[HN Gopher] The gift of it's your problem now Author : Tomte Score : 403 points Date : 2021-12-30 13:03 UTC (9 hours ago) web link (apenwarr.ca) | [deleted] | beervirus wrote: | jaredklewis wrote: | This was a long, thoughtful read. I really enjoyed it and mostly | see things as the author does. | | > So it is with free software. You literally cannot pay for it. | If you do, it becomes something else. | | This is really the crux. Everyone is mad there's no money in | writing free/os software, but if there was money it wouldn't be | free/os software. It would just be like what we do at our day | jobs. | | You can write the code someone else wants and get paid for it | (aka a day job). You also have the option to write the code YOU | want to write, but in this case you'll need to figure out a plan | for making money on your own. | coldpie wrote: | > Everyone is mad there's no money in writing free/os software, | but if there was money it wouldn't be free/os software. | | This doesn't hold up for me. I develop GPL'd software and I get | paid for it. I probably wouldn't develop this particular GPL'd | software if I wasn't getting paid to do it. The issues of | payment and license seem related, but orthogonal. | jaredklewis wrote: | Right, so this is why the article tries to make the subtle | distinction around "free" vs "open," not in the sense of the | license, but in the spirit of the project. | | Different licenses, but working at GitLab or working at | GitHub probably feels pretty similar; you have a boss, there | are probably sprints, you build features, fix bugs, and so | on. | | This is fundamentally different than working on a rust port | of a GNU utility. This is the sense in which the article is | using the word "free." 
This is idiosyncratic and doesn't | align with either of free's typical usages (free as in | beer or free as in FOSS), but there really isn't a perfect | word for what the article is talking about. | joe_the_user wrote: | JM Keynes said: "A 'sound' banker, alas, is not one who sees | danger and avoids it, but one who, when he is ruined, is ruined | in a conventional and orthodox way along with his fellows, so | that no one can really blame him." and the same applies to software | managers. | | We've had lots of nasty security breaches lately. These | breaches overall have nothing _directly_ to do with free | software but it's pretty easy to see what they have in common. | | Security breaches grow like hardy weeds on the ground of "I | don't have to face the consequences of bad security, my | customers do". The Solar Winds and Log4j breach/hole came from | wildly different software types but each had the quality of | paying for security at the rate that it might harm you, not at | the rate it might do harm in general. And that comes because | security is inherently expensive - since "security is a | process, not a feature", done right it costs the entire organization | time and money rather than simply involving a purchase. | | Which is to say: _" Everyone is mad there's no money in writing | free/os software, but if there was money it wouldn't be free/os | software. It would just be like what we do at our day jobs."_ | seems totally incorrect. | | QT makes money selling open source software. Red Hat makes | money selling open source soft. If there was a market for | tightly secure, verified open source software, people would be | working writing (and especially testing) that. But companies | whatever crap onto their machines, whether barely maintained | java or dubious closed source stuff. | jaredklewis wrote: | I see what you're saying, but just to be clear I'm using | "free" here in the very idiosyncratic way the article does. 
| | Things like Red Hat, GitLab, or MongoDB from a license | perspective are free/open source. But these types of projects | are a totally different beast than "real" (for lack of a | better word) open source projects like the linux kernel, | emacs, ruby on rails, or lucene. | RicoElectrico wrote: | I think of platonic ideal FOSS as liberal art in the ancient | definition: you do it because you can afford it. | | Having said that, this does not imply FOSS developers shouldn't | have the "product mindset". Quite the opposite, in fact. | PragmaticPulp wrote: | I always wonder how much of the most popular open source | projects are written by people who are actually being paid for | the work by their employers | | Many of my open source contributions came from fixing bugs or | adding features because I needed them for my job. Many of the | biggest open source projects I use come from big companies that | have full-time engineers working on them. | | I've also worked at two separate companies that have hired | developers of very popular open-source projects. It didn't work | out in either case because the company wanted them to | prioritize work related to the company, but they wanted to | continue focusing on the community as before. | | On a micro level, it's surprisingly difficult to arrange to pay | someone outside of a company to work on a project for you. The | amount of overhead that goes into arranging the contracting | agreement, communicating the issue, setting up the contractor | with your environment, and managing it all can quickly snowball | into a massive commitment for even small work. The exception is | hiring contractors or contracting companies who have made a | business out of working in that exact domain and are already up | to speed on the project and have good relationships with | upstream maintainers, but those are rare. 
| pm215 wrote: | Conversely, on the receiving end, if you aren't somebody | who's made a business out of being a contractor then taking | some company's money to do a specific piece of work also | seems like too much hassle and overhead to be worth it... | WJW wrote: | I think the "dream" of writing FOSS for a living is that it's | like a normal job except for all the non-fun parts like | mandatory HR meetings, boring standups, performance reviews, | having to deal with customers/PMs/etc who don't understand the | technical constraints, etc etc etc. It is just writing code you | want to write with zero other obligations but somehow you get | paid for it. | | When it's written out like that I think most people would | recognize why it is not very realistic to get paid for | something like that, but it is still a very tempting vision. | Kinrany wrote: | It's perfectly reasonable to want to be paid when your work | has positive externalities. It doesn't matter whether you | liked doing the work. | kristjansson wrote: | If you want to be paid for creating value, exchange value | for money. If you want to change society, create value in | exchange for conditions on its use and obligations of its | users. | kortilla wrote: | What does positive externalities have to do with it? The | entire point of volunteer work is to do something with | positive externalities where you don't get paid. | karaterobot wrote: | I wish there was an open source fairy that put money in my | bank account every time someone used my software! Until | then, it's reasonable to _want_ to be paid without having | to deal with the attendant hassles and responsibilities of | participating in a business venture, but not reasonable to | expect that to _happen_. | mjmahone17 wrote: | Starting around the renaissance, we kind of had "open | source fairies" in the form of research grants, | professorships and other forms of patronage. 
If you look | at 19th century scientists, it seems like most of the famous | ones weren't paid to do specific research, but instead | were given space to do whatever research they could. | | This has gotten more and more restrictive: even in | academia today, it seems rare for open ended grants to be | given, and even when there are, there's a lot more | competition for those grants than we can sustain with | current funding. | | Open ended research doesn't necessarily work in a pure | market system. And most open ended research probably | won't provide any concrete monetary benefit to the person | funding that research. Even Bell Labs wasn't really self- | funding despite having developed some of the | underpinnings of our modern economy. This is an (if not | totally compelling) argument for a basic income: anyone | can focus on fundamental research without worrying about | covering life's fundamentals, so long as they're OK | living a bare bones life while they can't get outside | funding for it. | syntheweave wrote: | The market can work, but I think we've been going through | a particular centuries-long period where the capital- | intensive projects are most celebrated since they bring | together the best of industrialization. However, there | are crowdfunding platforms of various kinds now that let | you sustainably finance small projects or build a | marketing story that can be taken to a larger investor. | When you get some proof, the funding spigot can flood in | rather suddenly. | | I agree that open-ended research still isn't very | rewarded since it goes too far from immediate wants. But | I also suspect we are going to get a quality bump on | "small stuff" in the coming decades, because so many of | our technologies were rushed to market as soon as they | were mature enough, and that was a causal factor in major | quality issues like buggy/insecure software. 
Those issues | are not cap-intensive to fix, and could subsist on | crowdfunding solutions, but they need awareness. | meheleventyone wrote: | I think that it's less that people _expect_ it to happen. | But that it rudely points out the absurdism and | structural inequality involved in building free software | within capitalism. | | Not just from the perspective of individual compensation | but that billion dollar corporations can be completely | exposed due to their reliance on people's hobbies. | kmonsen wrote: | I want there to be world peace and all dogs to be happy and | I think that is reasonable, but I also understand that it | is not likely to happen. To be honest I feel that is pretty | similar. | | If someone wants to get paid for something, it needs to be | explicitly charged for. Can always set up a patreon or | something and only give it to backers or whatever. If they | give something away for free I think it is a stretch to | expect to be paid for it just because someone else finds it | useful. | mcguire wrote: | It is certainly reasonable to want that. It is | unfortunately not reasonable to expect it. Sorry. | | I hope you like what you're doing. | tomxor wrote: | > It doesn't matter whether you liked doing the work. | | It matters hugely, a lot of the good FOSS is good because | the people who wrote it were passionate about what they are | doing. You cannot create this passion with money, which was | one of the largest points the author is making. | Kinrany wrote: | Is being averse to having good things a prerequisite to | passion? | tomxor wrote: | I did not say that, I only said it _matters_ that you | like doing the work. | | If anything, wanting good things and being dissatisfied | with what you have is a prerequisite to having the | passion to create something new. But none of what I am | talking about are liquid, they are tangible - you can't | have bad money, it's just money. | thewakalix wrote: | Sounds like you might like dath ilan. 
| Kinrany wrote: | I would :( | WJW wrote: | I agree, but there are two obstacles to actually getting | paid: | | - The amount you can be paid for any sort of work has a | range. The ceiling of the range is the value you added, the | floor of the range is how expensive it would be to get | someone else to do it. Since in open source the competition | costs zero, this sets a very low floor for how much you can | charge. | | - Wanting to be paid is indeed reasonable, but just wanting | it is often not enough when it comes to companies. There | will be contracts involved, minimum time commitments, | purchasing processes if the company is big enough, etc. | Navigating all that is what will turn open source back into | a job, if you really make work of getting paid for it. | __s wrote: | To be fair you can greatly reduce the necessity of those | other things you list if you take on a role of contributing | to FOSS dependencies used by where you work. Because you can | have a significant portion of your time devoted to that work | & it won't involve those things. You also then gain a passive | political advantage as feature requests to that dependency | will fall under your responsibility as the contact point | between the project & company | | Note that I may be totally wrong, as I've never found myself | in too bureaucratic a team, so have generally found myself | able to do whatever I want _(within reason ofc, but I try to | be reasonable)_ | cardosof wrote: | This. Money and accountability are directly related. So are | accountability and processes/controls, the "boring" part. | | I think the developer dream isn't really FOSS, but something | along the lines of "very popular, stable API in an API | marketplace made by a single person". | dblock wrote: | I work at AWS on opensearch.org, literally to do this as | described. | pm215 wrote: | I write code somebody else wants and get paid for it as my day | job. It happens to be open source. 
Some people write the code | they want to write, but keep it closed-source. So I don't think | your contrast quite works. | | I think some of the "no money in open source software" unease | isn't because people would like to get paid to write whatever | code they feel like, but a desire to retain the benefits of | having a massive amount of open source code out there (less | reinvention of the wheel by multiple companies, low-cost low- | friction way to bootstrap whatever actually interesting/novel | software your company is doing, etc) but put it on a more | sustainable footing where money is directed reliably enough at | the people keeping it together that we can avoid the xkcd "one | person in Nebraska" failure mode. | treis wrote: | IMHO the underlying problem is value based pricing. Roughly | that means you take how much money your software generates | for your clients and try to capture as much of that as you | can. That leads to a huge incentive for companies to not depend | on commercial software since as soon as that happens the | vendor will take them to pound town in contract negotiations. | | That fear makes it nearly impossible for something like Log4J | to charge anything. Even if it's a penny per year per server | you don't want to build on it because they can come back next | year and make it $10 a year. And what are you going to do | about it? | | FOSS removes that threat but it also makes the path of least | resistance to not pay anything. The ideal solution is | something like "You have to pay a little bit but it's | guaranteed that it will never be more than a little bit". But | I don't see how to do something like that. | cromulent wrote: | It is, isn't it. The article talks about "open source is | communism" but not authoritarianism, real communism. Which | made me daydream about if the various licenses for FOSS | required profit making companies to pay $100 per year for | all you can eat FOSS. 
And then it got distributed on some | usage based basis. Would things be better? Not practical | though. | jimhefferon wrote: | I think the question can be a little more subtle than that. I'm | involved with an organization that does a lot of Free software. | But sometimes money is involved. | | For instance, we have collected some money and funneled it to | developers to give them time to do what would otherwise either | take many years of nights and weekends, or just be too hard to | get done without time to focus on it alone. This software is | still Free, though. | r_hoods_ghost wrote: | One of the problems is that if your target market is other | devs, there is a knee jerk demand that your software should be | foss and free (as in beer). | | I hope that we'll see a move away from foss licensing to source | available licenses over the next few years and an increased | acceptance of this model in more areas. | | Dropping the non discrimination clauses in open source licenses | while giving licensees the right to view and modify the source | and integrate it with their own software, but not the right to | redistribute, is to me a good middle ground for a lot of | projects. This would allow developers to charge different rates | (or not charge) depending on the licensee and ensure that they | can capture more of the value from their work if they need to | do so in the future, or if their project becomes popular. It | works for Epic with Unreal Engine and more generally in the | game industry where it is common to have source available | licenses. | | While free software has its place in certain areas (academia, | government, hobby projects), and I agree you should be able to | audit and fix the software that runs on your own devices, it | also has downsides and I don't think foss licensing should | always, or even usually, be the default outside of these cases. 
| mcguire wrote: | " _...giving licensees the right to view and modify the | source and integrate it with their own software, but not the | right to redistribute, is to me a good middle ground for a | lot of projects._ " | | Licensees have that right with (most) free software licenses. | | The downside of this is that, if the owner, Epic say, is not | interested in changes you need, then you cannot distribute | those changes no matter how valuable they are to you or | anyone else. Further, you will have to maintain those changes | in the face of whatever architectural differences the owner | decides to introduce.[1] You are in the same position as the | good old days of proprietary software (Believe me, you could | absolutely pay IBM to make changes to its OS's. If you were, | say, Ford.) except that you get to see the source. Yay. | | [1] Yes, you should be expected to maintain your own changes | if the original maintainers don't want to. However, that's | significantly more difficult if the owner is uninterested in | your features or is actively trying to break you. (Microsoft | waves in the distance.) | ignoramous wrote: | > _One of the problems is that if your target market is other | devs, there is a knee jerk demand that your software should | be foss and free (as in beer)._ | | The problem with source-available COSS licenses like SSPLv1, | BSLv1, Perimeter etc is that, almost to the point of | insulting developers who care about FOSS, it wants to have its | cake and eat it too: That is, the benefits of both open and | proprietary software. That's a hard sell, and it remains to | be seen if they'd be as successful as FOSS for developer | tools: http://dtrace.org/blogs/bmc/2018/12/14/open-source- | confronts... and https://steveklabnik.com/writing/the- | culture-war-at-the-hear... 
| | Another popular strategy is to open source just enough bits, | but not all of it: Previously named "open-core", pioneered by | Elastic (who have since moved to SSPLv1) and GitLab, but is | now accepted as open-source, anyway. Tailscale falls in this | category. https://www.heavybit.com/library/video/commercial- | open-sourc... | | > _I hope that we'll see a move away from foss licensing to | source available licenses over the next few years and an | increased acceptance of this model in more areas._ | | The nouveau open source strategy is to have a stranglehold on | the software itself (think Chrome / Android) by keeping the | development tightly guarded along with the business interests | of the original sponsor. Typically, these projects are open | sourced to commoditise competitors' advantages | (Symbian/Blackberry in the case of Android, IE in the case of | Chrome): https://www.joelonsoftware.com/2002/06/12/strategy- | letter-v/ | | The traditional way of being in a F/OSS business was through | associated services like deployments and consulting, à la RedHat | for Linux / Acquia for Drupal: | http://dtrace.org/blogs/bmc/2004/08/28/the-economics-of- | soft... | | Open source, in particular FOSS (free-as-in-beer), in itself | is a business strategy (but not a business model) if one | knows how to use it to their advantage (as the author points | out, many startups are doing so these days): | https://a16z.com/2019/01/22/what-comes-after-open-source/ | panic wrote: | _> I read a book once which argued that the problem with modern | political discourse is it pits the "I don't want things taken | from me" (liberty!) people against the "XYZ is a human right" | (entitlement!) people. 
And that a better way to frame the | cultural argument is "XYZ is my responsibility to society."_ | | I don't know if it's the book he's talking about, but Simone Weil | makes this argument in the beginning of The Need for | Roots[+]--that the correct way to think about our relationship to | society isn't "rights" (someone else's problem) but obligations | (our problem). | | [+] https://antilogicalism.com/wp- | content/uploads/2019/04/need-r... | kortilla wrote: | That's pretty lazy thinking. Those are the same things. Your | "rights" are everyone's "obligations". | sophiebits wrote: | From the post's author, the mentioned book is: | | > The Future of Capitalism by Paul Collier. There are a lot of | insights in there but beware that the writing is kinda | problematic in some ways, so it doesn't get my full | endorsement. | | https://twitter.com/apenwarr/status/1476590932619567104 | a9h74j wrote: | I don't recall which of Simone Weil's works this is from, but | in terms of suggesting the ineffectiveness of rights, she | presented this dialog of one person pleading with a much more | powerful one: | | Pleading: But sir, you must respect my rights. | | Reply: I do not see the necessity of that. | WalterBright wrote: | There aren't any fundamental rights which require someone | else to provide them to you. For example, your right to free | speech does not oblige others to provide a platform for you. | | Now, "rights" can be created by law, but those are a | different meaning of the word. A more apt word would be one | of "privilege", "license", "obligation" or "power". | | For example, it is often said that the President has the | right to veto legislation. No, he doesn't. He has the _power_ | to veto legislation. | | The words right, privilege, license, obligation, and power | are probably the most misused words in the English language. 
| arminiusreturns wrote: | What I've noticed on this topic as a staunch proponent of | individual rights from their enlightenment and renaissance | roots is that far too many people pontificating on this | subject don't even know the difference between a negative | right and a positive right, nor do they understand the | perils and antithetical nature of _collective rights_. | notriddle wrote: | Your post isn't really an argument. It's just | contradiction. | | The whole point of calling rights "ineffective" is to say | that this idea of fundamental rights that other people | aren't obligated to provide to you has no utility. Your | definition doesn't really contain any evidence to the | contrary. | titzer wrote: | > There aren't any fundamental rights which require someone | else to provide them to you. | | This is, of course, totally false. From the moment of birth | your parents have to provide sustenance and safety, or | you'll die. Similarly, someone must teach you a native | language, if only indirectly, or you'll be unable to | communicate or acquire skills. If a parent neglects a child | and fails to provide them "services" (or whatever), the | state will absolutely take the child away and punish the | parents. | | As an adult, you have the right to a system of justice that | allows you to argue grievances against others. You have the | right to police and fire fighters. Those are all services | provided to you. | | I used to think this way when I was a hardcore libertarian, | but I'm not anymore. There are bazillions of things that we | take for granted that are just table stakes in a modern | society, like the rule of law, an educational system, clean | air and water, and yes, healthcare. A hospital can't refuse | you emergency care if you can't pay, and that's absolutely | a right established in the social contract. | | Rights are a mix of inherent and acquired capabilities as | well as courtesies granted by a social contract. 
Until you | start paying back every person from whom you've learned a | word in the English language, yeah, you are getting tons | and tons of things for free without realizing it. | stavros wrote: | How is an "obligation" not the exact same thing as a "right", | just from the other person's perspective? | | Pleading: But, sir, you must fulfill your obligations. | | Reply: I do not see the necessity of that. | hdjrudni wrote: | You didn't flip the dialogue, you just substituted | different words. | | Replier: I should fulfill my obligations to society. | | Pleader: _le suffering_ | | Replier: Ya..I should really do that now. It's my duty. | | That's the difference, the perspective. You aren't asking | someone to fulfill their obligations, people are taking it | upon themselves because the mindset has shifted. It's now | upon you to do the right thing, not hand-wave and say "you have | rights..but it's someone else's job to realize them" | stock_toaster wrote: | I think the whole point is that it is from the other | perspective (they are "jural correlatives"?)[1]. | | Example: https://en.wikipedia.org/wiki/Noblesse_oblige | | [1]: https://en.wikipedia.org/wiki/Corelative | VWWHFSfQ wrote: | > the correct way to think about our relationship to society | | This is where it falls apart. There is no correct way to think | about our relationship to society. | | For instance, I don't think it should be illegal for a private | citizen to own an AR-15 and take it out to a field and shoot up | some soda cans once in a while. But, as we know, sometimes | owners of AR-15s take them to a church or school and shoot up | some people. Are the lawful owners of AR-15s incorrectly | thinking about their relationship to society? Are they the | responsible party? | | edit: this coming from an American perspective on civil | liberties, obviously. | zby wrote: | I have only one question: is his blog a gift? | unnouinceput wrote: | I don't like hair trimmers. 
I have no use for them and they | only occupy space and eventually I return them when I get them | as gifts. And yet, every 2 or 3 years I get one as a gift. | | His blog is a hair trimmer, now I have to kill the memory it | occupied in my brain (return the gift). | fmajid wrote: | The hair trimmers are not a gift. They are a pointed | commentary on your grooming, or so I would assume. | tarsiec wrote: | "Everything I don't like is communism!" | zaphar wrote: | That isn't even close to what the author wrote. The "quote" | reflects nothing of substance from the article. | xg15 wrote: | From log4j to Communism vs Authoritarianism in less than 400 | words. Gotta admit, that is impressive even for internet | standards. | mirkules wrote: | What's more is that the author is wrong. Free Software is | libertarianism, not communism. | | "Free" refers to the freedom to modify the software, the | liberty of one person to (legally) do whatever they want with | the thing they own. Common ownership, or community control of | means of production has nothing to do with Free Software. | Nobody owns free software and nobody controls it. | fmajid wrote: | More precisely anarchism. The ethos of Stallman is completely | at odds with that of libertarians. | jrm4 wrote: | I can't help but think _so much_ of this could be solved if we | simply had real and effective product liability rules and | consequences for things that use software. | | You give it away for free, no guarantees and such? Great, we | appreciate it. | | You sold something to someone? Okay, well, like with food and | buildings and cars and airplane rides, we understand that if it's | done wrong it can be really harmful, so we have real legal | consequences for getting it wrong. Where you sourced your inputs | is _not my problem_ when it does -- whether that input was "free | software" or "rotten ingredients" or "faulty concrete." | EGreg wrote: | Actually, cryptocurrencies and DAOs were supposed to be | socialism. 
The network was going to be owned by the people. The | natural way to monetize open source. | | Well, minus the whole one person one vote part, but still better | than the surveillance capitalism of Big Tech companies funded by | VCs buying shares, propping up their "free to lockin" model and | dumping them on the public, who then made them extract rents | forever to satisfy wall street earnings. | | In my opinion, cryptos were seduced by the dark side of profit, | and buyers failed to care that the emperor (blockchain) has no | clothes (scalability). | | I am focused on micropayments and local currencies with actual | utility, and moving past blockchain. I am going to link to | something -- and historically this link was immediately knee-jerk | perceived as "shilling a coin" but if you read, there is no coin, | it's just talking about how to ACTUALLY monetize open source | projects and journalism and other online content on the WEB using | WEB technology instead of government enforcers: | https://qbix.com/token | hinkley wrote: | > If you wanted to pay someone to fix some software, you didn't | want a gift. You wanted a company. | | > But if there is no company and someone gave you something | anyway? Say thanks. | | This is what grinds my gears. There is no market for a company | that tries to provide a better version of the gift. The author | completely glosses over the social contracts involved in gift | giving. Contracts that software developers seem to be | particularly immune to. | | I think the party analogy is closer to the crux of it, because we | all have a story about someone who threw an awful party or | bought one pizza for people who helped them move and then retorts | with something tone deaf like "you didn't have to come you know." | | I didn't have to come, but I had other options that day, which I | turned down to come to your stupid party. There was an | opportunity cost associated with your gift. 
I'm not some | dilettante who is going to crucify you for throwing a boring | party. If that's the sort of people you attract then you've done | yourself a favor by filtering them out. But an _awful_ party is | going to cost the group something. | | (Also I wish the author had mentioned "Free as in Puppy" which is | part of the situation they are describing.) | BeetleB wrote: | > The author completely glosses over the social contracts | involved in gift giving. | | First, social contracts with gift giving vary widely across the | world. It's a good reason they should be ignored here. | | Second, as made very clear in the book _Influence_ by Cialdini, | the common social contract with giving gifts is _reciprocity_ - | and it holds even when the gift is crappy and/or unwanted. | | So if you're going to invoke social contracts, do address all | aspects of that contract. | | You will also find significant disagreement on what the actual | gift here is. For many, the gift is the _code_ , not the | _capability_. I'm giving the world this code. I provide some | information about it. Whoever chooses to take it is expected to | evaluate it and see if it fits their purposes. | | Finally, regarding the potluck/party scenario, a more | comparable example is a community potluck where everyone in the | city is invited and can bring dishes, with _no constraints | whatsoever_. People will show up, and happily tell everyone | what's in their dish and how they made it. Most of them will | openly say "I really can't claim this won't harm you" and "I'm | not sure what entails proper cooking." You listen to each one | and decide if you want to eat it. | | Obviously, no one would ever run a potluck that way. You are | using that fact to bash the developers, when you're not | realizing the obvious: Potlucks/parties are a very poor | analogy! 
Indeed, if you want to stick to the potluck analogy, | then as an organizer, you definitely _would_ put some rules in | place - rules that would (and should) preclude most open source | SW from being used in your product. | kristjansson wrote: | Free software isn't a gift to its recipients, it's a gift to the | commons. It's an open house, not an embossed invite. The other | side has some agency in selecting and evaluating the gift they | receive, not least because every package disclaims the lack of | warranty, fitness for purpose, etc. | | Does one have an obligation not to impose a bad party on their | friends? Sure. Should one, seeing lights and music and a sign | saying 'all are welcome', feel a loss if they don't enjoy what | they find inside? I don't think so. | bruce343434 wrote: | You can refuse a puppy | hinkley wrote: | I can yes, but if you think you have that much control over | your environment, outside of a solo project, then you're in | for some hard lessons ahead. Most of the time we end up | living not just with our own bad decisions, but everyone | else's too. Thinking you can stop everything bad from | happening will just make you crazy, and cost you friends. | | I can't refuse a puppy when I come home from work and find | that my aunt dropped one off that morning and the kids have | been playing with it all day and already named it. I have to | get other things done. I can't wait by the door in case | someone shows up with a box that is making noises. | janosett wrote: | I don't think this analogy really holds. Whereas one person or | a closed group usually organizes a party, open source is, well, | open! | | We could re-imagine this as a potluck I suppose. If you decide | to bring nothing, you can't really complain if the food is | awful. | Kinrany wrote: | I think it does hold: the cost of learning to use an open | source project is not zero.
It's the same as not asking the | party planner about every detail even when they're perfectly | willing to answer. | | Gift giving inherently involves trust from the recipient. And | there's no transaction, so it's inherently consequentialist. | kmac_ wrote: | It doesn't hold at all. Open source licences usually | clearly state that there are no guarantees. The contract is | clear and log4j (or any other) authors don't owe anything | to anyone. If you want guarantees, pay for it. | Kinrany wrote: | No one in this thread mentioned licensing or legal | issues. | | As an edge case, consider a CLI that solves a trivial | problem but also turns the computer into a space heater | via an always-on service. It will rightfully damage the | author's reputation with the users and they'll avoid | using that person's code again, but they won't sue of | course. | hinkley wrote: | I was in a club (full of adults) in high school that I only | realized how amazing the leadership was after the then- | president had passed away due to health issues. Which is a | shame because adult me definitely would have found him and | said thank you, and also fuck all those people who tried to | vote you out, and then didn't do as well. | | They ran a fund raiser event (not unlike a fun run) twice a | year and it was eye opening how many hands it took to make a | good idea into one people invited their friends to next year. | I volunteered a couple years at a couple of events and I know | I worked harder those two days than I did when I | participated, and not on the tasks I expected to be | challenging. High school movie parties fall apart because | it's all anarchy, _and_ no self control. There's a lot that | goes into making a soiree a success instead of a disaster. | | My partner years ago stopped hosting parties because we were | both ragged by the time people arrived, and there was always | something we worked hard on that went unnoticed.
Sometimes | necessary, other times just a bad call on our part. Now we | farm out the work a bit more, but even a potluck has key | dishes and can fail if everyone guesses wrong. But if you pay | close enough attention to a potluck, for many families | grandma's dishes are the keystone that holds it together. | She's seen some shit. She knows what's what. | | I used to bring an Igloo water dispenser to a volunteer group | because the group I was in in high school worried a _lot_ | about people injuring themselves in the heat. They had | meetings every year before the events to refresh people. Heat | exhaustion is scary, even dangerous, but heat stroke is life- | altering. For the volunteer group, I think maybe five of us | cared enough to bring fluids, and while my extra didn't | always get used, I'm absolutely sure that one of us saved | somebody. And if one of the other five had been sick, or had | a wedding, then mine wouldn't have been backup. It's not hard | to bring water, but someone _has_ to do it. Unfailingly. | | The rest of the group would of course care if someone got | sick, but only to prevent it happening a second time. When | you do something right the first time, nobody appreciates how | hard it was. | pmjones wrote: | I expounded on the gift-giving theme as well, some years ago, and | am glad to see I was not alone: http://paul-m- | jones.com/post/2018/12/11/open-source-and-sque... | dado3212 wrote: | > Miraculously the Internet Consensus is always the same both | before and after these kinds of events. In engineering we call | this a "non-causal system" because the outputs are produced | before the inputs. | | So funny. | gitgud wrote: | > _When you try to pay for gifts, it turns the whole gift process | into a transaction. It stops being a gift. It becomes an | inefficient, misdesigned, awkward market._ | | This resonated with me. When opensource involves money, | incentives become misaligned...
And all the bad parts of a SaaS | product become important, vendor lock in, upselling etc... | Snetry wrote: | > As a result, they started a nonprofit organization to rewrite | all of Unix, which the printer did not run and which therefore | would not solve any of the original problem, but was a pretty | cool project nonetheless and was much more fun than the original | problem, and the rest was history. | | That is an incredibly bad retelling of the GNU story | shadowgovt wrote: | As with most legends, it left out the details but got the crux | of the situation right. | badsectoracula wrote: | The crux of the situation was that RMS started GNU because he | realized that not having access to the printer's source code | put whoever had access to it in a position of power over his | use of the printer and the implications that has when | extended to other aspects where software is concerned and | will be concerned with as computer use increases. | | This was not mentioned at all in the blog post. | shadowgovt wrote: | He doesn't mention the power dynamic in the story | (https://www.fsf.org/blogs/community/201cthe-printer- | story201...). | | You can infer it mattered, but you can also infer he was | pissed he couldn't make the machine do what he wanted. | These are both valid interpretations of the same story... | Which is the "crux" is up to the teller. | badsectoracula wrote: | The _entire point_ of Free Software is about users being | in control of their programs, so _of course_ it is about | the power dynamic. But of course even if it was about him | being pissed - and he was pissed, which is something he did | mention - it was because he was denied that control. | | There isn't really any other interpretation than that. | | Also the story you linked to is not RMS' story, but a | different and more recent story which is also about a | printer that sounds similar to RMS'. The RMS story is | linked in the page you gave, though it is a transcript | and kinda big.
Here are the relevant bits: | | > And then I heard that somebody at Carnegie Mellon | University had a copy of that software. So I was visiting | there later, so I went to his office and I said, "Hi, I'm | from MIT. Could I have a copy of the printer source | code?" And he said "No, I promised not to give you a | copy." [Laughter] I was stunned. I was so -- I was angry, | and I had no idea how I could do justice to it. All I | could think of was to turn around on my heel and walk out | of his room. Maybe I slammed the door. [Laughter] And I | thought about it later on, because I realized that I was | seeing not just an isolated jerk, but a social phenomenon | that was important and affected a lot of people. | | Emphasis on the last bit: "And I thought about it later | on, because I realized that I was seeing not just an | isolated jerk, but a social phenomenon that was important | and affected a lot of people." | | And after all he made the Free Software Foundation, not | Working Printers Foundation. | shadowgovt wrote: | That's a good story about being pissed you can't make the | software do what you want. | Snetry wrote: | did it get the crux right? To me this reads like Stallman got | mad a company said no to him and because of that decided to | rewrite UNIX because idk | sja wrote: | I interpreted this bit as intentionally reductive for the sake | of humor. And I thought it was funny! | Snetry wrote: | okay after reading it a few times I can see how it could be | considered tongue in cheek I'll give it that | rfrey wrote: | This article was not about retelling the GNU story. Think of | that sentence as a cultural reference, not an explanatory | history.
| Snetry wrote: | okay but even then it botches it | mherdeg wrote: | Hmm, re: | | > how startups tend to go bankrupt and their tech dies with them | | I have this mental model, which may not be entirely accurate, | that the original Iridium corporation successfully launched | satellites into orbit, erased the multi-billion dollar costs of | the launch using bankruptcy, and then handed over control to a | successor corporation who inherited control of the constellation | but none of the startup costs. | | Do I have the story right? Is there any other example like this | where a failed company manages to leave us with something useful | while its immense costs were just ... evaporated? | CommieBobDole wrote: | That's roughly true, but it's sort of a special case; as I | recall it, the US Department of Defense had come to depend on | Iridium and didn't want to lose service, so they facilitated | the orderly bankruptcy and re-emergence of the company, in part | by offering an enormous multi-year contract to the successor | company. | gowld wrote: | The company didn't "fail" -- it ripped off creditors. | Kon-Peki wrote: | Motorola developed and launched Iridium. They may have lost | their $X investment, but they also went out and sold mobile | network infrastructure equipment in the developing world for | $(X * Y). | jcun4128 wrote: | I liked the book Eccentric Orbits about Iridium | kingcharles wrote: | Do things like Tumblr and Skype count? | | Where a legacy Internet behemoth mistakenly clicks "Buy It Now" | on a startup for eleventy billion dollars during some drug-and- | drink fueled bender and then wakes up the next day and offloads | it to some rando on Twitter for whatever they have lying around | in their PayPal balance. | neilparikh wrote: | It's funny, I think Yahoo has done this twice now: once with | Tumblr and once with Delicious (although the chain of | ownership for Delicious is much longer). 
| beervirus wrote: | coliveira wrote: | They didn't give me anything, they gave to the companies that | bought the satellites for next to nothing. | [deleted] | jasode wrote: | _> Is there any other example like this where a failed company | manages to leave us with something useful while its immense | costs were just ... evaporated?_ | | Blender's original investors' capital didn't totally evaporate, | but the $100k buyout to release it as open source was a small | fraction of their $4.5 million: | | https://docs.blender.org/manual/en/latest/getting_started/ab... | h2odragon wrote: | What other gifts continue to be the responsibility of the giver | after they're given? | | If I give you a puppy, and it gets sick, should the vet bill me? | | If I gave you a car, and the wheels fall off two years later, is | that my problem? | | In this instance people have been using this Java package for | _years_ I gather without problems. Why is the responsibility for | changing the package anyone but theirs, the people using it; now | that they're decided they have stricter requirements for that | need? | | Even the entertainment industry's notion of "ownership" isn't so | endless. They'd like to be paid every time we use their product, | but have settled for "licensed media" ... but that license | doesn't extend to replacing the media when it wears out. | shadowgovt wrote: | > Why is the responsibility for changing the package anyone but | theirs, the people using it; now that they're decided they have | stricter requirements for that need? | | It isn't. Every open source consumer is ultimately responsible | for the use of the code. That's baked into every open source | license I'm aware of. Even the "share and enjoy" mantra is a | tongue-in-cheek reference to a rhyme that ends with | recommending what porcine orifices you can put your head on if | you don't like the software. | | ...
But there's more to be gained by the original authors, in | glory and internet points, by publishing a fix for the problem | than in washing their hands of the whole affair. Some people | want their code correct as a point of professional pride alone. | ekidd wrote: | > Even the "share and enjoy" mantra is a tongue-in-cheek | reference to a rhyme | | I don't know of any rhyme, but I always assumed that this was | a reference to the _Hitchhiker's Guide_ and Sirius | Cybernetics Corporation. Which, yes, does involve a pig: | https://www.goodreads.com/quotes/95859-share-and-enjoy-is- | th... | | Sirius Cybernetics Corporation was best known for having | created Marvin, the depressed android, and doors with | cheerful personalities: | | > "All the doors in this spaceship have a cheerful and sunny | disposition. It is their pleasure to open for you, and their | satisfaction to close again with the knowledge of a job well | done." | | So yes, "Share and enjoy" was originally deeply drenched in | irony, and it functioned as a warning to proceed at the | user's own risk. | xg15 wrote: | It's not just internet points, it's what makes the whole | thing practically viable. | | If you don't give any guarantees beside "it's a hobby | project", you can't expect anyone else to use your software | beyond hobby projects either. | ekidd wrote: | > If you don't give any guarantees beside "it's a hobby | project", you can't expect anyone else to use your software | beyond hobby projects either. | | I am happy to provide consulting services and support | guarantees through my LLC, and have done so in the past. | | Non-paying users who ask nicely might get fixes. Or they | might not! Unfortunately, those fixes might also arrive a | year or two after they stopped caring, I'm sad to say. | | But a project which doesn't bring me any revenue, and which | doesn't function as valuable advertising, is only going to | receive support when I have the time and the inclination.
| | Realistically, commercial adoption is only interesting to | me if there's _some_ upside for me. This isn't to say that | companies should never use my libraries or tools. Just that | if they want timely support, they should be prepared to | either pay me, or use the "Fork" button. | BeetleB wrote: | > If you don't give any guarantees beside "it's a hobby | project", you can't expect anyone else to use your software | beyond hobby projects either. | | Can't speak for log4j, but I don't _expect_ anyone to use | my SW beyond hobby projects. If they do, I expect them to | be responsible for how they use it. | fxtentacle wrote: | Or it's the opposite. I've had people base their business | operations on my clearly marked hobby project. And then | they started being nasty when I stopped updating it. | jjav wrote: | > If you don't give any guarantees beside "it's a hobby | project", you can't expect anyone else to use your software | beyond hobby projects either. | | That's a good thing. The companies shouldn't be expecting | free code and free support. If they want something for a | commercial product, pay for a commercial library with a | support contract. | nomdep wrote: | Reviewing code is (should be) significantly less work than | reimplementing it yourself, if you were able to do it in | the first place. | netcan wrote: | So... this is essentially a cultural question, so I think the | best way to look at it is empirically. | | Not exactly your question, but there's an anthropological | pattern whereby gift exchange between individuals of disparate | class or power (eg peasant & lord) automatically creates a | tradition. If a boss gives his employees a turkey for | christmas, christmas turkeys become a permanent expectation. If | a lord gives his king 20 camels for spring equinox, this can | easily escalate into a permanent tax. | hinkley wrote: | I know a former software developer who is very open about | going to therapy.
He once commented on this fact, saying that | he knew someone who also talked openly about therapy, and | that he never would have gone if they hadn't known this | person. Essentially he's hoping to be 'that guy' for somebody | else. | | Computer science, to people who are picking college degrees, | seems like a safe, sterile environment of pure logic. But the | only jobs are in software development, which is organic as | hell. It's messy, it often smells, sometimes it rots. And | sometimes it's just scary. A lot of people seem to be in | denial about this for a long time. | | Software is full of social capital and emotions, and we often | try to conceal both behind a mask of objective thought. I can | tell you ten logical reasons we shouldn't write the code this | way but the real problem is that I think your solution is | going to leave me stressed out of my comfort zone and/or | missing life events because I either can't trust that you'll | clean up your own mess, or that the business won't let you | because you can't do it fast or robust enough. So I'm gonna | argue with you about getting anywhere near that cliff edge, | but we're not going to talk about the proverbial agoraphobia | because that's too hard. | | And if my logical, objective, sterile reasons for saying 'no' | are deflected, odds are very good I'm going to acquiesce | instead of actually agree, and I'll be secretly stressed, | possibly grumpy, possibly even ready with an 'I told you so.' | All while we're trying to keep hard things 'professional'. | | Your solution is nerve wracking. This one is not. We should | use this one, because we have better things to stress about. | You're goddamned right we're going to trade a little more | stress for you now for less stress for the entire company | three months from now. It's a fair trade. | stevenhuang wrote: | Did you respond to the wrong comment? Not sure where you're | going with this comment. | xorcist wrote: | The examples are a bit one sided. 
| | If I give you covid, is that my responsibility? | | If I give you a piece of software with a backdoor in it, is | that my problem? | | In reality, all actions carry various kinds of | responsibilities. And well designed backdoors look exactly | like oversights, so the difference isn't all that clear cut in | practice. | [deleted] | [deleted] | xg15 wrote: | > _In this instance people have been using this Java package | for years I gather without problems. Why is the responsibility | for changing the package anyone but theirs, the people using | it; now that they're decided they have stricter requirements | for that need?_ | | Because for a long time, libraries have been advertised as | building blocks that you can quickly integrate into your own | application _without having to understand in detail how the | library works_. This assumption has been pretty crucial in the | cost/benefits calculation for using libraries vs writing | functionality yourself. | | Now that internet security is becoming an ever more serious | topic, this assumption might be less and less viable to hold. | We've walked back on it to an extent already with the current | best practice of "you don't have to understand how it works, | but at least update frequently". | | However, it might as well happen that this is not enough to | keep security issues from happening. Things are already moving | in a direction where it's absolutely expected that a developer | understands and takes responsibility for every line of code | that is included in their product, whether they wrote it | themselves or not. But if that happens, it will fundamentally | change the way we deal with libraries and how software | ecosystems work. | | Yes, free software devs can smugly repeat their stance of "it's | a gift so don't complain, no guarantees about anything" - but | if everyone took this seriously, no one could use free software | for anything critical, so the free software movement would be | mostly dead.
| | > _now that they're decided they have stricter requirements | for that need?_ | | I think what made the log4j vulnerability so dangerous wasn't | the ability to load arbitrary code via JNDI on its own (even | though that was certainly a horribly overengineered and | dangerous feature). The main vulnerability was that log4j was | accepting substitution patterns in the "parameters" section of | a logging command, the main purpose of which is to accept | untrusted input. There has been at least one other CVE which | exploits this without needing JNDI at all. | | "Don't trust user input" has been a fundamental rule of | security for a long time, and it was reasonable to assume the | log4j authors were aware of it. So the current situation is not | that requirements have suddenly become stricter, it's simply | that log4j broke a fundamental assumption about its API. | | (I'm also pretty sure that while the JNDI thing was an | unfortunate feature and was "working as intended", the | "substitutions in untrusted input" part was likely an honest bug | and never intended like that) | jjav wrote: | Back a few decades ago, companies (at least ones I worked at) | did not often use open source libraries in products. | Sometimes you'd go through months of lawyer meetings to get | some special case approved, but that was rare. So when you | needed a library you couldn't write internally, you'd buy it | from a vendor. That came with maintenance and a support | contract. | | As a developer that was a bit of a pain since you had to get | purchase approval instead of just adding a dependency to a | build file. | | But, I'm feeling that is actually the better model the | industry should go back to. It meant that developing | libraries was actually a viable business. Today companies | just leech off the open source everything, externalizing all | their costs and dumping the maintenance burden on unpaid | volunteers.
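The API flaw xg15 describes above (lookup tokens being evaluated inside the message parameters, the slot that exists to carry untrusted data) in a toy Python logger, added here as an illustration; this is not log4j's code and not anything posted in this thread. The `${source:key}` syntax, the in-memory lookup table and the sample request header are constructed for the example, and the lookups only read a local dictionary, never the network. The vulnerable and hardened loggers differ in exactly one thing: whether lookup expansion runs before or after the untrusted parameters are inserted.

```python
"""Toy logger: why untrusted log parameters must never be interpreted.

Constructed example modelled on the behaviour described in the thread,
not log4j's implementation. Lookups are served from an in-memory table.
"""
import re

# Constructed lookup sources standing in for ${...}-style lookups.
# (A real logger would resolve things like environment or context values.)
LOOKUP_SOURCES = {
    "const": {"app": "demo-service", "version": "1.0.0"},
    "env": {"HOME": "/home/demo"},  # constructed, not the real environment
}

# Matches ${source:key}; the key charset is deliberately narrow.
LOOKUP_RE = re.compile(r"\$\{([a-z]+):([A-Za-z0-9_./-]+)\}")

# Constructed sample: a request header an attacker controls, carrying a token.
UNTRUSTED_USER_AGENT = "curl/7.0 ${const:version}"


def expand_lookups(text: str) -> str:
    """Replace every ${source:key} in text with its value from LOOKUP_SOURCES.

    Unknown sources or keys are left untouched so the output stays inspectable.
    """
    def repl(match: "re.Match[str]") -> str:
        source, key = match.group(1), match.group(2)
        return LOOKUP_SOURCES.get(source, {}).get(key, match.group(0))
    return LOOKUP_RE.sub(repl, text)


def interpolate(pattern: str, params: tuple) -> str:
    """Insert params verbatim at each '{}' placeholder, left to right.

    Done by plain string splitting rather than str.format so that braces or
    percent signs inside a parameter can never be treated as syntax.
    """
    parts = pattern.split("{}")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        out += value + rest
    return out


def log_vulnerable(pattern: str, *params: str) -> str:
    """Interpolate first, then expand lookups over the finished line.

    Because expansion runs after interpolation, a ${...} token that arrives
    inside an untrusted parameter is evaluated exactly as if the developer
    had written it into the pattern. This is the design flaw under discussion.
    """
    return expand_lookups(interpolate(pattern, params))


def log_hardened(pattern: str, *params: str) -> str:
    """Expand lookups only in the developer-written pattern; params stay data.

    The pattern is trusted (it is source code); the parameters are not. Doing
    the expansion before interpolation keeps the two roles separate.
    """
    return interpolate(expand_lookups(pattern), params)


def contains_lookup(value: str) -> bool:
    """Detection helper: flag untrusted values that carry a lookup token.

    Useful as a log-pipeline or WAF-style check while a vulnerable logger is
    still deployed: alert on the pattern rather than silently interpreting it.
    """
    return LOOKUP_RE.search(value) is not None


if __name__ == "__main__":
    line = "GET / from {} by {}"
    print("vulnerable:", log_vulnerable(line, "10.0.0.1", UNTRUSTED_USER_AGENT))
    print("hardened:  ", log_hardened(line, "10.0.0.1", UNTRUSTED_USER_AGENT))
    # Lookups written by the developer still work in the hardened version.
    print("pattern:   ", log_hardened("[${const:app}] GET / from {}", "10.0.0.1"))
    print("flagged:   ", contains_lookup(UNTRUSTED_USER_AGENT))
```

Run stand-alone, the vulnerable logger prints the constructed version string in place of the token that came in through the user agent, while the hardened logger prints the token itself as inert text and still expands the `${const:app}` lookup the developer put in the pattern. The `contains_lookup` check is the kind of signal a defender can add at the ingestion layer while waiting for the library fix.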
| burnished wrote: | How do you 'leech' off of something intended to be used for | the common good? That perspective just doesn't make sense. | mcguire wrote: | " _As a developer that was a bit of a pain since you had to | get purchase approval instead of just adding a dependency | to a build file._ " | | How much of a pain was it when the vendor refused to fix | your bug because it, or you, weren't important enough? When | the vendor went out of business, or was bought by a company | uninterested in the product you were using? | | Oh, and when you consider writing a library internally, | keep in mind that patents are a thing. | | " _It meant that developing libraries was actually a viable | business._ " | | Yeah, I remember that. I remember when there were a million | billion little companies producing C++ libraries. Then C++ | started to get really popular, and those companies' | customers went from a small group of experts to a large | group of, uh, non-experts. Then they discovered that | support was hard and all went out of business. | | I really wonder what would have happened if HP hadn't open- | sourced the STL... | nradov wrote: | I have zero sympathy for the library users who got burned by | this security defect. It's fine to use free software for | critical systems, but only as long as you have developers who | can maintain it internally or a paid support contract with a | vendor who can do that for you. Those options cost money. If | you fail to account for that in your software bill of | materials then you deserve the consequences. | quags wrote: | This is what happens as things move more into mainstream from | a few technical users using this as intended in sort of a | small walled garden so to speak and then as it grows you get | non technical users and bad actors. Look how smtp started, | open for anyone where open relays were expected, to what we | have today - still a large spam problem, compromised accounts | with security on top of it.
There are lots of rewrites and | different smtp programs as things like smail and sendmail | were replaced by exim, postfix and qmail (qmail which is free | software, but really unmaintained and could be anyone's | problem if they wanted). | | I'd argue if there is an application that is being built on | libraries without a full understanding of keeping them | maintained over the years you will get a massive cluster fuck | with code rot. These are things that are learned with | experience, as a dev starts they take short cuts and learn | from the mistakes. It is not a bad system when you are | learning from your mistakes. There are simple solutions like | using an operating system that is maintained. Log4j and java | packages exist for example in operating systems that get | security updates - and continue to do so for the life of the | operating system. | xg15 wrote: | Yeah, my guess is also that long-term, software development | will involve fewer libraries and more "reinventing the | wheel" for those reasons. | | > _Log4j and java packages exist for example in operating | systems that get security updates - and continue to do so | for the life of the operating system._ | | But how does an updated OS help if the packages themselves | are not updated? | danaris wrote: | > Yeah, my guess is also that long-term, software | development will involve fewer libraries and more | "reinventing the wheel" for those reasons. | | I very much hope not. | | I would greatly prefer to see some certification bodies | arise that can vet libraries for exploits like this and | give a certificate of some sort saying "This library is | safe to use". | | Of course, that requires them to have some _extremely_ | good exploit-finders. | throw0101a wrote: | > _But how does an updated OS help if the packages | themselves are not updated?_ | | Package maintainers apply patches and roll a new package | version (e.g., +deb11u1).
| | At some point the package maintainers themselves may not | want to babysit things anymore and deprecate the package. | But most packaging systems that I'm aware of have | mechanisms for applying patches. | | In many cases _even if_ the software itself is _still_ | maintained, the package maintainers may only apply a | specific patch to ensure maximum compatibility. | | It's why many of us prefer 'slow moving' distros with | "old" packages: minimal change for a given version and | then only when 'necessary'. | hinkley wrote: | It's also a competitive problem. | | Log4j commoditized log formatting, appending, and rolling for | Java. If all my competitors use it and I don't, then I'm | behind them in the market. I spent engineering resources | creating my own, and add another layer to the NIH snowball | which will eventually start rolling all on its own if I don't | constantly invest a small amount of my limited attention into | stopping it. | | I only win if my competitors don't get away with it. Whole | empires have been built in the time between log4j being | 'production ready' and the discovery of this RCE bug. I'm | reasonably sure that the majority of software companies that | have ever existed, existed during this period, and any of | them who used Java got away with it, and trillions of dollars | to go with 'it'. | imran-iq wrote: | >Yes, free software devs can smugly repeat their stance of | "it's a gift so don't complain, no guarantees about anything" | - but if everyone took this serious, no one could use free | software for anything critical, so the free software movement | would be mostly dead. | | I don't think they have to smugly reply, it's included in the | licence[1] of the software that folks chose to use. See | sections 7 and 8 | | 1: https://logging.apache.org/log4j/2.x/license.html | isogon wrote: | There is social context to licenses. 
| | My employment contract states that I am an at-will | employee, so my boss could technically fire me because they | didn't like my haircut. If they were to _actually_ do this, | I would certainly be slighted by this, probably post about | it publicly and forewarn others against working for them, | although they would not have violated the letter of the | contract nor my understanding of its literal meaning. | 908B64B197 wrote: | > However, it might as well happen that this is not enough to | keep security issues from happening. Things are already | moving in a direction where it's absolutely expected that a | developer understands and takes responsibility for every line | of code that is included in their product, whether they | wrote it themselves or not. But if that happens, it will | fundamentally change the way we deal with libraries and how | software ecosystems work. | | That's one of the differences between coders and engineers. | | Coders just import libraries to avoid re-inventing the wheel. | Engineers consider each import as a dependency they'll have | to maintain, buy support for or replace. Log4j just | highlighted this difference, with some knowing exactly what | to patch and others frantically trying to determine if one | of the thousands of dependencies they imported into their app | actually used it. | | > Yes, free software devs can smugly repeat their stance of | "it's a gift so don't complain, no guarantees about anything" | - but if everyone took this seriously, no one could use free | software for anything critical, so the free software movement | would be mostly dead. | | There's a simple alternative: hire the devs. | mcguire wrote: | " _"Don't trust user input" has been a fundamental rule of | security for a long time, and it was reasonable to assume the | log4j authors were aware of it.
So the current situation is | not that requirements have suddenly become stricter, it's | simply that log4j broke a fundamental assumption about its | API._" | | Once you see it this way, the whole "open source is broken" | debate goes out the window. It was just a bug. A bad one, but | not anything that hasn't happened before and won't happen | again, open source or not. | | " _Yes, free software devs can smugly repeat their stance of | "it's a gift so don't complain, no guarantees about anything" | - but if everyone took this seriously, no one could use free | software for anything critical, so the free software movement | would be mostly dead._" | | Free software devs _have_ to smugly repeat "no guarantees | about anything" in the same way that non-free software | development has to do it: Otherwise all software development | would be mostly dead. | BeetleB wrote: | > Because for a long time, libraries have been advertised as | building blocks that you can quickly integrate into your own | application without having to understand in detail how the | library works. | | Libraries _in general_ have been advertised this way, but it's | not true for any given library, unless the library | maintainers make that claim. In fact, it's quite common for | people to release libraries with the exact opposite claim: | They are not liable for anything that goes wrong, and they | don't promise any support. | | It is a bit offensive to have expectations from someone when | the person makes it unambiguous how their SW can be used, and | where their responsibility lies. | | Now yes, it is true that many major, popular open source | libraries do make a show of their libraries being reliable, | and do provide support. And those that do tend to have more | adoption. But even a number of those do say "Hey, we're | putting in this effort, but are not _promising_ bad things | won't happen."
| > Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this serious, no one could use free software for anything critical, so the free software movement would be mostly dead.
| This is transforming a continuum into a fairly worthless binary scenario. You're not going to have every library say "We won't provide support" just as you won't have every library say "We'll follow best security practices" - so why bring it up? It's trivial to show the latter would have likely killed the free SW movement too.
| The reality is a continuum. And that is how the free software movement succeeds.
| daniel-cussen wrote:
| > If I give you a puppy, and it gets sick, should the vet bill me?
| > If I gave you a car, and the wheels fall off two years later, is that my problem?
| So in Western culture there's this notion that a gift creates no further obligations. The recipient should just be happy he got what he got and not expect anything more. As if to say, at least you didn't get nothing, you can still get nothing, you want nothing?
| I would say with the puppy if it gets sick and the recipient can't afford it, you should accept paying the bill. Before it was the "giftee's" puppy, it was your puppy for some small amount of time after you got it and before you gave it. Surely when you gave me a puppy you expected me to be able to keep it alive, right? And as for the car, it's not right to give someone a car whose maintenance they can't afford. The puppy and the car are two excellent examples of gifts that cannot be given without forming a relationship between the giver and the receiver.
| On the other hand a gift you can give and split and that's it is food or money. Just handing money to a beggar, he might ask for more, and you can walk.
| In some African cultures it's more like, if you do me a favor, do me another favor, and then we're true blue and you can rely on me to help you in return, but never in a tit-for-tat manner. It's in the book Debt: The First 5000 Years.
| georgebarnett wrote:
| The software library in question wasn't gifted. It was made open/available for re-use from a library.
| The person who chose to put it into _their_ code took ownership of its ongoing maintenance in their instance of its usage (presumably because they felt that would be less work than entirely diy).
| There is no puppy here.
| dasil003 wrote:
| This cultural expectation follows naturally from the nature of software. Software (especially of the networked variety) isn't something you can just deploy and be done. It has to be maintained to continue running over time as the ecosystem changes. The cost of this maintenance is lowest when amortized across the largest set of users, hence the success of open source software, and the desire to avoid forks. The people who are most qualified to maintain software are the original creators, so that is the path of least resistance.
| Of course no one is obligated to maintain anything, open source maintainers abandon stuff all the time without any repercussions beyond passive internet rage.
| andrewflnr wrote:
| Yep. The puppy analogy falls apart when you've given the same puppy to 10,000 people. All of them _could_ pay the vet bill separately, but we instinctively recoil from that as being horribly inefficient (and personally inconvenient) when it's possible for just the one puppy-giver to pay it.
| rapind wrote:
| I think it could be both a user and an industry issue.
| Lately I've been experimenting with treating many libraries as a starting point in some of my projects. Meaning I read and use the code, often removing things I don't need.
| So I fork and maintain my own lesser / crippled version (and hope authors don't take this as passive aggressive criticism!). This helps me lower attack surface and better understand what's going on.
| This doesn't work for everything obviously. I'm not forking an OS or database, so there are still lots of black boxes, but for some stuff I'm liking this approach.
| Now if another dev inherits my code I doubt they'll see it my way. The industry wisdom points at simply assembling libraries and only writing your specific business logic. So what if you use a library to do one thing that just happens to do 100 other things (thus having a much larger attack surface and bug potential)?
| I don't know yet if I'm being foolish or if I've stumbled on some ancient programmer wisdom I simply failed to grasp earlier. At least I'll probably never run into a leftpad issue.
| renewiltord wrote:
| It's just a natural outcome of the fact that most programmers are talkers, not doers. Naturally, they go online to talk about how they wouldn't have written the bug and haven't ever. But the truth is that's because they've never done anything worthwhile.
| It's like the whole OpenSSL thing again.
| runningmike wrote:
| 'You literally cannot pay for it. If you do, it becomes something else.' This is not true and imho misleading. You can pay for GPL software. Many people do pay a lot for FOSS software. You can pay devs that develop GPL software. And it will still be FOSS. Payments do not change whether software is FOSS or not.
| jdiez17 wrote:
| In that case (using the article's analogies), you are receiving a gift (GPL/FOSS software), and choosing to give them a gift as well (money). Both transactions are 100% no strings attached.
| adamgordonbell wrote:
| There is a book, called 'The Gift: How the Creative Spirit Transforms the World' that is popular in author circles.
| It's about the gift economy and how it's different than capitalism and how creative endeavours are really part of the gift economy, not the cash economy proper.
| I honestly got a bit bored of reading it and stopped, but the idea stays with me. This essay captures some of that idea - why you can't pay for a gift, how gifts work differently. They are a form of capital in that gift givers get social credit or something, but it's a very different system, a more traditional one than capitalism.
| jboynyc wrote:
| You might have more fun reading Marcel Mauss' classic, also called _The Gift_, on the structure and function of gift exchange across various societies.
| gowld wrote:
| "gift economy" is also the model underpinning Free Software.
| throwaway4aday wrote:
| It's also the model underpinning bribery. It's multi-purpose.
| ignoramous wrote:
| Does the book talk about one among the dangling questions the author posed but didn't answer: _how simultaneously, whole promising branches of the "gift economy" structure have never been explored._?
| tehjoker wrote:
| The gift economy part was good, the poorly read philosophy on communism lacking in class consciousness was yawn. Points for recognizing authoritarianism from capitalism. Negative points for assuming the US government was designed to secure liberty for all rather than the landed classes.
| hemmert wrote:
| Thanks for that gift of an article!
| Centmo wrote:
| If you liked it so much, why don't you give a donation :)
| draw_down wrote:
| andybak wrote:
| In case I forget when I'm done - I'm half a dozen paragraphs in and I want to say how much I love this style of writing.
| ignoramous wrote:
| You're not the only one: https://news.ycombinator.com/item?id=2320966 (2011)
| coderintherye wrote:
| Somewhat related to the points about authoritarianism, a book review of "The Conquest of Bread" that had some discussion about a month back: https://news.ycombinator.com/item?id=29349688
___________________________________________________________________
(page generated 2021-12-30 23:00 UTC)