[HN Gopher] Professional maintainers: a wake-up call
___________________________________________________________________

Professional maintainers: a wake-up call
Author : FiloSottile
Score : 307 points
Date : 2021-12-11 19:28 UTC (3 hours ago)

web link (blog.filippo.io)

bluefox wrote:
Maybe businesses should pay a tax that goes into paying a respectable universal basic income.

That would make it easier to develop and maintain such software, and it would make it easier for people doing other things besides software development (yes, they exist) to open up their artware without starving.

Then there wouldn't be a need for the insane "professional" formalism described in this blog post.

ozfive wrote:
This assumes that large companies are willing to pay in the first place. In my experience, if most companies can get something half-developed for free, they will jump on it and think nothing further of the ramifications in the future, however near or far that is. Any business that operates on that level deserves what is to come.

vmception wrote:
You can get a closer view of this sentiment in action within communities built on open source with distributed governance. Very many communities in the blockchain space routinely discuss how to compensate the development work necessary, and the recurring theme is that people imagine a nonexistent cheap developer:

An engineer in Micronesia with specialized skillsets.

Try to convince these communities about the need for a well compensated _team_ of people including product managers and designers all making 6-figures and honestly people just don't believe you. The truth is that the cost of living discussion doesn't even matter, people should be compensated on the value they bring (and in those communities that is very easy to quantify.)

This has wildly slowed down many projects as UI and usability are completely neglected.

It's pretty much only been one year that an engineer in this space can reliably land compensation packages somewhat competitive to a tour in NAAAM

heisenbit wrote:
Good maintenance requires skills and a steady hand but nobody is going to pay for it. New software is valued much more and thus is the resource allocation. If maintenance is done at all and not shifted to some lower cost organization or country. The Apple App Store puts a premium on new over working a long time.

jokethrowaway wrote:
This is happening because we created a culture that glorifies an ideal, Free Software, over practical concerns.

OSS is communism applied to software: it doesn't make sense and it doesn't work. After a few generations of idealistic people who sacrificed themselves and worked for free to give us foundations, most of OSS nowadays is just:
- Advertising to let engineers know that company X is cool and you should go work for them
- Ways to keep your staff motivated (who doesn't want to become an OSS rockstar?)
- Advertising to sell an actual business

I'd rather live in a world where companies are building and maintaining software and reselling it to other companies. Unfortunately we made it sound uncool, somehow.

Pay your invoice, get your token and npm install @user-agent-experts/ua-parser

I'm not necessarily against open source and I certainly benefit from and contribute to it; OSS also has the benefit that more people can spot bugs and end users can fix your shit when it's broken.

Still, I would never maintain something that allows companies to use it for free. It doesn't make any sense, no matter how much code the companies are publishing.
throwaway5371 wrote:
no, people should commit security vulnerabilities on purpose; anarchy and chaos should arise

reign of chaos

qnsi wrote:
hail eris

rch wrote:
It seems like Stripe Atlas could be adapted to help people formalize side projects, with invoices and subscriptions, while providing guardrails to keep from having to worry too much about the minutiae of business, taxes, fees and so on.

fleddr wrote:
Apart from the discussion that nobody will pay, have you considered that companies aren't even remotely aware of what they use?

wolverine876 wrote:
Is the lack of a micropayments system the real problem, as with journalism, art, etc.? If people could pay FOSS projects with a click, I think they would. They pay Amazon that way, and that's often for useless junk.

beebmam wrote:
The solution to this, along with many other socioeconomic problems, isn't going to be solved through voluntarism.

This is easily solved with a universal basic income. Some of us would gladly forever maintain and contribute to free software if we had our basic needs guaranteed.

I certainly would

wolverine876 wrote:
> The solution to this, along with many other socioeconomic problems, isn't going to be solved through voluntarism.

Open source has been incredibly successful using voluntarism.

We could also throw in political movements; the all-volunteer military, which has existed on and off since the American Revolution; science (the pay doesn't nearly match the efforts and value); non-profits; teaching (same as science); etc., etc. Why do people feel so motivated to sh-t on voluntarism, which has changed the world with great success? Almost every major advance in history has been accomplished by volunteers (depending on how you define it). Declaration of Independence, Newton, Van Gogh, World Wide Web, etc. etc. etc. ...

qwerki wrote:
It's great to see more discussion in this space. The way I see it:

1) It's really difficult to donate to Open Source; 2) Companies don't get enough value in exchange for donating - They are businesses and think in dollars & cents; 3) and, Devs much prefer to write code rather than chasing companies for donations & sponsorships.

As a result of these dynamics, OSS is very mispriced at the moment. Unfortunately that is going to impact quality and we shouldn't be surprised by the Log4j bug.

andreineculau wrote:
> Professionalizing the role of maintainer

My 2c are that the problem is there, not specifically to OSS. The whole industry is looking down on maintenance and maintainers.

Keeping things working might not be a great career, but it's equally important as creating new stuff, and guess what: some people don't want to create but like to debug and maintain.

A parallel might be drawn with the right to repair electronics. When we get back the culture of repairing stuff, then we will value more the act of repairing. Because now, it's an art of repairing that very few afford.

Jupe wrote:
I don't know... I just don't see how OSS will ever be a real, sustainable business. The moment it does, someone else will simply subvert the paid-for software with a look-alike that does 90% of what the original does, but for free. In my view, this is the birth story of OSS. And I don't see any real market there. Even if you manage to find a "niche", like some sustainable software-as-a-service with subscription, there's nothing stopping someone else from undercutting you... all the way to "completely free".

Moreover, isn't this what's happening to most software, everywhere? Cases-in-point:

Compilers - when's the last time you actually paid for a programming language? I know for me: SAS C in the mid 1990's

Databases - any new solution would likely use a free DB.. and why not?

Digital audio workstations - "free" ones seem to come out monthly

Graphic editors - 2D and 3D alike - the free varieties are getting better every year

Developer IDEs - From console editors to full GUIs to online offerings; all free

Even the business model of "hoping to make server software so good that everyone wants it" fails when hosting services just grab it, re-package with their own branding and profit.

[deleted]

fatcat500 wrote:
If there was a button on GitHub that donated small amounts of money to the maintainer(s) of a project, I would press it frequently for many libraries I depend on.

For example, donating 25 or 50 cents every time I visit gofiber/fiber would be fine with me.

However, there is no way to feasibly charge small quantities of money without the majority of it getting raked in processing fees. For example, Stripe charges 30 cents plus 2.9 percent (last I checked), meaning only ~20 cents would make it to the maintainer(s).

The same issue exists with rewarding content creators. You either donate a non-trivial amount of money (often recurring) like $10 a month (which means you have to keep track of that expense, which is arguably an even greater disincentive for donating), or you don't donate at all.

rubyist5eva wrote:
It's a double-edged sword. They can use your stuff AS-IS WITHOUT WARRANTY, but if something goes wrong it is AS-IS WITHOUT WARRANTY.

We've gotten complacent that open source just exists and is maintained and it's sunshine and rainbows. We've been able to build amazing things on the backs of these maintainers, but you have to factor in that they _don't owe you anything_. So keep that in mind when you're just gonna install some random library from the public package repository because "not invented here" or something.
nobodyandproud wrote:
For businesses, "free, as in speech" is equivalent to "free, as in beer" because I as a company developer can build it and use it. Even better if it's a non-viral copyleft license.

Why pay for the cow when you get the milk for free? There's no incentive for anyone to pay and this has become best practice.

Anyone remember the uproar over CentOS being retired?

There's this unrealistic expectation that maintainers be paid without a real business model, but that's what needs to be done.

Become a business or be part of a business, and find a cost model that is both appealing to customers and self-sustainable.

All of which comes with non-engineering headaches, but there's no avoiding it.

What may help here--and the missing ingredient--is the lack of a professional, trade organization.

In fact, this would solve a number of pressing problems in our industry.

smasher164 wrote:
I agree that appropriate compensation is necessary, but I don't think it's sufficient. There's a lack of visibility and tooling for dependency management/auditing. I can't even find a proper list of critical OSS along with their donation links.

Moreover, there needs to be a fundamental re-thinking of the security model of languages and runtimes, i.e. even if I can eval() user input or load a plugin from the network, it should not be game over. There should be finer-grained access control in programs, both at the type-level and with how they interact with the OS. The global view of "your program can do anything unless said otherwise" needs to change.

neilwilson wrote:
There is of course another way to do this.

The state offers a guaranteed job and collects tax.

Just as it does to maintain the roads.

Toll roads became public roads.

Earning six figures is a chore and frankly gets boring after a while. But if you had enough to keep the wolf from the door ...
pbiggar wrote:
Here's something I wrote in 2018 that could basically be the exact same thing written today: https://medium.com/@paulbiggar/how-to-fund-open-source-8790e...

daenz wrote:
I'm an open source author and maintainer of a somewhat-popular python package[0] (~1M downloads/month) that I've maintained for over 10 years. I don't recall ever receiving a donation. I am still maintaining it, but I just don't have time to add the improvements that it needs to keep up with the ecosystem (asyncio, for example). If organizations who use it got together and chipped in some non-negligible amount, I would be much more serious about keeping up with it, but $0, or $5-20/month, is just not a realistic incentive to compete with other priorities in my life. I don't know the answer, but that's my thought process.

0. https://github.com/amoffat/sh

pdonis wrote:
_> organizations who use it_

Do you know which organizations these are?

nopenopenopeno wrote:
Good for you. The welfare queen megacorps have been too comfortable expecting handouts like open source charity work and public bailouts. Open source software has served the elite executive class while leaving working people to depend on anti-freedom proprietary offerings. I am sick of watching it go down like that. The never-ending data leaks, dark patterns, lock-in strategies, and attacks on encryption and freedom of speech, are all exacerbated by this tendency to yield the commons to the ruling class. If open source doesn't serve working people, I don't care a lick for it anymore. Cheers to Stallman and all, but this is where his proposals fell short.

javajosh wrote:
First, I don't use it, but thanks. (I know, being a maintainer is a thankless job, but I'm a rebel.) Second, the OP addresses this issue directly. He's talking about "making OSS maintenance _legible_" (emphasis mine) to BigCorps via 5-6 figure invoices "on letterhead".

