[HN Gopher] "Open source" is broken
___________________________________________________________________
"Open source" is broken
Author : todsacerdoti
Score : 194 points
Date : 2021-12-11 18:11 UTC (4 hours ago)
(HTM) web link (christine.website)
(TXT) w3m dump (christine.website)
| swayvil wrote:
| Open source isn't broken. Open source is organic and perfect.
| It's the rest of the world that is broken.
| montroser wrote:
| No, it's not broken -- it's thriving.
|
| Everyone involved has their own incentives, and gets to make
| their own decisions about when and where to invest their time and
| money.
|
| Some devs are in it for the passion, some for the experience,
| some for the challenge, some for the learning, some so their work
| will live on when they change employers.
|
| Startups get to use well-tested community supported libraries and
| don't have to build everything from scratch. Big companies get
| tech branding cred and can attract better talent, etc, etc.
|
| And yes, maintainers sometimes get burnt out, consumers sometimes
| act inappropriately entitled, massively profitable enterprises
| often give back relatively little in return.
|
| But that's all part of the deal going in, and everyone is fully
| aware of all the trade-offs straight from the onset.
|
| What's so beautiful is that there are so many options whenever
| conditions change for any party. A maintainer goes to jail for
| vehicular manslaughter and a bugs needs fixing, no problem. Stand
| up a fork and the project continues on. A company's new
| leadership takes its own source project in a questionable
| direction and consumers are upset, no problem. Community forks
| and the project lives on.
|
| And the result is we have this thriving, organic, creative,
| productive ecosystem which benefits us all in the end.
| CaptArmchair wrote:
| I think this argument massively ignores the underlying message
| of this blogpost: addressing that the human beings that make
| and use software aren't always treated as, well, human beings.
|
| > A maintainer goes to jail for vehicular manslaughter and a
| bugs needs fixing, no problem
|
| The author didn't seem to hint that open bugs in core-js or its
| usefulness to its community of users are / is problematic. They
| hinted that maintainers are people with real life problems,
| whether that's struggling to make a livelihood, or facing
| imprisonment and ignoring that social/economic context is
| problematic.
|
| Stating "well, let's just fork their code and off we go"
| basically ignores the person behind the code entirely. It
| reduces the value of a person to their ability to spend time
| and effort on maintaining code. And that's just a morally very
| questionable way of approaching other people. That kind of
| behavior just doesn't foster any mutual trust or respect which
| are the basic requirements for open source to thrive to begin
| with.
|
| > But that's all part of the deal going in, and everyone is
| fully aware of all the trade-offs straight from the onset.
|
| No, absolutely not. That's not how the original instigators of
| the Open Source movement envisioned this.
|
| Yes, open source licensing allows forking, but that's not
| something you'd do, for instance, because a maintainer fails to
| respond to your issues on GitHub.
|
| Eric S. Raymond can be quoted from his seminal essay
| "Homesteading the noosphere":
|
| > The three taboos we observed above make perfect sense under
| this analysis. One's reputation can suffer unfairly if someone
| else misappropriates or mangles one's work; these taboos (and
| related customs) attempt to prevent this from happening. (Or,
| to put it more pragmatically, hackers generally refrain from
| forking or rogue-patching others' projects in order to be able
| to deny legitimacy to the same behavior practiced against
| themselves.)
|
| > Forking projects is bad because it exposes pre-fork
| contributors to a reputation risk they can only control by
| being active in both child projects simultaneously after the
| fork. (This would generally be too confusing or difficult to be
| practical.)
|
| > Distributing rogue patches (or, much worse, rogue binaries)
| exposes the owners to an unfair reputation risk. Even if the
| official code is perfect, the owners will catch flak from bugs
| in the patches (but see [RP]).
|
| > Surreptitiously filing someone's name off a project is, in
| cultural context, one of the ultimate crimes. Doing this steals
| the victim's gift to be presented as the thief's own.
|
| http://catb.org/~esr/writings/homesteading/homesteading/ar01...
|
| Especially the last taboo is incriminating.
|
| In the past, I kept a handful of tiny open source libraries in
| PHP on Packagist. Someone forked one of those without notifying
| me and started directly competing with mine. I can't express
| how off putting that experience was at the time. It has made me
| quite apprehensive of pro-actively sharing code I write in my
| spare time under an open source license.
|
| Because someone falls on hard times or isn't available for a
| while, that doesn't justify taking their work and presenting it
| as your own under the guise of "having a thriving, organic,
| creative, productive ecosystem."
| littlestymaar wrote:
| Yes it's thriving, but it's also broken. From a tweet[1] cited
| in the article:
|
| > This is the maintainer who fixed the vulnerability that's
| causing millions(++?) of dollars of damage.
|
| > "I work on Log4j in my spare time"
|
| > "always dreamed of working on open source full time"
|
| > "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"
|
| [1]: https://twitter.com/FiloSottile/status/1469441487175880711
| charcircuit wrote:
| No one is entitled to money. There's nothing broken about
| that. If you want to make money it would be a good idea to
| make a business plan.
|
| Making and maintaining a piece of software and giving it away
| for free isn't a great business plan, or at best it's an
| incomplete one.
| thr0wawayf00 wrote:
| > No one is entitled to money. There's nothing broken about
| that. If you want to make money it would be a good idea to
| make a business plan.
|
| This attitude totally ignores how hard it is to actually
| run a software tooling business and collect when you have a
| free/community offering.
|
| Take the Obsidian note app, for example. It's technically
| free until you start using it for revenue-generating, work-
| related activity per their license, but how do they go
| about enforcing that? If they were to dig through customer
| data to see who is violating the agreement, they'd get
| roasted on Twitter in an instant and risk losing their user
| base. Should they hire attorneys to investigate and shake
| down violators for the $25/mo fee plus damages? Again,
| major risk of losing the customer base.
|
| Software devs have to represent a significant, if not
| majority share of the user base of Obsidian, and I'd bet a
| year of my salary that most of them aren't paying for it
| when they're using it for work. Committing to a business
| plan is an important step, but software's value is directly
| correlated with it's use, and more widely used software is
| inherently more valuable, but achieving that kind of growth
| without giving it away free is a major challenge.
|
| It kinda feels like tipping in the restaurant industry,
| where folks argue that it's to ensure proper service, when
| in reality it's often just a way for the restaurant owner
| to not have to pay minimum wage by offloading that portion
| of a workers wages onto the customer, who often just
| doesn't give a tip.
| suriyaG wrote:
| I mostly agree with your argument. But, if we just de facto
| accept everything for how it has been in the past. Then we stop
| making things better, for everybody involved.
|
| Is Open-Source thriving? yes. Can we make fix the places where
| it's broken? Also, Yes.
| [deleted]
| Operyl wrote:
| > But that's all part of the deal going in, and everyone is
| fully aware of all the trade-offs straight from the onset.
|
| I think part of the problem here, in all honesty, is that some
| people just _are not_ aware of the trade-offs upfront. They
| learn these after getting started, and it bites them in the
| butt one way or another.
| codespin wrote:
| What I see as broken is the expectation that dev tools and the
| entire dev stack should be provided for free. It manifests as
| only using "open source" tools and everything in this blog post
| applies.
|
| As a developer I both expect tools and libraries to be free and
| have been burned by this as someone working on developer tools
| and as an open source maintainer on my personal projects.
|
| The frustrating part to me is that this doesn't apply to apps,
| saas apps, services, or a lot of AI/ML related things. Most
| developers expect to make money off those things while at the
| same time demanding everything they used to build it be free
| because it's just code and they love open source. It feels
| unfair, and in that way I agree, open source is broken, or at
| least unsustainable for small projects long term.
| robertlagrant wrote:
| > is holding people's companies together
|
| This is a pretty unlikely situation.
|
| Someone already thought of all this and made Tidelift, btw.
| quickthrower2 wrote:
| Part of the solution is instilling a fuck it, let it break,
| "left-pad" attitude in the core util maintainers across all
| languages and platforms.
|
| This will be the chaos monkey you'd need to build resilience in
| open source.
|
| I can see in such a scenario the big companies taking more
| interest in paying maintainers or forking and maintaining it
| themselves.
|
| Maybe a open source strike is needed? A year without security
| patches on anything maintained by an unpaid individual or team.
| kello wrote:
| How exactly is it broken? Seems to be working pretty great. Great
| clickbait-y title though!
| tonetheman wrote:
| That tweet listed in that article ... gah. So bad so full of
| stupid.
|
| The moron who wrote it is a GOOG programmer who thinks that 300k
| is what programmers make.
|
| That is a tech-bro who lives in a place of privilege. And from
| the comment I am guessing not a programmer? Or very young and not
| so mature.
|
| Open source is not broken.
|
| Open source has always been a programmer scratching their own
| itch. If other people have the same itch and the code is used in
| more places... and so on until a larger company uses it.
|
| And then god help that company they are evil for exploiting the
| guy at the bottom? Yeah nope.
|
| Would it be great if everyone did pay that dude for his open
| source library? Yes it would.
