Don’t Get Rug Pulled by Open Source; Nail It to the Floor with Governance

Posted by Kevin Blanco, published on Sep 01, 2025

Open source gives every developer access to technologies that would otherwise require whole teams to maintain. But the whole ecosystem rests on an unspoken promise that the tools we build our careers on will still be there tomorrow.

Unfortunately, we’ve seen what happens when that trust is broken. So, how can communities protect their open-source projects? Neutral governance is the answer, according to Roberto Luna Rojas, Senior Developer Advocate at AWS for the Valkey project.

Roberto’s spicy take: Don’t trust companies not to slip the rug out from under you

We’ll start with Roberto’s spicy tech take to set the scene.

It was the moment the music stopped for thousands of development teams. Redis, the undisputed king of in-memory databases, changed its license, introducing restrictions that affected developers who had already built their infrastructure on its open-source “promise.”

This, according to Roberto, was the definition of a rug pull in the software context.

“It’s something that, in reality, the community should have seen coming... a company owns the trademark, owns the code. So, at any moment, they’ll pull the rug out from under you, and you fall, right?”

This was not just a business move; it was a wake-up call. Roberto admits that the warning signs were there.

“They had the company heads in the consortium... So, from there, you already started to notice something fishy.”

The event exposed the deep vulnerability of relying on a project where one company’s commercial interests could completely override the community.

The unspoken open-source contract we need to restore faith in

Valkey’s mission is to restore faith in that unspoken contract. Born from a fork of Redis and given a safe home inside the Linux Foundation, Valkey wants to prove that open-source tools are still true community assets, not just products waiting for their license to flip.

“The truth is, a good lesson to learn for open source is that you have to be prepared. When an open-source project is growing, you have to put in certain guarantees for users.”

Nailing the rug down: how the neutral governance rebuilds trust

If rug pulls are the disease, neutral governance is the cure.

This is where organizations like the Linux Foundation and the Cloud Native Computing Foundation (CNCF) are tipping the balance of power back toward the community. They act as neutral, protective stewards for the projects we all depend on.

Take Kubernetes as an example. It was born at Google, and Google handed it over to the CNCF. Developers flocked to it because they trusted it, confident that no single company could pull the plug.

When the community is in charge, it can also get what it wants faster: PostgreSQL had long lacked LDAP support, and since GCP, Azure, and the other big hosts all have their own internal user management tools, they had little motivation to build it. Then Percona saw the community demand and made it happen (and they benefit too, since their name is on the functionality).

“Here comes Percona, and they say, ‘I have clients that this could be useful for.’ We name it, we do it, and we make it open source.”

Similarly, long-requested features by the Redis community that had been “stuck” in development for a significant amount of time were quickly shipped in Valkey once it forked.

The moral of these stories? Neutral governance isn’t just a safety net; it’s an accelerator for building the stuff developers actually need.

And when it comes to DevRel, the Linux Foundation gets it: it is even launching a DevRel Foundation to support the people building these communities, because protecting code means nothing if you don’t protect the humans making it happen.

Governance helps protect and secure open source, too

Neutral governance does more than just prevent rug pulls; it also enhances security. When a project is truly community-run, it creates a transparent, collaborative system for squashing bugs.

“They’re going to tell us, ‘Hey! You have to update this library...’ And what we do is also collaborate with the other distributions that have the same dependency to tell them, ‘Hey! Fix this too,’ because the users are the same.”

Instead of a single company controlling the response, the entire ecosystem swarms the problem. A patch for one becomes a patch for all.

“A system is as secure as the one who implements it. A paid license doesn’t make something secure, and a poorly managed open-source project is going to be openly insecure.”

This kind of coordinated defense is only possible when no single interest can get in the way. For developers, it means you can build with confidence, knowing that security isn’t just a line item on one company’s budget — it’s the community’s top priority.

“Everything comes from how you implement it and the different mechanisms you have for not only development but deployment, execution, and operation of your system.”

Neutral governance and improving the AI development toolchain

We’re all experimenting with LLMs, but the RAG-based systems that they rely on to solve real problems present a scalability and cost challenge: When every query hits an expensive API, you’re on the fast track to bankruptcy.

The solution Valkey presents is semantic caching using its Vector Similarity Search module. Instead of calling an expensive LLM for every query, the system intercepts a user’s question. If a question with a similar meaning (like “How do I reset my password?” vs. “I forgot my password”) has been asked before, Valkey instantly serves the cached answer from its in-memory database.

“And this is where Valkey Search allows you to have those vectors you create. You look for questions that are similar, and it brings you all those questions that point to the same result. So, if you no longer have to call the result, you avoid that cost.”

The results are wild, and it’s not just about the money.

“If you have a response that you already called once and it took you four seconds to get a response from the LLM, now you do it in 0.001 seconds — 4,000 times faster.”

This also means a smaller CO2 footprint, helping you avoid "burning down the planet" every time you make an AI query.

So how do community and governance factor into this? A feature this powerful requires you to bet your entire architecture on it, and you can only make that bet if you trust the tool’s future. In this case, developers can confidently build these powerful AI systems on Valkey because they trust that while it’s backed by major players, the community stays in control.

Choose your rug wisely

Our entire modern dev stack is built on open source, which means we’re all standing on the shoulders of giants. And those giants are all standing on rugs.

The lesson? Choose your tools based not just on features but on community and governance. Look for projects backed by neutral foundations and guided by DevRel principles that put the community first. Because the coolest tech in the world means nothing if an unexpected change wipes out one of the critical components your project relies on.