
This is a good article, and 99% of this article I agree with. I'm going to quibble at something very small, not because I think the author is guilty or anything or because they're doing something wrong, but because this is a general pattern I've been seeing over and over again in multiple takes from multiple people: it feels weird to me to have a criticism of corporate behavior where corporations don't know how to ensure the continued success of the commons they build on, and to title this that "Open Source" is broken.

If a bunch of hunters go out and shoot all the ducks to extinction, you don't title an article that ducks have failed as a species, you say that duck hunting is a problem. And I've seen a few different articles now talk about how Open Source devs need to get better about setting up contracts and finding sponsors, or saying that this reveals a fundamental problem with Open Source, and I just don't get why we're laying this at their feet.

The big companies whose stuff broke because of Log4j have a giant legal department with infinitely more resources than any single developer available to them to figure out how to kick money to these projects. And this is something that article touches on, which it describes completely accurately: there are developers who build this stuff that do not want it to be a professional thing, and they should still be compensated. There are developers who don't want compensation in the form of money, they want additional development resources or dedicated people helping them triage bugs, and that's a legitimate need that companies could start learning to provide. Volunteer developers should not need to learn how to set up an LLC or a nonprofit to get some compensation for their work if their work is important; the idea that compensation is dependent on a very specific model of professionalism and that it's incompatible with people doing something as a hobby is just wrong. The author does a good job of pointing out that Open Source funding often looks different from commercial funding. A quote even admits:

> Okay, part of this may also be an ADHD thing and not really being able to stick to projects longer term.

But the thing is, that's OK. Like, you should be able to be in that position and to jump around between projects and if a company really cares about it it's still their job to give you money or to invest resources and maintainers into the project to make your life easier. This should not be conditional on you turning your work into a full-time job with years of commitment. But even as I praise the article for that phrasing, and even though I suspect this is something a lot of people agree with, I'm still frustrated that we don't get a bunch of articles that say "corporate financing is broken and unsustainable" or "our culture about funding and who/what deserves money is broken." We get articles that say that "Open Source" is broken.

I know that I'm kind of just quibbling over something small, and I know this is if anything the wrong article to even post this rant under. I don't want to make needless conflict over something where the author is mostly just right and in many cases saying the same things I'm saying. But I do kind of think this phrasing is important. My objection is I think the phrasing here implies to people (unintentionally) a kind of unconscious bias that this is Open Source's problem to solve. But the commercial companies broke and went into panic mode because they weren't willing to invest into the infrastructure that they rely on. That is their problem to solve, they are the ones on fire. They have the resources and they are capable of learning how to give money directly to developers. Maybe it's a cultural problem that they need to work on that's just ingrained in business heads; I somehow doubt we're going to get a bunch of corporate think-posts on LinkedIn about that framing though. Companies should be expected to occasionally evolve themselves instead of having everybody constantly hold their hands and console them that we understand that large direct donations and regular investments are just ever so scary and difficult to do and that this is a systemic problem with the community, not a direct problem with their individual behavior as an individual company.

Funding for Open Source is a serious problem, but I'm kind of tired of seeing article titles and phrasing implicitly suggesting (again, I think completely unintentionally in this case) that it's the Open Source community's problem to solve. You all use our stuff! This is your problem, your stuff broke because projects were underfunded. Why is it our job to make our funding methods more comfortable to you? The company's stuff breaking because their lawyers are irrationally scared of straight no-strings-attached donations is their problem. Let commons be commons, get over the short-sighted thinking that says companies can't possibly invest into making their products not fall over and catch on fire randomly unless they get something exclusive out of that investment. Or if they're incapable of doing that, stop giving them sympathy and treating their irresponsibility like it's everybody else's job to solve. They'll learn to fund Open Source, or their stuff will break in embarrassing public ways that make them look bad, and maybe after a while they'll start learning some heckin lessons from that.