|
| Figuring out how to pay people all the way down the open source
| stack would be an incredibly hard problem. You could pay the one
| guy who started the project but what about all the other people
| who have worked on it?
|
| I mean if I contributed even 1 line of code to log4j I would like
| a cut of the 300k the GOOG guy is going to donate.
| penjelly wrote:
| this is the second time i see this author... wtf are the
| characters between paragraphs? i guess its to make the article
| more readable or to express multiple perspectives or something?
| Kinda distracts from the main content
| xena wrote:
| Author of the post here. I have found that I tend to insert
| asides in my articles a lot. The characters are there not only
| to help space things out and make it easier to read, there's
| also room for the Socratic Method of dialogue based teaching. I
| also slightly compartmentalize the kind replies based on which
| character is speaking, which allows for people to build
| otherwise unspoken associations about what kind of aside they
| are going to get. Mara with the split keyboard is usually for a
| pedantic aside or another place a concept can be applied, etc.
| This really is a bit of experimentation that I'm doing by
| playing with the writing style in a way that better suits my
| thought processes and allows me to take it beyond text.
|
| Also the more people complain about the furry characters in the
| blog posts, the more furries there will be. I am waiting for a
| few refsheets that I will use in various things in the future.
| kelnos wrote:
| Open source isn't broken. The software will continue to get built
| regardless of funding levels, clearly. But when vulnerabilities
| like this are found, no one -- especially corporate users -- gets
| to complain. Any complainers should be immediately told to fund
| the software they use, or shut their entitled mouths.
|
| Open source is fine. The culture of companies -- nearly all of
| them, including the one I work for -- that freeload off this work
| is what's broken. If you are equating this state of affairs with
| "open source", I think that does everyone involved a disservice.
|
| I work on and release some things under open source licenses.
| I've been doing this on and off for nearly 20 years. None of it
| these days is as remotely as popular as something like log4j (the
| only popular thing I worked on for a while was Xfce, during the
| 00s). But that's the thing: I don't care (and kinda don't want)
| that kind of popularity. And if there's a critical bug in my
| stuff that lingers for a few weeks -- even if it's a security bug
| -- that's just life. If people want something with faster bug
| fixes or to-the-minute security responses, they submit patches,
| or they can pay me. Or, better yet, use an alternative that is
| already better supported, because I don't want to be paid for
| this stuff, and take on the burden of the added expectations.
|
| An aside:
|
| > _Now let 's turn our eyes to log4j2. This project is
| effectively in the standard library for Java users._
|
| Is that really true? All my (professional and hobby) JVM projects
| use slf4j+logback. If I depend on anything that pulls in log4j
| (most of which pulls in v1, not the vulnerable v2), I exclude
| that and add the log4j-over-slf4j library, which replaces log4j
| with simple classes that delegate to slf4j.
| ralph84 wrote:
| > no one -- especially corporate users -- gets to complain
|
| Do corporate users of open source really do all that much
| complaining without contributing? IME the people with the
| biggest complaint/contribution ratio in open source projects
| are individual devs (or trolls) who are not participating as a
| representative of any company.
| KennyBlanken wrote:
| In the case of core-js the issue isn't that "nobody is
| contributing", the issue is that there is one guy with commit
| authority and he's an asshole who reportedly spends most of
| his days rejecting PRs from people he doesn't like.
|
| IBM, Oracle, Apple, Microsoft could submit all the PRs in the
| world and it won't do any good if he says "I don't like your
| coding style" or "this takes core-js in a direction I don't
| like."
|
| Or he ends up in jail. I thought the author was joking about
| him going to jail for killing two pedestrians. They were not:
| https://www.theregister.com/2020/03/26/corejs_maintainer_jai.
| ..
| bshipp wrote:
| But...and bear with me as I'm no JS guy and am unfamiliar
| with that library...how hard is it for the community to
| fork it and go on from there?
|
| Literally every time I find an esoteric library on Github
| the first thing I do before forking it or adding it to my
| dependencies is immediately pull up the "network" tab to
| see if there's are active branch downstream I should
| follow.
|
| Perhaps Github can do a better job of highlighting hidden
| downstream forks to direct people to find more updated and
| supported dependencies?
| eldelshell wrote:
| Log4J is far from being the standard. As a matter of fact,
| JBoss, Quarkus, etc, aren't affected by this because they don't
| use log4j.
| gopher_space wrote:
| I've never run into an issue with open source that couldn't be
| solved by throwing a trivial amount of money at it.
| Relicensing, bug fixes, feature requests.
| rbanffy wrote:
| > The culture of companies -- nearly all of them, including the
| one I work for -- that freeload off this work is what's broken.
|
| Capitalism will always try to extract work at the lowest
| possible cost. If it's possible to use your work without paying
| for it, companies will do it. They'll fund work when funding
| the work can gain them influence or political dividends.
|
| My two open-source projects, a font and pip-chill, are,
| respectively, a work of love and something that solves a
| problem for me. I enjoy working on them. In the past I have
| worked on other projects, but always to solve issues I had.
| wyldfire wrote:
| > I simply do not want to be in a situation where my software
| that I develop as a passion project on the side is holding
| people's companies together.
|
| People love to hate on Richard Stallman but he was really clear
| about the motivation for Free Software (which is not the same as
| Open Source but shares some tenets).
|
| What companies do with the source is their thing. They get all of
| the benefits and all of the responsibilities. But the beautiful
| thing is that if that maintainer is dead or missing or no longer
| interested, you _CAN_ fix it. Which is very difficult / nigh
| impossible for closed source.
| zaarn wrote:
| Except you can't because hundreds of thousands of project have
| "log4j" in their dependency list not "wyldfire-fixed-log4j". If
| log4j broke and there was no maintainer, a fork would not fix
| things.
| jacoblambda wrote:
| Strictly speaking in the Java space that's a perfectly
| reasonable assumption. It's a bit more work but you can just
| substitute the jar/modules for log4j following the build with
| the patched versions.
|
| At the end of the day it is just a bunch of class files in
| jars/zips which makes patching a lot easier.
| zaarn wrote:
| Hot patching a jar is not a scalable solution in the long
| term, especially if you're considering that in a larger
| project there may be multiple unmaintained projects that
| now need permanent hotpatching.
| jacoblambda wrote:
| At least with gradle you can easily add some logic to the
| buildscript to substitute all instances of a specific
| dependency for a java library/application with a fork.
|
| It's only a handful of lines of code and it is
| technically a bit hacky but it's really no worse than any
| of the other jank you are forced to do when building any
| moderate to complex gradle based java project.
| zaarn wrote:
| And when another library is unmaintained and breaks, you
| add those few lines again. And again and again and again,
| until your gradle file is 90% hotpatching your
| dependencies.
| jacoblambda wrote:
| Yep but that's just the breaks. Especially with
| ecosystems that have tall dependency trees.
|
| Luckily those few lines can mostly be shared and you end
| up with a handful of lines and a map from old dep to new
| dep which makes it not too painful.
|
| This whole issue is why I don't like these ecosystems but
| at the very least in the Java space dealing with this
| issue isn't too painful. I can't speak for the JS space
| but this is also a pretty trivial fix in the Rust space
| and it isn't too painful with C++ or C projects. Nix
| (mostly used for Haskell but it's a pretty solid
| universal package manager) has some pretty good tooling
| for modifying upstream dependencies. Spack (package
| manager specialised for HPC and embedded projects) has
| really good support for this as well.
|
| My point being that people have run into these issues in
| the past a lot in certain spaces and as a result those
| spaces have come up with solutions for this problem a
| long time ago. It just so happens that for the most part
| the average dev doesn't see a lot of that because these
| issues get dealt with upstream or just aren't common in
| most industries. The embedded industry is particularly
| used to this considering how much of the kit from
| manufacturers is just outright wrong or broken 3 levels
| deep. The only reason I'm as well versed with this as I
| am is because I've been in the embedded space patching
| over broken HALs and I've bled my blood dealing with
| legacy enterprise applications that were initially
| written in Java 1.1 and haphazardly dragged along over
| the decades.
|
| TLDR: This is an ugly fix but ultimately it's the best
| ugly fix to an ugly problem and every software ecosystem
| eventually gets to deal with it once they get old and
| crusty enough.
| ecnahc515 wrote:
| As others mentioned, for any companies relying on this
| software, that's their problem, and it's nothing more
| funding and resourcing can't solve.
| zaarn wrote:
| This isn't only about companies, people who develop open
| source software on their own are just as affected by
| log4j. Funding and resourcing can at least help people
| and maybe incentive handing the project to someone else.
| blibble wrote:
| the documentation also needs to include the 5 line dependency
| exclusion that you place in your pom to exclude the bad
| version
| zaarn wrote:
| And if you do that everytime an unmaintained project gets a
| 10 severity CVE, we'll have that at 200 lines in no time.
| Proabably petition whatever generates your Pom.xml to auto-
| include those lines.
| mantaraygun wrote:
| > _hundreds of thousands of project have "log4j" in their
| dependency list_
|
| That's on them. They can migrate to wyldfire-fixed-log4j if
| they want, or to whatever other fork they want, or they can
| keep using the old busted shit. It's up to them, there's no
| problem here.