It's a grand idea, and I hope it works. The path to not working is too achingly obvious though. Budgets are always tight (even if you're Apple and you have to artificially make money feel tight). What corp officer with budgetary discretion is going to greenlight a 5-6 figure payment to someone who's not doing work directly for the company? I think the key here is that that person is going to have to a) be principled, and b) be smart about selling it, by emphasizing the fact that the changes were beneficial to our company, and leaving out the fact that those changes were beneficial to every company. It wouldn't hurt if BigCorp got a measurable recruitment bump from it, too.

daenz wrote:
If I could figure out for certain which big companies were using my software, I might try the invoice idea for fun. I expect it would be ignored, but I would send it anyway to prove the idea one way or the other.

gumby wrote:
Big companies don't just pay random invoices;* you need to indicate what project and account (usually IDs from their CRM). So it would merely be chucked out.

* In really big companies it's possible for admins to buy routine stuff below a threshold just to save on paperwork. So there's a scam in which someone sends out a bunch of $100 invoices for "printer paper" -- accounts payable assumes the department code was left off by the vendor but it seems legit so they pay it. Seems like a hard way to collect money.

jsmith99 wrote:
It's called a Purchase to Pay system - whoever makes an order supplies a Purchase Order number from their internal system, which the supplier will reference on their invoice so the accounts team can look it up before paying it.

In terms HN would understand, it's a stateful firewall for invoices that prevents paying orders that didn't originate from your company.

josteink wrote:
If you hosted the package/library yourself instead of in closed silos/package repos, you could directly check the IPs of whoever regularly pulls your stuff.

We all opted for centralized package repos though, so now only they know. And they're not telling us.

Just another "free" opportunity lost to centralization, I guess.

javajosh wrote:
_> We all opted for centralized package repos though, so now only they know. And they're not telling us._

I'm sympathetic to the view, but there really are some things that are better centralized. Reducing code into binaries is something that a "fair" 3rd party is going to be better at than the 1st party. Why? The 3rd party central source is (presumably) mechanically cloning and building, whereas the 1st party is doing much much more. Effectively the 3rd party offers a better guarantee to the end user that this binary corresponds to that particular source.

Also, the way to measure who's using your code is to put runtime telemetry in there. Distasteful, but so common now with every kind of software, it's crazy. Yes, even OSS CLI programs phone home now (heck, ohmyzsh phones home every time I open a terminal!). For a generic server library, you'd add a check to make sure it's the most recent version and print that out to stdout on startup.

See, it's not user hostile, it's to keep them informed of updates! /s

oauea wrote:
> ohmyzsh phones home every time I open a terminal

are you talking about the update check that by default runs once every 14 days[1], or is there something else?

[1]: https://github.com/ohmyzsh/ohmyzsh#getting-updates

indymike wrote:
Oh, wow. I've used this before. I think the python community needs to work out how to make it easier for us to identify and donate to maintainers. When I pip install, I never get a "donate here: some url". When I npm install, I do (arguably too much). Anyhow, sh is handy. Thanks!
dalke wrote:
> Open Source maintainers graduating to sophisticated counterparties who send invoices for "support and sponsorship" on letterhead, and big companies developing procedures to assess, approve, and pay them as a matter of routine so that they can get what they need from the ecosystem.

The first 1/2 already exists. It's the companies which need to change.

I say this from experience. I'm self-employed, with my own company. For the first 15 years my plan was to provide commercial support for open source packages I worked on. I had an LLC, an accountant, I paid a designer for a logo, etc.

I co-founded the Biopython project and offered commercial support for it, with a couple of other Biopython developers under NDA so we could work on commercial projects that used Biopython.

Any interest? No.

I started an open source package for high-performance molecular similarity search. This got some funding, mostly from personal contacts at companies which wanted new features. And people used it.

In fact, at one conference a speaker gave a talk based in part on the results of my software. He commented correctly that it's very hard for a company to spend money on software they get for free.

I commented, correctly IMO, that I offered support contracts, and support is easy to justify to management if they really cared.

(Over the course of the conference, I learned that what they liked best about "free software" was that it is 1) available for no cost, and 2) doesn't come with strings attached - they didn't want to care about upstream.)

My story isn't unique. I'm not the only one to try the "sophisticated counterparty" route. LLCs are cheap.

The real onus is on the big companies. And since that's not going to happen, I now offer proprietary licensing for my once FOSS-only software.

kazinator wrote:
This is completely wrongheaded.

The people responsible for the logging library security are 100% the people who decided to integrate that piece, not some open source person who provides a patch and his three sponsors.

The Log4j library has a LICENSE.txt with clauses "7. Disclaimer of Warranty." and "8. Limitation of Liability."

The wake up call is that programmers should take responsibility for everything that they integrate, including all that they recursively integrate. If you put it in the image, it's your fault.

pselbert wrote:
The only reason I'm able to maintain a reasonably successful open source library is because it is part of an open core business model. Without that I couldn't justify the development effort or relentless support to myself, or my family. Getting a few hundred dollars a month wouldn't cut it either.

Building a business on a stack of other people's hobbies isn't sustainable. I mean, just tell that to anybody outside of tech and watch their reaction.

julianlam wrote:
Agreed. It is exactly the funding model my project (started with two colleagues) endorses. We incorporated federally and keep an open core.

I can't imagine it would be as clear cut for a "library", but it can be done...

dkjaudyeqooe wrote:
Why not start a foundation, or even a business where companies and individuals can voluntarily pay for open source software, like an online store?

Different projects have different prices, but you can pay more.

The money is forwarded to project maintainers as wages, but a "tax" is applied so that some money is redirected to small but growing projects.

Projects that see sufficient income would be certified as having a certain level of guaranteed support, based on the fact that they essentially have a staff to maintain the project. The entity would ensure and manage this. Some of the money would be used to fund this process.
WesolyKubeczek wrote:
You used the word "voluntarily" here, and it's going to be the singular reason it won't work.

Corporations only ever do anything voluntarily if the alternative is tangibly worse, evidently more expensive, or existentially threatening, especially in the short to middle term.

thruflo wrote:
Sounds like an opportunity for a seedlegals.com style SaaS.

There's tipping and sponsorship infra, but is there a service to plug an OS project into corporate-friendly licensing and support invoicing?

mwcampbell wrote:
This post didn't go the way I thought it would. When these discussions get going, I always feel a little guilty because my tiny company doesn't pay for all the open-source software we use. I suppose we should, but it would be hard to make a business case for that, since the software is already free. It would be easy to conclude that this is a problem for the big, rich companies to solve, but I'm suspicious of advocating any action that I'm not willing to do myself.

reidrac wrote:
I don't know if this makes sense: sponsoring one of the open source projects your business depends on, could that work as PR?

Perhaps this could work for any company size, but I guess it depends on what your core business is.

DarylZero wrote:
The real solution is to throw out all the crap at the top of the stack, get down to simpler and simpler code that can be maintained by the people autonomously without corporate involvement.

E.g., Gemini.

baskethead wrote:
If the US government had any sense of strategy, they would employ these maintainers en masse, not only to create good will but to make sure that other bad actors don't get to them first.

bhauer wrote:
I feel as if engineers at firms that build systems that use open source libraries should campaign internally to create budget line items for paying non-trivial amounts to the maintainers of those libraries.

I find it difficult to blame developers individually. Individuals working at these companies aren't going to see it as their role to send some of their own after-tax income to maintainers via GitHub Sponsors unless they are unusually charitable. But I could definitely see my _company_ sending thousands out the door (pre-tax) every year to the maintainers of the libraries we depend on.

For example, imagine your team is 15 people. Have the company budget for and send an additional one developer's worth of salary out annually to the open source maintainers, divided among the libraries in a proportion agreed to by the development team. Yes, it's an additional cost line item, but it's the right thing to do and it won't break the bank.

Open source has reduced costs dramatically for all of us who use it in our dependencies list. A nominal cost line item on our annual budgets is more than fair.

DarylZero wrote:
This makes more sense than blaming the developers.

But ultimately the problem is the same: engineers, i.e. employees, don't control the money. They don't have agency to direct the money toward functions other than enriching the people who have the money.

They may have more agency relatively speaking than free software developers, but on an absolute scale, you can measure this kind of agency in dollars, and it's a pittance.

Maybe they could donate some of their own salaries. Maybe they could get employer matching. Still doesn't seem realistic, but it's closer.

jbk wrote:
> Now is the perfect time for Open Source maintainers to become legible to the big companies that depend on them--and that want to get more out of them--and send them five-to-six figure invoices.

Well, this is exactly what I've been doing around VideoLAN (VLC, x264) and FFmpeg for the last few years. In order to do that, I've created 2 official companies, Videolabs and FFlabs (besides the non-profit orgs), and I've gone through all the hoops to get paid (PO, billing, invoices, registering with large companies is a lot of paperwork, tbh, but well..) and we try and bill small to large companies that depend on those projects.

And FFmpeg and x264 are the core of online video.

So I did exactly what Filippo is saying we should do.

But the result is really not impressive. Seriously, asking for money for support from those companies feels like we're pulling the nails, even if their full business depends on it. Getting 30-50k$ from those companies for support for one year can be very challenging, long or leading to nowhere at all.

So, large SV companies and startups should also start agreeing to pay for open source, when it's the core of the tech.

bdcravens wrote:
Would following an open core model work better, like it has for Hashicorp, Sidekiq, Tailwind, etc? Also, would focusing more on the low 4 figures result in more revenue? I feel the crowd sensitive to open source has that kind of spending authority, but once you get into the enterprise amounts, it's out of our reach to effect change.

ozfive wrote:
At Enterprise levels there is no excuse to be using open source software and not paying some amount to get support. Boo!!! Booo!!! To anyone in an Enterprise that exploits FOSS without diverting funds to it. https://youtu.be/74GdZs2Ilk4

wpietri wrote:
That could work if the cost per sale were sufficiently low. But unless companies set up some sort of low-overhead system for putting that kind of money into open-source projects, I can't see it working. From what I hear, most devs can't just say, "We use project X a lot, so I'm going to fill out their web form right now and expense a $1k annual donation."
jbk wrote:
> Would following an open core model work better, like it has for Hashicorp, Sidekiq, Tailwind, etc?