This is something that (outside of the title) the article does a good job of reinforcing: build the software you want to build, and don't let leeches pretend that gives you an extra obligation to them. Particularly don't let leeches argue that your inability to keep leeches away is your fault. Honestly, the Log4j maintainers would have been completely justified in saying, "hey, yeah, we see this critical vulnerability, but it's the weekend, we'll get to it on Monday."




I actually really like what you're saying.

As someone who's pointed tens if not hundreds of thousands of dollars to open source projects, blaming lawyers is unfortunately not the solution either.

Companies have budgeting and legal solutions laid out, it's pretty much a first year problem. Engineering and IT want money to go to those developers. The issue is finding and getting money to these developers in accordance with tax code, jurisdiction/etc, it's basically a regulation issue. On top of that, many developers don't want to deal with the tax hassle of getting paid for a $50-200 solution because it opens them up to ID theft and a whole morass of problems.

For the moment the most effective use of my dollars has been to donate to foundations and tag my donation with a "hey, can you use this for $XYZ", and that works. The FreeBSD foundation does a great job of this and that's why I donate money to them every year.

If there was something like this that encompassed more developers, I'd be really keen to see that as well.


So on some level, I agree, and in particular I think that having these meta-organizations and middleperson organizations that essentially act as money-pits and then put in more of the hard work to distribute funds or support -- that's a great idea, and I'd love to see more stuff like that.

And I am grateful for companies that are putting the work in to try and solve these problems, we need more of that, so thanks for the work you have done and thanks for your thoughts on the problems.

I still have a couple of specific, narrow objections overall:

----

> Companies have budgeting and legal solutions laid out, it's pretty much a first year problem.

> The issue is finding and getting money to these developers in accordance with tax code, jurisdiction/etc, it's basically a regulation issue.

Who's more equipped to solve those problems, companies or unfunded developers building stuff in their spare time? Who has more lobbying resources to change tax laws, Microsoft or Open Source developers? Saying that this is a corporate/business problem is not necessarily the same as saying it's an easy problem, it's just saying that the stuff you bring up above are company issues, not problems with Open Source. Open Source isn't broken, companies are broken in that they struggle to interact with or support the ecosystem in productive ways.

It's a business problem that budgeting is so rigid that companies can't on-the-fly budget (or never thought to budget in the first place) resources to maintaining infrastructure that they rely on. It's a business problem that businesses don't understand their supply chain well enough to know what they're relying on or how to get in contact with or support the projects that they're relying on to remain stable and secure. These are complicated problems to solve, but let's be clear about where they lie.

Yes, there are tax complications, there are regulations. These are also problems that companies are more equipped to solve than developers are; companies have legal departments that can help navigate taxes, and individual developers do not. It's a business problem that companies don't have mechanisms/infrastructure to distribute support to things they rely on without falling into complicated legal holes. Yes, there are problems of finding the projects that need funding, but once again, businesses are more equipped to examine their own dependencies than developers are to try and figure out everyone who's relying on them and how important their libraries are to those companies.

And yes, you are absolutely correct that not all developers want to get paid traditionally (or even paid at all), and that's a choice we should preserve. But in some ways, that's exactly why this is a corporate problem: it's good that people get into Open Source with different motivations and needs, and it is better for the tech industry to evolve and figure out how to support those developers through nontraditional means (QA volunteering, patches, documentation, attention/promotion, one-off donations, etc), than it would be to try and "professionalize" Open Source. Even in the scenarios where people want literally nothing, and they don't want to be critical infrastructure at all, it's still kind of the company's responsibility to figure that out and to figure out if they're comfortable taking on the risks, or if they need to either use something else or fork the project.

For all of its faults, Open Source works pretty well, that's why companies rely on it. And I think part of that is the messy non-commercial aspects, the accessibility of contributing that means a company might be using a library built by someone who's only 15 (which for sure makes corporate funding complicated), the lack of hard requirements or contracts that mean a developer might walk away from something a company is relying on -- these are not accidents, they're deliberate parts of the system that allow non-professional people to take part in building the commons and solving their own problems. And yet for all of that messiness, Open Source produces software that's good enough that businesses rely on it. So when we have a system that is producing good software that people rely on, but the funding methods and support methods that businesses are capable of engaging with don't always line up with that system -- this is a case where businesses and the surrounding tech industry that should change, not the system that's producing good software that people rely on.