| blindmute wrote:
| Code doesn't just "break". It still works the same. If a
| vulnerability is discovered you either update the package or
| switch to a fork. Switching is not really that much extra
| work compared to updating. This issue has really nothing to
| do with open source except that you have the extra option of
| forking.
| zaarn wrote:
| I argue that if your code gets assigned a 10/10 Severity
| CVE, then it broke, even if nothing changed. It just broke
| a while ago.
|
| Switching one library is not much work. But if it becomes
| the standard approach then the first time you fire up your
| java project you either spent 30 minutes to put in all the
| exclusions to provide your favorite forks of dead projects
| or your pom.xml will already be 5KB large on generation
| just for those exclusions and patches.
| IiydAbITMvJkqKf wrote:
| Sure you can fix it, change the "log4j" in your dependency
| list to "wyldfire-fixed-log4j". You can't do that with closed
| source (either because you care about legalities, or because
| you have no way of obtaining a compilable and readable source
| code).
| zaarn wrote:
| Until all hundreds of thousands of projects have changed
| that, it'll take time.
|
| That doesn't mention the fact you now also have to fork
| unmaintained projects relying on log4j to use the new
| version. If you're developing a major java projects, that's
| potentially thousands of dependencies you have to patch.
|
| I'm not suggesting that closed source is the solution, I'm
| saying the current system is not sustainable and neither is
| just forking projects. Because which fork do you follow,
| and how do you make sure all your dependencies follow the
| fork you want and not an unmaintained fork?
| the_duke wrote:
| Some package managers (eg yarn , cargo) have a solution
| for that and allow you to specify a local resolution
| override that will apply to all dependencies.
| zaarn wrote:
| But again, that means _EVERY_ single product, open source
| or not, will have to patch their deployment to use the
| fork instead of simply using the updated version of
| upstream. Permanently no less if it 's unmaintained.
|
| Meaning every single Java product would have to include
| that "if you want to use log4j, you have to include this
| patch line to use a fork, because of unmaintained
| dependencies".
|
| That just ossifies log4j and fixes nothing. Patching
| dependencies in Cargo is not meant to permanently replace
| code, it's to be used while you're waiting for an
| upstream merge.
| IiydAbITMvJkqKf wrote:
| You can fix it for your own applications and libraries.
| The tooling exists.
|
| You can't force other people to use your fork.
| zaarn wrote:
| Correct, all those other people will have to manually
| find some fork or make their own, repeating the same work
| thousands of times and ossifying that some part of your
| java build system now permanently includes a section to
| patch log4j dependencies.
| kristjansson wrote:
| Does it matter that other products don't patch something
| that yours does? Like, sure, it's unsatisfying from an
| ecosystem perspective, and one would hope for fixes to be
| incorporated upstream. But if they aren't, who cares if
| other products are broken after you've patched the ones
| you're responsible for?
| zaarn wrote:
| It does because now I pull in a dependency that
| indirectly relies on log4j instead of my favorite fork of
| log4j and I end up having the same CVE in the project
| anyway. Yes this needs to work ecosystem wide, otherwise
| you have fixed nothing at all.
| the_af wrote:
| > _It does because now I pull in a dependency_
|
| How would _proprietary_ software make this better? You
| wouldn 't even have anything to pull in!
|
| Is your argument "having the source code and the legal
| rights to fix this bug even when nobody else wants to or
| even can fix it is not good enough because not everyone
| will use my fix"? Because good luck with proprietary
| software then!
| [deleted]
| quickthrower2 wrote:
| Thats the problem. If you use say React then you are using it
| as is without any warranty implied. React is the equivalent
| of an aircraft in complexity when looking at its dependencies
| and then the browser stack itself on top!
|
| React gives you a free copy of an aircraft and will probably
| maintain it for years. But maybe they rely on an altimeter
| developed by a poor person who decides they dont have time to
| work on it because they need to help their mum.
|
| Well thats everyone elses problem now.
|
| but the ease of download and use of React and other code
| libraries creates a sense of entitlement.
|
| Yes if its broke and you need it fixed you have to pay
| someone now!
|
| Its still libre its just not gratis anymore
| derekjdanserl wrote:
| That doesn't change the fact that open source users are the
| welfare queens of our times. As long as open source software
| exists, lazy degenerates with no skin in the game will feel
| entitled to keep demanding more and more. That's why open
| source software needs to die.
| unethical_ban wrote:
| I don't know if you're a troll, or if you really managed to
| stuff three different far-right rhetorical tropes into one
| sentence in order to declare the cooperative development of
| software as immoral, because megacorps _can 't_ force people
| to pay for something.
| c-smile wrote:
| > Which is very difficult / nigh impossible for closed source.
|
| Closed source does not mean that the customer has no access to
| it.
|
| In case of my Sciter, for example, customers are getting access
| to SVN server with sources. Some of them are sending patches
| with fixes and features.
|
| Sciter's [1] core customers are antivirus vendors - highly
| professional, dedicated and disciplined teams that know very
| well what they are doing.
|
| It is not an open source but not a closed source either. Rather
| a professional club where members value each other time and
| efforts.
|
| [1] https://sciter.com
| jobigoud wrote:
| > What companies do with the source is their thing. They get
| all of the benefits and all of the responsibilities.
|
| I know this very well and for some irrational reason it still
| makes me anxious to think about the many people relying on one
| of my free-time project that is used in classroom and medical
| settings. When there is a nasty bug found it's hard to shake
| the feeling of responsibility.
|
| I have disabled the counting of downloads for this reason, I
| would rather not know just how many people rely on it and
| instead focus on improving it without pressure.
| phkahler wrote:
| >> When there is a nasty bug found it's hard to shake the
| feeling of responsibility.
|
| I know right? Someone just opened a github issue for a CVE in
| one of our dependencies. It's only relevant if you're opening
| a .DXF file from an untrusted source, so it doesn't seem
| terribly relevant but yet... And updating to a newer version
| would take effort, and we want to replace it with something
| else anyway which would take effort. None of that effort is
| where I _want_ to spend my free time. But I _do_ work on the
| software because I like it and really want it to continue
| being around and useful, and that isn 't going to happen
| unless I (and others) make it happen.
| drran wrote:
| Submit a PR with the fix. It's open source after all.
| MathMonkeyMan wrote:
| Why pay for something that's being offered for free?
|
| I know that there are many good reasons to support valuable open
| source projects with money. But you can also _not_.
| abetusk wrote:
| I get a little nervous when the responsibility of incentivizing
| FOSS is framed as a personal responsibility. Isn't there a deeper
| conversation to be had about how we allocate resources as a
| society to help build fundamental infrastructure instead of
| placing the blame on individual people or corporations on their
| lack of sponsorship or donation?
|
| My apologies if this is flame-bait. I really don't know what the
| solution is. I certainly could admit that shaming people into
| contributing on an individual level is a valid tactic and that a
| good state to be in is to have individual and corporate
| sponsorship for a long tail of FOSS projects. I worry that
| focusing on the failings of individuals to fund projects takes
| attention away from other alternatives.
|
| I really don't know what the alternative could be. UBI? A wide
| array of government grants for FOSS?
| the_af wrote:
| It's not flame-bait. We, as a society that values FOSS, should
| fund it, but not at the personal level of "I use this software
| so I'll pay for its license". FOSS licenses should state
| nothing about _paying_ for the software. You should not feel
| bad because you are not paying FOSS at the individual level.
|
| Taxes and allocation of funding at a societal level _might_
| indeed be the answer.
| IiydAbITMvJkqKf wrote:
| > If log4j2 is responsible for your company's success, you have a
| moral obligation to donate to the person who creates this library
| thanklessly.
|
| That's a big if, log4j is a logging library after all. This is an
| understandable position to hold for other types of dependencies
| (think react, database, UI components etc.) but the logging
| library is very far down in the ordered set of projects I'd
| donate to.
|
| I will however leave a mark and donate to the top 3 dependencies
| I consider most important in my (non-java) side project.
|
| Edited to add: If you offer your software at no charge, you
| shouldn't be surprised if people accept that offer. So I even
| disagree with the "moral obligation" bit. Doesn't mean that
| donating is a bad thing, however.
| ravenstine wrote:
| Open-source is only broken in the sense that we frequently
| conflate it with _free as-in beer_.
|
| IMO, fewer things should be free in general, regardless of
| whether the source is open. Charging money limits the amount of
| low-value users and the problems that come with them, it rewards
| the those contributing their expertise, and it can be a
| replacement for junkvertising.
|
| So I agree with the author, but perhaps not in the sense that
| open-source software needs to charge money. It depends on whether
| the software really necessitates pay and exactly _whom_ should be
| paying. Charging all users a fee can be counterproductive, but
| only charging for commercial use by companies can be a way to go.
| blitzar wrote:
| > Open-source is only broken in the sense that we frequently
| conflate it with free as-in beer.
|
| Sadly many open-source evangelists are advocating for it
| because of the price tag not because it is free.
| mcguire wrote:
| If I had a nickel for every time I've seen an article claiming
| "open source is broken", I'd have enough nickels to live on for
| some time.