Yes, I think this might be a better model, indeed.

But I did not start either of those projects, I came on board later; and those models are difficult to back-fit into an existing project.

DethNinja wrote:
Why not change the license to a revenue share agreement with a cap on total amount of revenue?

For example, if a company uses ffmpeg in their products and the product generates a yearly revenue of 1m then they will pay you 1k.

Current open source agreements do nothing to help smaller companies or the maintainers and honestly I find it stupid and destructive.

Charge larger companies more depending on their revenue and let small size companies with less revenue basically use it for free. Isn't this more ethical than letting FAANG use this software for free?

hparadiz wrote:
I really don't understand this mentality. This is what we've all been fighting for since the 90s. A free (as in beer) and open stack of software that anyone can pull off the shelf and use.

So many commercial platforms rely not just on ffmpeg and vlc but also on nginx, php, python, nodejs, linux, mariadb, and everything else you can imagine. We also pay for some very niche things that are simply not available from the open source community.

If my company was liable to have to pay out for each one of these projects we would be bled dry and our business would no longer be profitable. A bunch of people would also lose their jobs in the process.

At my company we have revenue sharing so the idea of having to cut out a piece of the pie for an open source project would not be popular among staff. Most of them aren't even in tech.

ChrisMarshallNY wrote:
_> If my company was liable to have to pay out for each one of these projects we would be bled dry and our business would no longer be profitable._

Unfortunately, building a business on a limited resource that is -currently- "free," is not a particularly wise decision.

VideoLAN and ffmpeg are _amazing_ tools, but a lot of folks have made a lot of money on wrappers (some of which are eye-wateringly expensive). I'd be unsurprised to find a number of license violations in some of these wrappers.

History is filled with examples of people making money on resources that are not sustainable. These folks make a lot of money, until they wipe out the resources.

OS is a limited resource.

pizza wrote:
Open source developers can still release things to everyone for free. Seems fair to say that companies derive value from open source in proportion to their scale. How about a $1m value generated threshold before it's considered impolite for a company to not at least give a little something back?

hparadiz wrote:
Ultimately these tools have already been released for free so asking for a rent seeking style payment after the fact is a little bit like sour grapes. What stops me from just forking the project? Really nothing. If anything open source maintainers that want to get paid should look into a model that mirrors the bug bounty programs. Have bounties for features. Generally these projects only really need security updates.

kazinator wrote:
Throwing money at some outside parties will not ensure that your in-house developers aren't carelessly including snippets of code from the wild into your product.

Klonoar wrote:
Wasn't there some YC company that was trying to act as a sales agent/middle-entity for this kind of situation? If not YC, they at least were on HN at one point.