I will note that in the case of log4j, the developers are interested in normal funding -- this specific situation isn't a problem with figuring out in what way to support developers, it's a problem stemming from the fact that businesses don't know how to analyze their dependencies and figure out which parts need support (which is why they didn't realize that log4j devs wanted funding), and that businesses don't know how to donate to those dependencies or that the businesses aren't flexible enough to make those donations using the payment systems that many Open Source developers prefer. So there are broader questions about what projects want support, but log4j is kind of one of the easier examples; if businesses can't figure out how to donate to this project without an invoice process (even if the reason why is complicated and protracted and multifaceted and hard to solve), then businesses really are just broken in this regard.


Author of the post here, can you please turn this comment into a blog post? It is lovely and I love it.


Thanks so much :) No promises on timing, but sure, I'll do my best to write something up.

And thanks for commenting as well; I'm honestly really relieved that this apparently didn't come off as too critical, I was somewhat worried about that. It's a weird situation where your post is one of the better ones about Log4j2 that I have seen today, and there's stuff there that I really appreciated you writing and articulating, particularly around your hesitation to make things that companies would start relying on. But it was also the only one that got up to the top of HN that I saw when I logged in, and... I kind of went back and forth whether it was right to complain about a broader trend underneath it, given that the actual substance of your article really isn't falling into the trap I was complaining about.

Anyway, just reiterating that you wrote a good article and a good take, and it's not even that the title is egregious or worth a rant in isolation, it's fine. It was just the Nth title over X months that I've seen about Open Source funding that happened to be phrased as the Open Source problem, directly after I finished reading a different article that was suggesting that Open Source devs all need to learn how to set up their own LLCs and invoicing departments.


Bravo! Well said. Thank you, Dan.


LGTM. +1.


That analogy is a false one. Duck hunting is a self-selecting, non-mandated recreational activity for privileged people, not an activity that forms a critical role in a global pro-business economy.

The correct analogy is:

If the law mandates the indiscriminate killing of animals, you don’t title an article that some animals have become extinct, you say that the indiscriminate killing of animals has caused the extinction event.

The given analogy misattributes the source of the harm based on proximate factors… in effect it's saying 'I didn't kill the animal… the bullet from the gun I fired caused the animal's heart to stop' - it's a VERY shoddy argument.


What law mandates that companies can't donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues? What law mandates that companies have to ignore maintainer burdens? Each company made an individual choice to use infrastructure that they weren't funding/supporting, to effectively transfer bug-testing and security reviews onto unpaid maintainers. Then the infrastructure they weren't supporting broke.

The mistake I'm trying to point out is in looking at a corporate problem, where corporations are not doing due diligence to ensure the success of the commons that their own products critically rely on, and then implying that it's the responsibility of Open Source maintainers to make it easier to fund them or to alter their culture/projects to better fit company priorities. Well if everyone relies on this stuff, then the people who rely on it can figure out how to support it.

That I'm seeing articles suggesting that the problem is that Github sponsorships are hard to explain to accountants -- well, it sounds like the giant accountant firms that are being paid a lot of money aren't doing their jobs well, and aren't actually able to navigate financial situations that are outside of their comfort zone. But that's not the Open Source community's problem to solve, and the law doesn't mandate that companies be unable to navigate those spaces.

Companies ended up in the situation where an undersupported library that they needed to be stable instead broke because of their individual choices as companies about what parts of their infrastructure they would and wouldn't fund/support.