|
| The other side is that _everything else is broken, too._ How much
| should you _really_ trust a package that you cannot audit and
| that is maintained by an unknown group of people with unknown
| skills who are also subject to the whims of quarterly earnings
| reports? Oh, and you 'll never hear what their screw-ups were.
| interactivecode wrote:
| Can you really trust those average 3 engineers you work with to
| build any sort of complex piece of software more reliably just
| to get started with the project you're actually building?
| slooonz wrote:
| Don't you see that one big issue, that I never see addressed in
| this kind of discussion, is the enormous tension between true
| observation 1 :
|
| > Consider something as basic as running an SSH server on the
| Linux kernel. In the mix you would have at least 10 vendors
| (assuming a minimal Alpine Linux system in its default
| configuration), which means that there are at least 10 separate
| organizations that still have bills to pay with actual money
| dollars regardless of the number of users of the software they
| are giving away for free.
|
| And your judgment 2 ? :
|
| > If log4j2 is responsible for your company's success, you have a
| moral obligation to donate to the person who creates this library
| thanklessly.
|
| Let's say that you convince me of 2. I have 603 packages on my
| production server, with no obvious way to know how much distinct
| maintainers this is, or how they accept funding. One node
| application on it developed by my company has 991 dependencies,
| 129 of those "are looking for funding", according to npm.
|
| How do I even start to fulfill that responsibility in a fair way
| ? Just picking the 5 (or, hell, even 10) most "visible" or
| "obvious" projects would be a significant burden, and I don't see
| how prioritizing by visibility is fair or fixes anything about
| "that obscure but important library maintained by that guy in
| nebraska".
| kube-system wrote:
| The broken part is dependency management. People will install
| anything as a dependency, and just because the code functionally
| works today they often assume that they can expect maintenance,
| support, and security into the future.
|
| One of the biggest myths of "open source" is that it can replace
| commercial software in every way, but for free. It simply
| doesn't. Code is code, but nobody buys just code. They buy trust,
| support, a warranty, expertise, and a contract to back it up in
| court. You get none of this when your engineers `npm install who-
| knows-where-this-code-comes-from`
|
| Engineers are kicking the can down the road, and I don't think
| management in most places truly understand the extent of the code
| their companies are running for which:
|
| * they employ nobody who is familiar with it
|
| * they have no vendors on call who are familiar with it
|
| * they have no idea who is committing to it
|
| * if anything goes wrong, there is nobody to help them
| l0b0 wrote:
| Shout-out to Toitu Te Whenua LINZ, the New Zealand government
| mapping authority, for actually funding several projects in the
| geospatial field.
| wyldfire wrote:
| I see lots of sentiment in this thread that amounts to "I didn't
| know you were going to get rich off of my work."
|
| That's anathema to Open Source. How do I know? Check "The Open
| Source Way" [1].
|
| If you feel uncompensated, use a license that prevents commercial
| use.
|
| [1] https://opensource.com/open-source-way
| esarbe wrote:
| I get the feeling that you misunderstand the gist of the
| article.
|
| The gist of the article is not "I didn't know you were going to
| get rich off of my work (and I'm pissed off by that)". The
| premise is - in my reading -
|
| "Don't point the finger at me for writing bad software in my
| own free time, when you didn't even consider contributing to it
| and don't try to shift the blame when you have to face the
| consequences of your own cheap behavior".
|
| At least that's my interpretation.
| blibble wrote:
| my interpretation was a little different
|
| I see the author annoyed that companies don't want to to be
| their patron to just pay them to work on random things that
| they have fun working on
|
| and attempting to leverage this issue to try to draw
| attention to this "injustice"
|
| as someone with a full time software job: I wish I could only
| work on things that interest me...
|
| rather than spending 80% of my time working on boring things
| and dealing with customers who set deadlines and expect to
| receive a specific product that they're paying for
| [deleted]
| derekjdanserl wrote:
| Open source users are the welfare queens of our times. As long as
| open source software exists, these lazy degenerates with no skin
| in the game will feel entitled to keep demanding more and more.
| Open source software needs to die.
| esarbe wrote:
| I know what you want to say, but "welfare queens" is really a
| bad way to phrase it.
|
| > The "welfare queen" stereotype is driven by the false and
| racist beliefs that places the blame of the circumstances of
| poor black single mothers as the result of their own individual
| issues, bringing forward racial tropes such as their
| promiscuity, lack of structure and morals, and avoidance of
| work. [0]
|
| [0] https://en.wikipedia.org/wiki/Welfare_queen
| jrm4 wrote:
| I'd also imagine someone who lost their shirt in the stock market
| (or crypto) might get whiny and complain "Math is broken."
|
| Open source is just a _process._ It never promised you anything.
|
| Either way, this is why, even if annoying, the concept of "Free
| Software" is a better one. Its goal may not be perfect -- but at
| least it has one.
| the_af wrote:
| Fully agreed. I'm not entirely sure if authors like the one
| from TFA fully embrace or understand the distinction between
| Open Source and Free Software (I suspect they are conflating
| the two, but happy to be proven wrong), but if they do, they
| are actually doing good work and showing why Free Software is
| philosophically sounder.
| xena wrote:
| I'm the author of the post in case you have any questions for me.
| rasengan wrote:
| It would be interesting to get feedback from some of the more
| successfully funded projects and understand how they have
| things structured to handle these kinds of things.
|
| I also know there are organizations like the Software Freedom
| Conservancy who helps to handle these kinds of things who I
| would highly recommend [1].
|
| I used to donate to a lot of FOSS projects, most recently
| FOSSHOST. Both the project and myself were heavily attacked and
| accused of all sorts of things for doing so [2]. It has left a
| chilling effect on me and others I have spoken to. Most of the
| people who engaged in the online attack were not even
| developers, but simply "IRC Admins" of projects.
|
| How does a company or individual support projects financially
| with this kind of social ecosystem?
|
| [1] https://sfconservancy.org/projects/
|
| [2] https://fosshost.org/news/freenode
| benlivengood wrote:
| Thanks for the thoughtful article. I've always viewed Free
| software and to some extent OSS as by programmers, for
| programmers, period. Contributing code back supports the other
| programmers who use it. If commercial businesses want to use
| the software then they are free to contribute back (monetarily
| to support programmers or with their own code) or not. There is
| a long history of volunteerism in maintaining the Internet via
| open standards and I see a lot of OS/Free software in the same
| way.
|
| It doesn't make sense that businesses don't invest enough in
| the software they use (paid commercial software or otherwise).
| That is only to the detriment of the businesses that don't care
| to invest (their unique use-cases are not improved). It's not
| quite a tragedy of the commons because nothing prevents the
| people who do care (Google, MS, Amazon, FB, IBM, to name the
| large ones) from contributing their improvements back to the
| ecosystem, and they retain the full benefit of their work.
|
| It is absolutely an unequal exchange of goods for labor for
| most businesses but the near+zero marginal cost of replicating
| software means that it's a negligible loss for the authors, if
| that. The solid benefit for most programmers and system
| administrators is that they get to use high-quality Free/OS
| software in the jobs where they do earn money. At least for me,
| business concerns are secondary; I want to use quality software
| with a good ecosystem rather than know for sure that my
| employer paid money for the software that I have to use.
| fargle wrote:
| A thoughtful piece, and most supporting points are real and I
| think I agree with them. However, I don't think the conclusion
| "Open Source is broken" follows from the arguments.
|
| The most concise counter-example I can come up with is: What
| would change if that XKCD picture had the critical log4j2
| component replaced with closed-source "McA$$hat logj2+
| ENTERPRISE" trialware+commercial $$$$ licensed product that was
| thanklessly maintained by severely underpaid hire-and-fire
| contractors in a 3rd world country? Nothing. Well, it'd be a
| lot worse because you couldn't fix it.
|
| What's broken is larger umbrella projects and products, open-
| source and commercial, not understanding that _they_ own and
| are responsible all the dependencies. All of them. Down to the
| very bottom of the stack. Whether they bought them or got them
| for free. Each and every dependency must be evaluated, and if
| it 's appropriate, you could delegate the risks to a
| trustworthy sub(contractor) or project.
|
| What if that project gets abandoned? What if "McA$$hat Inc."
| goes out of business? Or either just changes direction or
| quality suddenly? Will the security bugs be reported or covered
| up or remain undiscovered because nobody uses the thing?
|
| I currently trust Linux. I trust the "big" distros. I trust a
| lot of larger, well maintained opensource projects. I'm very
| hesitant about things like node.js and others that have very
| fine grained and super-easy automatic dependency management and
| build systems the just pull whatever the latest thing is for
| hundreds or thousands of dependencies. I really don't trust
| most commercial software because it's _always_ just as broken,
| but you can never see it nor fix it.
|
| A lot of the article focuses on getting paid. I totally agree
| and the market will definitely correct when it becomes visibly
| critical. You can get paid to maintain opensource commercially
| and that's probably the best of both worlds. There's going to
| be a lot of people working for a lot of companies getting paid
| to fix or replace log4j2. There's going to be a lot of people
| paid to figure out how to get better control over that XKCD
| picture situation.
