Ali Rathore

November 2025

Free like a puppy, times fifteen

A product assembled from open source is not the sum of its components. It is the resolution of their disagreements.

The first failed install told the whole story. One component of our data platform ships its schema migration as a hook that runs before anything else, on the sound theory that you bring your own database. Our installer creates that database itself, several steps in. So the migration fired into a void, the deployment wedged, and no code anywhere was wrong. The component’s model of the world did not include us.

I build a data platform assembled from best-of-breed open source: an identity provider, an ETL platform, a workflow engine, a metadata server, the databases beneath all of it. Open source is famously free like a puppy, but the puppy line is about owning one. Compose fifteen and you discover that every project ships, alongside its code, a set of assumptions about the world around it: who creates its database, who owns its secrets, what importing configuration means, who else lives in its namespace. Each assumption is reasonable alone. Composed, they contradict, and the contradictions are most of the work.

The disagreements hide inside words everyone believes they share. Idempotent, for instance. The identity provider’s operator imports configuration once and considers the matter settled forever: updating the resource does nothing, and deleting it to force a re-import only adds objects, never corrects them. Idempotency that promises “I will not break what exists” quietly also means “I will not honor your changes,” and the second clause appears in nobody’s documentation. The metadata server reads its settings from the environment exactly once, copies them into its own database, and ignores the environment thereafter, so a changed value on upgrade is a silent no-op. The workflow engine assumes it may create its own databases at startup; a managed database, on equally defensible security grounds, refuses to issue credentials that can. And components that assume they live alone hardcode their resource names, so two installations in one namespace overwrite each other’s credentials.

My favorite of these failures involves no mistake at all. We put single sign-on in front of every component, which is correct, and the platform’s interface embeds some components in frames, which is ordinary. Together they fail twice over: the browser’s cross-site cookie rules (SameSite) refuse to send the session into the frame, and the identity provider’s clickjacking protections (X-Frame-Options or a frame-ancestors policy) blank whatever survives. Two security policies, each a best practice I would defend in any review, composing into a white rectangle. The resolution is a deliberate, documented exception, and a narrow one: the cookie is marked for cross-site use and the frame allowance names the platform’s own origin, rather than relaxing either policy across the board.
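The two policies in that paragraph, modelled so the double failure and the narrow exception can be seen side by side. This is an added example, not code from the post or from any identity provider: the origins, the Set-Cookie value and the response headers are constructed, the SameSite default of Lax follows Chrome’s behaviour, and the site comparison uses a two-label heuristic in place of the public suffix list.

```python
"""Model of the two browser policies that blank an SSO-protected component
inside a frame. Added example, not the author's code; origins, cookies and
headers below are constructed."""
from urllib.parse import urlsplit

# Constructed origins: the platform console frames the identity provider,
# which lives on a different registrable domain, so the two are cross-site.
TOP = "https://console.platform.example"
IDP = "https://login.identity.example"

# Constructed identity-provider defaults. Each one is a best practice.
DEFAULT_COOKIE = "session=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax"
DEFAULT_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

# The documented exception: a cross-site cookie and a frame allowance that
# names exactly one embedding origin.
EXCEPTION_COOKIE = "session=9f2c; Path=/; Secure; HttpOnly; SameSite=None"
EXCEPTION_HEADERS = {
    "Content-Security-Policy": f"frame-ancestors 'self' {TOP}",
}


def registrable_domain(origin: str) -> str:
    # Simplification: the last two host labels. Browsers consult the public
    # suffix list, so this is wrong for suffixes such as co.uk.
    host = urlsplit(origin).hostname or ""
    return ".".join(host.split(".")[-2:])


def same_site(a: str, b: str) -> bool:
    """Schemeful same-site: same scheme and same registrable domain."""
    return (urlsplit(a).scheme == urlsplit(b).scheme
            and registrable_domain(a) == registrable_domain(b))


def parse_cookie_attrs(set_cookie: str) -> dict:
    """Attributes after the name=value pair, keys lowercased."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    return attrs


def cookie_sent_into_frame(set_cookie: str, cookie_origin: str, top_origin: str) -> bool:
    """Will the browser attach this cookie to a request for cookie_origin made
    from a document framed under top_origin? Lax (the assumed default) is sent
    only on top-level navigations, so a cross-site frame gets nothing. Only
    SameSite=None crosses, and only when Secure: browsers reject SameSite=None
    cookies that lack the Secure attribute."""
    if same_site(cookie_origin, top_origin):
        return True
    attrs = parse_cookie_attrs(set_cookie)
    if attrs.get("samesite", "lax").lower() != "none":
        return False
    return "secure" in attrs


def frame_allowed(headers: dict, framed_origin: str, top_origin: str) -> bool:
    """May top_origin embed the framed response? A CSP frame-ancestors
    directive, when present, overrides X-Frame-Options; with neither header,
    framing is allowed. Source matching is exact-origin only (no wildcards)."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for source in parts[1:]:
            src = source.strip("'").lower()
            if src == "none":
                return False
            if src == "self" and framed_origin == top_origin:
                return True
            if src == top_origin.lower():
                return True
        return False  # directive present, nothing matched
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framed_origin == top_origin
    return True


def frame_renders(set_cookie: str, headers: dict, framed_origin: str, top_origin: str) -> dict:
    """Both policies must pass for the embedded component to appear at all."""
    return {
        "cookie_sent": cookie_sent_into_frame(set_cookie, framed_origin, top_origin),
        "frame_allowed": frame_allowed(headers, framed_origin, top_origin),
    }


if __name__ == "__main__":
    print("defaults :", frame_renders(DEFAULT_COOKIE, DEFAULT_HEADERS, IDP, TOP))
    print("exception:", frame_renders(EXCEPTION_COOKIE, EXCEPTION_HEADERS, IDP, TOP))
```

With the defaults the component is blank twice over, and fixing only one of the two policies still leaves a white rectangle. With the exception both checks pass, and the exception is written in the headers where a reviewer can read exactly which origin was let in.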

A resolution that lives in one engineer’s memory does not survive upstream releases. Durability comes from treating each fix as a contract. Every override passes through a seam the platform owns, an interface to the upstream package rather than a patch smeared across it. Render tests assert on the actual generated output, so an upstream version bump that rearranges internals fails loudly in CI instead of silently in production. And the whole platform installs in one step, from nothing, every time, which turns “it installs” from a claim into a fact the build checks and forces every latent disagreement to surface before a customer does.
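A render test of the kind that paragraph describes, as an added example rather than the author’s code. It replays the first failed install from the top of the post (a migration hook weighted to run before the platform’s database job) and the hardcoded resource names from the paragraph on disagreements, against a constructed JSON render standing in for `helm template` output. The release name, the database job’s name, the component names and the rule that every hook on this platform needs a database are assumptions.

```python
"""Render test over rendered Kubernetes manifests. Added example, not the
author's or any project's code. The render is constructed inline so the
check runs offline; in CI the same functions would run over the real
`helm template` output converted to a JSON list."""
import json

RELEASE = "dp"                            # assumed release name
DB_JOB = f"{RELEASE}-create-databases"    # the platform's own database-creation hook

# Constructed render of the failed first install: the component's schema
# migration is weighted to run before the platform creates its database,
# and its resources carry hardcoded names with no release prefix.
BAD_RENDER = """[
 {"apiVersion": "batch/v1", "kind": "Job",
  "metadata": {"name": "dp-create-databases",
   "annotations": {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "0"}}},
 {"apiVersion": "batch/v1", "kind": "Job",
  "metadata": {"name": "metadata-server-migrate",
   "annotations": {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5"}}},
 {"apiVersion": "v1", "kind": "Secret",
  "metadata": {"name": "metadata-server-db-credentials"}}
]"""

# Constructed render after the override: migration weighted after the
# database job, every name scoped to the release.
GOOD_RENDER = """[
 {"apiVersion": "batch/v1", "kind": "Job",
  "metadata": {"name": "dp-create-databases",
   "annotations": {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "0"}}},
 {"apiVersion": "batch/v1", "kind": "Job",
  "metadata": {"name": "dp-metadata-server-migrate",
   "annotations": {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "5"}}},
 {"apiVersion": "v1", "kind": "Secret",
  "metadata": {"name": "dp-metadata-server-db-credentials"}}
]"""


def load(rendered: str) -> list:
    return json.loads(rendered)


def hook_weight(obj: dict):
    """Helm runs hooks in ascending hook-weight (default 0). None if not a hook."""
    ann = obj.get("metadata", {}).get("annotations") or {}
    if "helm.sh/hook" not in ann:
        return None
    return int(ann.get("helm.sh/hook-weight", "0"))


def check_hook_order(manifests: list, db_job: str) -> list:
    """Every other hook must be weighted strictly after the database job.
    Strictly, because equal weights fall back to Helm's kind-and-name order,
    which nobody wrote down as a contract. Deliberately blunt: the assumption
    is that every component hook on this platform talks to a database."""
    db = [m for m in manifests if m["metadata"]["name"] == db_job]
    if not db:
        return [f"platform database job {db_job!r} missing from render"]
    db_weight = hook_weight(db[0])
    if db_weight is None:
        return [f"{db_job!r} is not a Helm hook"]
    problems = []
    for m in manifests:
        name = m["metadata"]["name"]
        weight = hook_weight(m)
        if weight is None or name == db_job:
            continue
        if weight <= db_weight:
            problems.append(f"hook {name!r} (weight {weight}) runs before or "
                            f"alongside {db_job!r} (weight {db_weight})")
    return problems


def check_release_scoped(manifests: list, release: str) -> list:
    """Two installations sharing a namespace must never share a resource name."""
    prefix = release + "-"
    return [f"{m['kind']} {m['metadata']['name']!r} is not prefixed with {prefix!r}"
            for m in manifests if not m["metadata"]["name"].startswith(prefix)]


def lint(manifests: list, release: str, db_job: str) -> list:
    """All violations for one render; an empty list means the contract holds."""
    return check_hook_order(manifests, db_job) + check_release_scoped(manifests, release)


if __name__ == "__main__":
    for label, render in (("bad", BAD_RENDER), ("good", GOOD_RENDER)):
        problems = lint(load(render), RELEASE, DB_JOB)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

The checks assert on what was actually rendered, not on the values file that was supposed to produce it, so an upstream release that restores its “before anything else” weight or drops the name prefix fails here rather than in a customer’s cluster.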

Once the disagreements are resolved, the behavior of the whole belongs to us: ours to support at two in the morning. White-labeling, replacing fifteen project names with the product’s own vocabulary, gets dismissed as paint. It is closer to a signature. A renamed surface can no longer point at an upstream and shrug.