There is a systemic problem here, but it's not systemic in the exact same way as many other systemic problems that we face -- it's not systemic primarily due to outside pressure or laws, it's only systemic in the sense that companies are systemically and culturally unable to think about infrastructure or the commons in a responsible, long-term way. Sometimes systemic problems are really hard and complicated, but sometimes there are systemic problems that basically boil down to, "a bunch of people are irresponsible, and if they stopped being irresponsible the situation would get somewhat better." I don't think that Minecraft is the victim of circumstances outside of its control, I think it's really reasonable to expect a game bringing in that much money for Microsoft to be able to look at its dependencies and proactively identify/reinforce fragile parts of their infrastructure. Minecraft wouldn't have needed to solve the entire Open Source funding problem to avoid this bug, they would have needed to figure out how to support the extremely finite number of libraries that they rely on and that are directly linked to the success of their product.

And we can talk about wide-scale problems that hold Open Source back, we can get into the weeds on concepts like UBI, or better payment platforms, of IP laws, or whatever. It's not that those conversations are bad to have or that they're not important in their own ways. But they're not prerequisites for Microsoft giving money to people. And even in a world with full UBI or in a fully post-Capitalist society, you still might have Open Source developers making really useful stuff, where those developers don't want to spend all of their time or energy on that project or want to take it in a narrow direction, and that's fine. That shouldn't be a situation that we're trying to eliminate. Open Source is accessible and it allows people to dip their toes in, to solve narrow problems, to pick up and port/extend other libraries without a complicated legal process, to collaborate across national borders, to evolve their priorities and to jump between or even abandon projects -- and it turns out despite everything that is a really great ecosystem to live in. I don't think it's right to try and tear that ecosystem down and rebuild it into something that's purely professional, which is what I think a lot of corporations want. I think it's a lot more reasonable to ask businesses to learn how to interact with and support developers who may or may not be professionally working full-time on each project; I think it's more reasonable to ask why when the Open Source community is building stuff that other people find useful, that it is also our job to figure out how to make funding us attractive. And more directly relevant to your argument, I don't believe that there's a legislative reason why companies like Microsoft/Google/Apple can't get better at this stuff right now.


The law that mandates that companies can't donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues is the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders. The law that mandates that companies have to ignore maintainer burdens is similar, but much more obtuse, mainly concerning commercial and workplace agenda issues founded on aversion to risk.

The mistake I'm trying to point out is your analogy is wrecked, it's only a very small, but well scoped rebuttal. Your analogy, granted, has been taken out of the context of the comment, but it's important that analogies used to make a point actually map on to the concrete situation, and your analogy clearly doesn't achieve that. Anyway, let's move on to the substance of your comment. You want to shift the burden of fixing what is a very well documented and well understood market failure (free riding) on to corporates. I get that. You want to do that by shifting the burden of the fix to them. What you fail to grasp are the free market maxims which rule these companies. You are, in effect, asking people to stop writing articles about (say) wearing a face mask in public when faced with a public health epidemic and instead write articles about how animal husbandry practices in a small market in Wuhan are the real story. What your comment fails to capture is the systemic failure of Open Source. In the same way, an article about a virus that is harmful to human health that focuses on hygiene in a market in Wuhan won't help anyone stay safe once it becomes an epidemic. You are mistaking an epidemic for a malpractice suit. You don't solve an epidemic by suing the market traders in Wuhan, you write articles about wearing face coverings and public health policy programmes like vaccines.

So, your argument is bogus.

Open source is broken, as a system, it is meant to be broken, it was designed to be broken in the same way Windows is designed to be broken, because it suits people that promote it.

If you are making FOSS you are perpetuating a broken system and are accountable for that.

If you design your house with no doors or windows and then proudly announce the fact it has no doors and windows and everyone is welcome to take a look around you don't get to blame people who wander in from time to time and take a look around.

The rest of your comment here seemed to flip flop between whether the problem is systemic or not based on ideas of what the system is, and what it is not.

I am not convinced by that analysis because the systemic failure is self-evident here and so to discuss whether open source software production is a system or not, or whether it interacts with other systems or not seems naive.