|
| But Open Source isn't broken, it's the cure just working it's
| way along by making that picture visible.
| bpfrh wrote:
| I always think about paying for the open source software that I
| use and I try to be more dilligent in paying for it.
|
| The problem for me is, that while calculating how much I
| theoretically should spend on the OS I use for example
| (gnome+fedora+linux kernel,etc), it would be actually cheaper
| to pay for a windows version+microsoft cloud/office suite or
| switch to the apple ecosystem.
|
| Same applies for programming frameworks I use.
|
| Doesn't that mean opensource is inherently impossible to use
| ethically as a private person?
|
| So how do you decide on how to deep and how much one should
| pay?
| TheDong wrote:
| I'm curious on your thoughts about the difference between
| publishing this post and publishing oss/foss code.
|
| To me, it seems like this blog post is something you've shared
| freely with the world, with no expectation of getting direct
| financial compensation for it. You have an idea you want others
| to read and think about, so you wrote it down.
|
| To me, this act of publishing and sharing your thoughts freely
| in the hopes others might find them interesting shares
| similarities to free software. You wrote something that you
| think others might find interesting or useful, and you want to
| share it. That statement applies equally well to FOSS and blog
| posts.
|
| What do you see as the major difference? Is it that OSS rejects
| copyright, so the code can be used for profit, while your post
| can't freely appear in, say, a published for-profit book of
| opinions on OSS? Would you be opposed to this post being
| published by someone else and you not getting money for similar
| reasons that you blog about here?
|
| Is the difference in expectations, that people expect support
| for software, while people expect nothing of blog posts? That a
| blog post is finished and may be thrown over the wall, comments
| ignored, typos uncorrected, and that feels "fine", while
| software thrown over the wall with issues ignored and no future
| changes planned feels "weird"?
|
| Is there some bigger difference?
|
| Is there a way to reduce this difference, to create an
| environment or structure where you would share code, just as
| you currently willingly share your thoughts and writings on
| this blog?
| xena wrote:
| I actually do make a very small amount of money for my posts.
| I make about $120 per month on Patreon (I more accurately
| make $175-ish per month but I also donate back to the amount
| of about $55 per month to other projects) and this blog is
| frequently brought up in interviews, which means that it
| becomes an impetus for people to hire me. I'm not sure how to
| quantify that, but either way it offsets the costs of hosting
| the server, even though I have kind of a ridiculous level of
| overkill (Ryzen 5 3600, 64 GB of ram) for that server.
|
| As for the time to write these posts, yeah I'm making nowhere
| near my market value for this kind of writing. I've
| considered adding ads to my blog, but I still feel kind of
| philosophically uncomfortable with "selling out" like that.
| My job really does make sure that all my needs are accounted
| for and I am blessed to be in a state where I have financial
| excess and can make additional private contributions to other
| projects.
|
| At some level though my blog is really a sink for my anxiety.
| Just being able to put words out into the void and knowing
| that someone is gonna read them helps a lot when it comes to
| making things a lot less scary in the world. I really do just
| throw them over the wall when I'm done though lol. Sometimes
| I'll do a typo pass but most of the time I write well enough
| that my first pass turns out to be the last pass unless some
| critical problem is found. This doesn't happen often though.
|
| I do occasionally make volumes out of my writing and sell
| them on Itch (https://withinstudios.itch.io/), but I have
| only ever made $250 on there in total; nowhere near enough to
| fund the creation of the media in question. I also don't
| advertise my Itch shop very well so that may be partially on
| me.
|
| Mostly though the goal of this post was to make people think
| about the issue. I have succeeded.
| senko wrote:
| You mentioned you don't want your passion project to be
| critical to someone without getting paid for your work.
|
| How do you ensure that's not the case? Careful license choice,
| "you're on your own" wording or something else?
|
| Like, if someone created a unicorn startup rivaling Slack using
| Elemental-IRCd, how would you react?
|
| (I have massive respect for anyone maintaining an ircd, btw,
| having attempted to contribute to one a long time ago)
| xena wrote:
| Careful license choice and intentionally crippling things
| such that they are objectively useless unless you meet the
| exact needs that I have.
|
| I've kind of given up on elemental-ircd and left it
| unmaintained and archived, but I would probably send a job
| application in to that place if said unicorn startup
| happened. A few people have tried to take over elemental in
| the past, but as a whole the IRC ecosystem is on a downturn
| so they don't last long. It's a complicated situation though.
| At some level I'd be shocked that they managed to turn that
| pile of shit into something usable!
| mcguire wrote:
| Are you familiar with Kant's categorical imperative? (https
| ://open.library.okstate.edu/introphilosophy/chapter/the...)
| xena wrote:
| I am now. I'll need to digest it for a while.
| jevoten wrote:
| > This is why I am very careful about how I make "useful"
| software and release it to the world without any solid way for
| me to get paid for my efforts. I simply do not want to be in a
| situation where my software that I develop as a passion project
| on the side is holding people's companies together.
|
| Isn't this the best position to be in if you want to get paid?
| "You've built your company on top of my project and now you
| need this bug fix/feature yesterday? My hourly rate is $$$"
| xena wrote:
| You'd think. You'd really think. This is not the case most of
| the time. They will just work around it for their own needs
| and say nothing.
| interviewer0000 wrote:
| Just a side not but I love the styling and writing style! It
| was a pleasure to read.
| blondin wrote:
| thank you.
|
| it's a well written article and you got me agreeing with what
| you are saying. it's surprising to read comments here that
| start with "open source is not broken" but proceed to repeat
| everything you wrote in the article...
| esarbe wrote:
| The title of the article is "Open Source is broken" and its
| subtitle is "Why I Don't Write Useful Software Unless You Pay
| Me"
|
| And I disagree with both of these statements. Open source is
| not broken and I'll continue to write useful software, even
| if you don't pay me, because it's fun.
|
| The actual problem is concisely present in the article:
|
| > There is this culture of taking from open source without
| giving anything back.
|
| The problem is not with open source, but with how
| capitalistic systems interface with open source - the same
| way the interface with any public good. It's the capitalist
| culture that's broken; the capitalist culture of rent
| extraction and of short-term profit optimization.
| xena wrote:
| You hit the nail on the head.
| kolbe wrote:
| 'Open Source' has no implications about whether the writer gets
| paid or not, but I'll set aside this semantic criticism.
|
| There are many many FOSS projects where contributors get paid a
| great deal of money. Universities sponsor contributors. And most
| contributions to a project like say Kubernetes come from Google's
| employees. Government agency grants. Et cetera. But if that's not
| enough, tech giants throw a lot of money at places like the Linux
| Foundation to ensure that FOSS projects get maintained (and thus
| the maintainers get compensated).
|
| The fact is that a little 'buy me coffee' link is simply an
| ineffective way to monetize a FOSS project. But FOSS is not
| broken. Some of the greatest things in computing today are FOSS.
| neilwilson wrote:
| What happened to those who find it fix it?
| pjmlp wrote:
| Whatever I put out there is mostly to keep HR folks happy to
| check their bullet points, or done under straight GPL.
|
| Valuable stuff, only with commercial contracts.
|
| I also buy books from folks, or do occasional contributions to
| all ecosystems which are valuable to me.
|
| Like myself they have bills to pay, however none of them (buying
| books or donations) is a sustainable business, if only a couple
| of people occasionally do it.
|
| Somehow I think open source has legitimated piracy, in the sense
| that those that would pirate, now feel safe because license, and
| just go on their merry way and don't need to fear that the
| economic activities surprise audit would close down their shop.
| k__ wrote:
| _whispers_ cryptooo~
|
| Gitcoin could really help here.
| rubyist5eva wrote:
| You don't owe anyone that uses your free software anything. If
| they rely on it and something is broken, they can fix it. That's
| kinda the point of open source and it's a good thing.
| Juliate wrote:
| It's not "Open Source" (making code public and free to use and
| modify) that's broken. It's how people rely on it without any
| consideration about the sourcing of it.
|
| It's not that it's free to pick and to use. It's that some/most
| people too often associate "it's free" to be equivalent to "I
| don't need to care about it, like, at all".
|
| It's that some/most people don't understand that, whatever they
| take, they become dependent of, for the better and for the worse
| (insert Marie Kondo cue here).
|
| The interesting thing here is that there's a full new line of
| work for Info/OpSec opening here: ensuring that your software
| supply chain is not only secured, but also properly funded and
| supported.
|
| That's like... common sense in so many "old" industries.
| dnautics wrote:
| > It's how people rely on it without any consideration about
| the sourcing of it.
|
| Exactly this. I think the problem is that OSS consumers often
| have a complex that they are entitled to "good software". But I
| doubt that the solution is to make it so that the producers are
| "entitled" to financial compensation. I can see situations
| where that backfires -- satisfying the producer's "entitlement"
| can exacerbate the consumer's sense of entitlement and just
| create an entitlement arms race, and stress out open source
| producers.
| fivelessminutes wrote:
| Yes 'free' means 'the little people work on that'.