Curious if anyone knows.
| hncurious wrote: | What's the largest company that uses FFmpeg and has refused? | What did they say? | H8crilA wrote: | You need a proper "asshole" in such organizations that will go | and threaten complete lack of support if the bill isn't paid. | Of course there is a lot more detail in such negotiations, but | the fact is that he/she will be facing similar "assholes" from | the side of the copros. The entire thing is essentially just a | game of standard capitalism. You have to know how to play that | game, though. | | FFmpeg should be able to pull multiple $M per year easily from | all the major corporations that use it. For comparison, $1M is | the total yearly cost of ~3 average engineers at FAANGs. And | most, if not all of them, use FFmpeg quite seriously. | jbk wrote: | > You need a proper "asshole" in such organizations that will | go and threaten complete lack of support if the bill isn't | paid. | | That's the point, they don't pay, and they don't get support. | But they still complain when there is a major CVE. | | > For comparison, $1M is the total yearly cost of ~3 average | engineers at FAANGs. | | I wish we got that... | bogwog wrote: | 1) Create a funding report newsletter for FFMPEG | | 2) When funding is low, big scary exclamation marks all | over the place | | 3) Include a bulleted list of doomsday scenarios showing | what could happen to YOU if a bug/vulnerability is found | | 4) Add a picture of a sad kitten or crying baby for good | measure | | Now just subscribe all of the non-tech business people at | organizations that use FFMPEG, and wait for them to panic. 
| (Make sure that they need to call you to unsubscribe from | the newsletter, especially if they work at the New York | Times) | DarylZero wrote: | >Now just subscribe all of the non-tech business people | at organizations | | Ah, if only one could "just" get a mass of people's | attention and send the message | justinclift wrote: | > Now just subscribe all of the non-tech business people | at organizations that use FFMPEG ... | | Don't do that bit unless you're sure it's not illegal in | your (and their) jurisdiction. | | Spam being a thing, and there being laws against it. | infogulch wrote: | Note "yearly _cost_ ". Between administrative and | organizational overhead, taxes, benefits, etc, typically | only 50% of that cost is actually taken home as employee- | visible salary [1] (which the employee then pays income | taxes on...). $175k is still a healthy salary especially | when compared to other locales, but it's not the $333k that | is easy to presume based on GP's comment. | | [1]: From what I've seen this ~50% number seems to be | pretty close to the mark across virtually all industries | and jobs. I.e. it's pretty safe to assume that the total | cost to your employer to retain you is around double your | take home pay. | cma wrote: | It doesn't seem like that 50% number would just keep | scaling with salary. There is a cap on payroll tax [1], | administration stuff around administering health, | vacation, etc. doesn't change that much, office space.. | maybe so with things like the Apple spaceship ($5 billion | with capabilities for 12,000 employees; amortized over 25 | years would be $16,000 per employee so I wouldn't think | so). | | [1] https://en.wikipedia.org/wiki/Payroll_tax#/media/File | :Effect... | watwut wrote: | Do those specific managers and layers really complain about | CVE? Afaik they don't care or know. | bscphil wrote: | > That's the point, they don't pay, and they don't get | support. 
But they still complain | | You've put your finger on the core of the issue with | FiloSottile's suggestion. The problem is that to sell | something to a big corporation, you need to have something | tangible you can sell. What you have are enormous pieces of | widely used software, being given away for free. Many | companies are going to take that and run with it, and forgo | a support contract entirely. You may argue that they _want_ | support when there's an issue, but the truth is they're | happy enough with the status quo and just complaining a | lot. | | In FiloSottile's model, a corporation needs to use your | software for something specific, but also expects to need | changes to it or prioritized issue support and approaches | you; you send them an invoice with five zeroes on it as a | bill for your services and they are heavily incentivized to | pay for it. | | Unfortunately that's not the reality for 99.9% of open | source maintainers, a figure that includes most creators of | popular software like VLC. I've personally contributed to a | bunch of projects and maintain some of my own, but it's a | hobby. As far as I know no corporations are even using any | of them. Figuring out some software niche that no one yet | has a product in, building it, and waiting for a | corporation to swoop in and drop me a six figure yearly | check cannot be a career strategy. | nerdponx wrote: | Would it be unethical to refuse to fix bugs reported by | employees of large corporations, unless those | corporations pay a support contract or contribute a patch | themselves? | mfer wrote: | > So, large SV companies and startup should also start agreeing | to pay for open source, when it's the core of the tech. | | Companies usually have a reason to keep their expenses low. | Sometimes they are a public company with fiscal | responsibilities. A startup will only have so much runway and | is likely trying to reduce expenses.
| | Given this situation, why will they pay for what they can get | for free? | skinkestek wrote: | > Sometimes they are a public company with fiscal | responsibilities. | | Public companies also have accounts for goodwill in their | books, don't they? | | Also, I'd even say that depending on volunteers for | everything when you aren't in dire straits isn't too | responsible. | watwut wrote: | No, the companies are supposed to generate value for | shareholders. They are supposed to have infinite financial | growth and that is pretty much it. | DarylZero wrote: | That's how it is most of the time but I don't see how you | can say it's "supposed to" be that way. It's | pathological. Essentially it's a form of group | sociopathy. | thedevelopnik wrote: | Yes, you just described Capitalism. | watwut wrote: | Supposed as per economical theory/ideology, legal | expectations and also per "what kind of CEO will get the | job". | | It is not like that most of the time randomly. It is like | that, because the economic system is designed to work that | way. | OJFord wrote: | Yes, but it doesn't mean what you think. | | Goodwill in that context is _towards_ the company, an | intangible asset comprising the value in its brand etc. | mfer wrote: | > Public companies also have accounts for goodwill in their | books, don't they? | | I've worked for multiple public companies and have yet to | see this. I have seen different models. For example, when | they want a feature in an open source project they may | contract with maintainers to pay for work. Or, they may | have a maintainer for a project on staff. | | > Also, I'd even say that depending on volunteers for | everything when you aren't in dire straits isn't too | responsible. | | Responsible to whom? | | People choose to be volunteers. Being a volunteer and | hoping for handouts from companies isn't working out well | for most folks. Maybe it's time to look at other ways of | doing things.
| | Note, I'm not suggesting what the right way to do things | is. I'm just looking at how people are doing things. | Expecting them to behave differently isn't likely going to | bring about a change in them. | wpietri wrote: | It seems like you haven't quite got the concept of open | source. If everybody consumes and nobody contributes, how | long will that last? | | A while back I bought a cheap robot vacuum. Their scheduling | feature didn't meet my needs, so I reverse-engineered the | protocol and open-sourced a cron-friendly CLI tool and a | library so people could do other things with it: | https://github.com/wpietri/sucks | | Honestly, this was a mistake on my part. It was a demanding | audience of home-automation hobbyists mostly without | programming skills. The company was thoroughly unhelpful. | When my vacuum finally broke, I was relieved, as I had a good | excuse for trying to hand off the project. Nobody stepped up, | so I shut it down. I just ran out of interest in doing free | work to support a company worth billions. | | I really admire the community spirit of open source. But it's | not sustainable if companies making their money off it keep | depending on the niceness and generosity of others without | giving back enough to keep them happy, healthy, productive | people. | mfer wrote: | A few thoughts... | | I've long known people who modified cars. Sometimes they | did it as a business. Sometimes they helped friends out. | Sometimes the work was on nights and weekends. The car | manufacturer never had a responsibility to support them. | They never had to support people in forums. Anything they | did was their choice. Sometimes as a business and sometimes | volunteering. | | You didn't have to open source that work. Once it was out | there, you didn't need to provide support. | | Doing volunteer work and hoping for generosity from | companies isn't working. | phkahler wrote: | >> You didn't have to open source that work.
Once it was | out there, you didn't need to provide support. | | That's true. The problems brought up in the article all | stem from companies relying on open source and then | getting into trouble when there are problems with it. | They would pay if they had to. | | The core problem is that everyone wants something for | nothing. Sure companies appreciate that they can get | billions of dollars worth of infrastructure software for | free. Individuals appreciate that they can get useful | software for free (though many don't care if it's FLOSS | or illegally obtained commercial). People will take what | they can, and pay for what they must. Open source is | sometimes better than commercial, and even if the | developers were paid industry rates it would be much | cheaper because companies charge rent for software - not | for development. | bawolff wrote: | > It seems like you haven't quite got the concept of open | source. If everybody consumes and nobody contributes, how | long will that last? | | I think that's a pretty unfair characterization of the | previous post. | candiddevmike wrote: | IMO, I think the golden age of completely FOSS apps (no | open core) is ending/has ended as users expect more | features and apps struggle to meet demands without | effective monetization. I think open source will always | have a place for libraries and tools, but end user | applications will either become open core or no longer open | source. | smorgusofborg wrote: | > as users expect more features | | I think mobile was a reprieve for commercial software and | UX specialists and the increasingly negative comments on | new OS versions indicate it is close to done like | desktop. | | For every user that likes a change there are 19 that | prefer the flow they already learned to stay exactly the | same and at least half are looking for exploitive | attempts to modify their behavior in anything a publisher | changes.
| the_af wrote: | > _I think open source will always have a place for | libraries and tools, but end user applications will | either become open core or no longer open source._ | | Very sad if this ever comes to pass. It's a world in | which I would never have learned about computers or | decided to work with them. I think it makes more sense to | charge big companies but keep software free and libre for | individuals. | | (I don't think this future will happen though: I think | it's based on a deep misunderstanding of what drives FOSS | developers to do what they do). | laurent92 wrote: | Shouldn't Open Source be considered the 8th wonder of the | world? | | - OSS allowed an entire industry to flourish, | | - It has had so many contributions that it is easily the | category which is the biggest benevolence of the world, | and possibly the biggest achievement of humanity, | | - It allowed the entire world to go securely on the | internet (launch a Debian and it's secure and up to very | high professional standards without effort, try doing | that in the legal field), | | - Its results are permanent. In 2100, documents written | in Office 365 or Adobe will be lost, but they'll be able | to recompile LibreOffice, Chrome (at least Webkit) or | Wordpress. Benefits of OSS accrue over time, as opposed | to closed-source software which is sold under closed | license and DRM. | wpietri wrote: | Entirely possible. Although I suspect more libraries and | tools will go that way as well. Note that mine was in | theory a library/tool. And the examples mentioned in the | blog post were similarly infrastructural. | | Most of us work at such high levels of abstraction we | couldn't even name all our dependencies. Which in effect | makes us the same sort of consumers app users are: | expecting a lot out but not putting anything in. | usefulcat wrote: | >> Given this situation, why will they pay for what they | can get for free? 
| | > If everybody consumes and nobody contributes, how long | will that last? | | That doesn't answer the GP question, which is all about | incentives. | | The answer is, at least some parties won't pay for what | they can get for free. So the options are: | | a) deal with it | | b) require payment | | c) come up with some way to incentivize more donations | meheleventyone wrote: | d) stop | | It's not like there is a parable about killing the goose | that laid the golden egg to teach you how to appreciate | these things. | [deleted] | KarlKemp wrote: | In strictly economic terms, it rarely makes sense for all but | the largest users of some upstream project, putting that | proposition squarely in tragedy-of-the-commons territory: | it's better to hope for others to support it. | | That applies even to existing sponsorships, however. Their | existence thus points at more than cold-blooded short-term | business interests being at play here. While corporations are | in theory seeking only shareholder value, corporations happen | to be (made up of) people, who are capable of altruism, and | should be encouraged to use it. Just because US capitalism | has managed to build a not-entirely-failing system on | unadulterated selfishness does not turn that mindset into a | virtue, or even reality: as far as I can tell, the dominant | reason for sponsorship is that some person with a bit of | authority likes the idea. | | They may consider it good for marketing, or recruitment, or | to secure their supply chain, or just morally called for, or | they want to be the fat cat at this year's TINYTEC-CON. If you | asked them, they'll give you a reason that totally makes | sense for a business and has little to do with reality. And, | no, nobody ever got sued or fired for these decisions. So go | ahead, do it! You got all the left-padding you needed, it's | right to pad their wallet in return. | | (recycled from earlier comment on the topic) | DarylZero wrote: | Right.