Your point about Minecraft seems to show some naivety around the way production systems interact with economic systems.

Some form of interpretation from either the history of the industrial revolution or the economics corpus would probably be enough to disabuse you of your reluctance to admit the interplay between economic and technological systems.

Your opinions suffer from a widespread tendency for people's opinions to be wrong. I include mine in that category too, but at least readers may benefit from being given a choice as to how wrong they wish to be.

Sorry, I didn't mean 'mandate' as in 'legal', I meant more like 'Social License to Operate' (SLO) which is more at the social/cultural level, although there are of course legal ways to keep corporations away from code... AGPL/Copyleft/Ethical Source/Noncommercial licensing and Social Domain licenses all seem to be pointing to a new economic future that, despite our differences in opinion here, I think we can both agree on, would be more desirable than the current situation?


> The law that mandates that companies can't donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues is the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders

Does this law forbid them from paying support contracts to Oracle or IBM/Red Hat or anyone else? Hey, if nothing happens that needs support, that money could have gone to the shareholders, right?

And yet, I can't recall ever seeing any stories about shareholder revolts against management because they paid "unnecessary" support fees to software providers. You got any handy links to such stories?

If not, it seems it's your argument that is bogus.


You don't seem to understand the dialectical shape of this argument. You would have to try to understand better how two things that seem opposite could both be true.

For example, Microsoft could pay Red Hat for whatever they like, but this does not contradict the general law of profit maximization. It is possible for a large tech company to achieve both these goals together (support for open source and undermining open source) without undermining the general law, which is to reduce costs wherever possible and maximize profits for shareholders however possible.

You need to think a bit more about the motivations and rules operating here, and if you do, you can't fail to come down on the conclusion that it is open source that is broken, because it reproduces the free rider problem as a well documented and persistent market failure.


> You don't seem to understand the dialectical shape of this argument.

A) No, you don't seem to understand the simple logic of the issue at hand.

B) "dialectical shape"... Yeah, use a lot of Big Words flim-flam, that'll surely make your argument so much more convincing. Sheesh.

> Microsoft could pay Red Hat for whatever they like, but this does not contradict the general law of profit maximization.

Exactly. So they could pay Red Hat for support and maintenance on this piece of software, too. Or, waitaminnit... Does this only work for paying Red Hat, specifically; are they mentioned by name in the laws on fiduciary prudence, or what?

Otherwise, one would have thought that if they can pay Red Hat to maintain this code, they can just as well pay someone else for that. Like, for instance, its original author(s).

> You need to think a bit more about the motivations and rules operating here

Yup. Mainly yours.

> and if you do, you can't fail to come down on the conclusion that it is open source that is broken

Oh yes, sure I can. Fail to come to that conclusion, that is. Wake up and adopt my perspective, and you'll see that if this shows anything, it's that it's the corporate model that is broken: It repeatedly leads to exactly this kind of simple-minded attempts to defeat the elegant copyleft judo trick at the root of open source, which repeatedly get the prospective beneficiaries... Exactly fuck-all.

> because it reproduces the free rider problem as a well documented and persistent market failure.

If this shows anything, it's the exact opposite: The habitual corporate parasites have been notified that there is no free support-and-maintenance plan for them to freeload on.

Yeah, the market is full of failures. Assholes thinking there is such a thing as a Free Lunch -- for them, only -- without any obligation for them to do anything for anyone else, is one of them. Once enough of them have failed that way, maybe the rest will learn from that. (Not that I'm holding my breath.)


> the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders.

This is an inanely incorrect urban legend of a claim. The business judgement rule overrides it except in amazingly egregious circumstances, and paying the maintainers of business-critical upstreams would be profoundly unlikely to be such a circumstance.


Not really. Payments made to maintainers of business-critical upstreams are only sanctioned at board level if the failure to pay could result in identifiable additional risk to the business. As a general rule, this plays out as a kind of high level socialist monopolizing for big tech, and low level capitalist competition for everyone else.