|
| There's no real way to secure finegrained node.js or python etc
| deps, since you have no clue if the original author who signs
| his sources should be trusted, or was malicious from the start
| and just biding his time, let alone everyone who contributed to
| every package.
|
| What would help is independent audits and where needed help
| with hardening like fuzzing and asan / valgrind / static
| analysis. Just an extra security-minded eye on patches in
| realtime would be a big help (and maybe would have found the
| logging bug at hand).
| tommek4077 wrote:
| Those audits are your duty. We've did this in programming a
| long time until recently the JavaScript craze took over.
| esarbe wrote:
| I seriously doubt that open-source is broken.
|
| What is broken is companies using open-source to build their
| products, expanding to billion dollars total revenue and not
| giving anything back in the long run.
|
| This will - as shown in the latest example - come back to bite
| them.
|
| It's the _classic_ tragedy of the commons; everyone is willing to
| profit from the public good and nobody is willing to invest
| resources into it.
| uniqueuid wrote:
| I agree. What's broken is liability of those companies relying
| on open source but not taking responsibility.
|
| One way to hold them accountable is to apply regulatory
| pressure in case of security breaches, which has started to
| happen (albeit not nearly enough). Is there any other way I'm
| not seeing?
| mcguire wrote:
| I'm not sure. Wouldn't that mean forcing the companies to pay
| someone to take that liability but not necessarily providing
| any benefit to the original software developers---like
| whatever Red Hat Enterprise Linux is called today?
| esarbe wrote:
| Another way would be to enforce open-source requirements for
| any public spending including/producing code. You want a city
| to buy your traffic control system? Open source the code
| first. You want a state to use your voting machines? Open
| source your code first. Any public money going should
| necessitate that software being released as open source.
|
| Not only would this lower the risk of fatally flawed public
| software projects, maintenance of these systems in the long
| run would also not depend on just one company with an
| artificial monopoly anymore. This would also create a healthy
| ecosystem of paid open source developers.
|
| Just an idea.
| rakoo wrote:
| This is a point I've been pondering about recently, especially
| since the attacks against Free Software and RMS.
|
| I've been convinced of the inherent good that openly available
| software is, both for users and developers, and for society at
| large. I want to continue contributing to the common goods. But I
| am also fully aware that Google, Facebook, Twitter, Instagram,
| Snapchat, Tiktok, and all other platforms exploiting users'
| privacy and controlling so much of our digital lives could rise
| to power that easily because they had a trove of open source
| software to build on, software for which there is no counterparts
| needed. That is what the MIT, Apache, BSD licenses and friends
| allow you to do.
|
| That is why my opinion now is that if you want your work to be
| open, you should not make it open source "only" but fully Libre.
| Use a copyleft license. If other developers don't want to pay you
| in money, at least their production should become a common so
| that the entirety of society can benefit. Don't give FB more
| power to turn elections in the direction they want; make it so
| that someone else can _only_ build a platform where users, and as
| such people, remain those in power.
|
| Open Source Software benefits those in power, and unfortunately
| it is not us who hold this position.
| aeldidi wrote:
| Companies will use whatever is at their disposal to grow faster
| and more efficiently, this is the free market working as
| intended (and isn't a bad thing by itself: see free software
| companies like SourceHut benefiting as well).
|
| I think the core of the problem lies in distribution. We've
| gotten so used to other people distributing our code for us
| (through the use of package managers and such) that we've made
| it hard to actually have a dialogue with our users. Many
| consumers of packages just know their dependencies by the npm
| package name, rather than actually seeing what the person has
| to say about the software, how they plan to maintain it and for
| how long, etc.
|
| Even things like licenses are really just ignored at large,
| with there being a general mentality of "it's on Github
| therefore it's probably MIT". There was something I remember
| reading a bit ago about a Go project whose license was simply
| "you do not have permission to use for any reason ever" which
| was depended on by projects from big organizations such as
| AWS[0].
|
| This is mostly just a rambling and I don't have any concrete
| way to solve this, but I think it should be taken into account
| when assessing whether the problem really lies in the
| individual license choices of developers, or whether this is
| some kind of effort by big market actors to keep open source
| solutions at a subpar level of quality in comparison to
| commercial offerings (for example: some of Microsoft's VsCode
| extensions only work on the proprietary version, not any open
| source forks[1]).
|
| [0]: https://fossa.com/blog/bouk-monkey-importance-knowing-
| your-d...
|
| [1]: https://github.com/VSCodium/vscodium/issues/240
| jevoten wrote:
| A good analysis of what open source enables - Facebook et al.
| were able to build their companies more easily using it.
|
| But you forget to compare it to the alternative, where there is
| no significant open source or libre software available.
|
| You can't run Linux, you have to trust Windows not to backdoor
| you. There is no Signal or Matrix or other encrypted messaging
| - or if there is, you have no way of verifying it. If you want
| to write a .txt file, you must pay for a close-source text
| editor. Or a very expensive compiler, if you're a programmer.
| Is the compiler backdooring your code? Maybe. You must find
| paid alternatives for all the free software you rely on, for
| work, or for your hobbies.
|
| And who builds that paid software? Not a garage shop - they
| could never afford all the compilers and libraries and tools
| necessary. Only billion-dollar+ companies, engaging in
| incestuous cross-licensing, letting each-other use their tools,
| and crushing any upstarts.
|
| If open source (or even copyleft) benefits those in power,
| closed source benefits them infinitely more.
| rakoo wrote:
| Indeed Open Source also benefits Libre Software today. But do
| we really know what the ecosystem would be like today in a
| world where only Copyleft existed ?
|
| Linux itself is GPL, so are some of the distributions. Hurd
| hasn't seen adoption, probably because the alternative is
| good enough. Signal is still there, client and server. But
| maybe it wasn't needed because ejabberd, one of the biggest
| XMPP servers, was already there and powering all messenger
| platforms.
|
| You're assuming that if developers didn't license under non-
| copyleft, they'd license under proprietary instead; there's
| no real reason to believe this. And as many examples have
| shown, many of the tools we use aren't actually made by
| billion-dollar companies but by single developers on their
| free time. The examples in the article show it, Werner Koch
| (the guy behind OpenPGP) has been asking for funding for
| years (decades ?). ssh, curl, ...
|
| Anyway, that world is so different that we'll probably never
| know how it'll work, so here is the area where the optimism
| of people are visible and I myself believe Copyleft could
| have been a success.
| senko wrote:
| Copyleft wouldn't help here. You don't need to do anything if
| you just _use_ the code as-is.
| webmaven wrote:
| While not a complete solution, the AGPL helps close this
| loophole.
| kortilla wrote:
| > If log4j2 is responsible for your company's success, you have a
| moral obligation to donate to the person who creates this library
| thanklessly.
|
| This is absolutely not what open source is about. The author just
| sounds completely against open source, which is fine, but don't
| lecture people for not paying for that which was intended to be
| free.
| xena wrote:
| I'm the author in question. I'm not against open source, I'm
| against the culture of taking without giving back.
| throw10920 wrote:
| Open source is not "broken" - it's working exactly as designed,
| where anybody can obtain the software for no cost, and
| compensation for work done is _voluntary_.
|
| If you want guaranteed compensation for your work, work for a
| company or require payment for your software. Releasing it as
| _free software_ and then complaining when you don 't get the
| donations you wanted is just being entitled.
| blibble wrote:
| > If log4j2 is responsible for your company's success, you have a
| moral obligation to donate to the person who creates this library
| thanklessly.
|
| I doubt there are many companies that this is true for, if any
|
| yes, log4j is good, but there's a dozen other logging libraries
| for Java that do 99% of what people will use log4j for
|
| and the same is true for Alpine
| mcguire wrote:
| And rebuilding your entire company's ecosystem to switch
| logging libraries is practically free.
| blibble wrote:
| as anyone who's maintained a large old java codebase will
| know: there's adapters for all the popular logging frameworks
| so they interoperate
|
| so yes, it can be
| AndrewDucker wrote:
| And your company can invest in log4j or it can invest the time
| and money in switching to another one. Which is cheaper?
| blibble wrote:
| probably switching as there's drop-in adapters for all of the
| popular logging frameworks
| hooande wrote:
| Someone should write a package that goes through your existing
| codebase to see which open source projects you make the most use
| of (however that is measured). Then a company could run it once a
| year, say around tax write off time, and build a list to donate
| to
|
| I would have happily given to log4j, but I didn't know that they
| were in need. Someone has to make it easy to keep track of this
| because it's never going to be a priority for businesses
| ggreer wrote:
| An incremental way to get to this would be to standardize the
| format for payment info in package.json (or equivalent). Then
| you could build donation into yarn, pip, cargo, etc. Just run
| 'yarn donate' and choose the amount to spread over the packages
| you use.
|
| This is a half-baked idea right now, but I think there's
| something to it. A lot of the issues with open source stem from
| the friction of donating. Reducing that would incentivize
| people to work on libraries that are popular but neglected. It
| would also help devs capture some of the value they create.
| sneak wrote:
| More money doesn't always make for better software.
|
| Would millions of dollars of donations over the last decade
| have caused log4j to not have the vulnerability?