Mostly they wouldn't even pay employees if they could | get away with it. We have to make laws about it. | imachine1980_ wrote: | like dual licenses? Qt? | DarylZero wrote: | I mean just ordinary employees really wouldn't get paid | at all if not for labor regulations. | | Just look into the amount of simple "wage theft" | (employers forcing employees to work off the clock, etc.) | that exists in the USA. | | Of course, this country fought a war over the issue of | free labor from black slaves. | jokethrowaway wrote: | What you say is nonsense. Companies will try to pay as | little as possible to make more profit. They won't pay | you more than you can make them. Employees will try to | get paid as much as possible. They won't work for | something they can't live on. | | All is good and dandy. | | If employees are not getting paid, they'll go and do | something else (like another job or growing food | themselves) or steal and starve if there are no jobs or | resources. They would never work for free because they | can't live without eating. | [deleted] | jbk wrote: | > Given this situation, why will they pay for what they can | get for free? | | See the article... | mfer wrote: | I was responding to the parent comment not the article. The | article makes great points. It essentially talks about a | services and support business around open source. Some have | been doing this for decades. | | When you have contracts and support at a cost you aren't | doing the work for free. The article is talking about | running open source like a business rather than a volunteer | situation. That means, you're not doing everything for | free. | jbk wrote: | > It essentially talks about a services and support | business around open source. | | Which is _exactly_ what we are doing... | Terry_Roll wrote: | It ain't going to happen, have you read some of the contracts | linked to opensource, it will be a minority who make money from | it.
For example, I could use opensource internally, add | features to it but I don't have to submit those changes back to | the main source for others to use. Not only that who is going | to police it? It's not like there is some magic open source | police who will police my computer is there?!? So sure whilst | the statement is true that Open Source runs most of the | internet, the companies using it like Facebook or Google are | not under any legal obligation to submit any changes back to | the public domain for the greater good under some of those | contracts. Even MS has some APIs which come very close to | mirroring Open Source functionality which makes me question MS: | is this legal?! | | Open Source is just naive charity, much like the UK Govt | exploited the charity of the public by helping along a weekly | 8pm clap for NHS workers on a Thursday night during Covid | lockdowns. A weekly clap ain't going to pay the bills and the | rich will say anything to get out of handing over money. Hard | lesson but it's the truth, they would rather spend on PR image | control than pay bills IMO. | | So sorry, Open Source is something people can practice on and | not get paid for except in a consulting role at best. | StreamBright wrote: | It is really not that hard with the right licensing. | | Offer your FOSS project with the meanest anti-corporation | license you can find (AGPL?) which is not going to bother your | user base but it is going to be a major hurdle for any | corporation and then offer the software with a corporate | friendly license for 100.000 / year. | | Wouldn't this work? | coldpie wrote: | You run into problems when there are contributors other than | yourself. | [deleted] | tomxor wrote: | Unpopular opinion: | | Maybe there is nothing wrong with the "status quo", maybe we | don't need _yet another_ attempt to finance small FOSS projects | where it's hard to explain how money will actually solve any of | these issues.
| | _Maybe_ people just need to be more considerate of what they | depend upon. And in the case that a popular yet well maintained | project has a CVE one day, _maybe_ we need to accept that | popularity does not make them invulnerable to bugs, all software | has bugs. | | </unpopular realist's opinion> | jjoonathan wrote: | "Being considerate" and "accepting" can't fix bugs. Time and | money can fix bugs. We need to get these projects more time and | more money. | rglullis wrote: | No doubt. The question is who should be paying them? | finnh wrote: | Would more time or money have prevented the log4j bug? If anything | that strikes me as coming from too much time spent on | overarchitecting something. | jjoonathan wrote: | That's more an argument against old-school "no amount of | architecture is ever enough" Java -- not so much an | argument against the principle that engineer-time can fix | bugs. | watwut wrote: | This bug was not a consequence of not enough developers. | And there will never be a guaranteed "no security issue" | situation. That level of certainty is simply too | expensive. | taberiand wrote: | Money spent on dedicated testing might have discovered it | earlier perhaps? | mro_name wrote: | I don't think testing is the silver bullet here - it's | about system boundary awareness. | jsiepkes wrote: | I don't really see how the Log4J2 issue would have been | uncovered by testing. It's not really a bug but more of a | design flaw. | | The reason is that the whole JNDI string interpolation | feature by itself opens a door to a whole world of | layered complexity which you can't comprehend. And even | if you could comprehend it all Java could add some | feature to JNDI which introduces an issue which wasn't | there when it was all tested.
| brabel wrote: | Exactly, the JNDI feature has been on the docs for | everyone to see for several years: | https://logging.apache.org/log4j/2.x/manual/lookups.html | | Anyone who knows anything about JNDI would've immediately | recognized that this was an incredibly bad idea, as JNDI | attacks are well known around black-hat circles (LDAP is | just one of the things you can do once you have JNDI | available). | | Yet, here we are, several years later, acting surprised | this thing existed and thinking that tests would've | helped!? What kind of tests, exactly?!!? I think I am to | blame myself, as are many other Java developers who actually | use log4j, have a good understanding of how it works, | know JNDI and LDAP, yet never connected the dots and | noticed what this incredibly stupid feature was making | possible. | beiller wrote: | Open source always trails professional software solutions. | Yet time after time it will eventually surpass them as the | bleeding edge moves further. Maybe we can view it in such a | way that major companies have become too reliant on free open | software. If you want secure software, pay for it. The | knowledge will eventually flow down to free software because | it's ultimately run by hobbyists. I like the way it is and I | don't see it changing because so many are just donating free | time to open free software. Maybe something we could do is | make open source contributions tax deductible (if we could | somehow price it accurately) | er4hn wrote: | I would say that this is different from "hard to explain". What | is being proposed is essentially "OSS with a paid model for | premium support / feature development." It shifts the language | from "donations", which companies don't understand, to | "consulting", which companies do understand. | | It's not completely novel, projects such as openssl and sqlite | do offer paid consulting, but it's not normalized among | companies to pay for doing so.
If Filippo can normalize having | OSS be treated as paid consulting engagements I think that | would be wonderful for the community. | tomxor wrote: | > OSS with a paid model for premium support / feature | development. | | Adding features does not reduce the likelihood of bugs, if anything | the opposite. | | It's very difficult to come up with a paid model that | specifically encourages a preventative strategy towards bugs | and security flaws. Currently the best we have is getting | people who care about those things to build software. | pixl97 wrote: | Yep. Working for a company that makes paid-for software, | customers always want more features. It's really fun when | paying customers want mutually incompatible features added and the sales | people and developers go at it for months trying to figure | out how to make it work. | | Then, maybe a year later, that feature is no longer the hot | new thing and it becomes abandonware inside the | application. If your app isn't cloud based you have no | idea if you can rip the feature out or not as you have no | idea how many people, if anyone still uses it. | brabel wrote: | Quite honestly, I think that if companies paid open source | maintainers to get the features they wanted, the log4j problem | would NOT have been averted at all, it would likely have | happened earlier... notice that the source of the issue | (support for JNDI lookups right into any log messages) was | introduced because of someone asking for that feature (and | getting it for free!)... if a company had paid for it, it | would've been just the same, I doubt very much the company | would have done any kind of security veto on the | implementation. | | What's needed is for open source libraries to somehow get | "rated" by security experts before they get used by businesses. | If those businesses using it paid for that, and then paid | someone to fix any issues found, then I think we would have a | working solution.
Just paying for features would just make | things worse... have you ever seen companies paying for | security features, though?? No, I haven't at least... they pay | for business features that will make them money, they hope, | security is kind of just implied (and they might lay the blame | entirely on the developer if they actually had a business | relationship with them - which may be a big nightmare, | actually, for OSS developers - and I am one of them myself... | you can no longer use a license that just says you're not | liable for anything bad that happens). | F6F6FA wrote: | Perhaps OSS has become too sophisticated and professional- | standard for its own good, while still being created and | maintained by amateurs. | | I have an analytics package which is apparently being | evaluated by the military of a large country. Even if the | code is secure, now the maintainers themselves are under attack. | | For I am definitely a weaker link than a soldier or agent or | gov department. Did not expect such usage when creating this | project. If said government had seen how this was developed | and tested, they would probably physically destroy the | machines it is installed on. | qwerki wrote: | Open market dynamics should in theory change this one way or | another. Long term you can't have some code cost $0 while an | SWE's code costs $300k+ per year... Reality is open source code | is badly mispriced right now. | geerlingguy wrote: | No thanks. | | Maintaining business relationships with $megacorp is one of the | primary reasons OSS maintainers (maybe just speaking for myself, | but I don't think so) do their OSS work, and don't develop | proprietary software and market and sell it around a business | venture. | | If you start writing up contracts or accepting direct payments | with any strings attached at all, the dynamic is completely | changed. | foothall wrote: | +1. | | This can lead to corporate capture. We see this in some | projects already.
| WJW wrote: | Not to mention that the dynamic would completely shift in terms | of community contributions. If I submit a patch to a free | project where the maintainers make nothing, I wouldn't even | think of asking for anything in return (even if it is a project | used by bigcorps, such as Redis or GHC). If I know that the | maintainers get paid a full salary for maintaining the | software, it becomes a much weirder thing to send them bugfixes | for free. | kam wrote: | "Sending them bugfixes for free" is both a benefit and a | burden to an open source project. It takes maintainer time | and effort to review the fix, test, make releases, etc, and | that's a thankless job. When a company pushes their patches | upstream, they're gaining a benefit for themselves (avoiding | maintaining a fork), and potentially benefiting any other | users who might be affected by the bug or want the same | feature. But they're also adding to a maintainer's workload, | and that's often the scarcest resource in open source. | WJW wrote: | Fair enough, but I didn't mean sending in bugfixes because | I need it for my employer, I meant sending in bugfixes (or | features) to a project that I wanted to make because it | bothered me. For example, some time ago I sent in a patch | to use better data structures in an event loop library that | I think is cool but otherwise don't use. | | Should OSS devs optimize for my (probably quite rare) use | case? Probably not, but the feeling when making a patch for | something that I like is still different when the | maintainer runs it as a business compared to when they run | it as a hobby. | | (This is what the whole discussion seems to be about btw. | Some people like to program in their free time as a hobby | and other people would REALLY like guarantees about the | software that cannot be made without losing the essential | hobby-ness of it) | KingMachiavelli wrote: | It would certainly help if the IRS did _something_ to encourage | open source. 