> The law that mandates that companies can't donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues is the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders.

People place an over-emphasis on this. Minecraft broke, the situation they ran into is no different than if their engineering team had introduced an XSS error in their own codebase. If this isn't something that's affecting company profits, then why are they complaining? And if it is affecting company profits, then it's in the shareholder interest to figure out how to support the work so their stuff doesn't break. Nobody says that the law mandates that companies can't have a QA team, companies are allowed to care about reliability. So if donating to someone's Patreon or kicking resources their way improves the stability of a product, then that's in a company's interest, it's not violating shareholder rights to take tangible steps to make your product more secure/reliable.

In general, companies are not quite as constrained as you are suggesting by requirements to pursue profit in the first place, but even from that perspective if we assume they are completely bound in that way, this is still either:

A) not a problem they should be complaining about since apparently it doesn't affect their profits, or

B) their problem to solve, since it affects their profits.

----

> If you design your house with no doors or windows and then proudly announce the fact it has no doors and windows and everyone is welcome to take a look around you don't get to blame people who wander in from time to time and take a look around.

I don't think anyone here is blaming people for using Open Source projects for free, that's by design. I'm blaming them for then turning around and saying, "hey, this thing we're using for free without contributing at all broke, something is clearly wrong with your process, why didn't you stop us from using your thing for free?"

It is directly by design that people can use Open Source projects without contributing back. That's not really the issue here.

----

> If you are making FOSS you are perpetuating a broken system and are accountable for that.

See, this kind of gets at the core of my criticism. The log4j devs didn't wake up in the morning with their house on fire. Minecraft did. Log4j devs didn't have a contract with Minecraft, they weren't losing money because Minecraft's house was on fire, none of this had to be an emergency for them. But somehow, not only is this suddenly log4j's problem to solve, but also it's their fault that Minecraft used their code and they're somehow responsible for perpetuating a 'broken' system?

It just doesn't make any sense; if you don't think that Open Source is maintainable or safe, then don't use it in your company. If you think it's valuable, then think more than 3 months down the road and commit to helping it thrive so you can continue to rely on it (and explain to your shareholders that sometimes share price is affected by zero-day vulnerabilities in products). Or don't, but then don't expect us to do a bunch of soul searching over how we can serve you better or change our culture to suit you.

Feels very weird to be relying on a commons as critical infrastructure by your own choice, and then complaining that the people building the commons are the problem because they're somehow enabling the system.

> AGPL/Copyleft/Ethical Source/Noncommercial licensing and Social Domain licenses all seem to be pointing to a new economic future that

I don't understand why it's the job of people working for free to not only give people their code for free, but also to figure out the entire social/economic structure for how to get companies to contribute to the ecosystem.


> it's in the shareholder interest to figure out how to support the work so their stuff doesn't break.

100% incorrect. The motivation is to make as much money as possible which could mean anything... mothballing an investment, firing workers, outsourcing, making code proprietary, buying out competitors... whatever it takes to make money. You really have a very naive view of the profit at any cost rule that makes a corporate run.

Donating to someone's Patreon does NOT improve the stability of a product, so it is not in a company's interest. What they are more likely to do is hire the lead developer.

The corporates' motivation is not to make a product more secure/reliable, it's to make their profits more secure and reliable, and very often this comes at a cost to product reliability and stability.

The entire Big Tech model is about creating artificial scarcity in tech and premature product obsolescence.

More money is made from financialization of the company than from products at the highest level. You need to look at that.

My understanding is your position is that Open Source isn't broken, it's all the free riding that's the problem.

The trouble with that is it is an argument from proximate cause. It seeks to eliminate the negligence on behalf of FOSS developers, the negligence of NOT fixing their work to a licensing regime that deters free riders.

> The log4j devs didn't wake up in the morning with their house on fire.

No, but they woke up everyday with a house they made from tinder, and built it in a dry and overheated climate, so how responsible is that?