| jrpt wrote:
| Stuff like that already exists. Companies barely donate. In my
| opinion, more packages should require licensing fees from
| companies.
| senko wrote:
| I like opening the code I write. I don't plan on having two
| customers paying me $5/mo each for my super obscure piece of
| code.
|
| Are we really going to blame log4j2 authors who, for all we
| know, don't care if someone else is using their project?
| mcguire wrote:
| Because the corporate purchasing system works _so_ well....
| wisty wrote:
| Or they could get a list of deps, and just get their engineers
| to occasionally keep tabs on a few random deps. Random would be
| almost as good as systematic if a few companies did it.
|
| Check the security of the infrastructure (is it one guy?),
| check whether some the code is correct (either randomly or
| systematically, not just checking the first file you see), etc.
|
| What's the incentive? Well, checking your dependencies is a way
| to upskill. You learn as much reading code (especially the code
| you are relying on) as you do writing code, and most of a
| programmer's job is learning.
| yumaikas wrote:
| I mean, `npm donate` is a thing, I'm pretty sure. Just need to
| build it for other ecosystems.
| anxrn wrote:
| A tool that inspects a company's software dependencies and
| generates a report of open source dependencies, state of support,
| and easy ways to fund (direct corporate funding, or even employee
| + corporate match) would be super useful.
| hgs3 wrote:
| There are already strategies for monetizing OSS, like selling GPL
| exceptions or support, but it's up to the individual developer to
| figure this out. The OSS ecosystem could do more to encourage
| monetization. For instance, GitHub could add a "buy" button with
| payment processor for maintainers to easily sell closed source
| licenses. Package managers could include payment options too.
| It's not just about payment either, but they could also offer
| prewritten contracts and other legal templates for maintainers. I
| can easily envision a world where maintainers are properly
| funded. I suspect, however, that enterprising forces would prefer
| OSS remain charity work.
| seqizz wrote:
| Well, I agree but no solution in the horizon yet. Yes, the
| companies which profit from open source "should" fund the open
| source. But nothing forces (or even reminds) them to do so.
| mborch wrote:
| The problem is that many projects (open or closed source) don't
| respect the exponential cost in bringing in a new dependency,
| i.e. code that's not under your own management.
|
| Bringing in a shitty old bloated logging library with
| functionality you don't need or want compounds the interest even
| more.
| bluefox wrote:
| You can also write useful software without getting paid. Simply
| don't share it. Indeed, that's one way to spend your time when
| you're not seeking employment.
| alwaysjoe wrote:
| The other side is that if a large company like Google had to pay
| the maintainers, they would've rather done this themselves, and
| the rest of us wouldn't have access to a free piece of code
| that's literally good enough to be the backbone of the internet.
|
| I don't want the maintainers to work for free. But I don't know
| if we at large would benefit from the alternative.
| gweinberg wrote:
| The strange thing to my mind is not that people will use things
| for free given a chance, because of course they will, but rather
| the developers of popular open source packages are having trouble
| getting jobs. Back when I was a CTO, if any of my applicants
| could claim to be developers / maintainers of popular open source
| projects, I would consider that to be a major plus. Wouldn't
| everyone?
| lomereiter wrote:
| If you think of the world as a giant corporation, in the short
| term it's more efficient if these workaholics are not paid at
| all. Think of a typical workaholic who's always happy to do
| more and take on more responsibility - why would you increase
| their salary if they don't ask for it?
| joemazerino wrote:
| Open Source maintaining critical projects and not receiving
| funding is by design. It isn't right or good for the ecosystem
| but that's how it is.
| b3morales wrote:
| I don't follow this...whose design?
| jchw wrote:
| Any time there's a big vulnerability in an open source project, I
| brace myself for the inevitable barrage of reactionary statements
| making the same claims about open source maintainers,
| compensation, etc.
|
| But while there's some truth to the factual information, I simply
| disagree with the notion that open source is broken because of
| this. And there's one specific pull quote I'd like to draw
| attention to:
|
| > If log4j2 is responsible for your company's success, you have a
| moral obligation to donate to the person who creates this library
| thanklessly.
|
| This is an interesting statement. I happen to disagree with it in
| a fairly vehement fashion; open source works specifically due to
| the lack of moral obligations. Part of what I am intentionally
| doing when I release code is waiving any legal obligations, and I
| in no way want to imply that I am replacing them with unspoken
| moral expectations. I just release software because I feel like
| it, and offer best-effort support (not great!) because I want to.
| For free. For other people to benefit off of, and for me to
| benefit mutually from in the form of bug fixes. (And if I even
| cared about it, GitHub stars.)
|
| But the other reason it's interesting is because it actually
| knocks at another truth:
|
| Most users of a logging library like log4j have collectively very
| little credit to give to log4j for their success. As great of a
| library as it may be, it's simply a tertiary concern for most
| software, which, most of the time, will be using very little of
| its functionality.
|
| Instead, log4j offers the applications the ability to have better
| logging facilities at a relatively low cost thanks to open source
| and the lack of obligations it gives users. It's usually not that
| important, but the collective quality-of-life improvement across
| the industry was evidently of great importance, seeing how much
| use it garnered.
|
| Am I saying people shouldn't go and donate to log4j? Absolutely
| not. But no, I disagree that you really have a moral obligation
| to pay maintainers for libraries you import. It's extremely good
| that the maintainers of log4j are selfless enough to tirelessly
| provide support during this obviously volatile moment, but they
| are not required to, anymore than anyone is required to donate.
|
| In any case, reactionary action every time something goes wrong
| sure as hell won't fix anything that might be broken about open
| source.
|
| If you want to be paid for something, consider not using the open
| source model, or using a dual-licensing model. Not all software
| simply must be open source. But: The largest net benefit to the
| world for something like log4j could only be seen with open
| source, and that is literally because of the lack of obligation,
| not in spite of it.
| sneak wrote:
| > _If log4j2 is responsible for your company 's success, you have
| a moral obligation to donate to the person who creates this
| library thanklessly._
|
| This is false. Free software is given away by those who produce
| it. When you receive a gift, no moral or ethical obligation is
| created.
|
| This idea that you can do things with free software that are
| contrary to the spirit (such as create a profitable company
| around it and not pay the original author) is a false one. It is
| free as in beer, too.
|
| You don't owe anyone anything when you receive a gift freely
| given.
| webmaven wrote:
| _> This is false. Free software is given away by those who
| produce it. When you receive a gift, no moral or ethical
| obligation is created._
|
| The ethical obligation is to your own users: you should be
| making a reasonable good-faith effort to ensure that your
| software's dependency projects are healthy as a transitive
| consequence of ensuring the health of your own software
| project. This has nothing to do with the ethics of accepting a
| gift, and everything with professional ethics (which raises the
| debate of whether writing software should be a profession).
|
| Arguably, the dependency projects also have a similar
| obligation, or at least the obligation to make the health
| status of their project explicit.
| rspoerri wrote:
| What are the licenses that force the licensee to:
|
| - share money earned (support or sales)
|
| - share theyr time to support the project (writing docs)
|
| i do know it's illusionary that everybody does theyr part, but
| not asking for something back might be just wrong.
|
| what are other ideas that do not require the developer to create
| a support ecosystem around his library to earn money or the
| possibility to work on the project full time?
|
| Is it an idea for a startup to support developers earn money with
| theyr products?
| rvense wrote:
| Open source software is free to take is a practical measure as
| much as anything. It's because having the left-pad package
| surrounded by a paywall would suck, and would create all kinds of
| weird incentives to mess with both the software and the
| ecosystem. And we absolutely want an ecosystem where one person
| makes left-pad, and someone else builds on top of that and in the
| end you have React, or whatever, and that doesn't work if
| everything is an app store.
|
| We (programmers) need to explain this to the money people
| somehow. No company I've worked for in my 10-year career would
| have been able to exist without open source. They would have had
| no product. If you're extracting significant value from this
| ecosystem, you should help fund it, even though there isn't a
| toll booth on the way in.
| GenerocUsername wrote:
| I feel like code security blogs are always loaded with
| Furry/Anime avatars, memes, artwork, etc...
| politelemon wrote:
| Yes it's in a bad state and unsustainable, especially with the
| recent (and welcome) focus on security these days. I wouldn't
| consider it broken however, that's implying an unrecoverable
| state. There do exist sponsored projects in the open source world
| which have been running successfully, though those are few and
| far between relative to the number of 'Nebraska' projects.
|
| Those outliers aside, consider the alternatives. The first one I
| can think of is to put trust in closed source software, in many
| cases written by MAMAA. We have enough historical evidence to
| know that represents a nightmare scenario that we should actively
| be working to get away from.
|
| That's why I agree, we should be trying to make the open source
| ecosystem sustainable. What I think we'll need, as a bunch of
| normal users, is a way to present these cases to our $workplaces,
| to get the funding or sponsorship in place. And an easy way for
| companies to do that, which slots in with their own practices.
| randmeerkat wrote:
| Maybe UBI would be a good use case here. People could focus on
| their passion projects and wouldn't need to worry about begging
| for money from the corporations that profit off of their labors
| and give nothing back.
