Introduction
I don’t know how to introduce this post other than the question in the title: is it even worth working on Free and Open Source Software anymore?
I have been asking myself this for the past week or two, and it’s uncomfortable for me; I believe in the power of Open Source to empower users and to give them control over their machines.
Exploited FOSS
But that belief of mine has been severely shaken by several things that happened this week, things which also made me reconsider events further in the past.
log4j
First, the log4j vulnerabilities happened. The maintainers worked to fix them, and what do they get?
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8
— Volkan Yazıcı (@yazicivo) December 10, 2021
So, it turns out that most of the development work on log4j is not funded, and what is funded is pitifully small.
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.
"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"
People, what are we doing. pic.twitter.com/2hAxUWCjuC
— Filippo Valsorda @filippo.abyssdomain.expert (@FiloSottile) December 10, 2021
And remember, there are people bashing the maintainers for screwing up something they essentially did as volunteers!
This is something that happens all of the time. When a vulnerability is discovered in a critical piece of software, people complain to maintainers whom they have never once thanked, helped, or paid.
OBS Studio
Also from this week:
Remember yesterday’s news about TikTok releasing a go live platform? Turns out it’s a fork of @OBSProject
Shoutout to @HunterAP23 for pointing this out
STOP STEALING FROM OBS JESUS pic.twitter.com/kx8ckK3MXS
— Naaackers (@Naaackers) December 16, 2021
Yes, it is that simple: TikTok stole code from an Open Source project.
The license OBS Studio is under, the GPL, requires anyone who distributes the code to others to make their changes available in source form, and TikTok obviously did not do that.
Elasticsearch
This is not from this week.
Because Amazon started offering Elasticsearch, it was relicensed. Some people perceived the move poorly, and I can’t blame them.
Audacity
A company “bought” Audacity and added spyware. The same company also did it to MuseScore.
Patterns
These things are not just one-off bad things; they are patterns in the software industry. In fact, they’re so pervasive, they have a name: dark patterns.
Here are some more examples.
Ads in Paid Products
Adding ads to software seems to be in vogue, with Microsoft doing it to Windows, even though people pay for Windows.
That also goes for “smart” TVs: ads get added later, after you have had the TV for a while.
Spyware in Paid Products
Windows also has spyware, and you better believe that smart devices do as well, even if you paid for them. Yes, that includes Apple products.
Companies Pushing Subscription Models
Even worse is when companies push subscription models when you already bought their product, or they make it difficult to cancel a subscription.
- Adobe switched their Creative Suite to Creative Cloud.
- Toyota wants customers to subscribe to use remote start.
- A lot of companies let you subscribe online, but require you to call to cancel.
Why do they do this? Easy: because a subscription model brings in constant, endless revenue. It’s exactly what MBA suits like. And they don’t want to lose it once they get it.
Scarcity of Maintainer Attention
Coming back to Open Source, it is obvious that there is a huge deficit of something we need more of: maintainer attention.
It makes sense why there is scarcity; after all, this is work done by volunteers in their “free” time. They may not have much free time at all!
And yet, these projects are critical infrastructure.
Companies that depend on these projects are like reckless logging companies: they are extracting a scarce resource without ensuring its renewal.
The logging companies learned the lesson, and it’s time the software industry learned it.
Copilot
If straight up ignoring licenses, like TikTok did, wasn’t enough, there is now another way companies can extract value from FOSS without paying back: GitHub’s Copilot.
I’ve written before about the dangers of GitHub Copilot, and while the hype and bad press have died down, the dangers have not.
I’ve been trying to do something about it; I have written licenses to make GitHub hesitate before using my code as input to Copilot, and I’m currently trying to find lawyers to help me solidify those licenses.
Unfortunately, I can budget very little, about one hour’s worth of the attorney’s time, and he thought I needed five hours’ worth of work.
I have contacted a couple of non-profits for help, but I don’t expect to get any because they probably have bigger fish to fry.
But even if I solidify the licenses, what stops GitHub from ignoring them by claiming that their Terms of Service allows them to use my code?
This is one big reason I pulled all of my code, except for bc, off of GitHub. If they make this argument about anything other than bc, they will be lying.
And beyond that, what stops other companies from using Copilot to launder my code?
My Hesitation
Before all of this went down, I was working on Rig, a new build system, one that would scale from small projects, to large projects, to everything in-between, including fully distributed and cached builds.
The ideas are so powerful, in fact, that they can form the basis of a Nix-like package manager, an event-based supervision system that would be vastly simpler than systemd while easier to use than s6, and a DevOps deployment system.
In fact, to implement the DevOps deployment system, no changes will be needed to Rig at all; it could do that without any outside help.
In essence, Rig would have been able to build distributed systems in exactly the same way it would build a single project: you specify targets and their dependencies, and Rig would do the rest, including parallelization.
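To make the "targets plus dependencies, the tool does the rest" idea concrete, here is an added toy scheduler. It is illustrative code written for this post, not Rig's own code, and the target names in the sample graph are constructed. It validates the graph, groups targets into waves that can run in parallel (Kahn's algorithm), rejects dependency cycles instead of looping forever, and runs each wave on a thread pool.

```python
"""Toy dependency-graph build scheduler (added illustration, not Rig's code)."""
from concurrent.futures import ThreadPoolExecutor

# Constructed sample graph: target name -> set of targets it depends on.
SAMPLE_TARGETS = {
    "app": {"libnet", "libcrypto"},
    "libnet": {"libcore"},
    "libcrypto": {"libcore"},
    "libcore": set(),
    "tests": {"app"},
}


def validate(targets):
    """Every dependency must itself be a declared target."""
    for name, deps in targets.items():
        for dep in deps:
            if dep not in targets:
                raise KeyError(f"{name} depends on undeclared target {dep}")


def schedule(targets):
    """Group targets into waves using Kahn's algorithm.

    Targets within one wave have no dependency on each other, so a build
    tool may run them in parallel. Waves are emitted in dependency order.
    Raises ValueError if the graph contains a cycle.
    """
    validate(targets)
    remaining = {name: set(deps) for name, deps in targets.items()}
    dependents = {name: set() for name in targets}
    for name, deps in targets.items():
        for dep in deps:
            dependents[dep].add(name)

    # Names are sorted inside each wave so the result is deterministic.
    ready = sorted(name for name, deps in remaining.items() if not deps)
    waves = []
    done = set()
    while ready:
        waves.append(ready)
        next_ready = set()
        for name in ready:
            done.add(name)
            for dependent in dependents[name]:
                remaining[dependent].discard(name)
                if not remaining[dependent]:
                    next_ready.add(dependent)
        ready = sorted(next_ready)

    if len(done) != len(targets):
        stuck = sorted(set(targets) - done)
        raise ValueError(f"dependency cycle among {stuck}")
    return waves


def run_build(targets, action):
    """Run `action(target)` for every target, one wave at a time on a
    thread pool. Returns the action results grouped by wave."""
    completed = []
    with ThreadPoolExecutor() as pool:
        for wave in schedule(targets):
            completed.append(list(pool.map(action, wave)))
    return completed


if __name__ == "__main__":
    for i, wave in enumerate(schedule(SAMPLE_TARGETS), 1):
        print(f"wave {i}: {wave}")
```

For the sample graph the scheduler yields four waves: libcore first, then libnet and libcrypto together, then app, then tests. Extending the same loop to hand each wave to remote workers, rather than a local thread pool, is exactly the step from a single-project build to a distributed one.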
But…will it even matter? Would Rig even be a net gain to the world?
The obvious answer is yes, but it’s not so simple.
Since companies steal Open Source software without a care in the world, what’s to stop companies from stealing Rig and embedding it into their proprietary software?
What will stop them from using Rig to spy on users? What will stop them from using Rig to feed users ads and manipulate them?
What’s to stop them from using Rig to backdoor every piece of software that they build with it, or to distribute a version to users that will backdoor whatever the users build with it?
In other words, what’s to stop companies from using an Open Source Rig to harm users more than it would help?
Open Source or Bust
Okay, well, perhaps the best way to serve users is to not release my code as Open Source? Maybe I should just provide binaries.
That won’t work because Open Source has sort of eaten the software industry; other programmers won’t use your stuff unless it’s Open Source.
Of course, those programmers are all too happy to hide their code from end users, who don’t know better.
Since my software will target programmers, I can’t make it closed source, or it won’t get used. Simple as that.
It’s even worse; Linux distros will often refuse to even package your software if it’s not Open Source.
I’m stuck between a rock and a hard place. If I make Rig Open Source, it could very well do more harm than good, regardless of whether I get paid! And if I don’t, it won’t get used anyway.
Conclusion
Ever since I started trying to not write harmful posts (like this one), I have tried to suggest ways of fixing the problems I have complained about in every post.
But…I can’t do that here. I have no solution.
This is depressing, to say the least. It’s depressing because I see no alternative other than to give up on writing software completely. After all, I can’t get a job, I can’t make money from writing Open Source software, and what Open Source software I do write could end up harming more users than it helps.
I had to accept I couldn’t get a job, but I still thought I could write software in my spare time and help the world.
Was I wrong? Is it now impossible to improve the world with Open Source?
I don’t have the answers to these questions. Until I do, I feel like I should default to doing nothing.
If you have thoughts about this, please feel free to contact me.