You can donate a work of art to a museum for a | deduction but you can't donate 20 hours of labor. The IRS is | deliberately becoming more strict [1] so many current non-profit | software foundations e.g. Apache are actually the exception to | the rule. | [deleted] | er4hn wrote: | Filippo, I think that what you are proposing is an unusual, even | radical idea. I hope you are able to follow through on it for | yourself and that you can inspire others to do so by seeing the | path you are marking. | daemonhunter wrote: | Side note: dang there are salary discrepancies in the SWE | community. | 1_player wrote: | There are salary discrepancies everywhere in the world. If you | mean the salaries across countries, you're comparing apples and | oranges. EUR100k in Berlin goes much further than $100k in | Houston (a random big city in the US, I don't think Berlin is | comparable to NYC) | usrbinbash wrote: | Not to mention the person in Berlin has access to state | funded medical support, a state funded pension, paid sick | leave, paid ma/paternity leave, ... | | Salaries are lower, but expenses for essential services are | simply A LOT less in most of Europe. | jakear wrote: | Tech companies also pay for health insurance, sick leave, | and ma/pa leave. Sure pensions aren't a big thing, but | increased savings from increased salary can make up for | that (not to mention 401k). | usrbinbash wrote: | The difference: It's not up to the companies in most of | western Europe. These services are guaranteed by law, and | provided by the state. | | >but increased savings from increased salary can make up | for that (not to mention 401k). | | And huge medical bills can quickly eat up even | substantial savings...that doesn't happen as easily when | medical services are provided by universal coverage. | | Also, state guaranteed pensions aren't lost if some | company in a portfolio crashes.
| JJMcJ wrote: | > pay for health insurance | | Have cancer, or a premature baby with 90 days in Neonatal | Intensive Care, in the USA, and get back to me on your | health insurance. | jakear wrote: | The fun thing with healthcare bills is you can just... | not pay them. There's an immense amount of medical debt | in the country, and it tends to get passed around for | pennies on the dollar to people who think they can strong- | arm it out of you. Ignore them, and they're stuck holding | the bag. | | Your credit score will take a hit. But that's of | relatively little consequence. | daemonhunter wrote: | There are big discrepancies in the US alone. I'm comparing | mine (L6+) to those. | lumost wrote: | Once upon a time, the best way to get a software job was to | demonstrate your ability to build _useful_ open source projects. | 10 years ago the Principal Engineers I would work with had super | sized open source portfolios which lent them both credibility | and experience building products people liked. Junior devs would | search (sometimes in vain) for issues where they could contribute | a few PRs. | | Now the best way to get a job is leet code, leet code, and more | leet code. Rather than spending <5 hours a week working with real | code and producing real value on open source projects - most | career minded engineers will simply focus on leetcode. | | Not many people patch esoteric software that's been around for | 10+ years because it's particularly fun or because there is | specific business value in it. | ogogmad wrote: | > Now the best way to get a job is leet code, leet code, and | more leet code. Rather than spending <5 hours a week working | with real code and producing real value on open source projects | - most career minded engineers will simply focus on leetcode. | | Maybe more broadly: The only way to prove that you're good at | X, is to do X well. An artist is only as good as his portfolio. | The same is true for all creative jobs.
| | I'm thinking that these proxies (see all attempts at | standardised testing) are a disease of our time. | didibus wrote: | I'm not sure I fully agree. Doing open source doesn't mean | you do it well. You have no sense of how quickly, efficiently | and independently they managed to achieve it. I'd much rather | hear from prior experience, and probe about situations and | scenarios they were in, projects and problems they | contributed to, and hear the story of how they went about | it, how long it took them, what they did in the face of | setbacks and pressure, etc. | | I have seen first-hand developers that are just okay or below | average successfully deliver on open source, because you have | infinite time, no constraints, no stress and get to choose | exactly what you do or contribute. But in a work environment | they struggle, given ambiguous problems they struggle, given | time constraints they struggle, given changing needs and | demands they struggle, working within a team they struggle, | given something outside their area of knowledge they | struggle, etc. | [deleted] | ignoramous wrote: | Neither of those make for good _filters_; though they are | decent enough _indicators_. Most engs can't be bothered with | leetcode, let alone F/OSS. | didibus wrote: | This might sound weird, but I find every time someone publishes | or contributes open source, they are stealing value from me, | because it is one less thing that a company will need me to | implement, build and maintain for them, instead they'll now | expect me to simply use the existing free of charge open source | one. | | Not only does it feel like value is stolen from me, open source work | tends to be the most interesting, and as more and more is done | and offered for free, my work becomes less and less | interesting, and the job becomes more about connecting and | configuring all these open source systems together.
| | Needing to contribute free work in open source before getting a | job therefore sounds like the biggest of scams to me. | loudmax wrote: | I guess in the same way that public libraries steal value | from book publishers and public education steals value from | private tutors. Also, how rainwater steals value from bottled | water companies, fresh air steals value from air filter | vendors, and sunlight steals value from the electric company. | didibus wrote: | Libraries still pay for each copy of a book, and in some | countries royalties are paid out each time the book is | borrowed. The library is not allowed to make additional | copies of a book and borrow them either. Public education | pays its teachers. | | But overall I'm not in disagreement with you, you could say | open source is done as part of the greater good and | advancement of technology and computer science, and not for | personal capital gain. That also means that it isn't meant | to be a sustainable career path, or job that you can do | full time though. | wolverine876 wrote: | I can understand the perspective. But it goes both ways: | Aren't you (and I) 'stealing'? How much do you use open | source, as a developer and as a user - and just to post his | message: try enmuerating all the open source that goes into | it. | | We benefit far more than we can ever repay. | didibus wrote: | > How much do you use open source, as a developer and as a | user | | As a user I agree, things would probably be more expensive | if nothing was open source. But as a developer, I disagree, | my employer would simply need to pay for the stuff I use, | or they'd pay me or another developer to build them one. | And this is precisely what the article argues, that | companies should pay for it. If there wasn't any open | source logging library, the maintainer could either work | for a company that offers a paid one, start his own | company, or work for a company that pays him to maintain | one for them. 
| wolverine876 wrote:
| > But as a developer, I disagree, my employer would simply need to pay for the stuff I use, or they'd pay me or another developer to build them one.
|
| Good point, but you would have a much smaller industry and platform without FOSS, and there is no way you could build all the libraries, tools, etc., yourself. Even FAANG depends on FOSS. If everything had to be paid for and professionally developed, licensed, etc., there would be much less around, and nobody could fork and innovate - there's a reason people develop and use FOSS.
| didibus wrote:
| I think that's the counterargument, and I can imagine it being true, but I also think we just don't know. Maybe there'd be just as much advancement but more developers would be properly compensated. It's hard to say exactly what would have happened because we're talking about an alternate history.
|
| Lowering the barrier to entry by being able to leverage a lot of free stuff probably helps make the industry bigger in having more startups, but I also can't say for sure there wouldn't be more jobs or higher paid jobs otherwise.
|
| In the end, I'm not trying to push to end FOSS, but I'm trying to bring to the front the contradiction I'm seeing of people wanting FOSS but also wanting FOSS developers paid a full wage. It seems fundamentally at odds: if you want people working on logging libraries to be paid full wages, stop making FOSS logging libraries.
| wolverine876 wrote:
| > I think that's the counterargument, and I can imagine it being true, but I also think we just don't know. Maybe there'd be just as much advancement but more developers would be properly compensated. It's hard to say exactly what would have happened because we're talking about an alternate history.
|
| Yes, valid and important point. We could look at how other industries develop. Software + Internet is especially conducive to 'free' products. Other industries must at least share knowledge, which arguably is embedded in software.
|
| > I'm seeing of people wanting FOSS but also wanting FOSS developers paid a full wage. It seems fundamentally at odds, if you want people working on logging libraries to be paid full wages, stop making FOSS logging libraries.
|
| Unarguable logic ...
| Scarblac wrote:
| We benefit far more than we can repay, but "stealing" is too strong. It's what the author who adopted an open source license explicitly intended to allow.
| wolverine876 wrote:
| Agreed. I used the term to compare it to the parent comment.
| Scarblac wrote:
| That's a good point. We as developers trying to make a living doing it are competing with an ever-expanding sea of OSS. And therefore we'd be mad to contribute to it, for free even.
|
| On the other hand, from the viewpoint of all of humanity, it is great that there exists a huge amount of software that is usable by everyone for free.
| orangecat wrote:
| This is just the broken window fallacy. Hobbyists giving away schematics for unbreakable windows are not stealing from your window repair business.
|
| Yes, having open source competition means you'll have to either build a superior product that customers are willing to pay for, or find another niche. That's a good thing.
| didibus wrote:
| > That's a good thing
|
| Good has many dimensions. I'm saying that as a developer, FOSS means people don't need to pay you to build those things, only to use them, and that's why FOSS developers themselves don't get properly compensated, because they chose to build it for free.
|
| You could say FOSS is a good thing if you talked about computing progress, or barrier of entry for a startup wanting to build an app, or as a great source of examples to learn from, etc.
|
| As for your comparison, I don't think it holds, because very rarely are FOSS contributors hobbyists, most of them are professionals. So it is much more akin to a professional window engineer giving away free schematics for unbreakable windows, which means that companies manufacturing unbreakable windows no longer need to pay a professional window engineer to make schematics for them.
| watwut wrote:
| I don't think there was ever such a time. Only a tiny minority of developers ever had open source projects and some companies even actively discouraged that.
|
| Moreover, with the industry moving towards agile, having a project and developing in a company are massively different kinds of work.
| jeffbee wrote:
| I don't know if that is objectively true. There are numerous small companies who will leetcode every candidate. Then there are Google and Microsoft and the other bigs who hire thousands of people every week, where the best way to get hired is to have a Ph.D and get referred by insiders.
|
| Mediocre candidates getting leetcoded by mediocre companies may be a highly visible pattern but on an industry scale I am not convinced it is the dominant mode.
| pcwalton wrote:
| Having a Ph.D. and getting referred by insiders in no way reduces the amount of LeetCode you have to grind for Google interviews.
| pixiemaster wrote:
| Well written.
|
| One thought: I disagree with the classification of (senior) software engineer.
|
| I think it's more comparable to a VP of Engineering in a company with n engineers (n = count of committers/involved), so salary estimates are even higher.
| jedberg wrote:
| When I worked at eBay, our policy was that we had to use RedHat and that any open source we used had to be provided by RedHat or we had to get a support contract from someone else who would be willing to 1) support the software and 2) accept legal liability if it failed.
|
| #2 was the big sticking point. RedHat made a lot of money accepting that legal responsibility, but very few others were willing to do so.
| It made using software difficult (and a lot of us just ignored the policy).
|
| But if you follow this advice, you may end up accepting legal responsibility for the software, and that may be bad.
| rightbyte wrote:
| Heh ... I recall somewhere in an Emacs manual it says "prints the non-warranty, or the warranty if your version of Emacs comes with one".
|
| I thought that was a joke. What did the warranty disclaimers say on your system?
| AnotherGoodName wrote:
| That edit to the XKCD image is pointless since it's the same joke but worse.
|
| https://xkcd.com/2347/
| philosopher1234 wrote:
| There should be an umbrella company that takes ownership of a large number of major projects, charges a single licensing fee and grants access to all of them or none of them. It should remain free to amateurs and should be free or cheaper for small businesses.
| the_gipsy wrote:
| Please define "unsustainable".
|
| It has worked great for decades, both for the free market side, and for the FOSS community.
| fivelessminutes wrote:
| It has certainly 'worked great' for leeches, if you ignore bombs like this logging bug destroying Western civilization.
|
| Can you explain a bit more how it worked great for the bulk of maintainers / authors who don't see any return on their work, burn out and have to do something else?
| yjftsjthsd-h wrote:
| > It has certainly 'worked great' for leeches,
|
| And for communities, and for sponsoring companies, and for some (although not all) authors.
|
| > if you ignore bombs like this logging bug destroying Western civilization.
|
| ...yeah, no; a library had a bug. Somehow, Western civilization is still here.
|
| > Can you explain a bit more how it worked great for the bulk of maintainers / authors who don't see any return on their work, burn out and have to do something else?
|
| Can you explain why you think the majority of authors/maintainers burn out?
| nosianu wrote:
| > _authors who don't see any return on their work, burn out and have to do something else?_
|
