out there.ability, collaboration, etc is worth paying for. Hey, it’s working :)
Just this month I heard a story that once again reminded me why open source is the right thing to do: A small start-up called Nucleos is experimenting with a “portable cloud” service to deliver teacher training on Canvas open source in places where even connectivity can’t be taken for granted. I don’t want to steal their thunder or misrepresent their story, but I do hear they’ll have a case study out soon.