Open source maintainers underpaid, swamped by security, and going gray (theregister.com)
307 points by rntn 2 months ago
I receive $0 compensation for working on the D compiler. It's Boost licensed. Everyone is free to use it for whatever they want, and the source code is free to use, too.
I'm fully aware of what I'm doing :-)
The D Language Foundation is a non-profit, has expenses, and is funded by donations. None of it goes to me.
Thank you! I needed a robust algo to enumerate loops in directed multigraphs, and found an implementation of Hawick's algorithm in D. Instead of writing my own implementation in the language I use, I decided to just compile the code I found and call the binary. Went super-smoothly, even though I had never used D. Great work!
I assume, then, that you do it because it's fun :) That's why I do open source.
Yes, it's fun, and I like design work making things better. It's fun seeing other languages adopting D design innovations.
Thank you for your contributions. I believe the world would be a better place if you were paid for them.
The problem with being paid is then the payer gets to call the shots. By not being paid, then D has a chance at a consistent, coherent design.
I sometimes say "hell no" to features popular in other languages (like version algebra, and macros). How do you say "hell no" to your employer?
Yes, but the article is not talking about your scenario. It is talking about commercial software, where people would need to be paid to ensure that the software is supported on the platforms they like.
You have the privilege of being able to develop open-source but that's hardly a sustainable model.
As an Open Source maintainer, I have always considered it something to do when I want to. If it becomes a burden or a chore, then I stop doing it, regardless of demands from users.
I have no expectations of the users, and I expect the same from them.
Much of the most important open source software is developed by paid professionals, not by volunteers. The large open source projects are basically just collaboration efforts between various large tech corps to jointly develop infrastructure that they all need. This is true for Linux, Clang, Kubernetes, KVM, for example. There are some critical bits that are still volunteer work (xz being an infamous recent case), but this is clearly the direction things are going.
If you took a list of every open source project that FANG-type companies depend on, there are small libraries that don't draw benefit/attention from large companies.
Outdated, less optimal, almost-famous code/libraries/frameworks that businesses still rely on for money and don't want to spend money migrating away from that need various updates for new OS versions, security patches, and those are the maintainers that are underpaid and struggling.
> Outdated, less optimal, almost-famous code/libraries/frameworks that businesses still rely on for money and don't want to spend money migrating away from that need various updates for new OS versions, security patches, and those are the maintainers that are underpaid and struggling.
They can just not do it if they don’t want to.
Right, either the company will continue to reap the benefits of the constant updates, accept the risk, or find another way (paid or free) to do it.
Isn't it just a matter of choosing the license properly? To be honest, I find it contradictory:
On one hand OSS authors select permissive license exactly because they want big corps to use their software.
On the other hand - OSS authors are unhappy about big corps using their software in a way that license allows them to.
Just stick to GPLv3 / AGPL.
There is a whole spectrum between AGPL and permissive. MPLv2 or the EUPL [1] basically say "you can use it as a library (and link it without the concerns of LGPL) but if you modify/extend the library, you have to distribute the code of the modified/extended library".
I don't understand why an OSS author would select anything more permissive than that: big corps can use MPLv2/EUPL libraries in proprietary software just fine.
[1]: https://joinup.ec.europa.eu/collection/eupl/how-use-eupl
> I don't understand why an OSS author would select anything more permissive than that:
Honestly? Because many things are too small to be worth paying a lawyer to write a letter to license violators.
If I'm not willing to sue someone for disobeying the license on a library or tool, I just use a maximally permissive license. And at a good lawyer's hourly rate, it has to be a pretty big project before I'd even care.
So for minor projects, MIT or Apache it is. Or I just CC0 it. I wrote the code because I found it useful, and I decided that it wasn't worth the often heartbreaking effort of building a sustainable business around it. So if someone else finds my code useful, that's great!
(EDIT: See discussion below for why I don't bother with a license I'm not willing to enforce.)
I agree with you and I am a fan of EUPL, but even if it is pretty much the same as MPL 2.0, Google, for example, has an explicit ban on it just like it has on AGPL3.
Probably there's no real reason apart from legal saying "meh, we can't be bothered about reviewing this"
As I don't care about Google using my code or not, I choose EUPL, but it's worth mentioning that some companies only accept permissive licenses that grant them the right to do basically whatever they want with your code.
Free software has almost lost, now that MIT has become the default, pushed hard by corporations and their employees.
> Free software has almost lost
Not sure what you mean. GPL-style licensing is still very popular among open source projects. Sure, there are perhaps a lot more projects that are MIT-licensed (and similar), but that doesn't detract from the body of thriving GPL-licensed software.
> On one hand OSS authors select permissive license exactly because they want big corps to use their software.
I think you're reading too much into people's motivations. When I release something under a permissive license, it's because I don't care about it enough to license it under something like the GPL. Or I just don't want to deal with the possibility of there being license violations that I'd feel responsible for dealing with (if I'm not going to, then why bother licensing under a copyleft license?).
For the most part I don't really care who (if anyone) uses the stuff I release. Building a community around an open source project that I started could be fun and rewarding, sure. But honestly I'm not sure I'd even want big corporate users, since they're likely to expect things from me that I'm not willing to provide.
> On the other hand - OSS authors are unhappy about big corps using their software in a way that license allows them to.
Regardless, you're painting all of us with a very broad brush. Please don't assume anyone's motivations or licensing decisions fall under some simple, one-size-fits-all rubric that you have in your head.
GitHub Sponsors seems promising... If one somehow gains a large amount of fans. I gained one last time my work was posted here and I'm really grateful for it. I refuse to advertise my projects though. Simply because I hate ads myself.
I think the best option is to just AGPLv3 everything. You maximize freedom but still own the copyright so if corporations want your software they can simply pay for permission to use it. AGPLv3 gives us our leverage back in an ethical way.
Even asked Richard Stallman what he thought of it. His reply:
> It is my understanding that as the copyright holders
> they have the right to do it without any problems.
> They leverage the AGPLv3 to make it harder for their
> competitors to use the code to compete against them.
I see what you mean. The original developer can engage
in a practice that blocks cooperation.
By contrast, using some other license, such as the ordinary GPL,
would permit ANY user of the program to engage in that practice.
In a perverse sense that could seem more fair, but I think it is
also more harmful.
On balance, using the AGPL is better.
At JustDo we make our source code available for transparency and collaboration; we use a source-available license that ensures fair compensation for our work. This model allows us to maintain the benefits of open development while avoiding the pitfalls of unrestricted open-source licensing, ensuring we can sustainably develop and support our software.
I developed this license https://justdo.com/source-available-license , if someone wants to adopt it for their project, I'd love to provide its LaTeX form, just DM me. (With enough demand, I might Open Source the Source available license ;) )
Could you use a PolyForm license instead? They have a set of standardized, source-available licenses that are much shorter and easier to understand.
"The PolyForm Project is a group of experienced licensing lawyers and technologists developing simple, standardized, plain-language software source code licenses. PolyForm aims to fill gaps in the menu of standardized software licenses, like non-commercial, trial, and small-business-only terms."
> allows us to maintain the benefits of open development while avoiding the pitfalls of unrestricted open-source licensing, ensuring we can sustainably develop and support
"allow us", "ensuring we can" ...
You misunderstand OSS, which is about "allow all", and "ensuring all of us can". Of course, the OSS model doesn't always work, nor do its proponents claim it is the one true way to run a project. Though, they do get irked when source-available licenses try to pass off as "almost OSS" but aren't quite.
I wouldn't care too much about what some dudes who don't pay for my software get irked by.
The gp clearly distinguishes open-source and source-available, and I don't think he misunderstands OSS.
*monkey paw curls* Your AGPL code now only runs on amazon lambda functions.
Stallman et al. have not worked in big corp since the 80s so they don't understand how misaligned incentives are now. The AGPL is a solution to the issues we were having in the 00s. The issues of the 20s are solved by source available licenses. Or my preferred solution, any open source license which can only be used by a natural person, corporations need not apply.
> "It makes no sense to write amazing software, used by large corporations to generate billions, while you end up poor and bitter."
Lots of us said this in the 1990s by the way. Even back then, the belief that many developers and businesses would reciprocate by freeing their own source or even that enough would reciprocate for FOSS to be self sustaining was clearly, ahem, unrealistic.
Android (and to some extent, Chromium) are weird cases of a major corporation weaponising open-source to broaden their already market-dominant position.
Android doesn't even accept patches from the likes of you or me, and future versions are developed almost entirely in secret.
As an open-source developer, my thanks is that I get the program or the change. Everything else is charity, and I treat it accordingly.
I've always seen contributing to OSS as more akin to volunteering as a treasurer at a local sports club than as a job. Just because you do many of the same activities that other people get paid for doesn't make OSS a "job". Making something useful and giving it away for free is laudable charity, but it's not sustainable business strategy.
Surprise safety orientation, we're on an airplane: take care of yourself before others.
A big part of Open Source is not knowing or caring about the intentions of the user. Wherever it may go is magical but also, potentially, terrifying.
I can't articulate it that well, but look back at the whole RSA/military grade encryption thing for references.
I'm lucky enough to be employed full time to work on open source, but I still build my own OSS in my own time because it scratches a different itch. My work on Astro is fun, but it's my job, with Linear tickets and standups and 1:1s and quarterly planning. My own OSS is where I build whatever fun stuff I feel like without pressure. It has enough users that I do get issues, but not too many that they're overwhelming. I think the very fact that I have a job in OSS makes it easier for me to dismiss the entitled users who come to my personal projects demanding support. I build that for fun, and I owe you nothing.
Or maybe accept that we know what we're doing and we're even perhaps happier not accepting money for our work. To me, an exchange of money implies a stronger commitment to timely support and to prioritizing and implementing features or bug fixes that paying customers want. A big part of why I volunteer with open source projects is that I hate that feeling when doing professional software development.
Even if it was strictly a donation model, I'm not sure I'd feel completely comfortable with that.
It's very revealing that this response is so disliked that it's going grey.
But it is the truth. Do you not like the truth?
It is not a job. Nobody asked you to do it. You do not get to be sad when nobody pats you on the head. You are owed nothing.
Thanks for the code.
Often you do get a return, just not necessarily directly monetary. Connections you make, recognition for your work, fame if it becomes really popular, or if nothing else something to have on your resume.
You might not be getting paid, but you also aren't getting nothing.
We like truth. We don't like self-righteous ingratitude.
> You are owed nothing.
You owe them exactly what is written on the license file. If you do not give them what they are owed, you do not have a right to use their software.
Even if we assume they used the most permissive license imaginable, if you used their code you are still obligated to put a copy of their name and copyright notice as well as the license conditions and warranty disclaimer somewhere in your software or product. Typically you are also prohibited from using their name in the marketing materials of your derivative work.
Your "thanks for the free code loser" attitude is why I will AGPLv3 all of my current and future projects. At least the AGPLv3 is big enough to intimidate away people who don't even read licenses.
Maybe open-source as the load-bearing infrastructure of the world will never be sustainable, and maybe that's okay. I think open-source is best when it's empowering people to modify and remix their software, and have free alternatives to expensive commercial programs. It seems like open-source has become so captured by corporate interests, that people's main motivation for contributing is to add it as a bullet-point on their resume.
I haven't yet seen the evidence that it's unsustainable. People are still doing it. It seems to be working. There's no reason to believe people are going to stop doing it or that it's going to stop working.
It might be important to you to get paid for your work. Okay, charge for your work then! That was always allowed. There are many people who are okay with doing certain work for free. Maybe they just want to put it on their resume, or they already have enough money, or they just really like that work. Open source is working fine.
It would probably be more sustainable if the companies that depend on hundreds of FOSS OSes/libraries/applications/etc to generate billions of dollars in profit would contribute more significantly.
That's not how companies work.
Individuals have agency over discretionary spending, in other words you can wake up and decide to donate money, hire an OSS dev, and so on.
Because you personally have that agency, and because companies have lots of money, you project that agency onto companies.
But that's not how companies work.
People at companies have very little personal agency when it comes to spending money. Spending has to be approved, justified, and some value has to be received.
FOSS basically is (mostly) incompatible with this model. Some companies do pay staff to work on OSS but it's rare (and exclusively tech companies with a motivation.)
So while your statement is completely true, it's also not possible.
It's important to recognize that donations and corruption are indistinguishable, and company finances tend to be set up to avoid corruption.
> It's important to recognize that donations and corruption are indistinguishable, and company finances tend to be set up to avoid corruption.
Other than the humor in this sentence, I'm not sure why it would be limited to donations. They can hire devs to work on FOSS.
> People at companies have very little personal agency when it comes to spending money. Spending has to be approved, justified, and some value has to be received.
Approved by... people.
> People at companies have very little personal agency when it comes to spending money. Spending has to be approved, justified, and some value has to be received.
Seems to all hinge on the justification part, for which people that do it for the lulz don't really care.
Absolutely. There's hope in initiatives like https://osspledge.com/ & https://thanks.dev
Also https://polar.sh/, which lets users of the project "vote with their wallets" on which issues should be prioritized. You can see it in action in Starlette's GitHub issues, e.g. https://github.com/encode/starlette/issues/649
This would be nice, but since it hasn’t happened so far, hard to see why it would start happening.
No idea what the future will look like in general in 5, 10, or 20 years but I am reasonably confident that donations to OSS won’t be drastically more than they are now.
They do. A huge chunk of open source software is maintained by companies.
Companies that depend on FOSS would contribute if the license did not explicitly tell them that they don't have to.
MPLv2/EUPL come to mind: they are compatible with proprietary products, but they make it mandatory to distribute changes/extensions of the library, not the whole product.
FOSS authors have a responsibility when they choose a permissive license.
> Companies that depend on FOSS would contribute if the license did not explicitly tell them that they don't have to.
No they won't. They'll only contribute if they're required to, or if doing so will be beneficial to them, and they'll do that regardless of whether the license says they have to or not.
When I've worked at companies that use FOSS, and have needed to modify those sources, I'll contribute back (regardless of license) if I think that change is likely to be accepted upstream, because I'd rather not have to maintain a fork. This would fall under "contribute if doing so will be beneficial to them".
At any rate, no FOSS license (that I'm aware of, or is in wide use) requires users to contribute. At most, they require that changes be made available. There's nothing that says the changes need to be submitted (or accepted) upstream. Often getting a change into a state where it would be accepted upstream is a significant amount of work beyond what the company has already done for their own purposes, so they don't bother.
> No they won't. They'll only contribute if they're required to
Did you actually read my comment before you answered? Because I said that copyleft licenses "make it mandatory to distribute changes/extensions", which means that companies are required to contribute if the license is reciprocal.
> At any rate, no FOSS license (that I'm aware of, or is in wide use) requires users to contribute. At most, they require that changes be made available.
Making changes available is a form of contribution. If you work on a proof of concept for a month and at the end your company decides not to use it in a product (thanks to the learning from your work), do you say that you did not contribute, so you should not be paid?
Feels like you're being pedantic just for the sake of the argument.
Permissive licenses come with strings attached (that most companies ignore): attribution.
With copyleft licenses, nothing says that you have to get your changes upstream: you just have to distribute them to the users. It's not a whole lot more complicated than attribution: set up a repo and put your fork there publicly.
I am not here to shill for Google, but they publish a staggering amount of liberally licenced software. We can say much less of that about Microsoft, Apple, and (my personal most dreaded for open source) Amazon.
Also, I stand by my previous comments from other similar discussions: Almost all big corps use Redhat. They are indirectly funding open source. Redhat probably employs more programmers that contribute to a base Linux install than any other company on the planet. (Yeah, I know they were bought by IBM, which gets no love around here.)
> you're not a good person, you don't fool me. Fund open source, it would support young people who were just like you were
Or maybe he knows he's not a good person and has no intention of multiplying people who are just like he was, because he knows people as himself are bad and the world is better without them.
> It's probably too much to ask corporations to dump money into it as it would not be a legitimate business expense.
Um, excuse me?
Ok, let's suppose you've got a product that depends on open source project X. For simplicity let's say it's a direct dependency, though I think everything here applies to indirect ones as well.
Let's consider the options.
Option 1: never pay a dime for it. This works in so far as someone else picks up the bill. So really there are two sub-cases:
Option 1(a): the project is successful enough that it's self-sustaining. What this really means is that someone else (or multiple someone elses) picked up the bill. Congrats, you lucked out.
Option 1(b): the project is insufficiently funded and either dies or has a major security breach. Now you end up paying either for the security breach fallout and/or to replace the component, possibly on short notice, with something else. Or you maintain it yourself and start paying that cost, again possibly on short notice.
Is that really worth it? Do you think so? I'm betting all those costs are higher than it would have cost to maintain it in the first place. Because anything you do in an emergency is more expensive, and you're paying the cost of losing all the context in the development of the project itself (if someone leaves before you start maintaining it).
Option 2: pay for the software in the first place, making the cost predictable and avoiding a low-probability high-impact failure mode. Honestly, given all the risk management companies do, this seems worth it to me. At least if the dependency is critical enough.
Obviously you won't do this with any random open source project. But that's sort of the point: companies are making economic decisions all the time about what they really care about. If they aren't paying, that means they're happy with the inverse lottery[1] of the failed open source project model.
[1]: An inverse lottery is one where most of the time you get nothing, but rarely you lose big.
Companies will continue to take advantage of free and cheap labor just as long as those people continue to serve.
Perhaps after this generation of LBIP moves on, the next wave won’t be so generous.
Also, open source doesn’t have to mean free labor. One could be paid a wage to work on open source.
I think it might be a little different.
New developers with higher level tools don't seem to go low level enough.
And as a result some very talented developers are caught up in the crosswinds of complexity to make things like React deliver HTML/CSS, or get people to click on ads, and that same intellect and talent could definitely go towards the meaningful open-source that contributed to them getting access to a lot of opportunities.
The beauty of open-source is that it doesn’t matter what people say, or do, or decide.
The rate of new contributions may be dependent on these factors, but not for what's already out there.
I don't think there's any other sustainable format to make software that becomes load-bearing infrastructure. Open source is the only player existing.
What isn't sustainable is just the model where some random person takes a huge part of the responsibility for himself without any structure around it. We need different organizations.
Privately owned infrastructure is perfectly sustainable in other fields, and so is publicly funded infrastructure. I think that, if necessary, either of those could be a viable replacement for open source being the infrastructure for tech. Obviously each comes with its own pros and cons compared to open source, but they still ought to be viable.
On a related note: the worst thing you can possibly do as an open source developer is to create a product for the general public to use.
You hate tickets without repro? Enjoy the barrage of “help. Doent work”, “me too” and “HELLO IT’S BEEN 3 DAYS” messages.
I think the problem isn't it being open source but it being GitHub flavored open source. If you're building a product, you probably should not be having it on GitHub with issues enabled.
There are very good reasons why the support processes of commercial entities that build products are the way they are. You do want a lot more friction and you do likely want to limit support to paying customers.
GitHub-style public issue trackers are just a bad idea overall IMO. They only work if the "public" is only "public" because everyone _in theory_ could take part. In practice however, you only want to grant such unlimited write access to vetted individuals. This happened to happen automatically previously (because getting to the point where you even know where to open a ticket _was_ part of the vetting process), but with GitHub as the default for everyone and everything, it needs to be a conscious effort.
If you think about it, it is completely insane how any random individual just has to press one button to publish whatever they want to a super prominent part of what is effectively your product's/project's website. That simply shouldn't be a power random individuals have.
You can restrict issue creation/comments etc to certain users if you don’t want to open it to the public. You can also use a separate repo: https://docs.github.com/en/repositories/creating-and-managin...
It’s a choice the maintainer has to make.
To me this is mostly self inflicted pain…
Yes and no.
Sure, countermeasures exist, but the issue is that you first need to be aware of what exactly the problem is before you can take these countermeasures.
The reality however is that people just hear "You should do GitHub" and then for some inexplicable reason slowly descend into feeling bad without any clear reason why. After all, they're following all the "best practices" laid out by people that clearly know what they're doing and surely have their best interest in mind.
I think you've just argued that devs have a lack of knowledge and just do what other people do with very little agency of their own, despite all the controls being available to them to solve problems. I agree with you. Devs need to be stronger willed and have more self respect. You can't wait for rando users to stop being a-holes.
I can't help feeling that this stance could soon evolve into "it is completely insane how any random individual ... can access the source code".
Open source was built on the spirit of openness. Rather than closing it, I think solutions should be proposed to improve it (thinking of it, it's a good place for using LLM-s - you don't need perfection for checking a bug report makes some sense and filtering people a bit).
> Slippery slope fallacy out of nowhere
> Throw magic at the problem to further scale resources to sustain a problem instead of actually solving said problem
I can only encourage people to counter bullshit with minimum resource investment. Full-sentence answers should be limited to those statements deserving of them.
I support a product that has been packaged in many Linux distributions. I have no "ticket" system whatsoever to speak of. I read email whenever I feel like. I delete all email I just don't care about as if it was spam, and respond only to messages which stimulate me.
Why do people feel that maintaining open-source software is stressful again?
You have not maintained popular open source projects for consumers then. There is a reason why the VLC repo no longer has an Issues tab: https://github.com/videolan/vlc
PRs can’t be blocked and you can already see some junk there: https://github.com/videolan/vlc/pulls
No, that's because the VLC GitHub repo is only a mirror and the main repo is on their own GitLab at https://code.videolan.org/videolan/vlc/
Slightly higher friction for reports from the unwashed masses might be a slight side benefit, but not having multiple separate issue trackers already is its own reason.
I’m a young(-ish) dev who used to care a lot about open source but never managed to break into a community. In recent years my view of the whole thing has soured a lot. There seems to be few compelling incentives to actually develop or participate in open-source software.
Open source first felt to me like a way to give power back to ordinary people, and it still is, but it seems like those who get the most benefit from free labor are large corporations. Open source feels increasingly corporate and companies like Microsoft dominate and reap enormous benefits. I'll work for Joe Neighbor for free but not Satya Nadella.
Open source was always political but in 2010 (around when I started getting into Linux) it felt like dumb arguments over things like programming languages or “the UNIX philosophy”. Now it feels like a vicious Red vs Blue culture war where not picking a side is just as bad as picking the other side.
Contributing to open source is a thankless job and even if your project is really good, most people won’t care and the few that do might still treat you like crap. I’ve submitted a handful of pull requests and I’ve already run into the classic “Your patch works and provides a feature some people might like, but I don’t like it, go away.”
I’ve donated plenty to organizations like Mozilla, Wikipedia, and GNOME. I then email them with my opinions on what they’re doing. In nearly every case not only am I ignored completely, I see those projects (Mozilla especially) continue to drift in a direction that I disagree with. So, I stopped donating.
For me, the Linux kernel is probably one of the few big open source projects where 1) the project is technically interesting enough that I would learn a lot by contributing, 2) It seems like politics and infighting is kept under control, 3) it actually seems possible to get a patch in while having a 9-5, 4) I use the product myself every day and enjoy it, and 5) the technical direction feels positive in that it is getting regular features & bug fixes that I like
> but it seems like those who get the most benefit from free labor are large corporations.
One factor is the lack of adoption of copyleft licenses. The proliferation of permissive licenses turned into a backdoor for corporations to privatize volunteer work. We should adopt copyleft whenever possible. Stallman is right on this.
The Linux kernel's license is copyleft, which has done all of zip, zilch, nada, zero, to prevent large corporations from benefitting from the enormous amount of free labor put into open source.
Git is GPL, this didn't prevent GitHub from becoming a multibillion dollar behemoth of a Microsoft subsidiary.
The value which companies capture is in using software, not modifying it and selling a proprietary version of the modified code. The only way to sustain this misapprehension is to notice every time permissively licensed software makes a company some money, and studiously ignore it every time copylefted software does the same thing.
> The Linux kernel's license is copyleft, which has done all of zip, zilch, nada, zero, to prevent large corporations from benefitting
You have it backwards. The goal of copyleft is not to "prevent others from benefiting". The goal is to potentially benefit from the adoption. If someone uses your copyleft library and fixes bugs in it, you can see their fixes and bring them back upstream. So you benefit from their work.
There's absolutely nothing wrong with a company using liberally licensed OSS to make money. It's not a zero sum game. The contribution from these companies could be considered to be the benefit to the end user for creating the final product (that includes the OSS), and at a lower price than it would've been had they had to make the equivalent OSS privately themselves.
There cannot be an OSS license where the users of the OSS who don't make money don't need to pay, but a corp that does make money pays.
My experience is that people tend to think "permissive = good, copyleft = baaad" as a first approximation. And then "copyleft = GPLv3".
But there are copyleft licenses that are not viral at all and just force the users to distribute their changes to your library, e.g. MPLv2 and EUPL.
I don't understand why one would use a permissive license versus MPLv2 or EUPL.
MPLv2 and EUPL are actually underrated and freedom-promoting for both developer and users. The true successors to the GPLv2 with loopholes closed.
GPL3 gave copyleft a bad name and everyone decided to give away their labour for free.
MPL/EUPL are the spirit of "you can use it, if you spend half a million writing a completely separate module of course you can keep it for yourself, but if you change the actual source files that everybody uses you have to share, so everyone benefits."
Using Linux as an example, it means one could write their own proprietary driver for their proprietary device, but if you optimize, say, the memory allocator, please share it so we all benefit.
> but it seems like those who get the most benefit from free labor are large corporations.
I feel one thing to remember on this front is that large corporations will ALWAYS get the most benefit out of open source / “free labor”, simply because they have the ability to bring massive amounts of resources to bear on using that open source product towards their own ends. Consider the world of hardware emulation. Sure the community has benefited massively from the efforts poured into reverse engineering and understanding old systems and games and preserving what was there. And the big corporations reap huge benefits in the form of continuing nostalgia, awareness of their back catalog of IP, test markets and information about the viability of re-releases and in some cases the licensing (or outright theft) of emulators and emulator code for selling their own retro consoles.
Burnout is absolutely a concern, and the approach of some open source devs (like IIRC the curl dev) of essentially “f you, pay me” to support requests is probably an important thing to have. But for me as an individual, the fact that Atari’s current owners have reaped massive rewards from the fact that the emulation scene keeps their brand alive means nothing to me. I’d rather have the world we have where things are open and the community is there, than one where emulation is closed and insular and getting into it is even harder than it already is just to keep Atari from “winning” the most. And selfishly part of that is because Atari winning also benefits me. Their re-releases and re-masters and dumping of money into manufacturing by hardware retro clones puts money into the market, gives new hardware to tinker with or build on. And their dependence on the open efforts of the community also means bending that hardware to my own needs is much easier than if they had for example just rolled out a bunch of new proprietary SoCs to replace the old hardware with a single blob chip.
> I’ve submitted a handful of pull requests and I’ve already run into the classic “Your patch works and provides a feature some people might like, but I don’t like it, go away.”
This might be because they’re not interested in maintaining it for future iterations.
Absolutely! I'm the maintainer of a small Open Source project [1] and this phrase makes me tickle.
I totally get it that a maintainer doesn't want to merge some code, even if it's totally working. Is the new feature a niche case, or does it have a wide audience? Is it aligned with the project goal/philosophy? Will it be easy to maintain/evolve/debug? Does it add unnecessary/unwanted dependencies? At the end of the day, the maintainer will be the person that has to work with/support this code.
Please keep in mind that if you've spent an hour on a project, maintainers have certainly spent hundreds if not thousands of times more on it.
I've contributed PRs to several OSS projects, some have been merged, others have not. I'm fine with that.
The reason I open a PR is so that it becomes public.
Most of my PRs solve stuff that I wanted to solve. For example at some point I added simple math expression evaluation in the Start menu of Linux Mint. It worked, I use it on my computer and I published it as a PR. I think it was rejected because of some bureaucracy. It's OK. It's there if someone finds it useful, I don't care about doing bureaucracy, but I understand why they would want that.
Normally the larger the project the more "bureaucratically painful" it is to have a PR accepted. In small one-person projects, my experience has been that original devs are surprised and happy to know that someone used their code and is building on top of it.
> Open source first felt to me like a way to give power back to ordinary people, and it still is, but it seems like those who get the most benefit from free labor are large corporations.
As I often do on this topic, I feel compelled to point out that this isn't actually a problem. Software is not a scarce resource, and Microsoft (or whomever) getting huge benefits from a project doesn't prevent the project from doing good for the common man as well. Since nobody is being hurt by corporate usage of open source, there's no problem.
>As I often do on this topic, I feel compelled to point out that this isn't actually a problem.
It is for me, I don't want to spend my precious time helping a corporation like Microsoft increase their dominance.
> I’ve submitted a handful of pull requests and I’ve already run into the classic “Your patch works and provides a feature some people might like, but I don’t like it, go away
Same. I think it is potentially easier to get a well defined change into Linux itself rather than a randomly chosen but largish open source project these days. I don’t really try to contribute to other projects anymore, not because I don’t want to, but because if you’re coding for fun anyway it’s usually better to work on a project you control rather than dealing with the frustration.
I think a huge percentage of open source would be more accurately advertised as “open source but closed contributions”, and being upfront and realistic about this is important. People who are already working for free deserve to have a realistic understanding of whether they will get to merge that simple bug fix they need to unfork the library, or if it’s more realistic that they need to start talking on a mailing list for 5 years and work out how to join a steering committee first.
One issue here is that the main author has very limited resources, and thus can only support a small amount of code.
Your Pull Request makes the project larger and it needs to be maintained - so making the load on the original author larger. If it fixes a bug then it helps the original author and so can be accepted. So it is not closed contributions but rather it has a defined scope and we are not going to let the project suffer from scope creep.
One example of this is a project written on Linux - it does run on macOS but not fully correctly. The original author just says I don't have access to a Mac so cannot support it. They are not being a bad person here, just stating a fact. The answer here is that there is now a fork that does support macOS, hopefully correctly, but I would not be surprised if there are bugs due to differences in the OS - the major ones have been made but I'll bet that a full code review has not been done over every line of code.
I understand these issues and project maintainers don’t owe random people a merge. But they do owe random people a little clarity about what should be expected as a potential contributor.
It’s not that much to ask. Realistically as programmers we should probably solve these problems with data and not waste anyone’s time. If your supposedly open project has never merged a PR by a non-member or a person without a looong history of hanging out on the project's social periphery, then non-members should be warned when they submit a PR that this is the case. Saves 2 weeks of fake requests for tests/documentation/justifications when the real issue is a steering committee that prefers insiders-only. And again, that’s fine, it’s just the missing transparency that’s the real problem.
And yeah, even clearly needed bug fixes can still be in this category, it doesn’t take a major feature that’s going to be a maintenance burden. 3 weeks (or years) of discussion arguing the bug is not a bug, followed by the users saying it’s a bug, and then maintainers asking for changes/docs/tests and then when that’s all in place, maintainers pivot to suggesting it needs to be an extension/plugin or whatever. In some ecosystems this kind of thing is more common than elsewhere.. but if you’ve never seen this count yourself lucky. Naming projects is tempting here but in the end it’s unpaid work that’s a passion project for an army of volunteers. But the volunteers are still just dumb monkeys that really enjoy dumb hierarchies, so what can you do..
> open source but closed contributions
+9000. I have seen this so many times. It used to bother me a lot, until I stopped trying to boil the ocean and fix a bug in a project that I do not control.
As someone born in the 70s, I don't have high hopes for the Linux kernel after our generation is gone.
It is hard to keep something rolling after the founders, who managed to steer a project under their ideals, are no longer around to steer the boat in the right direction.
Something else will eventually take Linux's place, in some form; it might even be Linux based, like Android, WebOS, ChromeOS.
I don't think GP is saying that the following generations are incapable of making their own achievements, but rather that individual projects don't have a great life expectancy after the people that made them get replaced. It's much easier for a project's principles to be eroded than it is to tighten them.
> Something else will eventually take Linux's place, in some form; it might even be Linux based, like Android, WebOS, ChromeOS.
So Linux won't be the same because it might start being marketed under a different brand name?
Anyone that has developed for Android, WebOS, ChromeOS is fully aware that the Linux kernel is an implementation detail, full of features not available upstream, like drivers written in Rust, which remains to be seen if it will ever have them.
Also given that the kernel is not exposed to userspace, other than to device vendors, it could be replaced by something else with very little impact to userspace, other than whatever people are doing in their rooted devices or via ADB shell, both meaningless for common consumers.
Do you think the goal of Google's Fuchsia project is to replace Linux in Android? I could see it happening, but I cannot seriously see any OS replacing Linux for SaaS servers. What is the competition? Windows Server? Please.
Reading LWN I don't get the impression that the kernel is immune to "Your patch works and provides a feature some people might like, but I don’t like it, go away" -- even big corporate contributors sometimes wind up in year long efforts to try to get something they and others find useful upstream if the upstream maintainer is unconvinced about the worth of the feature or that it won't have net downsides for the codebase as a whole. The "extensible scheduler" is one prominent recent example.
I understand the frustration.
> Open source first felt to me like a way to give power back to ordinary people
I think it's the difference of philosophy between Free Software and Open Source Software: Free Software cares about the people, Open Source Software not so much.
> most people won’t care and the few that do might still treat you like crap
That's completely right, people are mean. I do open source for myself, I choose copyleft licenses (I like MPLv2/EUPL), and if people want to fork my project I am fine as long as they honor the license. If they do a good job, I can bring some of their changes back, to my benefit. If they ask me for features, I invite them to fork.
> I’ve submitted a handful of pull requests and I’ve already run into the classic “Your patch works and provides a feature some people might like, but I don’t like it, go away.”
That's where I think you misunderstand open source. It is their right to not take your change, you should not bully them for that. Your right is to fork the project and add your changes. Do it!
> I’ve submitted a handful of pull requests and I’ve already run into the classic “Your patch works and provides a feature some people might like, but I don’t like it, go away.”
Never ever build anything non-trivial for an open source project unless you've cleared it with the maintainer first. No one is obligated to take your contributions. Unless you're building an addition that you plan to maintain yourself (either privately or through a fork), always always always discuss what you want to do with the maintainer before you write your first line of code.
> I’ve donated plenty to organizations like Mozilla, Wikipedia, and GNOME. I then email them with my opinions on what they’re doing. In nearly every case not only am I ignored completely, I see those projects (Mozilla especially) continue to drift in a direction that I disagree with. So, I stopped donating.
In general I look at donations as influence-free. You aren't buying anything with your donation. Sure, an org is more likely to listen to the wants of someone who is a large, noticeable, recurring donator. But in general most people will not be that. Donate to support what they are doing, not to try to influence them. Your decision to stop donating when their values stopped aligning with yours was a good one.
> Open source first felt to me like a way to give power back to ordinary people, and it still is, but it seems like those who get the most benefit from free labor are large corporations.
I think you're looking at it the wrong way. Unless you're going to dual-license your project, you just need to accept that people will use your software in ways that you might not agree with, or to make more money with it than you can make off it yourself. That's always been true, even before you started getting into it.
I do open source because I enjoy it. It's really that simple. I love building things with code, and building entirely for myself behind closed doors is much less fun than collaborating with others, building for a larger audience. If I ever stop enjoying it, I'll stop. If a company ever starts making money off what I've built, that's fine, good for them. If there's anything I've built that I do need or want to monetize, I'll license it in such a way that will make it harder for companies to make money without me getting a piece of it. But this is the trade off with open source: you give it away with no expectations for or reservations against how it's going to be used.
> I’m a young(-ish) dev who used to care a lot about open source but never managed to break into a community.
I think this is the wrong mindset. Open source works best with a "hacker" approach where you fix your own issues / fulfill your own wants and then share the results with others. Sure, this could result in becoming part of a community but that shouldn't be the goal.
> “Your patch works and provides a feature some people might like, but I don’t like it, go away.”
That's an entirely reasonable response. You are effectively asking the project regulars to maintain your code going forward, after expending whatever effort it would take to coach you into making it fit. It's perfectly fine for them to say thanks, but no thanks. Accepting pull requests indiscriminately only leads to project death by scope creep, unmaintainable bloat and eventually maintainer burnout.
> I’ve donated plenty to organizations like Mozilla, Wikipedia, and GNOME. I then email them with my opinions on what they’re doing. In nearly every case not only am I ignored completely, I see those projects (Mozilla especially) continue to drift in a direction that I disagree with. So, I stopped donating.
Understandable and I feel similarly about these (well except I never cared much about GNOME) but they are all run closer to startups than open source community projects.
numpy and scipy are other examples of widely used (esp in scientific community) FOSS packages that are solid, updated, don’t appear to be v political (from the outside). There are others.
I hear you on "yeah, the patch works, but I don't want it" - or..., as I've had a few times "that works, but it's not the way I want it done - redo it my way". Had that happen a couple times, in tech stacks and projects I'm not comfortable in. I'm not an expert in tech X, and don't have time to become one, to learn 'your way' just to make a PR you find acceptable. I found a legit bug, gave you code to reproduce and a suggested fix; please reformat it if you don't like my way.
I also had an opposite experience - submitted a PR with a fix, and the maintainer rewrote it a 'better' way which addressed the problem higher up the stack, meaning it 'fixed' things in a couple other spots I didn't even know about. That was such a great thing to do, and reminded me that projects can be that collaborative, even when you don't really 'work' with the other people all the time.
I might suggest you find smaller and more focused projects to contribute or donate to. The spirit you're looking for is still out there. Your Mozilla donations individually don't mean much to them, and sending some money to GNOME doesn't mean they'll take your emails seriously. A more niche project addressing a more focused problem would more likely welcome your code and donations, and potentially let you have a 'voice' more effectively than at big projects.
Open source misses the point of Free Software. The distinction is important.
I have some tips that might help you develop a better relationship with Free Software.
Try to be egotistical about it. Contribute because you want a change in a software you use. If the maintainers are giving you a hard time, fork it with your changes and be happy.
Stop donating to software foundations, you will be disappointed on how they use your money.
Never sign away your rights with a contributor agreement. Fork it and move on.
Use copyleft whenever possible.
I guess the parent means "do it for yourself". I open source my code under copyleft (generally MPLv2 or EUPL, I've come to like EUPL because it applies to SAAS) because I don't think I would make any money from not open sourcing it. By open sourcing under copyleft, I can potentially benefit from improvements by others.
I don't spend much time accepting contributions: I encourage people to fork. But if they make changes that I find interesting, I bring them back. For my benefit.
I do it for me.
I will get downvoted for this answer. I have similar experiences with open source contributions, including big reports. My solution: Don't do it; it is a waste of your time. It is best, if possible, to run your own open source projects, then you fully control to whom you listen and accept input.
There is a growing culture of microdependencies, where one project can depend on hundreds or thousands of libraries, combined with automated "vulnerability" tracking, which means projects are constantly receiving notifications about issues in libraries deep in the dependency tree, most of the time in a part of the library that is not even used by the top-level application. It's no surprise that "security" is eating up more and more time.
CVSS is not really meant to measure risk; it primarily measures the severity of technical vulnerabilities. It should be used in conjunction with other factors such as system exposure and threat sources to determine the probability of exploitation. This should then be combined with impact and costing data to fully assess the risk.
Regulatory requirements also need to be contextualized similarly. If they become burdensome, efforts should focus on reducing the exposure of your systems to those risks.
That said, patch and configuration management should be second nature and performed continuously so that when a real issue arises, you're prepared and not worried about your environment falling over because you're unsure how it will respond to an update, or whether your backups will restore properly - which are risks as well.
I saw more than a few organizations struggle with log4j because they only patched server systems when a vulnerability was publicly exposed, and a Metasploit exploit was available.
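The two comments above (microdependency noise from scanners flagging code the application never calls, and CVSS measuring severity rather than risk) can be turned into a triage step. The following is an added example, not code from any commenter in this thread; every package name, version, advisory id, CVSS value and call edge is constructed for illustration, and the advisory ids are placeholders rather than real identifiers.

```python
"""Dependency-advisory triage: CVSS severity is not contextual risk.

Added example, not code from any commenter in the thread. Every package
name, version, advisory id and call edge below is constructed for
illustration; the advisory ids are placeholders, not real CVE/GHSA ids.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str                      # constructed placeholder, not a real identifier
    package: str
    fixed_in: tuple              # first version that is no longer affected
    vulnerable_funcs: frozenset  # "pkg:symbol" names the advisory says are affected
    cvss_base: float             # technical severity only (0.0 - 10.0)


# Constructed cross-package call graph: "pkg:function" -> set of callees.
# Reachability from the app's entry points approximates "does the top-level
# application actually execute the vulnerable part of the library".
CALL_GRAPH = {
    "app:main": {"app:handle_request", "app:render_report"},
    "app:handle_request": {"webfw:parse_form"},             # request path
    "app:render_report": {"pdfkit:render", "logger:info"},  # batch path
    "webfw:parse_form": {"multipart:parse"},
    "pdfkit:render": {"pdfkit:_layout"},
    "pdfkit:_layout": {"fontlib:load_font"},
    "multipart:parse": set(),
    "logger:info": set(),
    "fontlib:load_font": set(),
    # shipped in the dependency tree but never called by this application:
    "fontlib:load_cmap": {"fontlib:_parse_cmap"},
    "fontlib:_parse_cmap": set(),
    "logger:eval_pattern": set(),
}

# Constructed installed versions (as comparable tuples).
INSTALLED = {"webfw": (2, 4, 1), "multipart": (1, 0, 3), "pdfkit": (0, 9, 0),
             "fontlib": (3, 2, 0), "logger": (1, 1, 0)}

# Constructed advisories, as a scanner would report them (severity only).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "fontlib", (3, 2, 5), frozenset({"fontlib:_parse_cmap"}), 9.8),
    Advisory("ADV-EXAMPLE-2", "multipart", (1, 1, 0), frozenset({"multipart:parse"}), 7.5),
    Advisory("ADV-EXAMPLE-3", "logger", (1, 2, 0), frozenset({"logger:eval_pattern"}), 10.0),
    Advisory("ADV-EXAMPLE-4", "pdfkit", (0, 8, 0), frozenset({"pdfkit:render"}), 8.0),
]


def reachable(graph, roots):
    """Breadth-first set of every symbol reachable from the given roots."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(advisories, installed, graph, all_roots, exposed_roots):
    """Rank advisories by contextual priority rather than raw CVSS.

    Returns a list of (advisory id, finding, exposed, cvss_base) where finding is
    'not-affected' (installed version already at or past the fix), 'unreachable'
    (vulnerable code is in the tree but never called) or 'reachable'; exposed is
    True when the vulnerable code is reachable from an internet-facing entry
    point. Order: reachable+exposed, reachable, unreachable, not-affected, with
    CVSS breaking ties inside each bucket.
    """
    live = reachable(graph, all_roots)
    exposed_live = reachable(graph, exposed_roots)
    rows = []
    for adv in advisories:
        version = installed.get(adv.package)
        if version is None or version >= adv.fixed_in:
            finding, exposed = "not-affected", False
        elif adv.vulnerable_funcs & live:
            finding = "reachable"
            exposed = bool(adv.vulnerable_funcs & exposed_live)
        else:
            finding, exposed = "unreachable", False
        rows.append((adv.id, finding, exposed, adv.cvss_base))
    bucket = {"reachable": 0, "unreachable": 2, "not-affected": 3}
    rows.sort(key=lambda r: (bucket[r[1]] - (1 if r[2] else 0), -r[3]))
    return rows


if __name__ == "__main__":
    # The CVSS 10.0 logger advisory ranks below a 7.5 on the request path,
    # because the vulnerable logger function is never called here.
    for row in triage(ADVISORIES, INSTALLED, CALL_GRAPH, {"app:main"}, {"app:handle_request"}):
        print(row)
```

Reachability here is only as good as the call graph; dynamic dispatch, reflection and plugins can hide edges, so an "unreachable" finding lowers priority rather than closing the ticket.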
There is so much self imposed hurt in Open Source. Many maintainers feel they owe something to their project community, even if they are a rude, entitled, unhelpful bunch. It is self imposed though. In reality unless you have a Support agreement or similar, you do not really owe folks anything.
I wish more Open Source community players would stand up for their interest more strongly.
In the end, whether you like it or not, few are going to pay for what they can get for free, and it especially applies to large enterprises.
> I wish more Open Source community players would stand up for their interest more strongly.
Which IMO means using copyleft licenses. Not necessarily strong copyleft: I mostly use MPLv2 and EUPL, which I find let people use my code in their proprietary software, but force them to distribute the changes they make to my code. The best of both worlds.
> the only thing licenses help with is discouraging people from using it in the first place
It may discourage people from using it, often because it's easier to go with a permissive alternative. But if there was no permissive license at all and only weak copyleft, then I am absolutely convinced that people would use them just fine.
One important thing I believe you miss is that weak copyleft gives developers leverage to contribute back during their work time. If my company needs this particular library which is MPLv2, then as a developer, internally I can tell my managers that I must upstream my changes. Whereas if it is permissive, then I can try to ask the permission to upstream my changes, and obviously that will be refused (because it takes time which costs money).
By using a reciprocal license, you give developers a legal reason to contribute back during their work time. Ain't that amazing?
That's the point though, and you're missing it: In FOSS, the maintainer doesn't owe you anything. It doesn't matter what the bug is. Most popular software licenses contain a clause about no warranty etc. for a reason.
Maintainers owe you absolutely nothing for just using their software.
Go pay them if you want them to work for you, and see if they want that.
If a public software is very far off from working as advertised, effectively demonstrating bad faith, if its code is being hosted on a social hosting site, you can bet that I will complain about it to the site, and get everyone else to complain as well. If the software is no longer being developed and has been dead for years, then it's a different story, and the intent then is to move elsewhere. The license file is not an excuse using which to hide lies.
Did you pay for the software? Do you have a contract? No? Then they owe you literally nothing. You are lucky that they give it to you for free. You can open issues if you find a bug, and hopefully the maintainers will fix it, or somebody else will. But if they don't, then you are lucky that it's open enough that you can fix it or pay somebody to. But they are under no obligation to do anything.
The only thing the authors owe the users of their open source projects is fulfilling the terms of the license. Anything else is extra. Additional support is not guaranteed.
You are forgetting something, which is that if the code is hosted on a social site, e.g. GitHub, many additional rules apply.
Gross misrepresentation of one's software will earn complaints to GitHub. It is the responsibility of the author that the repo's readme does not overpromise and underdeliver.
This for me yields a more general "generational" discussion:
It seems to me that the current youth generation is less "giving" than previous ones. The 70s, 80s and 90s were full of the "sharing is caring" mantra. We had people like Stallman, a lot of "crackers" removing copy protection and people just sharing their stuff on an individual level (via edonkey, soulseek, imeem, etc). Same with software, I would never feel "underpaid" for software I release as open source. It's just some code I share, with some open license. If I keep building it, it's because I enjoy it.
But now, everyone is driven by monetization so much. Maybe it's the fact that it has gotten more difficult to make ends meet, and everyone is looking for a way to squeeze a cent.
I just miss those days.
I would say the opposite happened but maybe it depends on how long you've been using Linux or been in those types of circles. Throughout the 90s and maybe until the late 2000s seemingly all free Windows software was released as shareware or otherwise closed source. Now open source utilities are a lot more common as people became more aware of open source, although there still remains some freeware that only makes money from donations where the authors still refuse to release the source for some reason (e.g. Nirsoft tools)
Feels a lot less joyful to be involved in open source than it used to be when there's just not as much of a culture of respect/"respect" or even the knowledge that you're making the world a better place for individuals.
It's difficult for me to point to any one specific cause of this. I want to say the reduced control over your own computing environment, far greater propensity for litigation and control, and the reduced or eliminated means of using social media website APIs to curate your own online experience.
Everything feels so helpless and the primary reasons to solve these don't feel like they're technical in nature. They used to always feel technical in nature.
I have to wonder how much of the problem space of individual empowerment is even left for technology to fix?
Creating value doesn't automatically get you any money no matter how much value it is. You might get some by adjacency. Businesses capture and raid value.
I think it’d be interesting to see what happens in a few decades if the population of open source maintainers continue to dwindle. Will companies step up to maintain libraries in a sort of cooperative manner? Will everything become closed source and bespoke?
Now this probably won’t happen but it’s still interesting to think about.
I think Germany is already doing something great with the Sovereign Tech Fund [0]. They support(ed) a lot of OSS projects so far. [1]
> https://www.sovereigntechfund.de/tech
Funding "American" GNOME instead of KDE? Weird choice.
It's not about subsidizing, but about support for projects they deem important. Gnome is just one of many projects. And they have to apply for funding. It's not simply given to some projects. I'm from Germany and use Gnome. So supporting Gnome is a good thing from my point of view.
To answer the question of the future of open source, I think it's important to consider why open source has existed for so long. Is it a matter of cost to develop closed-source systems? Or is it about the quality and efficiency enabled by open source development?
From my experience it’s about cost and efficiency. By cost I mean my cost to them for my time coding. Customers don’t factor in the hidden costs of open source.
I preferred developing minimal-dependency software but my customers demand fast good-enough results. The only way to deliver that is to glue together open source dependencies.
My experience is that the 0% interest on credit time for large companies enabled open source to thrive: open source maintainers were flush with cash and time. Large companies with ample cash let their staff do anything to keep them happy (and away from their competitors!), including allocated time for OSS contributions.
Now that 0% interest has ended, 'regular' people like me are not flush with cash. Any time I have I need to spend on activities that will bring in money. Why would I waste that on open source?
(Another aspect is the McKinsey-ification of the work place in the last ~10 years or so. Managers are making decisions in tech now, not tech people. All my life I was told that OSS contributions will look great on my CV. So far nobody who has made a decision to hire me has had the background, interest, or knowledge to judge, or even care, for my OSS contributions.)
It hasn't existed for so long! Jeez, kids these days. As a movement it's really only about 30 years old, and that in two separate phases:
1. The GPL/GNU period. The software is mostly called "free software-as-in-freedom". The community is small, volunteer driven, highly ideological and focused primarily on cloning UNIX for commodity PC hardware. Most developers aren't using this stuff at all and work with entirely commercial toolchains.
2. The Apache 2 period. The software is mostly called "open source". The community is huge, frequently driven by corporate donations, not particularly ideological anymore and focused on developer tools / libraries rather than operating systems and desktop apps. Developers now regularly incorporate open source libraries into their commercial programs.
The transition was slow but I'd pick 2008-2010 as the crossing over point. Before that time if someone said they wrote open source software you'd make a weak assumption that they worked somehow on Linux related projects in their evenings/weekends. After that time you'd probably assume they were writing some library and had even odds it was their job.
It's important to remember that 2008+ is ZIRP territory. Money was "free" for investors, so investment piled into a lot of stuff that often wasn't revenue generating because there was nowhere else for it to go. This era was also shaped by a historical aberration - a handful of hyper successful advertising companies whose founders were able to remain in control whilst still selling much of their stock thanks to dual voting classes. Modern developer's understanding of the open source ecosystem, along with their expectation that powerful tools are all free, is very much shaped by the combination of Fed policy and a handful of super rich patron companies that weren't under any pressure to return capital to shareholders.
Thing is none of these factors (ideology, free money, stock with dual voting classes) is historically normal or arguably sustainable over the long run, whereas ordinary capitalism is. So we might well see a reversion to the mean where things like compilers, libraries, operating systems etc become commercial again as relatively high interest rates pull funds out of tech and the supply of Stallmanists devoted to the cause of desktop GNU/Linux continues to dwindle. The recent death of a man who reverse engineered a lot of networking hardware for Linux is an example of this - how many 25 year old hackers want to do that sort of thing any more? They're all writing JS frameworks that only work on AWS these days.
If that does happen though it'll be quite slow. I think the industry would need a kind of Steam for libraries to emerge first, and it's pretty unclear what the next equilibrium phase looks like.
30 years is the majority of the time personal computers have been available. It’s a long time.
> how many 25 year old hackers want to do that sort of thing?
A lot! More than 30 years ago, that’s for sure. The sheer number of programmers has increased so much since then.
A few years ago, when I was 25, I was getting into hardware hacking and I found 2 books on the subject.
It’s just hard to find learning resources on reverse engineering hardware, since that isn’t the entry point for programmers anymore.
My hope is that some greybeards will write some resources on how they made HarfBuzz or Emacs or whatever.
I’d pay for that knowledge. I’d gladly pay for technical biographies of open source projects.
Open source has existed for as long as the Internet has.
And both were called by different names previously.
It is not wrong to say that open source grew up in parallel with the Internet. I see no reason to worry that they will not continue to evolve together.
There is another major aspect not discussed here and that is the proliferation of OSS libraries developed in academia which become widely used.
I don’t understand why this isn’t framed as an economics problem. If a large group of people stop doing something that someone else depends on, then that’s an economic problem. No?
I don’t mean in the narrow sense of exchanging things for money. If society wants some undefined group of any kind of people to do something but they are not (or they are about to quit), then that’s a resource allocation problem of sorts. That’s the bare problem. This problem does not immediately prescribe a solution like paying someone in dollars and cents. That’s only one solution.
Same if a country is having a fertility issue. The problem is sort of an economic one. But the answer doesn’t have to be paying would-be fathers and mothers. It could for example be to provide more free services that parents benefit from. Or it could mean reducing the hours in the “standard work week”. Or it could be to improve the pension of part-time workers (mothers are often part-time workers). Or it could be more child-friendly urban planning. Or it could be to improve the public transportation and road infrastructure for households where the two partners work in different parts of the city/municipality/county.
Are professional economists working on this problem? If not, why aren’t they? This seems like it should be their domain. Am I being totally naive here?
> Are professional economists working on this problem? If not, why aren’t they?
Because right now the impacts aren’t particularly noticeable, even for people “in the know”, let alone professional economists who have never heard of the software supply chain.
It's a global/international problem where each country's efforts will improve the situation (OS ecosystem) for everyone equally. At this point it is clear that humanity is terrible at solving problems like this (just see how climate change is going so far).
There are a few points:
- there is no FLOSS culture in most people, so the classic model "I publish and maintain my code, others get it for free and give back their improvements equally for free" does not work anymore in most cases. Collaboration culture seems to be very diminished: some try to be moral police, some simply do not care, etc.;
- a widespread lack of competence mixing: in the past, on Usenet, newcomers and gurus were together, interacting and sharing visions, doubts etc., which made all the people involved learn. Today with Reddit and co. people are divided, gurus with gurus, newcomers with newcomers; these are Indian castes with extremely little "social mobility", and that's a large part of why the mean culture has collapsed and almost all new projects, not only in FLOSS but in the whole of society, are failures;
- lack of a good software base: modern software designed around commercial/managerial needs is CRAP, even the finest of it, not because the code is crap, but because the environment is. An OS needs to be a single application where anyone can automate their small bits at their competence level; this mode was killed because compartmentalizing anything means more products to sell. This is technically unsustainable, and most modern people work in such environments and many young people have no idea of the old mode and its power. As a result good tools are left behind, those who know them are isolated, and newcomers suffer from the lack of proper tooling and can't progress;
- finally the "slavery flat line with a dot on top", meaning only a few nowadays do things, the giants, and others are essentially their slaves. Most companies have no iron, no operation in house, just sitting on the shoulders of giants, using their iron and operation through their interfaces/services. This means the social FLOSS ecosystem does not exist anymore.
More and more people burned by this model try to go FLOSS, off the cloud etc., but they lack tools and competence, and resurfacing from such a disaster is damn not easy since the largest part of the world is still in the barbaric land of the giants, where even damn simple things are complicated because that's what makes the money for someone.
For the only significant upstream OSS contributions I've made I was being paid a pretty good tech salary to make them. The first major contribution happened because the organization I worked for was still in an incubation mode and wasn't on the hook to show any P&L results. The second and third major contributions happened because they shipped on a proprietary platform that was built on top of an OSS release, and the company didn't want to maintain those parts in the proprietary layer.
After I left the first company they provided zero maintenance support for the major upstream feature, and I won't maintain it on an individual basis because life moves far too quickly for that. Occasionally I'll happen to run across exasperated posts along the lines of, "Help this is broken for me! Why is my patch being ignored? Is this even maintained any more??"
Chances are you only care because the company you work for wants it done so they can make some money off a product they're building with it. Half an hour dealing with some random patch and/or bug report for an upstream thing I did 10 years ago is half an hour less I have to spend with my daughter before she leaves for college. Nope, fuck you and your bug report.
No, you can't even pay me to fix it. I have a job, and it's already taking more of my limited time on this earth than I want it to take. The email address I used to submit those patches was deactivated when I left that company, and I ain't handing out my current one.
For any minor contributions I made I had to convince the powers that be that there was no real IP or competitive value in maintaining the patch ourselves, and after much hand-wringing and delay they finally let me push a few small patches up to the maintainers. In hindsight that ended up being more trouble than it was worth because I wouldn't have been the one needing to maintain that patch in the long run. I should have just submitted it to the company-internal repo and let the next guy deal with maintaining that patch.
In spite of all that, my contributions are still there. They still provide tons of value to both individuals and to companies that mooch off of them. Somehow at some point someone somewhere steps up after enough time has passed to review and merge a patch or fix a bug. Or the bug report just withers and dies, and the world keeps turning.
As I have said before, here and elsewhere:
I would love to work on open-source full time, but I exist in a capitalistic hellhole which employs violently coercive methods - the constant threat of homelessness, destitution, and even death - to ensure I remain “sufficiently profitable” to someone else who already has more wealth than I could ever spend in a dozen lifetimes.
If UBI is ever implemented in Canada to an effective degree, you can bet both your left titties that I would be able to afford the time to contribute. But now? I’m just struggling to tread water.
Hm, sounds the same as the concerns about the fields of teaching, nursing, eldercare and childcare. Interesting parallel.
I've long wondered why FOSS developers of successful software don't offer some kind of financial bounty for whistleblowers who reveal that a given legal entity is violating the terms of their license.
Like, I release pretty much everything I create into the extended public domain (CC0/the Unlicense/0BSD), so I very intentionally have no dog in this race, but for those who make different choices for me regarding their public contributions, it just seems logical. Maybe it's just impossible to sue someone for violation of the GPL in a way which makes it easy to come out financially ahead, though.
How would you pay for the bounty? It seems hard to argue that you sustained any damages in the violation, and that's usually the only thing you can ask for in a civil suit. Additionally, you just invented another thing for developers to maintain.
Yup, as hinted at in my comment. Seems tough.
They could sue or try to settle out of court to get the company's own code to get licensed under the GPL, which seems like something they'd want as well.
In that sense an open bounty is like putting a price tag on how much you really care, in terms of hours of your life you're willing to spend (indirectly) enforcing the rules you have set.
Man, I actually went looking for that. I bet some of us here could've made a killing bringing violators to justice if such a thing existed.
Underpaid FOSS devs offering financial bounties so they can attempt to sue offenders sounds to me quite surreal.
as an inexperienced, thankless issue-raiser in this world, i can give my 0.02 on this.
a lot of open-source today seems like the charitable organizations of the world. the idea is to give selflessly, but a lot of it has become about lowkey entitlement, just because "nobody else is doing it" or will do it without our support.
on the other hand, i do empathize with the double-edged nature of accessibility to open-source platforms. while using git can still be a daunting task, raising issues or "contributions" has become easier than making a ticket in most teams' Jira. again, you can choose to adapt to the platforms or just have a simple one that you control. i might raise well-thought-out issues once in a while when it affects my work projects, but i will not even consider using the mailing list for a linux kernel issue. maybe that is a good way to get rid of the noise.
i envy those who could generously give and also enjoy the process of just coding for its sake. those who don't do open-source with these ideas should not be asking for anything in return. we are not owed anything, no matter what good can come out of our work.
Open source maintainers get a lot of "clout" and respect, and they can use this experience to get high paying jobs at big companies. I know of a few people who clearly do this.
> Small wonder then that the maintainer population is aging – not enough newcomers want the undercompensated, unappreciated job.
Small wonder that some might not want to do that, but it doesn't explain why fewer people than previously would want that responsibility, especially if the population of developers has increased.
My guess is that people are less interested in taking over other people's projects than in starting their own.
> and have become less trusting of contributors following the xz backdoor
That's almost certainly a good thing. Over the last decade plus of my using GitHub, on three different occasions I have wandered into a project, submitted a pull request, and the author has simply given me full write access to the repo without my asking. I didn't want it. I didn't ask to be a maintainer of this project.
People can be really weirdly not unconcerned about security.
And openly attacked, derided, and pushed out by organized gangs of activists who will use your community like cannon fodder to virtue signal and push their ideology.
I don't know how we resolve this. Some things are excellent because open source allows an individual to make what they want without answering to a boss or whatever and then if it gets popular, it comes with responsibilities but probably little or no pay.
As someone who did a lot of volunteer work, these issues resonate with me -- painfully so.
That's probably my primary motive for reading such articles when I'm not really a programmer.
What's to resolve? You either do something for the love of it or you don't. There's nothing to solve, it is what it is. If you want to get paid for writing your software get a job, start a company. OSS is neither of those things.
I'm far from the only person who feels people should get paid for their work if they add value to the lives of others or this article wouldn't exist.
Some people know how to add value and don't know how to turn that into an income and if they desperately need income and everybody wants their work but nobody pays them, it's extremely infuriating and crazy making.
Then they should ask for it.
"I give my software away for free and no one pays me for my work."
Your argument makes no sense.
Also OSS maintainers bear the brunt for interoperability projects while the startups built on those same libraries get handsomely VC funded without ever contributing back.
Any institutionally funded project should be forced to take a percentage of the raise and pay it to the OSS projects/dependencies (even the deep ones they don't see).
thanks.dev is a good platform that does this well.
There used to be a culture of respect for talent and work in OSS. That is gone in many projects. Python for example is now run by repressive bureaucrats who abuse the infrastructure to intimidate and coerce people. Those who do not obey are slandered, libeled and banned, so they have no recourse to defend themselves against the libel.
Python is a great example how OSS can be stolen by a small dominant clique that is active on Twitter (now Mastodon) and markets themselves as leaders while having done very little actual work in the past 15 years.
All of this is enabled by Python's propaganda arm, the PSF, which is filled to the brim with mediocre members, most of whom haven't done anything at all but who brag with @psf in their Mastodon and GitHub bios.
It is all smoke and mirrors now.
> [Linus] also said it's far too early to give up on Rust in the kernel as it's still early days.
Did I miss something? This sounds like they’re thinking about giving up on rust.
Edit: this from the lead working on it:
> "I am retiring from the project," Filho declared. "After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the nontechnical nonsense, so it's best to leave it up to those who still have it in them."
It truly is the most toxic community. I’m just glad I’m not the only one seeing / being affected by it.
I wish there was a better solution to this crisis. There should be a corporate tax on software companies solely to fund open source efforts or something of the like.
Some open source projects have merged into one umbrella organization to better solicit sponsors, but I don't think that will lead to anything fruitful; more likely it will lead to a thing like Canonical, where there's a profit motivation to the project.
This is a wider problem than just software. We need to find a way for people to be able to afford doing things they want but don't profit them directly. Pure capitalism has too many bad incentives for enshittification of software, entertainment, food, and so much more.
Want to just briefly mention, since the article doesn't mention it at all, the blatant conflict of interests:
> open source project maintainers are not being paid for their work, spend three times as much time on security than they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.
> Tidelift: Reduce security risk from bad open source packages
Old open source maintainers think they are more important and irreplaceable than they really are. It's the same in any job or company. We are all very replaceable. Boomers thinking they hold the world together is typical and hilarious.
Edit: At my current job I replaced a 65 year old retiree that the company thought was an irreplaceable lynchpin. I learned his job in 2 weeks.
It's the same reason why it's difficult for single men to find a partner. Life has become too individual. Didn't Rick Beato just talk about this...
https://www.youtube.com/watch?v=h_DjmtR0Xls
I have a project. I'm willing to spend time to help someone learn how to contribute, and in return they'll gain experience they can use to earn money elsewhere. How do you find those people? It's the sales. We have saturated our tolerance for advertising. We just assume everyone who approaches us wants to sell us something right away.
When I started development on my accounting application, I decided to go around town and talk to businesses to figure out what features I should add. I had nothing to sell, I just wanted to talk to people about my own personal initiative. Never mind everyone on the internet screaming that an ERP system can't be done by a single person. No one wants to talk to me, no one cares.
And you all know the best of us are introverts because we focus on the problem and not the sale.
YCombinator: learn to do sales on your own, don't look for sales oriented co-founder. Seriously? Every day it's getting harder and harder to do sales. It's not even sales but social engineering. You hear words like "funnels" and "CPA".
I reached out to my network, I know about 7 people capable of helping me. None had the drive to lift a finger cause they're all too comfortable with their day jobs. I don't blame them, I would be too if I was being paid $100k to change background color of buttons every two weeks.
Yes, what I'm building is of a commercial nature, but I have other interests too, like creating a mesh network with ESP32, which to me has no commercial value and would be done purely for fun. I'm sure there are people with similar interests, but they're being kept guarded by social media companies that work against collective initiative. Cause if they didn't, it would be too easy for people to find what they're looking for.
I have an interview on the 24th. If I get the job the progress on my project stops. I'm 1/4 of the way through to production; that's three more years of development. If I had a few people to help me, we could complete it in six months and end up with jobs maintaining it.
Like many people pointed out - time is precious, "you couldn't even pay me to do it", "I have a family".
So you have to find people just at the right time who have overlapping free time.
I've run out of money, gotta go back to work.
Increment this counter if you gave up on open-source: 1
Rewrite of https://news.ycombinator.com/item?id=41591692
To summarize, the programming toolsets used in open source are not the kind that hobbyists and volunteers should be using; that is why I mentioned the use of Lisp and other higher level languages compared to C and C++. If you are going to write non-trivial programs and utilities in C and C++ then you should absolutely be paid for it.
Most of the people burned out developing for Linux should focus on a cut down system developed for end users and small businesses in mind.
You clearly haven't heard those jokes about C and C++, have you?
You are talking about unpaid people using the wrong languages to do difficult things and that never works.
http://harmful.cat-v.org/software/c++/I_did_it_for_you_all
The Unix Haters Handbook
http://harmful.cat-v.org/software/c++/linus
http://harmful.cat-v.org/software/c++/
Not only that the industry ignores the foundations and principles of correct and sound programming in low level programming languages like C and C++ which makes things even worse.
Going back to the start, Linux did not start off with an intention to be an operating system developed for enterprise users.
Commercial interests took it over and decided to go with it. The simple truth is unpaid hobbyists and hackers should not be involved in the development of enterprise operating systems. Windows NT was not developed by unpaid hackers. Why should that apply to Linux? Unix was developed by corporate employees, and it is only when the GNU project decided to replicate the toolsets it used that Linus decided to build a kernel of his own, after which corporations jumped on it because of the GPL.
Those days are long gone and hobbyists and part timers shouldn't really be involved. It is OK to write and develop programs to gain a sense of achievement and pride from them, but when the need to maintain them kicks in, that is when it all starts to go south.
Their involvement should be on simple utilities for end users. That is what free software development which is not well remunerated should focus on.
The solution is to stop using low level languages like C except where it matters, and improve the UI capabilities of higher level languages like Lisp.
Most of the problems in free software are rooted in the use of C and C++.
When you are doing things for free you shouldn't be using slow, difficult tools.
What on earth are you talking about? The problem is corporate interests thinking that 'open' means 'free labor'
The choice of language has absolutely nothing to do with it. Not in the slightest.
This cargo cult nonsense does not make you smart or cool. Try some critical thinking next time instead of regurgitating catch phrases you haven't even bothered to analyze.
> The solution is to stop using low level languages like C except where it matters, and improve the UI capabilities of higher level languages like Lisp.
This is my conclusion too. None of the reasons C/UNIX won are valid anymore, and its essential kludginess has cost us incalculable time, money and brain space. Imagine what the open source community might have achieved with a real high-level language. Instead we've given them layer upon layer of inadequate tools and told them that if they can't manage the mess they are too dumb. So we spend more and more time in maintenance than in development. Who wants to juggle pointers, increment counters, and do their own garbage collection in a Jenga tower when they could just write their own nouns and verbs in Lisp? I'll be working on exactly this.
Open source is one of the most thankless jobs. People who do it should still think about other ways to make money, or find a way to earn while contributing. It makes no sense to write amazing software, used by large corporations to generate billions, while you end up poor and bitter. No, it’s not fair, and no one should allow themselves to be taken advantage of in that way. Open source is a gift, but before giving to others, you should ensure you have enough for yourself.