| shrubble wrote:
| When I look at https://apache.org/foundation/thanks I see a huge
| list of Big Name Tech companies who are presumably donating a lot
| to Apache.
|
| So, what exactly is the issue? Perhaps one of allocation of
| existing resources?
| joshtynjala wrote:
| Apache funding goes to stuff like infrastructure and
| administrative stuff. Developers writing code for Apache
| projects are volunteers and are not paid by Apache. If they're
| lucky, their employer might pay them to contribute to the
| Apache project.
| betwixthewires wrote:
| I don't think it's that big of a deal honestly.
|
| If some guy in Nebraska maintains some library that is very
| useful and your company relies on it and does not pay him, you're
| asking to wind up relying on an unmaintained project eventually.
| If I maintained something extremely valuable and found out a core
| google product relied on it, I'd stop maintaining it.
| marktani wrote:
| may I ask why you would stop maintaining it in this case?
| aren't you then limiting yourself in your self-expression?
| ohgodplsno wrote:
| Getting Google to waste time and money would be the best
| self-expression someone can ever have.
| WJW wrote:
| Presumably their wish to cause google some inconvenience is
| greater than their wish for self-expression, and/or they have
| other means of expressing themselves so they don't care about
| any particular project.
| hn_throwaway_99 wrote:
| I think the issue, which is so well depicted in that XKCD
| cartoon, is that transitive dependencies can make it nearly
| impossible to _not_ depend on some low-level, unmaintained
| library.
|
| It's not like tens of thousands of projects decide to pull in
| left-pad. But tens of thousands of projects do decide to use
| React, which (I'm guessing through its own gaggle of many
| dependency layers) happened to pull in left-pad.
|
| Taking the option of "I'll just build everything myself" then
| is not really a viable process in today's world, where all of
| your competitors will be using tons of prebuilt stuff (unless,
| perhaps, you have the productivity of someone like Fabrice
| Bellard, but the reason he's so well known is because his
| abilities are so rare).
|
| I think the real fix is that dependency management tools like
| NPM and Maven need to make it much easier to "override"
| dependency package names so that, if a critical issue is
| discovered, you are _not_ at the mercy of the current
| maintainers of that package to quickly get a fix into
| production.
| fileeditview wrote:
| > Taking the option of "I'll just build everything myself"
| then is not really a viable process in today's world, where
| all of your competitors will be using tons of prebuilt stuff
| [...]
|
| It obviously depends on the scope of things but I tend to see
| a future where this building everything yourself might be an
| advantage again. Because most of "this prebuilt stuff" adds
| layers of complexity because of generalizations you don't
| need and other abstractions.
|
| In my experience this gets worse and worse every year. We
| software developers are already drowning in a flood of
| languages, frameworks and so on. How often do I see a
| framework Y built on top of library/framework X to abstract
| away something from X. Not only you have now both
| dependencies but at some point Y lacks a feature you need
| (which is provided by X). Now you have to pull up X and mix
| with Y and everything just got worse than just using X from
| the get go..
|
| I more and more think we need some back to the root movement
| and also keep in mind to always choose the simplest solution.
| nyanpasu64 wrote:
| > Taking the option of "I'll just build everything myself"
| then is not really a viable process in today's world
|
| I want it to be practical to build software which only
| depends on a small number of trusted individuals or
| organizations beyond the OS and compiler. C++ manages it
| better than newer languages with built in package managers,
| and dependencies rarely depend on transitive dependencies,
| though it comes at the cost of adding dependencies
| (especially transitive dependencies) being extremely
| difficult (I hear Meson subprojects help, and CMake has their
| own worse version I didn't try).
| j-bos wrote:
| "I think the real fix is that dependency management tools
| like NPM and Maven need to make it much easier to "override"
| dependency package names so that, if a critical issue is
| discovered, you are not at the mercy of the current
| maintainers of that package to quickly get a fix into
| production."
|
| I'm probably mistaken, but I thought in maven
| managedDependencies was exactly this. Please correct me if
| I'm wrong.
| ohgodplsno wrote:
| Maven/Gradle does exactly that. Provided the dependency
| you're replacing is compatible with the new one (same
| packages, same methods, etc), it's fully transparent. It's
| just that once again, the web world is running with awful
| tools that keep making the same mistakes that have been
| done years before them.
| TheRealPomax wrote:
| You say that as if you even know your full dependency chain.
| Reality doesn't quite work that way. No one knew their codebase
| even relied on leftpad until it broke millions of applications
| the world over when it got pulled.
|
| Some projects have the benefit of notoriety (log4j falls in
| that category) but plenty of projects are just "plumbing" and
| the only thing you know is the name of the dependencies you
| have in your dependency list. I can guarantee you that except
| for security audits, no one knows their full dependency tree,
| and that they have a deeper dependency with itself a dependency
| on a utility that depends on a thing that no one's even heard
| of, and no one's looked at for years, and you would never have
| looked for. While also being one of the critical pieces that
| your software runs on top of, capable of bringing down your
| entire product even if _what it does_ is literally trivial.
|
| Best case, it fails. Your product/server is now broken
| (hopefully, for only a short while). But worst case, it has a
| 0-day exploit. And now your entire company is at risk to the
| tune of "depending on how bad, you may have just gone out of
| business because you can't afford what is necessary to both
| legally and professionally deal with the fallout".
|
| (Did your product/service have a database that comes with
| rather massive fines for leaking that data? Good luck, that
| might bankrupt you. Does your company have contracts that are
| void on significant service interruption? Good luck, you may
| have just lost all your big clients. Etc.)
| ohgodplsno wrote:
| > plenty of projects are just "plumbing" and the only thing
| you know is the name of the dependencies you have in your
| dependency list.
|
| Maybe in the web world. .Net/Java/C/C++/etc projects have a
| well understood dependency chain, most of the time. Mostly
| because there is an actual stdlib and having dependencies
| upon dependencies upon dependencies is very rare. Projects
| I've worked on with over 150 dependencies (which is an awful
| lot for an Android project as it was) had a dependency tree
| that wasn't that deep (5 at most), and all of that was on
| standard, well known modules (androidx, etc.)
|
| The shitshow that is JS dependency management is a self-
| inflincted wound. Knowing your dependency tree _is part of
| your job_ as a software engineer.
| [deleted]
| whateveracct wrote:
| > You say that as if you even know your full dependency
| chain. Reality doesn't quite work that way. No one knew their
| codebase even relied on leftpad until it broke millions of
| applications the world over when it got pulled.
|
| We're professionals - we in fact simply can do that with some
| elbow grease. Doesn't take a genius to understand how
| software is built.
| charcircuit wrote:
| There is too much information out there to know all of it.
| Sure everyone knows how to do it, but it's often not worth
| the time to do so.
| armchairhacker wrote:
| This is what I was thinking: it seems like any security and
| reliability vulnerabilities from OSS are at least as bad, if
| not worse, in paid software or closed-source.
|
| You can pay someone a lot to make a product and they can do a
| shitty job. You can have a company install a backdoor in a
| closed-source software for whatever reason. You can have a
| well-trusted organization with competent developers mess up a
| single line of code, creating a huge bug or exploit.
|
| OSS actually gives you a benefit that you can see the code and
| technically discover any bugs or exploits (even though of
| course nobody will). There are plenty of open-source libraries
| where contributions are seriously reviewed for any accidental
| or intentional errors.
|
| Serious hard-to-patch exploits are discovered in closed-source
| software every day. They might be harder to discover and easier
| to reveal without revealing how to trigger, because you can't
| directly see the source code. But this isn't a fundamental
| problem of OSS, it's something OSS users and maintainers need
| to look out for.
| indymike wrote:
| > This is what I was thinking: it seems like any security and
| reliability vulnerabilities from OSS are at least as bad, if
| not worse, in paid software or closed-source.
|
| This is wrong: it's better in open source land. Closed source
| means you, the user have to wait for the vendor to ship a
| fix. With closed source, the answer sometimes is the version
| you are on is no longer maintained, and you must buy a new
| licenses to fix the vulnerability in your closed-source
| product. Other times, the answer is, sorry, we discontinued
| that product and will not be patching it.
|
| With open source, you have options when a maintainer says the
| version is too old: fix yourself, use a patched fork, or
| migrate. Any way you go, the situation is substantially
| better than closed source.
|
| > OSS actually gives you a benefit that you can see the code
| and technically discover any bugs or exploits (even though of
| course nobody will).
|
| People can and do find and report bugs and exploits in OSS
| all the time. It's what makes open source work so well.
| gorgoiler wrote:
| The market value of an open source library is the price you'd
| have to pay to replace it.
|
| How much would it cost Google to hash out a minimum viable
| rewrite of log4j2? Probably not much.
|
| Why don't they? Because the cost of just using log4j2 is 0...
| until it isn't.
|
| The externalities of the damage caused were never priced into
| that zero dollar price. I think about this every single time I
| depend on a third party library. Free now, but potentially pay
| very dearly later.
___________________________________________________________________
(page generated 2021-12-11 23:00 UTC)