| I don't understand this argument. Nobody starts an open source project - and posts it in the open to share freely - expecting to make any money. Is there even any significant number of projects with a donation or a Patreon page?
|
| Webnovels I read on RoyalRoad all have it and are much more successful than I would ever have thought given that the stories are all completely free and all anyone who pays a story author gets is a few chapters ahead of others, but I can't remember any of the numerous OS projects I use one way or another even trying to make any money.
|
| I _did_ see burnout in some projects. I once joined as co-maintainer of a medium sized project and was left as the sole maintainer because the main author just up and left and was unreachable (we only heard of him again over a year later, and he never touched that particular project again).
|
| All the stories I saw had nothing to do with money at all though, just getting fed up with the expectations. In "my" project's case it also was the large amount of complexity and technical debt that made the original owner's attempts at adding and/or refactoring a huge time sink, and he probably would have been better off starting again from scratch (it's what happens after adding more and more features in a complex cross-mobile phone platform library project's code).
|
| None of those "disillusioned open source maintainer" stories I saw ever included any attempt at making money with it. Disappointment at not being able to get money from anyone only ever comes from people starting a commercial project (a new company); if that kind of disappointment exists for freely shared open source software then I must have missed all instances of such a thing happening.
|
| > _It has certainly 'worked great' for leeches, if you ignore bombs like this logging bug destroying Western civilization._
|
| All of life and especially commercial life in anything slightly sophisticated or at scale is "muddling through" to some degree. The same as biological life actually.
|
| So overall I agree with the previous statement that it worked quite well. Nobody should be called a "leech" for using projects that were meant to be shared openly and freely, given the license and method of distribution (e.g. freely on Gitlab or Github).
| rglullis wrote:
| Do you pay for every piece of open source software you use? How much? What are the criteria you use to determine how much you want to give them?
|
| Yes, it would be _very good_ if more people started to contribute to software they depend on, but to call them "leeches" is not only against the spirit of free software, it is counterproductive as it will probably lead people to the idea that proprietary/closed source is better.
| [deleted]
| bryanrasmussen wrote:
| There is no past tense for unsustainable, so if one wants to indicate something was unsustainable in the past they say it 'was unsustainable', but if they want to indicate something will be unsustainable in the future they just say it is unsustainable, one of the downsides of English; also, "past performance is no indicator of future performance" applies to many things outside investing.
|
| In other words open source as it was practiced was sustainable up until the point it got taken advantage of too much by big players not putting things back into the system. At this point it has become unsustainable.
| uniqueuid wrote:
| At the very least, it's unsustainable to maintainers as people, because many are burning out (I have no data, so this is an assumption).
|
| As a result, it's also unsustainable to other coders because the OSS ecosystem grows replete with broken and stale code that is no longer maintained and which creates cognitive cost to ignore/prune.
|
| Both might grow in a non-linear fashion, which would be really bad news.
| dash2 wrote:
| I maintain a tiny, tiny, unimportant open source package. It gets about 10K downloads a month. Assuming that each of those downloaders saved one minute of their time on average, and their time is worth $15/hr, I'm providing a service worth $2500/month.
|
| I'm starting to think, how could my next project provide the same value, and get paid for it?
| JJMcJ wrote:
| Hmm, 25 downloads at $100 per month would do it.
| WesolyKubeczek wrote:
| There's a whole old elephant in the room, but we're not really talking about it because it's an elephant everyone loves to hate. And yet.
|
| This is a model that MPAA and RIAA use. And their equivalents in countries that have functional copyright legislation. Most first world countries have one. Don't get me wrong, they are mostly rent-seeking racketeers, but if you try to weasel out of paying for stuff you're using for your own profit, you're bound to get one.
|
| Either some law pertaining to maintenance of "digital commonwealth" or some other nice name is passed in enough countries so other countries have to follow suit if they want to be in good company, and organizations with teeth, one per country, are set up to make sure the "digital commonwealth" tax is collected from everyone, big and small. They will even distribute money among creators, by usage or something.
|
| Microsoft would probably love to be such an arbiter. They have Github. They have all the stats. They know if your company had been naughty or nice, how many times they downloaded your stuff, and how many times their employees were demanding shit in issues. It's child's game to join the party, just have an account with them.
|
| Or we just piggyback on the existing copyright legislation and give RIAA and their likes more power and custody of making sure OSS maintainers don't starve. They will surely protect their interest with eagerness, who wouldn't like more profit?
|
| Of course, companies will try to fight tooth and claw. They will tell you all sorts of doomsday scenarios, how the poor megacorporations won't be able to afford it, how they will have to raise your subscription fees. Gee, haven't we seen those crocodile tears when free roaming in the EU was going to be established? We also know how it ended: they all sucked it up, complied, maybe their profits took... well... not a hit, but a nudge maybe. Companies who have to buy music know how to pay the music tax to copyright racketeers. They will get used to that.
|
| They will also be happy to pay just one entity and be done with it. And if you dare start a company using F/OSS, you're in for the largest financial hit. The little man always suffers the most in such schemes.
| [deleted]
| skeeter2020 wrote:
| Everything stated about the risks and current deficiencies is true. Meanwhile the OP works for Google on OSS, one of the "untenable" approaches to funding it that is lamented. Nothing else presented is close to an alternative solution; there's no "ask" that would fix the situation, let alone an attempt to lead by example, so what's the point of this post?
| wutbrodo wrote:
| > This is what I hope to see happen more and more: Open Source maintainers graduating to sophisticated counterparties who send invoices for "support and sponsorship" on letterhead, and big companies developing procedures to assess, approve, and pay them as a matter of routine so that they can get what they need from the ecosystem.
|
| In what way is this not an ask?
| moksly wrote:
| The alternative to what we have now is not going to be a healthy OSS community. The alternative is going to be big companies insourcing more of their libraries.
|
| The only reason why OSS has seen the uptick it has is because major companies profit from it. Microsoft didn't embrace open source because it had a change of morals, it embraced open source because it started making so much more money from enterprise orgs switching to Azure compared to selling us licenses for on-prem alternatives. Facebook and Google don't share their massive front-end libraries and extensive tools because they are nice, they do so because it helps them dictate web development and be able to on-board new hires who are already familiar with their tech.
|
| If anything, I think it's more likely that we are going to see a big player pick up an NPM alternative and make sharing packages much harder. I think the fact that no one has done this should tell you all about how little the enterprise industry worries about the status quo.
|
| I don't think it's necessarily healthy, and I sympathise with OSS maintainers who don't get paid for their work, but I don't think it's a massive issue either. The OSS world is still better than it ever was, and your tech stack isn't actually in danger if you review that code you use.
| creamytaco wrote:
| Reviewing code is the elephant in the room. FiloSottile - perhaps out of ignorance or disconnect - fails to mention that the vast majority of open source projects (log4j being a great recent example) are absolute shit. Nobody should be building anything on top, never mind giving the maintainers more money.
|
| In-house development, software BOMs, raising of standards and multiple rounds of code review are the processes that the industry is shifting towards and for good reason.
| the_af wrote:
| > _In-house development_
|
| ... keeps resulting in shit code, too! There's no evidence standards of quality are rising. In my own extremely limited view of in-house software -- i.e. my own professional experience -- code quality is crap, standard quality practices are very low and actually _worse_ than in FOSS projects (I've seen someone mention more than once that "this crap PR simply wouldn't fly if this were an open source project, it's so bad nobody would want to review it!")
|
| In-house code is just code you don't know is garbage because you cannot look at the code.
| wpietri wrote:
| I would be fascinated to see your evidence that in-house code is any better on average than open-source code.
|
| I haven't done a lot of consulting lately, so I haven't seen much in-house code in the last few years. But my experience is that the average in-house codebase is worse. And that makes sense from the incentives. Open-source projects that want more than one contributor need to be approachable enough that people join in. Whereas with most in-house code, people commit to working on it without ever seeing it. Switching to work on another open-source project is easy; switching to another job is hard. Open-source authors get to decide when to release; in-house code is generally driven by execs. And so on.
| creamytaco wrote:
| I worked at engineers-call-the-shots fintech and later SV shops for many years. No, their in-house code is not worse than open-source.
|
| In fact one can safely say that top companies that attract top talent also have methodologies in place that lead to better than average code quality.
| the_af wrote:
| If you are comparing the top engineering shops to open source, you should also pick the top (quality) open source projects. Apples to apples.
|
| Most in-house code is crap.
| pixl97 wrote:
| As someone that has to support a lot of in-house code, yea, it's a bunch of crap too.
|
| "Works good enough" is how our world generally operates unless under strict regulatory guidelines.
| watwut wrote:
| The industry is not moving towards multiple rounds of code review. Nor towards in-house development nor away from using open source.
| creamytaco wrote:
| Every engineering-driven fintech company I know of (having myself worked there or having friends who work there) is doubling down on every single one of the processes I mentioned.
| geodel wrote:
| Yeah, and that is about 0.1% of the total amount of software assembled and deployed in the world. It is like saying all my friends drink Evian water so that's the way we handle the clean drinking water shortage in the world.
| nopenopenopeno wrote:
| The welfare queen megacorps have been too comfortable expecting handouts like open source charity work and public bailouts. Open source software has served the elite executive class while leaving working people to depend on anti-freedom proprietary offerings. I am sick of watching it go down like that. The never-ending data leaks, dark patterns, lock-in strategies, and attacks on encryption and freedom of speech are all exacerbated by this tendency to yield the commons to the ruling class. If open source doesn't serve working people, I don't care a lick for it anymore. Cheers to Stallman and all, but this is where his proposals fell short.
| simonw wrote:
| "Your tech stack isn't actually in danger if you review that code you use."
|
| Tell that to everyone who depended on Log4j for the past 8 years!
| bawolff wrote:
| Companies barely spend money on their own internal security dept. It seems like it would be a hard sell to convince them to spend money on improving an external project's security posture. Maybe if it was core to their business, but investing to improve the security posture of a logging library seems like a hard sell.
| usrbinbash wrote:
| > _But! Maintainers need to be legible to the big company department that approves and processes those invoices._
|
| I imagine this could be a hard sell to people who just want to build some cool software and maintain it. Setting up an account, okay, that may be possible, but that's not the end of it. Companies pay invoices FOR something. That something means contracts, potentially about substantial sums, and that means getting legal support to navigate said contracts & obligations.
| throwaway894345 wrote:
| We have software licenses and yet not every open source project employs a lawyer. The solution is probably the same: canned, off-the-shelf contracts. If a company wants to negotiate a custom contract, then the maintainer can decide whether or not it's worth hiring a lawyer.
| b3morales wrote:
| Even if the contract itself might be commodified, the _relationship_ won't be. Business will want what it wants, regardless of what the contract says. Maintainers will certainly be subject to influence campaigns by business, which will sometimes conflict with other "clients". Even saying "no, read the contract" to a persistent VP has a psychological and social cost. I can't really imagine this decreasing the pressure on maintainers: it's basically turning the project into a startup.
| throwaway894345 wrote:
| I think the idea is to provide a middle ground option between full-on startup and doing free work for corporations. That implies meeting in the middle both on compensation and on work delivered, but it's possible that we'll find new non-zero-sum opportunities.
| jpeter wrote:
| MANGA should pay them. They have enough money.
| [deleted]
| qnsi wrote:
| Can someone help me find whose idea this was?
|
| Basically kill free open source. Make every "new open source" (NOS) program dual licensed, free for non-commercial use and paid for commercial use.
|