> I don't understand why it's the job of people working for free to not only give people their code for free, but also to figure out the entire social/economic structure for how to get companies to contribute to the ecosystem.

You need to understand. That's what you need to do.


> Donating to someone's Patreon does NOT improve the stability of a product

Saying this more forcibly doesn't make it true. Demonstrably, a bunch of people's stuff broke because log4j was underfunded. You can't claim with such certainty that funding Open Source doesn't make products more stable after a bunch of companies just had a bunch of critical severity bugs because the project wasn't funded and didn't have enough eyes on it. That's a wild thing to say.

"Locking doors doesn't deter criminals, so our investors aren't going to pay for locks at my business", as you actively watch masked thieves walk out of your office building holding a flat-screen TV. Come on. :)

On the other hand, if it doesn't impact corporate profits, if Open Source stability isn't affecting businesses, then corporations can stop complaining about Open Source bugs, and we can all stop having these hot takes. But I think the reason we have these hot takes coming out of corporate mouths is because they recognize that bugs do impact stability and they're interested in trying to make that into someone else's problem.

> You need to understand. That's what you need to do.

See, this is the thing though, I and the Open Source community don't need to understand this. The point I'm making here is that the log4j developers were not affected by this bug, it wasn't their stuff that was on fire, and nobody had a contract with them forcing them to care. Donating something to a company is not an obligation to service that thing.

Nor would it be "irresponsible" for the log4j maintainers to leave companies in that state. The Open Source community could just ignore all of this. The Open Source community doesn't benefit from Minecraft using their stuff for free, the Open Source community could turn over and go back to bed when people start panicking about Minecraft bugs. The Open Source community does not need to worry about anything other than the Open Source community, it is an act of both social and personal charity that people release code under permissive licenses, and doing so does not open them up to any additional obligation for support or any additional responsibility to guarantee stability.

If you want that support, then pay for it. And if you're not willing to pay for it, then fine, but then don't complain or expect sympathy from the Open Source community if your stuff breaks.

----

> My understanding is your position is that Open Source isn't broken, it's all the free riding that's the problem.

My position is not that free riding is the problem, free riding is a big part of Open Source, free riding is fine. My position is twofold:

- First, when you give someone something for free, and they come back with additional demands or complaints that it doesn't work as well as they want it to because they're not engaged in support -- it's not your problem or your job to devote additional work to making it easier for them to free ride.

- Second, that at a systemic level people giving stuff away for free does not give them some kind of additional obligation to individually overthrow Capitalism or rework our entire economic system, and I think it's wild to look at arguably one of the most successful Anarchist spaces in the entire modern world and say, "it's not the businesses that are the problem, it's these people, because they haven't done enough to overthrow the entire tech industry."

----

You seem to be dipping your toes into a very cynical take on the tech industry that I'm not going to argue for or against. What I am going to say is that if I take your position, if I assume that the tech industry doesn't care about stability at all, that it only cares about rapid growth, that security vulnerabilities are acceptable to investors, that this is all an elaborate shell game to monopolize and undercut competitors and choke down on the market and its workers -- from that perspective, it makes even less sense for us to have an earnest conversation about how Open Source can become more "professional" or how it can encourage companies to give back.

If I start from your view of the tech industry, then I am even more convinced that Open Source bears no obligation to these companies and that it's fine for the Open Source community to go off and do its own things and leave them to figure out their own problems. It doesn't make sense to have such a cynical view of how companies work, and then to say that Open Source developers are now somehow responsible for cleaning up this mess that companies caused. You seem very cynical about the potential stability of corporate products in general; but if they're so fundamentally broken then why not let them break?

It is a very strange philosophy for you to have where you're pointing at corporations and investor mentality as a fundamentally broken system, and then saying that Open Source devs are being irresponsible because they're somehow "enabling" these people. If someone sets out a bowl of Halloween candy and some kid comes up and takes the entire bowl, who is the primary person that you blame in that situation?