| He proposed companies paying 1% of revenue to license this software. But it would all go through a proxy company that would gather payment and send it to participating companies, I don't remember how it would be split.
|
| I think this is actually a way forward. I would feel better building on top of this kind of stack vs the npm ecosystem.
| rgrmrts wrote:
| Doesn't answer your question but something I've wondered about as well. I don't maintain any open source software (yet?) but if I were to start a project I'd likely use a permissive license.
|
| I don't want to start a philosophical flame war about licenses, but this idea makes sense to me. The details will likely take work to iron out, but why not have open source licenses with a clause for companies with over a certain amount of annual net profit. Does anyone have examples of this in practice? As far as I know, licensing models like Mongo or Elasticsearch are a bit more binary.
|
| I'd be fine letting individuals, small businesses, and startups use the software for free in perpetuity unless they hit some metric like "greater than $x in annual profit" or whatever. I guess a counterpoint to this might just be that companies that get to that scale would just develop the same thing in-house instead.
| ralph84 wrote:
| It's a bit dubious that paying maintainers more will make them write more secure code. Certainly professional developers who write closed source have produced plenty of vulnerable code in exchange for their six-figure salaries. If you're really concerned whether a particular open source package is secure, it'd make more sense to pay a third party to audit it than the maintainer.
| F6F6FA wrote:
| I feel this is a problem of companies being cheapskates, not of OSS maintainers. So do not make it their problem. I do not make OSS for companies, but for enthusiasts, contributing to building cool stuff, students and researchers.
|
| I don't really want a commercialization of OSS maintainers. It does not seem in the spirit of OSS, but a convoluted way to contract a single dev to work on your stack. If you are this big company, ping your developer advocate, set aside a budget, and have them go through your dependencies and reward accordingly.
|
| What bothers me way more is when companies take OSS and then do not adhere to the license. Not as in forgetting to attribute you, but publishing a patent based on your code and approaches. That's easy enough to kill your motivation if you are doing it for free in the first place.
|
| If money becomes an incentive for OSS maintainers, then they will start replying to the emails they constantly get, to buy their extension or use their CDN. Your company bet the house on a poor Polish CS student for logging or useragent parsing? Your, and only your, problem. OSS keeps on working.
| indymike wrote:
| > I feel this is a problem of companies being cheapskates, not of OSS maintainers. So do not make it their problem. I do not make OSS for companies, but for enthusiasts, contributing to building cool stuff, students and researchers.
|
| I'm starting to do something different at my company. I'm finding the package maintainers for the non-commercial stuff we use in our product and making a donation. I'm also going to start asking the maintainers to invoice my company for support where that is possible to do.
| F6F6FA wrote:
| If this becomes a cultural thing, part of OSS, then more employees inside big companies will start to advocate for funding the OSS they rely on. Companies found to be profiting off OSS, while keeping a closed wall, complaining, but not contributing patches or funding, will lose market mind share, and a percentage of the best developers.
|
| Seems doable, but still hard without centralized control and PR.
| ttyprintk wrote:
| What do you think of hiring maintainers to audit? Answer specific questions about usage and security, with some visibility into your codebase? We've talked this over and hit risks concerning access to code where we'd like an NDA that a consultant may dislike.
| F6F6FA wrote:
| Consultants sometimes dislike NDAs, because as a consultant, you are already expected not to disclose. It is strongly implied, like patient confidentiality. Airing dirty laundry or competitive advantage as someone visiting many companies a year is like a doctor amputating the wrong leg. You do this once, then you are out of a job and reputation.
|
| Risk is on your end, so you pay for it. A 10k contract becomes a 12k contract. You clarify your risks, your mitigation method (NDA), and that the extra money is for the legal liability the consultant takes on.
| wakeupcall wrote:
| As a maintainer of several OSS projects, I could work full time on them and have time for nothing else. Yet, I'm pretty sure that even if these projects were 100x more popular, the donations I would receive wouldn't even pay my daily expenses.
|
| I refuse all donations/tips for three reasons:
|
| - as per above, your donation is generally insignificant. It's just overhead in tax accounting
|
| - people donate "with strings attached": AKA "here's $2, but I'd really love this feature"
|
| - receiving donations wouldn't be fair to any current or past contributors that made the project what it is
|
| The last point is especially true in the OSS landscape. The most front-facing programs get the donations, but the low-level libraries and infrastructure that make them possible get nothing. Heck, I've seen forks with a few superficial tweaks receiving donations and reaping the benefits while the original project is chugging along slowly at the hard-to-build infrastructure that nobody else wants to do.
|
| Bug bounty sites fall almost universally in the last category in my eyes.
| slooonz wrote: | > - receiving donations wouldn't be fair to any current or past | contributors that made the projects what it is | | Hard disagree on that. Maintaining (bug triage, pull requests | review, bug fixes...) is actually the hard work and the part | that deserve the reward IMO. | | When I contribute to an open source software to fix a bug/add a | feature, my reward is that the software I use has an annoying | bug gone/the feature I want. I don't need any reward. On the | other hand, the thankless maintainer deserve it. | DarylZero wrote: | Just fixing a bug isn't making the project what it is, | though. | bogwog wrote: | Everyone does open source work for different reasons, and I'm not | sure if more money is always enough of a motivator. I have a | handful of projects that you couldn't pay me to provide | commercial support for because I no longer have any interest in | them. Working on boring projects for money is what full-time jobs | are for (and most full-time eng jobs are much easier than | maintaining a popular open source project). | | With that said, I could totally see how paid OSS work as the norm | would be a catalyst to improving the status quo. It would | certainly lead to more and better OSS projects. Even if the | current OSS ecosystem doesn't like it, it will 100% lead to new | projects and new devs pursuing the money. | | Maybe part of the solution is to form agencies which work with | OSS devs to pursue contracts/sponsorships/donations from | commercial users of their projects? The legal/business/sales part | of the process is non-trivial. This makes me think of "content | creators" on social media that make a ton of money producing free | videos/streams. OSS devs are maybe like the B2B version of that? | :P | Jsharm wrote: | Are the salarys on levels.fyi accurate? Looking at Dublin | salaries, they seem very high? 
| didibus wrote: | I feel like the examples of log4j and ua-parser aren't that | great, because it would be relatively easy for any other similar | lib to take their place, as it's mostly straightforward to | implement, even though it still takes time. | | But there are some things like Kafka, PostgreSQL, Spring Boot, | Tomcat, Apache Math, ZooKeeper, the OpenJDK, and all that which | are definitely non-trivial and a huge amount of time and effort, | and you couldn't just take an extra month or two and have a dev | on your team implement a replacement, unlike log4j and ua-parser. | | I think those would be better examples to discuss, and my | impression has been that those things often have a company behind | them offering support or offering them as a service that in some | ways pays for some real devs to contribute to them, but maybe I'm | mistaken. | | Like for example, the author mentions working on the Go team at | Google, and Go I would consider one of those big open source | projects that truly are foundational and would be non-trivial and | huge effort to replace. So that shows that the really big pieces | do have companies hired and paid staff behind them. | tobltobs wrote: | First those developers don't get any money for their work, now | you're also telling them that the work they are doing isn't really | valuable anyway? | | Did you consider the fact that half of your examples of worthy | things are using the unworthy log4j? | WJW wrote: | Quite a few managers I have spoken to will use the exact | reasoning ("we could rewrite this in two weeks or so, why | should we worry if it disappears?") and do indeed seem to | think that the fact that because the OSS dev did not get paid | for their work implies that it is low value work. If it was | in fact high value, they would have gotten paid for it you | see. | didibus wrote: | As a developer, if there were no free open source logging | library, then I'd be paid to implement one at my work.
It'd be | a fun project, but because someone is willing to do it for | free, and give it away, it's hard for me to justify to my | employer that we should build our own. | | This is how the value is measured. | | But if you take a much harder task, like building a | performant and safe JIT language runtime like the OpenJDK, | you'll see that even in the open source model, people can't | actually deliver it effectively for free. It often starts out | from a company that later open sourced it, or it's backed by | academia, and contributions require deep expertise, so | sometimes companies had to have their own staff contribute to | it on their own payroll. | javajosh wrote: | _> I feel like the examples of log4j and ua-parser aren't that | great, because it would be relatively easy for any other | similar lib to take their place_ | | Log4j is a good example, anyway. It's an old library, very old. | And a lot of other software depends on it. So the effort of | replacing log4j is not proportional to its feature list, but | rather to the feature list times the number of projects already | depending on it. (The replacement exists, btw, called slf4j, | usually with logback, written by the same author as log4j.) | | Java Logging is a subject in itself (I won't say "interesting | subject" although it _is_ interesting, in the same disturbing | way the lifecycle of a tapeworm is interesting.) but I would | argue that these logging libraries are old and have evolved | over time in ways that are hard to anticipate or recreate. | (Rewriting things also leads you to the xkcd "standard | proliferation problem" - https://xkcd.com/927/) | | The real problem is that it takes time, like real calendar | time, to understand an implementation fully enough to fix it, | and no-one wants to do that, because it's a job as critical as | it is thankless. | f311a wrote: | There are some maintainers for PostgreSQL that get paid.
It's a | part of their job in consulting companies (they specialize in | PostgreSQL). Not sure about the other projects though. | ItsBob wrote: | Does this not mean it's time for a new open source license? | Perhaps one that stipulates all the freedom current ones have up | to a point? | | I am not a lawyer and know little about open source but is it | possible to create a new license that allows free use up to a | certain revenue level? | johnny22 wrote: | Sure, and I think I've even seen one. The problem is, your | software won't be included in any distribution repositories | anymore because it is no longer Free Software under whatever | definition they use (likely based on Stallman's "Four | Freedoms") | | Some similar things have happened to MySQL (to MariaDB) and | MongoDB (to whatever the fork is called). | | Dual licensing it like MySQL did is one way to approach it, but | plenty of people were happy enough with what it did that they | didn't pay for it. | ChrisMarshallNY wrote: | One thing that I constantly think, when reading about these | Jurassic-scale disasters, is "where are the wise, conservative | stewards?" | | I've been appalled at the way that older, more experienced | developers are treated, and am not surprised at this. | | There's a really good chance that many of these bugs were | _introduced_ by developers that are now older, and more cautious. | In some cases, these may be the harsh lessons that caused these | developers to become more conservative, these days. | | A conservative (not political "conservative," _practical_ | "conservative") approach is generally best, when maintaining | infrastructure. Be careful, test well, don't "push the envelope" | too much, and, for God's Sake, _don't add new stuff, until you | have the old stuff completely tested, documented, and supported_. | | New stuff can be added via forks, and introduced via carefully- | vetted PRs.
| | I keep thinking of the Linux core kernel project as an example of | how to do it right, but I am not very involved in that ecosystem, | so it may be a case of "the grass is greener on the other side of | the fence." | | I can tell you that I take each of the tools I make, _very_ | seriously. A quick shufti at any of them will tell you that. No | one really uses them, but that's fine with me. I write them for | myself. | trinovantes wrote: | Even if you dual license your software with AGPL/Commercial | license, there are still companies that just plain ignore them. I | was doing some scripting on my PDF bank statements and discovered | they were generated using iText (AGPL version). Imagine a | multinational bank blatantly violating copyright laws let alone | expecting them to pay for open source. | imglorp wrote: | I liked that analogy to paying a law firm. | | Most of these companies spend more on greenhouse services to keep | plants in their offices than they spend supporting the F/LOSS | stuff that they built their product around. That's how it should | be viewed. | | The Faangs probably have on the order of 100m boxes running Linux | etc. It would be totally reasonable to expect they would pay | someone $1/year/box to help maintain all the F/LOSS in there. ___________________________________________________________________ (page generated 2021-12-11 23:00 UTC)