But sure, whatever. If I understand you, the central problem is that free riding is baked into our industry, and yet somehow it's individual unpaid developers building software outside of that profit-maximizing system that are to blame for all of it. So instead of holding companies to task, or trying to support the people building commons that aren't designed to monopolize or grow at all costs, or reworking economic systems to improve incentives, or even just acknowledging that Open Source devs don't have an obligation to support the industry, what we should actually do instead is criticize the Open Source community for not being itself Capitalistic enough. That will definitely help, and definitely won't just result in cementing the very systems you criticize. /s


> Donating to someone's Patreon does NOT improve the stability of a product

>> Saying this more forcibly doesn't make it true.

Sorry, my intention was to emphasize some basic economic logic, not enforce it.

Let me try again. Unless there is agreement between the financial donor and the recipient that the donation will be reciprocated with demonstrably more fitting outputs for the donor, do not expect to see any positive correlation between levels of funding and product stability.

Apache already has the model for log4j... and I'm not being facetious here, but for the sake of clarity only they call it 'governance' which is a comprehensive regime of massive corporate sponsorship, and volunteer 'PMCs' who are drawn from elite engineering backgrounds and participate mainly for social status, not money.

This is because people like myself, and people that like 'The Apache Way' see individual philanthropy and good science as a very complex relationship... and people like me would say... 'bad relationship'. Good science tends to be funded socially... through government organizations and civic institutions, Apache Foundation is one such institution. They accept private donations but it just goes into general funds AFAIK, most of the work done there is sponsored by Big Tech. We can argue that, if you want?

So, underfunding of log4j was not the issue at all. Apache projects I believe are generally well resourced and well managed. No?

> ...the reason we have these hot takes coming out corporate mouths is because they recognize that bugs do impact stability and they're interested in trying to make that into someone else's problem.

So, no... the reason is because corporate mouths are connected to corporate hands, and they have been dishing out money to Apache from the beginning. They believe they are owed something... and to some extent they are. You don't sh*t on your donors. That's the rule in the third sector.

This is why the log4j team are being held accountable. They trade off Apache reputation and the foundation they work for takes the money off many big corporate sponsors.

When you see the history of these issues it all makes sense and although your sentiment might appeal to lots of people, that is all it is... just like 'we shouldn't feck with cats'. That is the sort of argument you are involving yourself with. Sure, in an ideal world no one would feck with cats, but my argument is... when you see someone fecking with a cat, you don't just let them do it, sure, lock them up and rehabilitate them or get them to do some community service or whatever but mainly you want to be thinking about making sure that cats aren't so vulnerable... so you do stuff like make sure breeders are registered, make sure owners look after them properly and don't let their cats stray and so on.

You don't seem to have a very good grasp of what the Open Source community actually is... it's about big corporates. All the millions of individuals, small and medium sized developers and end users are basically bystanders.

It might be worth coming back once you've got a clearer picture of the landscape. It's not what you think it is. It's not a pastoral idyll of happy, flourishing code crofters, it's a highly industrialized and monstrous tyranny dominated by surveillance capital...

When you see that, tell me if you still care if some prestigious Apache PMC engineer who chooses to work on something for free is really surprised when additional demands or complaints come in to the Brand he is trading off.

That's the deal here.

The systemic level is elite engineers on good salaries and high social standing working on high profile projects on the understanding that their reputation rides on being professional.

For them, it is not about overthrowing Capitalism or reworking our entire economic system, quite the reverse. Open Source for these people is about working to extend that system around the world. I'm using linux now and am under no illusion that almost all of it has been commodified... made alien to the people that worked on it... in the exact same way proprietary software is... the kernel included.

Open Source is capitalist, not Anarchist. I hope that much has been made obvious.

You misstate my position, I said big tech only cares about stability as far as it impacts on profits. Very often it will seek to make a product less stable in order to make money. Dishonesty is not a bug, it's a feature of all corporates.

Open Source is one big corporate hustle. Maybe you will want to look into that a bit more before you assume that Open Source is anything else? Thanks.



