[HN Gopher] The gift of it's your problem now
___________________________________________________________________
The gift of it's your problem now
Author : Tomte
Score : 403 points
Date : 2021-12-30 13:03 UTC (9 hours ago)
(HTM) web link (apenwarr.ca)
| [deleted]
| beervirus wrote:
| jaredklewis wrote:
| This was a long, thoughtful read. I really enjoyed it and mostly
| see things as the author does.
|
| > So it is with free software. You literally cannot pay for it.
| If you do, it becomes something else.
|
| This is really the crux. Everyone is mad there's no money in
| writing free/os software, but if there was money it wouldn't be
| free/os software. It would just be like what we do at our day
| jobs.
|
| You can write the code someone else wants and get paid for it
| (aka a day job). You also have the option to write the code YOU
| want to write, but in this case you'll need to figure out a plan
| for making money on your own.
| coldpie wrote:
| > Everyone is mad there's no money in writing free/os software,
| but if there was money it wouldn't be free/os software.
|
| This doesn't hold up for me. I develop GPL'd software and I get
| paid for it. I probably wouldn't develop this particular GPL'd
| software if I wasn't getting paid to do it. The issues of
| payment and license seem related, but orthogonal.
| jaredklewis wrote:
| Right, so this is why the article tries to make the subtle
| distinction around "free" vs "open," not in the sense of the
| license, but in the spirit of the project.
|
| Different licenses, but working at GitLab or working at
| GitHub probably feels pretty similar; you have a boss, there
| are probably sprints, you build features, fix bugs, and so
| on.
|
| This is fundamentally different than working on a rust port
| of a GNU utility. This is the sense in which the article is
| using the word "free." This is idiosyncratic and doesn't
| align with either of free's typical usages (free as in
| beer or free as in FOSS), but there really isn't a perfect
| word for what the article is talking about.
| joe_the_user wrote:
| JM Keynes said: "A 'sound' banker, alas, is not one who sees
| danger and avoids it, but one who, when he is ruined, is ruined
| in a conventional and orthodox way along with his fellows, so
| that no one can really blame him." and same applies to software
| managers.
|
| We've had lots of nasty security breaches lately. These
| breaches overall have nothing _directly_ to do with free
| software but it's pretty easy to see what they have in common.
|
| Security breaches grow like hardy weeds on the ground of "I
| don't have to face the consequences of bad security, my
| customers do". The Solar Winds and Log4j breach/hole came from
| wildly different software types but each had the quality of
| paying for security at the rate that it might harm you, not at
| the rate it might do harm in general. And comes because
| security is inherently expensive - since "security is a
| process, not feature", done right costs the entire organization
| time and money rather than simply involving a purchase.
|
| Which is to say: _" Everyone is mad there's no money in writing
| free/os software, but if there was money it wouldn't be free/os
| software. It would just be like what we do at our day jobs."_
| seems totally incorrect.
|
| QT makes money selling open source software. Red Hat makes
| money selling open source soft. If there was a market for
| tightly secure, verified open source software, people would be
| working writing (and especially testing) that. But companies
| put whatever crap onto their machines, whether barely maintained
| java or dubious closed source stuff.
| jaredklewis wrote:
| I see what you're saying, but just to be clear I'm using
| "free" here in the very idiosyncratic way the article does.
|
| Things like Red Hat, GitLab, or MongoDB from a license
| perspective are free/open source. But these types of projects
| are a totally different beast than "real" (for lack of a
| better word) open source projects like the linux kernel,
| emacs, ruby on rails, or lucene.
| RicoElectrico wrote:
| I think of platonic ideal FOSS as liberal art in the ancient
| definition: you do it because you can afford it.
|
| Having said that, this does not imply FOSS developers shouldn't
| have the "product mindset". Quite the opposite, in fact.
| PragmaticPulp wrote:
| I always wonder how much of the most popular open source
| projects are written by people who are actually being paid for
| the work by their employers
|
| Many of my open source contributions came from fixing bugs or
| adding features because I needed them for my job. Many of the
| biggest open source projects I use come from big companies that
| have full-time engineers working on them.
|
| I've also worked at two separate companies that have hired
| developers of very popular open-source projects. It didn't work
| out in either case because the company wanted them to
| prioritize work related to the company, but they wanted to
| continue focusing on the community as before.
|
| On a micro level, it's surprisingly difficult to arrange to pay
| someone outside of a company to work on a project for you. The
| amount of overhead that goes into arranging the contracting
| agreement, communicating the issue, setting up the contractor
| with your environment, and managing it all can quickly snowball
| into a massive commitment for even small work. The exception is
| hiring contractors or contracting companies who have made a
| business out of working in that exact domain and are already up
| to speed on the project and have good relationships with
| upstream maintainers, but those are rare.
| pm215 wrote:
| Conversely, on the receiving end, if you aren't somebody
| who's made a business out of being a contractor then taking
| some company's money to do a specific piece of work also
| seems like too much hassle and overhead to be worth it...
| WJW wrote:
| I think the "dream" of writing FOSS for a living is that it's
| like a normal job except for all the non-fun parts like
| mandatory HR meetings, boring standups, performance reviews,
| having to deal with customers/PMs/etc who don't understand the
| technical constraints, etc etc etc. It is just writing code you
| want to write with zero other obligations but somehow you get
| paid for it.
|
| When it's written out like that I think most people would
| recognize why it is not very realistic to get paid for
| something like that, but it is still a very tempting vision.
| Kinrany wrote:
| It's perfectly reasonable to want to be paid when your work
| has positive externalities. It doesn't matter whether you
| liked doing the work.
| kristjansson wrote:
| If you want to be paid for creating value, exchange value
| for money. If you want to change society, create value in
| exchange for conditions on its use and obligations of its
| users.
| kortilla wrote:
| What does positive externalities have to do with it? The
| entire point of volunteer work is to do something with
| positive externalities where you don't get paid.
| karaterobot wrote:
| I wish there was an open source fairy that put money in my
| bank account every time someone used my software! Until
| then, it's reasonable to _want_ to be paid without having
| to deal with the attendant hassles and responsibilities of
| participating in a business venture, but not reasonable to
| expect that to _happen_.
| mjmahone17 wrote:
| Starting around the renaissance, we kind of had "open
| source fairies" in the form of research grants,
| professorships and other forms of patronage. If you look
| at 19th century scientists, it seems like most of the famous
| ones weren't paid to do specific research, but instead
| were given space to do whatever research they could.
|
| This has gotten more and more restrictive: even in
| academia today, it seems rare for open ended grants to be
| given, and even when there are, there's a lot more
| competition for those grants than we can sustain with
| current funding.
|
| Open ended research doesn't necessarily work in a pure
| market system. And most open ended research probably
| won't provide any concrete monetary benefit to the person
| funding that research. Even Bell Labs wasn't really self-
| funding despite having developed some of the
| underpinnings of our modern economy. This is an (if not
| totally compelling) argument for a basic income: anyone
| can focus on fundamental research without worrying about
| covering life's fundamentals, so long as they're OK
| living a bare bones life while they can't get outside
| funding for it.
| syntheweave wrote:
| The market can work, but I think we've been going through
| a particular centuries-long period where the capital-
| intensive projects are most celebrated since they bring
| together the best of industrialization. However, there
| are crowdfunding platforms of various kinds now that let
| you sustainably finance small projects or build a
| marketing story that can be taken to a larger investor.
| When you get some proof, the funding spigot can flood in
| rather suddenly.
|
| I agree that open-ended research still isn't very
| rewarded since it goes too far from immediate wants. But
| I also suspect we are going to get a quality bump on
| "small stuff" in the coming decades, because so many of
| our technologies were rushed to market as soon as they
| were mature enough, and that was a causal factor in major
| quality issues like buggy/insecure software. Those issues
| are not cap-intensive to fix, and could subsist on
| crowdfunding solutions, but they need awareness.
| meheleventyone wrote:
| I think that it's less that people _expect_ it to happen.
| But that it rudely points out the absurdism and
| structural inequality involved in building free software
| within capitalism.
|
| Not just from the perspective of individual compensation
| but that billion dollar corporations can be completely
| exposed due to their reliance on people's hobbies.
| kmonsen wrote:
| I want there to be world peace and all dogs to be happy and
| I think that is reasonable, but I also understand that it
| is not likely to happen. To be honest I feel that is pretty
| similar.
|
| If someone wants to get paid for something, it needs to be
| explicitly charged for. Can always set up a patreon or
| something and only give it to backers or whatever. If they
| give something away for free I think it is a stretch to
| expect to be paid for it just because someone else finds it
| useful.
| mcguire wrote:
| It is certainly reasonable to want that. It is
| unfortunately not reasonable to expect it. Sorry.
|
| I hope you like what you're doing.
| tomxor wrote:
| > It doesn't matter whether you liked doing the work.
|
| It matters hugely, a lot of the good FOSS is good because
| the people who wrote it were passionate about what they are
| doing. You cannot create this passion with money, which was
| one of the largest points the author is making.
| Kinrany wrote:
| Is being averse to having good things a prerequisite to
| passion?
| tomxor wrote:
| I did not say that, I only said it _matters_ that you
| like doing the work.
|
| If anything, wanting good things and being dissatisfied
| with what you have is a pre-requisite to having the
| passion to creating something new. But none of what I am
| talking about are liquid, they are tangible - you can't
| have bad money, it's just money.
| thewakalix wrote:
| Sounds like you might like dath ilan.
| Kinrany wrote:
| I would :(
| WJW wrote:
| I agree, but there are two obstacles to actually getting
| paid:
|
| - The amount you can be paid for any sort of work has a
| range. The ceiling of the range is the value you added, the
| floor of the range is how expensive it would be to get
| someone else to do it. Since in open source the competition
| costs zero, this sets a very low floor for how much you can
| charge.
|
| - Wanting to be paid is indeed reasonable, but just wanting
| it is often not enough when it comes to companies. There
| will be contracts involved, minimum time commitments,
| purchasing processes if the company is big enough, etc.
| Navigating all that is what will turn open source back into
| a job, if you really make work of getting paid for it.
| __s wrote:
| To be fair you can greatly reduce the necessity of those
| other things you list if you take on a role of contributing
| to FOSS dependencies used by where you work. Because you can
| have a significant portion of your time devoted to that work
| & it won't involve those things. You also then gain a passive
| political advantage as feature requests to that dependency
| will fall under your responsibility as the contact point
| between the project & company
|
| Note that I may be totally wrong, as I've never found myself
| in too bureaucratic a team, so have generally found myself
| able to do whatever I want _(within reason ofc, but I try to
| be reasonable)_
| cardosof wrote:
| This. Money and accountability are directly related. So are
| accountability and processes/controls, the "boring" part.
|
| I think the developer dream isn't really FOSS, but something
| along the lines of "very popular, stable API in an API
| marketplace made by a single person".
| dblock wrote:
| I work at AWS on opensearch.org, literally to do this as
| described.
| pm215 wrote:
| I write code somebody else wants and get paid for it as my day
| job. It happens to be open source. Some people write the code
| they want to write, but keep it closed-source. So I don't think
| your contrast quite works.
|
| I think some of the "no money in open source software" unease
| isn't because people would like to get paid to write whatever
| code they feel like, but a desire to retain the benefits of
| having a massive amount of open source code out there (less
| reinvention of the wheel by multiple companies, low-cost low-
| friction way to bootstrap whatever actually interesting/novel
| software your company is doing, etc) but put it on a more
| sustainable footing where money is directed reliably enough at
| the people keeping it together that we can avoid the xkcd "one
| person in Nebraska" failure mode.
| treis wrote:
| IMHO the underlying problem is value based pricing. Roughly
| that means you take how much money your software generates
| for your clients and try to capture as much of that as you
| can. That leads to huge incentive for companies to not depend
| on commercial software since as soon as that happens the
| vendor will take them to pound town in contract negotiations.
|
| That fear makes it nearly impossible for something like Log4J
| to charge anything. Even if it's a penny per year per server
| you don't want to build on it because they can come back next
| year and make it $10 a year. And what are you going to do
| about it?
|
| FOSS removes that threat but it also makes the path of least
| resistance to not pay anything. The ideal solution is
| something like "You have to pay a little bit but it's
| guaranteed that it will never be more than a little bit". But
| I don't see how to do something like that.
| cromulent wrote:
| It is, isn't it. The article talks about "open source is
| communism" but not authoritarianism, real communism. Which
| made me daydream about if the various licenses for FOSS
| required profit making companies to pay $100 per year for
| all you can eat FOSS. And then it got distributed on some
| usage based basis. Would things be better? Not practical
| though.
| jimhefferon wrote:
| I think the question can be a little more subtle than that. I'm
| involved with an organization that does a lot of Free software.
| But sometimes money is involved.
|
| For instance, we have collected some money and funneled it to
| developers to give them time to do what would otherwise either
| take many years of nights and weekends, or just be too hard to
| get done without time to focus on it alone. This software is
| still Free, though.
| r_hoods_ghost wrote:
| One of the problems is that if your target market is other
| devs, there is a knee jerk demand that your software should be
| foss and free (as in beer).
|
| I hope that we'll see a move away from foss licensing to source
| available licenses over the next few years and an increased
| acceptance of this model in more areas.
|
| Dropping the non discrimination clauses in open source licenses
| while giving licensees the right to view and modify the source
| and integrate it with their own software, but not the right to
| redistribute, is to me a good middle ground for a lot of
| projects. This would allow developers to charge different rates
| (or not charge) depending on the licensee and ensure that they
| can capture more of the value from their work if they need to
| do so in the future, or if their project becomes popular. It
| works for Epic with Unreal Engine and more generally in the
| game industry where it is common to have source available
| licenses.
|
| While free software has its place in certain areas (academia,
| government, hobby projects), and I agree you should be able to
| audit and fix the software that runs on your own devices, it
| also has downsides and I don't think foss licensing should
| always, or even usually, be the default outside of these cases.
| mcguire wrote:
| " _...giving licensees the right to view and modify the
| source and integrate it with their own software, but not the
| right to redistribute, is to me a good middle ground for a
| lot of projects._ "
|
| Licensees have that right with (most) free software licenses.
|
| The downside of this is that, if the owner, Epic say, is not
| interested in changes you need, then you cannot distribute
| those changes no matter how valuable they are to you or
| anyone else. Further, you will have to maintain those changes
| in the face of whatever architectural differences the owner
| decides to introduce.[1] You are in the same position as the
| good old days of proprietary software (Believe me, you could
| absolutely pay IBM to make changes to its OS's. If you were,
| say, Ford.) except that you get to see the source. Yay.
|
| [1] Yes, you should be expected to maintain your own changes
| if the original maintainers don't want to. However, that's
| significantly more difficult if the owner is uninterested in
| your features or is actively trying to break you. (Microsoft
| waves in the distance.)
| ignoramous wrote:
| > _One of the problems is that if your target market is other
| devs, there is a knee jerk demand that your software should
| be foss and free (as in beer)._
|
| The problem with source-available COSS licenses like SSPLv1,
| BSLv1, Perimeter etc is that, it almost to the point of
| insulting developers who care about FOSS, wants to have its
| cake and eat it too: That is, the benefits of both, open and
| proprietary software. That's a hard sell, and it remains to
| be seen if they'd be as successful as FOSS for developer
| tools: http://dtrace.org/blogs/bmc/2018/12/14/open-source-
| confronts... and https://steveklabnik.com/writing/the-
| culture-war-at-the-hear...
|
| Another popular strategy is to open source just enough bits,
| but not all of it: Previously named "open-core", pioneered by
| Elastic (who have since moved to SSPLv1) and GitLab, but is
| now accepted as open-source, anyway. Tailscale falls in this
| category. https://www.heavybit.com/library/video/commercial-
| open-sourc...
|
| > _I hope that we'll see a move away from foss licensing to
| source available licenses over the next few years and an
| increased acceptance of this model in more areas._
|
| Nouveau open source strategy is to have a strangle hold on
| the software itself (think Chrome / Android) by keeping the
| development tightly guarded along with the business interests
| of the original sponsor. Typically, these projects are open
| sourced to commoditise competitors' advantages
| (Symbian/Blackberry in the case of Android, IE in the case of
| Chrome): https://www.joelonsoftware.com/2002/06/12/strategy-
| letter-v/
|
| The traditional way of being in a F/OSS business was through
| associate services like deployments and consulting a la RedHat
| for Linux / Acquia for Drupal:
| http://dtrace.org/blogs/bmc/2004/08/28/the-economics-of-
| soft...
|
| Open source, in particular FOSS (free-as-in-beer), in itself
| is a business strategy (but not a business model) if one
| knows how to use it to their advantage (as the author points
| out, many startups doing so these days):
| https://a16z.com/2019/01/22/what-comes-after-open-source/
| panic wrote:
| _> I read a book once which argued that the problem with modern
| political discourse is it pits the "I don't want things taken
| from me" (liberty!) people against the "XYZ is a human right"
| (entitlement!) people. And that a better way to frame the
| cultural argument is "XYZ is my responsibility to society."_
|
| I don't know if it's the book he's talking about, but Simone Weil
| makes this argument in the beginning of The Need for
| Roots[+]--that the correct way to think about our relationship to
| society isn't "rights" (someone else's problem) but obligations
| (our problem).
|
| [+] https://antilogicalism.com/wp-
| content/uploads/2019/04/need-r...
| kortilla wrote:
| That's pretty lazy thinking. Those are the same things. Your
| "rights" are everyone's "obligations".
| sophiebits wrote:
| From the post's author, the mentioned book is:
|
| > The Future of Capitalism by Paul Collier. There are a lot of
| insights in there but beware that the writing is kinda
| problematic in some ways, so it doesn't get my full
| endorsement.
|
| https://twitter.com/apenwarr/status/1476590932619567104
| a9h74j wrote:
| I don't recall which of Simone Weil's works this is from, but
| in terms of suggesting the ineffectiveness of rights, she
| presented this dialog of one person pleading with a much more
| powerful one:
|
| Pleading: But sir, you must respect my rights.
|
| Reply: I do not see the necessity of that.
| WalterBright wrote:
| There aren't any fundamental rights which require someone
| else to provide them to you. For example, your right to free
| speech does not oblige others to provide a platform for you.
|
| Now, "rights" can be created by law, but those are a
| different meaning of the word. A more apt word would be one
| of "privilege", "license", "obligation" or "power".
|
| For example, it is often said that the President has the
| right to veto legislation. No, he doesn't. He has the _power_
| to veto legislation.
|
| The words right, privilege, license, obligation, and power
| are probably the most misused words in the English language.
| arminiusreturns wrote:
| What I've noticed on this topic as a staunch proponent of
| individual rights from their enlightenment and renaissance
| roots is that far too many people pontificating on this
| subject don't even know the difference between a negative
| right and a positive right, nor do they understand the
| perils and antithetical nature of _collective rights_.
| notriddle wrote:
| Your post isn't really an argument. It's just
| contradiction.
|
| The whole point of calling rights "ineffective" is to say
| that this idea of fundamental rights that other people
| aren't obligated to provide to you has no utility. Your
| definition doesn't really contain any evidence to the
| contrary.
| titzer wrote:
| > There aren't any fundamental rights which require someone
| else to provide them to you.
|
| This is, of course, totally false. From the moment of birth
| your parents have to provide sustenance and safety, or
| you'll die. Similarly, someone must teach you a native
| language, if only indirectly, or you'll be unable to
| communicate or acquire skills. If a parent neglects a child
| and fails to provide them "services" (or whatever), the
| state will absolutely take the child away and punish the
| parents.
|
| As an adult, you have the right to a system of justice that
| allows you to argue grievances against others. You have the
| right to police and fire fighters. Those are all services
| provided to you.
|
| I used to think this way when I was a hardcore libertarian,
| but I'm not anymore. There are bazillions of things that we
| take for granted that are just table stakes in a modern
| society, like the rule of law, an educational system, clean
| air and water, and yes, healthcare. A hospital can't refuse
| you emergency care if you can't pay, and that's absolutely
| a right established in the social contract.
|
| Rights are a mix of inherent and acquired capabilities as
| well as courtesies granted by a social contract. Until you
| start paying back every person from whom you've learned a
| word in the English language, yeah, you are getting tons
| and tons of things for free without realizing it.
| stavros wrote:
| How is an "obligation" not the exact same thing as a "right",
| just from the other person's perspective?
|
| Pleading: But, sir, you must fulfill your obligations.
|
| Reply: I do not see the necessity of that.
| hdjrudni wrote:
| You didn't flip the dialogue, you just substituted
| different words.
|
| Replier: I should fulfill my obligations to society.
|
| Pleader: _le suffering_
|
| Replier: Ya..I should really do that now. It's my duty.
|
| That's the difference, the perspective. You aren't asking
| someone to fulfill their obligations, people are taking it
| upon themselves because the mindset has shifted. It's now
| upon you to do the right thing, not hand-wave say "you have
| rights..but it's someone else's job to realize them"
| stock_toaster wrote:
| I think the whole point is that it is from the other
| perspective (they are "jural correlative"?)[1].
|
| Example: https://en.wikipedia.org/wiki/Noblesse_oblige
|
| [1]: https://en.wikipedia.org/wiki/Corelative
| VWWHFSfQ wrote:
| > the correct way to think about our relationship to society
|
| This is where it falls apart. There is no correct way to think
| about our relationship to society.
|
| For instance, I don't think it should be illegal for a private
| citizen to own an AR-15 and take it out to a field and shoot up
| some soda cans once in awhile. But, as we know, sometimes
| owners of AR-15s take them to a church or school and shoot up
| some people. Are the lawful owners of AR-15s incorrectly
| thinking about their relationship to society? Are they the
| responsible party?
|
| edit: this coming from an American perspective on civil
| liberties, obviously.
| zby wrote:
| I have only one question: is his blog a gift?
| unnouinceput wrote:
| I don't like hair trimmers. I have no use for them and they
| only occupy space and eventually I return them when I get them
| as gifts. And yet, every 2 or 3 years I get one as a gift.
|
| His blog is a hair trimmer, now I have to kill the memory it
| occupied in my brain (return the gift).
| fmajid wrote:
| The hair trimmers are not a gift. They are a pointed
| commentary on your grooming, or so I would assume.
| tarsiec wrote:
| "Everything I don't like is communism!"
| zaphar wrote:
| That isn't even close to what the author wrote. The "quote"
| reflects nothing of substance from the article.
| xg15 wrote:
| From log4j to Communism vs Authoritarianism in less than 400
| words. Gotta admit, that is impressive even for internet
| standards.
| mirkules wrote:
| What's more is that the author is wrong. Free Software is
| libertarianism, not communism.
|
| "Free" refers to the freedom to modify the software, the
| liberty of one person to (legally) do whatever they want with
| the thing they own. Common ownership, or community control of
| means of production has nothing to do with Free Software.
| Nobody owns free software and nobody controls it.
| fmajid wrote:
| More precisely anarchism. The ethos of Stallman is completely
| at odds with that of libertarians.
| jrm4 wrote:
| I can't help but think _so much_ of this could be solved if we
| simply had real and effective product liability rules and
| consequences for things that use software.
|
| You give it away for free, no guarantees and such? Great, we
| appreciate it.
|
| You sold something to someone? Okay, well, like with food and
| buildings and cars and airplane rides, we understand that if it's
| done wrong it can be really harmful, so we have real legal
| consequences for getting it wrong. Where you sourced your inputs
| is _not my problem_ when it does -- whether that input was "free
| software" or "rotten ingredients" or "faulty concrete."
| EGreg wrote:
| Actually, cryptocurrencies and DAOs were supposed to be
| socialism. The network was going to be owned by the people. The
| natural way to monetize open source.
|
| Well, minus the whole one person one vote part, but still better
| than the surveillance capitalism of Big Tech companies funded by
| VCs buying shares, propping up their "free to lockin" model and
| dumping them on the public, who then made them extract rents
| forever to satisfy wall street earnings.
|
| In my opinion, cryptos were seduced by the dark side of profit,
| and buyers failed to care that the emperor (blockchain) has no
| clothes (scalability).
|
| I am focused on micropayments and local currencies with actual
| utility, and moving past blockchain. I am going to link to
| something -- and historically this link was immediately knee-jerk
| perceived as "shilling a coin" but if you read, there is no coin,
| it's just talking about how to ACTUALLY monetize open source
| projects and journalism and other online content on the WEB using
| WEB technology instead of government enforcers:
| https://qbix.com/token
| hinkley wrote:
| > If you wanted to pay someone to fix some software, you didn't
| want a gift. You wanted a company.
|
| > But if there is no company and someone gave you something
| anyway? Say thanks.
|
| This is what grinds my gears. There is no market for a company
| that tries to provide a better version of the gift. The author
| completely glosses over the social contracts involved in gift
| giving. Contracts that software developers seem to be
| particularly immune to.
|
| I think the party analogy is closer to the crux of it, because we
| all have a story about someone who threw an awful party or
| bought one pizza for people who helped them move and then retorts
| with something tone deaf like "you didn't have to come you know."
|
| I didn't have to come, but I had other options that day, which I
| turned down to come to your stupid party. There was an
| opportunity cost associated with your gift. I'm not some
| dilettante who is going to crucify you for throwing a boring
| party. If that's the sort of people you attract then you've done
| yourself a favor by filtering them out. But an _awful_ party is
| going to cost the group something.
|
| (Also I wish the author had mentioned "Free as in Puppy" which is
| part of the situation they are describing.)
| BeetleB wrote:
| > The author completely glosses over the social contracts
| involved in gift giving.
|
| First, social contracts with gift giving vary widely across the
| world. It's a good reason they should be ignored here.
|
| Second, as made very clear in the book _Influence_ by Cialdini,
| the common social contract with giving gifts is _reciprocity_ -
| and it holds even when the gift is crappy and/or unwanted.
|
| So if you're going to invoke social contracts, do address all
| aspects of that contract.
|
| You will also find significant disagreement on what the actual
| gift here is. For many, the gift is the _code_, not the
| _capability_. I'm giving the world this code. I provide some
| information about it. Whoever chooses to take it is expected to
| evaluate it and see if it fits their purposes.
|
| Finally, regarding the potluck/party scenario, a more
| comparable example is a community potluck where everyone in the
| city is invited and can bring dishes, with _no constraints
| whatsoever_. People will show up, and happily tell everyone
| what's in their dish and how they made it. Most of them will
| openly say "I really can't claim this won't harm you" and "I'm
| not sure what entails proper cooking." You listen to each one
| and decide if you want to eat it.
|
| Obviously, no one would ever run a potluck that way. You are
| using that fact to bash the developers, when you're not
| realizing the obvious: Potlucks/parties are a very poor
| analogy! Indeed, if you want to stick to the potluck analogy,
| then as an organizer, you definitely _would_ put some rules in
| place - rules that would (and should) preclude most open source
| SW from being used in your product.
| kristjansson wrote:
| Free software isn't a gift to its recipients, it's gift to the
| commons. It's an open house, not an embossed invite. The other
| side has some agency in selecting and evaluating the gift they
| receive, not least because every package disclaims the lack of
| warranty, fitness for purpose, etc.
|
| Does one have an obligation not to impose a bad party on their
| friends? Sure. Should one, seeing lights and music and sign
| saying 'all are welcome', feel a loss if they don't enjoy what
| they find inside? I don't think so.
| bruce343434 wrote:
| You can refuse a puppy
| hinkley wrote:
| I can yes, but if you think you have that much control over
| your environment, outside of a solo project, then you're in
| for some hard lessons ahead. Most of the time we end up
| living not just with our own bad decisions, but everyone
| else's too. Thinking you can stop everything bad from
| happening will just make you crazy, and cost you friends.
|
| I can't refuse a puppy when I come home from work and find
| that my aunt dropped one off that morning and the kids have
| been playing with it all day and already named it. I have to
| get other things done. I can't wait by the door in case
| someone shows up with a box that is making noises.
| janosett wrote:
| I don't think this analogy really holds. Whereas one person or
| a closed group usually organize a party, open source is, well,
| open!
|
| We could re-imagine this as a potluck I suppose. If you decide
| to bring nothing, you can't really complain if the food is
| awful.
| Kinrany wrote:
| I think it does hold: the cost of learning to use an open
| source project is not zero. It's the same as not asking the
| party planner about every detail even when they're perfectly
| willing to answer.
|
| Gift giving inherently involves trust from the recipient. And
| there's no transaction, so it's inherently consequentialist.
| kmac_ wrote:
| It doesn't hold at all. Open source licences usually
| clearly state that there are no guarantees. The contract is
| clear and log4j (or any other) authors don't owe anything
| to anyone. If you want guarantees, pay for it.
| Kinrany wrote:
| No one in this thread mentioned licensing or legal
| issues.
|
| As an edge case, consider a CLI that solves a trivial
| problem but also turns the computer into a space heater
| via an always-on service. It will rightfully damage the
| author's reputation with the users and they'll avoid
| using that person's code again, but they won't sue of
| course.
| hinkley wrote:
| I was in a club (full of adults) in high school that I only
| realized how amazing the leadership was after the then-
| president had passed away due to health issues. Which is a
| shame because adult me definitely would have found him and
| said thank you, and also fuck all those people who tried to
| vote you out, and then didn't do as well.
|
| They ran a fund raiser event (not unlike a fun run) twice a
| year and it was eye opening how many hands it took to make a
| good idea into one people invited their friends to next year.
| I volunteered a couple years at a couple of events and I know
| I worked harder those two days than I did when I
| participated, and not on the tasks I expected to be
| challenging. High school movie parties fall apart because
| it's all anarchy, _and_ no self control. There's a lot that
| goes into making a soiree a success instead of a disaster.
|
| My partner years ago stopped hosting parties because we were
| both ragged by the time people arrived, and there was always
| something we worked hard on that went unnoticed. Sometimes
| necessary, other times just a bad call on our part. Now we
| farm out the work a bit more, but even a potluck has key
| dishes and can fail if everyone guesses wrong. But if you pay
| close enough attention to a potluck, for many families
| grandma's dishes are the keystone that holds it together.
| She's seen some shit. She knows what's what.
|
| I used to bring an Igloo water dispenser to a volunteer group
| because the group I was in in high school worried a _lot_
| about people injuring themselves in the heat. They had
| meetings every year before the events to refresh people. Heat
| exhaustion is scary, even dangerous, but heat stroke is life-
| altering. For the volunteer group, I think maybe five of us
| cared enough to bring fluids, and while my extra didn't
| always get used, I'm absolutely sure that one of us saved
| somebody. And if one of the other five had been sick, or had
| a wedding, then mine wouldn't have been backup. It's not hard
| to bring water, but someone _has_ to do it. Unfailingly.
|
| The rest of the group would of course care if someone got
| sick, but only to prevent it happening a second time. When
| you do something right the first time, nobody appreciates how
| hard it was.
| pmjones wrote:
| I expounded on the gift-giving theme as well, some years ago, and
| am glad to see I was not alone: http://paul-m-
| jones.com/post/2018/12/11/open-source-and-sque...
| dado3212 wrote:
| > Miraculously the Internet Consensus is always the same both
| before and after these kinds of events. In engineering we call
| this a "non-causal system" because the outputs are produced
| before the inputs.
|
| So funny.
| gitgud wrote:
| > _When you try to pay for gifts, it turns the whole gift process
| into a transaction. It stops being a gift. It becomes an
| inefficient, misdesigned, awkward market._
|
| This resonated with me. When opensource involves money,
| incentives become misaligned... And all the bad parts of a SASS
| product become important, vendor lock in, upselling etc...
| Snetry wrote:
| > As a result, they started a nonprofit organization to rewrite
| all of Unix, which the printer did not run and which therefore
| would not solve any of the original problem, but was a pretty
| cool project nonetheless and was much more fun than the original
| problem, and the rest was history.
|
| That is an incredibly bad retelling of the GNU story
| shadowgovt wrote:
| As with most legends, it left out the details but got the crux
| of the situation right.
| badsectoracula wrote:
| The crux of the situation was that RMS started GNU because he
| realized that not having access to the printer's source code
| put whoever had access to it in a position of power over his
| use of the printer and the implications that has when
| extended to other aspects where software is concerned and
| will be concerned with as computer use increases.
|
| This was not mentioned at all in the blog post.
| shadowgovt wrote:
| He doesn't mention the power dynamic in the story
| (https://www.fsf.org/blogs/community/201cthe-printer-
| story201...).
|
| You can infer it mattered, but you can also infer he was
| pissed he couldn't make the machine do what he wanted.
| These are both valid interpretations of the same story...
| Which is the "crux" is up to the teller.
| badsectoracula wrote:
| The _entire point_ of Free Software is about users being
| in control of their programs, so _of course_ it is about
| the power dynamic. But of course even if it was about him
| pissed - and he was pissed, which is something he did
| mention - it was because he was denied that control.
|
| There isn't really any other interpretation than that.
|
| Also the story you linked to is not RMS' story, but a
| different and more recent story which is also about a
| printer that sounds similar to RMS'. The RMS story is
| linked in the page you gave, though it is a transcript
| and kinda big. Here are the relevant bits:
|
| > And then I heard that somebody at Carnegie Mellon
| University had a copy of that software. So I was visiting
| there later, so I went to his office and I said, "Hi, I'm
| from MIT. Could I have a copy of the printer source
| code?" And he said "No, I promised not to give you a
| copy." [Laughter] I was stunned. I was so -- I was angry,
| and I had no idea how I could do justice to it. All I
| could think of was to turn around on my heel and walk out
| of his room. Maybe I slammed the door. [Laughter] And I
| thought about it later on, because I realized that I was
| seeing not just an isolated jerk, but a social phenomenon
| that was important and affected a lot of people.
|
| Emphasis on the last bit: "And I thought about it later
| on, because I realized that I was seeing not just an
| isolated jerk, but a social phenomenon that was important
| and affected a lot of people."
|
| And after all he made the Free Software Foundation, not
| Working Printers Foundation.
| shadowgovt wrote:
| That's a good story about being pissed you can't make the
| software do what you want.
| Snetry wrote:
| did it get the crux right? To me this reads like Stallman got
| mad a company said no to him and because of that decided to
| rewrite UNIX because idk
| sja wrote:
| I interpreted this bit as intentionally reductive for the sake
| of humor. And I thought it was funny!
| Snetry wrote:
| okay after a reading it a few times I can see how it could be
| considered tongue in cheek I'll give it that
| rfrey wrote:
| This article was not about retelling the GNU story. Think of
| that sentence as a cultural reference, not an explanatory
| history.
| Snetry wrote:
| okay but even then it botches it
| mherdeg wrote:
| Hmm, re:
|
| > how startups tend to go bankrupt and their tech dies with them
|
| I have this mental model, which may not be entirely accurate,
| that the original Iridium corporation successfully launched
| satellites into orbit, erased the multi-billion dollar costs of
| the launch using bankruptcy, and then handed over control to a
| successor corporation who inherited control of the constellation
| but none of the startup costs.
|
| Do I have the story right? Is there any other example like this
| where a failed company manages to leave us with something useful
| while its immense costs were just ... evaporated?
| CommieBobDole wrote:
| That's roughly true, but it's sort of a special case; as I
| recall it, the US Department of Defense had come to depend on
| Iridium and didn't want to lose service, so they facilitated
| the orderly bankruptcy and re-emergence of the company, in part
| by offering an enormous multi-year contract to the successor
| company.
| gowld wrote:
| The company didn't "fail" -- it ripped off creditors.
| Kon-Peki wrote:
| Motorola developed and launched Iridium. They may have lost
| their $X investment, but they also went out and sold mobile
| network infrastructure equipment in the developing world for
| $(X * Y).
| jcun4128 wrote:
| I liked the book Eccentric Orbits about Iridium
| kingcharles wrote:
| Do things like Tumblr and Skype count?
|
| Where a legacy Internet behemoth mistakenly clicks "Buy It Now"
| on a startup for eleventy billion dollars during some drug-and-
| drink fueled bender and then wakes up the next day and offloads
| it to some rando on Twitter for whatever they have lying around
| in their PayPal balance.
| neilparikh wrote:
| It's funny, I think Yahoo has done this twice now: once with
| Tumblr and once with Delicious (although the chain of
| ownership for Delicious is much longer).
| beervirus wrote:
| coliveira wrote:
| They didn't give me anything, they gave to the companies that
| bought the satellites for next to nothing.
| [deleted]
| jasode wrote:
| _> Is there any other example like this where a failed company
| manages to leave us with something useful while its immense
| costs were just ... evaporated?_
|
| Blender's original investors' capital not totally evaporated
| but the $100k buyout to release it as open source was a small
| fraction of their $4.5 million:
|
| https://docs.blender.org/manual/en/latest/getting_started/ab...
| h2odragon wrote:
| What other gifts continue to be the responsibility of the giver
| after they're given?
|
| If I give you a puppy, and it gets sick, should the vet bill me?
|
| If I gave you a car, and the wheels fall off two years later, is
| that my problem?
|
| In this instance people have been using this Java package for
| _years_ I gather without problems. Why is the responsibility for
| changing the package anyone but theirs, the people using it; now
| that they're decided they have stricter requirements for that
| need?
|
| Even the entertainment industry's notion of "ownership" isn't so
| endless. They'd like to be paid every time we use their product,
| but have settled for "licensed media" ... but that license
| doesn't extend to replacing the media when it wears out.
| shadowgovt wrote:
| > Why is the responsibility for changing the package anyone but
| theirs, the people using it; now that they're decided they have
| stricter requirements for that need?
|
| It isn't. Every open source consumer is ultimately responsible
| for the use of the code. That's baked into every open source
| license I'm aware of. Even the "share and enjoy" mantra is a
| tongue-in-cheek reference to a rhyme that ends with
| recommending what porcine orifices you can put your head on if
| you don't like the software.
|
| ... But there's more to be gained by the original authors, in
| glory and internet points, by publishing a fix for the problem
| than in washing their hands of the whole affair. Some people
| want their code correct as a point of professional pride alone.
| ekidd wrote:
| > Even the "share and enjoy" mantra is a tongue-in-cheek
| reference to a rhyme
|
| I don't know of any rhyme, but I always assumed that this was
| a reference to the _Hitchhiker's Guide_ and Sirius
| Cybernetics Corporation. Which, yes, does involve a pig:
| https://www.goodreads.com/quotes/95859-share-and-enjoy-is-
| th...
|
| Sirius Cybernetics Corporation was best known for having
| created Marvin, the depressed android, and doors with
| cheerful personalities:
|
| > "All the doors in this spaceship have a cheerful and sunny
| disposition. It is their pleasure to open for you, and their
| satisfaction to close again with the knowledge of a job well
| done."
|
| So yes, "Share and enjoy" was originally deeply drenched in
| irony, and it functioned as a warning to proceed at the
| user's own risk.
| xg15 wrote:
| It's not just internet points, it's what makes the whole
| thing practically viable.
|
| If you don't give any guarantees beside "it's a hobby
| project", you can't expect anyone else to use your software
| beyond hobby projects either.
| ekidd wrote:
| > If you don't give any guarantees beside "it's a hobby
| project", you can't expect anyone else to use your software
| beyond hobby projects either.
|
| I am happy to provide consulting services and support
| guarantees through my LLC, and have done so in the past.
|
| Non-paying users who ask nicely might get fixes. Or they
| might not! Unfortunately, those fixes might also arrive a
| year or two after they stopped caring, I'm sad to say.
|
| But a project which doesn't bring me any revenue, and which
| doesn't function as valuable advertising, is only going to
| receive support when I have the time and the inclination.
|
| Realistically, commercial adoption is only interesting to
| me if there's _some_ upside for me. This isn't to say that
| companies should never use my libraries or tools. Just that
| if they want timely support, they should be prepared to
| either pay me, or use the "Fork" button.
| BeetleB wrote:
| > If you don't give any guarantees beside "it's a hobby
| project", you can't expect anyone else to use your software
| beyond hobby projects either.
|
| Can't speak for log4j, but I don't _expect_ anyone to use
| my SW beyond hobby projects. If they do, I expect them to
| be responsible for how they use it.
| fxtentacle wrote:
| Or it's the opposite. I've had people base their business
| operations on my clearly marked hobby project. And then
| they started being nasty when I stopped updating it.
| jjav wrote:
| > If you don't give any guarantees beside "it's a hobby
| project", you can't expect anyone else to use your software
| beyond hobby projects either.
|
| That's a good thing. The companies shouldn't be expecting
| free code and free support. If they want something for a
| commercial product, pay for a commercial library with a
| support contract.
| nomdep wrote:
| Reviewing code is (should be) significantly less work than
| reimplementing it yourself, if you were able to do it in
| the first place.
| netcan wrote:
| So... this is essentially a cultural question, so I think the
| best way to look at it is empirically.
|
| Not exactly your question, but there's an anthropological
| pattern whereby gift exchange between individuals of disparate
| class or power (e.g. peasant & lord) automatically creates a
| tradition. If a boss gives his employees a turkey for
| Christmas, Christmas turkeys become a permanent expectation. If
| a lord gives his king 20 camels for the spring equinox, this can
| easily escalate into a permanent tax.
| hinkley wrote:
| I know a former software developer who is very open about
| going to therapy. He once commented on this fact, saying that
| he knew someone who also talked openly about therapy, and
| that he never would have gone if they hadn't known this
| person. Essentially he's hoping to be 'that guy' for somebody
| else.
|
| Computer science, to people who are picking college degrees,
| seems like a safe, sterile environment of pure logic. But the
| only jobs are in software development, which is organic as
| hell. It's messy, it often smells, sometimes it rots. And
| sometimes it's just scary. A lot of people seem to be in
| denial about this for a long time.
|
| Software is full of social capital and emotions, and we often
| try to conceal both behind a mask of objective thought. I can
| tell you ten logical reasons we shouldn't write the code this
| way but the real problem is that I think your solution is
| going to leave me stressed out of my comfort zone and/or
| missing life events because I either can't trust that you'll
| clean up your own mess, or that the business won't let you
| because you can't do it fast or robust enough. So I'm gonna
| argue with you about getting anywhere near that cliff edge,
| but we're not going to talk about the proverbial agoraphobia
| because that's too hard.
|
| And if my logical, objective, sterile reasons for saying 'no'
| are deflected, odds are very good I'm going to acquiesce
| instead of actually agree, and I'll be secretly stressed,
| possibly grumpy, possibly even ready with an 'I told you so.'
| All while we're trying to keep hard things 'professional'.
|
| Your solution is nerve wracking. This one is not. We should
| use this one, because we have better things to stress about.
| You're goddamned right we're going to trade a little more
| stress for you now for less stress for the entire company
| three months from now. It's a fair trade.
| stevenhuang wrote:
| Did you respond to the wrong comment? Not sure where you're
| going with this comment.
| xorcist wrote:
| The examples are a bit one sided.
|
| If I give you covid, is that my responsibility?
|
| If I give you a piece of software with a backdoor in it, is
| that my problem?
|
| In reality, all actions carry various kinds of
| responsibilities. And well designed backdoors look exactly
| like oversights, so the difference isn't all that clear cut in
| practice.
| [deleted]
| [deleted]
| xg15 wrote:
| > _In this instance people have been using this Java package
| for years I gather without problems. Why is the responsibility
| for changing the package anyone but theirs, the people using
| it; now that they're decided they have stricter requirements
| for that need?_
|
| Because for a long time, libraries have been advertised as
| building blocks that you can quickly integrate into your own
| application _without having to understand in detail how the
| library works_. This assumption has been pretty crucial in the
| cost /benefits calculation for using libraries vs writing
| functionality yourself.
|
| Now that internet security is becoming an ever more serious
| topic, this assumption might be less and less viable to hold.
| We've walked back on it to an extent already with the current
| best practice of "you don't have to understand how it works,
| but at least update frequently".
|
| However, it might as well happen that this is not enough to
| keep security issues from happening. Things are already moving
| in a direction where it's absolutely expected that a developer
| understands and takes responsibility for every line of code
| that is included in their product, whether they wrote it
| themselves or not. But if that happens, it will fundamentally
| change the way we deal with libraries and how software
| ecosystems work.
|
| Yes, free software devs can smugly repeat their stance of "it's
| a gift so don't complain, no guarantees about anything" - but
| if everyone took this seriously, no one could use free software
| for anything critical, so the free software movement would be
| mostly dead.
|
| > _now that they're decided they have stricter requirements
| for that need?_
|
| I think what made the log4j vulnerability so dangerous wasn't
| the ability to load arbitrary code via JNDI on its own (even
| though that was certainly a horribly overengineered and
| dangerous feature). The main vulnerability was that log4j was
| accepting substitution patterns in the "parameters" section of
| a logging command, the main purpose of which is to accept
| untrusted input. There has been at least one other CVE which
| exploits this without needing JNDI at all.
|
| "Don't trust user input" has been a fundamental rule of
| security for a long time, and it was reasonable to assume the
| log4j authors were aware of it. So the current situation is not
| that requirements have suddenly become stricter, it's simply
| that log4j broke a fundamental assumption about its API.
|
| (I'm also pretty sure that while the JNDI thing was an
| unfortunate feature and was "working as intended", the
| "substitutions in untrusted input" part was likely an honest bug
| and never intended like that)
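The design point in the comment above, a logging API that runs lookup substitution over text that arrived as a message *parameter*, can be shown without any real logging library. The toy below is an added example, not log4j code: `${ns:key}` is a made-up lookup syntax, the `app` namespace and its values are constructed, and `render_unsafe` versus `render_safe` contrast the two places a substitution pass can be applied. The only difference between them is whether parameters are spliced in before or after the lookup engine runs.

```python
import re

# Lookup syntax of the form ${namespace:key}, for the toy logger below.
LOOKUP_PATTERN = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")

# Constructed lookup source: values a log configuration might expose.
# The "app" namespace is hypothetical, not a real log4j lookup.
APP_LOOKUPS = {"name": "inventory-service", "version": "1.4.2"}


def _resolve(match):
    """Resolve one ${ns:key} occurrence; unknown lookups stay verbatim."""
    namespace, key = match.group(1), match.group(2)
    if namespace == "app":
        return APP_LOOKUPS.get(key, match.group(0))
    return match.group(0)


def substitute(text):
    """Apply lookup substitution to TEXT (single pass)."""
    return LOOKUP_PATTERN.sub(_resolve, text)


def render_unsafe(template, *params):
    """Flawed design: parameters are spliced into the template first, and
    the whole rendered string, caller-supplied parameter text included,
    is then handed to the lookup engine."""
    message = template
    for param in params:
        message = message.replace("{}", str(param), 1)
    return substitute(message)


def render_safe(template, *params):
    """Lookups apply only to the developer-written template; parameters
    are treated as opaque data and are never interpreted."""
    pieces = [substitute(piece) for piece in template.split("{}")]
    out = [pieces[0]]
    for i, piece in enumerate(pieces[1:]):
        # Fill each placeholder with the next parameter; leave any
        # placeholder without a parameter as a literal "{}".
        out.append(str(params[i]) if i < len(params) else "{}")
        out.append(piece)
    return "".join(out)


def contains_lookup(value):
    """Detection helper: True if an untrusted value carries lookup syntax,
    which a message parameter should never need."""
    return LOOKUP_PATTERN.search(str(value)) is not None


if __name__ == "__main__":
    # Constructed untrusted input: a client-supplied header value.
    user_agent = "${app:version}"
    print(render_unsafe("User-Agent: {} (from ${app:name})", user_agent))
    print(render_safe("User-Agent: {} (from ${app:name})", user_agent))
    print(contains_lookup(user_agent))
```

With the same template and parameter, `render_unsafe` expands the lookup that came in through the parameter, while `render_safe` prints it back as the literal text it was given; `contains_lookup` is the kind of check a request-validation layer or a log-ingest alert can apply to values that should be plain data.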
| jjav wrote:
| Back a few decades ago, companies (at least ones I worked at)
| did not often use open source libraries in products.
| Sometimes you'd go through months of lawyer meetings to get
| some special case approved, but that was rare. So when you
| needed a library you couldn't write internally, you'd buy it
| from a vendor. That came with maintenance and a support
| contract.
|
| As a developer that was a bit of a pain since you had to get
| purchase approval instead of just adding a dependency to a
| build file.
|
| But, I'm feeling that is actually the better model the
| industry should go back to. It meant that developing
| libraries was actually a viable business. Today companies
| just leech off the open source everything, externalizing all
| their costs and dumping the maintenance burden on unpaid
| volunteers.
| burnished wrote:
| How do you 'leech' off of something intended to be used for
| the common good? That perspective just doesn't make sense.
| mcguire wrote:
| " _As a developer that was a bit of a pain since you had to
| get purchase approval instead of just adding a dependency
| to a build file._ "
|
| How much of a pain was it when the vendor refused to fix
| your bug because it, or you, weren't important enough? When
| the vendor went out of business, or was bought by a company
| uninterested in the product you were using?
|
| Oh, and when you consider writing a library internally,
| keep in mind that patents are a thing.
|
| " _It meant that developing libraries was actually a viable
| business._ "
|
| Yeah, I remember that. I remember when there were a million
| billion little companies producing C++ libraries. Then C++
| started to get really popular, and those companies'
| customers went from a small group of experts to a large
| group of, uh, non-experts. Then they discovered that
| support was hard and all went out of business.
|
| I really wonder what would have happened if HP hadn't open-
| sourced the STL...
| nradov wrote:
| I have zero sympathy for the library users who got burned by
| this security defect. It's fine to use free software for
| critical systems, but only as long as you have developers who
| can maintain it internally or a paid support contract with a
| vendor who can do that for you. Those options cost money. If
| you fail to account for that in your software bill of
| materials then you deserve the consequences.
| quags wrote:
| This is what happens as things move more into mainstream from
| a few technical users using this as intended in sort of a
| small walled garden so to speak and then as it grows you get
| non technical users and bad actors. Look how smtp started,
| open for anyone where open relays were expected, to what we
| have today - still a large spam problem, compromised accounts
| with security on top of it. There are lots of rewrites and
| different smtp programs as things like smail and sendmail
| were replaced by exim, postfix and qmail (qmail which is free
| software, but really unmaintained and could be anyone's
| problem if they wanted).
|
| I'd argue if an application is being built on libraries
| without a full understanding of keeping them maintained over
| the years you will get a massive cluster fuck
| with code rot. These are things that are learned with
| experience, as a dev starts they take short cuts and learn
| from the mistakes. It is not a bad system when you are
| learning from your mistakes. There are simple solutions like
| using an operating system that is maintained. Log4j and java
| packages exist for example in operating systems that get
| security updates - and continue to do so for the life of the
| operating system.
| xg15 wrote:
| Yeah, my guess is also that long-term, software development
| will involve less libraries and more "reinventing the
| wheel" for those reasons.
|
| > _Log4j and java packages exist for example in operating
| systems that get security updates - and continue to do so
| for the life of the operating system._
|
| But how does an updated OS help if the packages themselves
| are not updated?
| danaris wrote:
| > Yeah, my guess is also that long-term, software
| development will involve less libraries and more
| "reinventing the wheel" for those reasons.
|
| I very much hope not.
|
| I would greatly prefer to see some certification bodies
| arise that can vet libraries for exploits like this and
| give a certificate of some sort saying "This library is
| safe to use".
|
| Of course, that requires them to have some _extremely_
| good exploit-finders.
| throw0101a wrote:
| > _But how does an updated OS help if the packages
| themselves are not updated?_
|
| Package maintainers apply patches and roll a new package
| version (e.g., +deb11u1).
|
| At some point the package maintainers themselves may not
| want to babysit things anymore and deprecate the package.
| But most packaging systems that I'm aware of have
| mechanisms for applying patches.
|
| In many cases _even if_ the software itself is _still_
| maintained, the package maintainers may only apply a
| specific patch to ensure maximum compatibility.
|
| It's why many of us prefer 'slow moving' distros with
| "old" packages: minimal change for a given version and
| then only when 'necessary'.
| hinkley wrote:
| It's also a competitive problem.
|
| Log4j commoditized log formatting, appending, and rolling for
| Java. If all my competitors use it and I don't, then I'm
| behind them in the market. I spent engineering resources
| creating my own, and add another layer to the NIH snowball
| which will eventually start rolling all on its own if I don't
| constantly invest a small amount of my limited attention into
| stopping it.
|
| I only win if my competitors don't get away with it. Whole
| empires have been built in the time between log4j being
| 'production ready' and the discovery of this RCE bug. I'm
| reasonably sure that the majority of software companies that
| have ever existed, existed during this period, and any of
| them who used Java got away with it, and trillions of dollars
| to go with 'it'.
| imran-iq wrote:
| >Yes, free software devs can smugly repeat their stance of
| "it's a gift so don't complain, no guarantees about anything"
| - but if everyone took this seriously, no one could use free
| software for anything critical, so the free software movement
| would be mostly dead.
|
| I don't think they have to smugly reply, it's included in the
| licence[1] of the software that folks chose to use. See
| sections 7 and 8
|
| 1: https://logging.apache.org/log4j/2.x/license.html
| isogon wrote:
| There is social context to licenses.
|
| My employment contract states that I am an at-will
| employee, so my boss could technically fire me because they
| didn't like my haircut. If they were to _actually_ do this,
| I would certainly be slighted by this, probably post about
| it publicly and forewarn others against working for them,
| although they would not have violated the letter of the
| contract nor my understanding of its literal meaning.
| 908B64B197 wrote:
| > However, it might as well happen that this is not enough to
| keep security issues from happening. Things are already
| moving in a direction where it's absolutely expected that a
| developer understands and takes responsibility for every line
| of code that is included in their product, whether they
| wrote it themselves or not. But if that happens, it will
| fundamentally change the way we deal with libraries and how
| software ecosystems work.
|
| That's one of the differences between coders and engineers.
|
| Coders just import libraries to avoid re-inventing the wheel.
| Engineers consider each import as a dependency they'll have
| to maintain, buy support for or replace. Log4j just
| highlighted this difference, with some knowing exactly what
| to patch and others frantically trying to determine if one
| of the thousands of dependencies they imported into their app
| actually used it.
|
| > Yes, free software devs can smugly repeat their stance of
| "it's a gift so don't complain, no guarantees about anything"
| - but if everyone took this seriously, no one could use free
| software for anything critical, so the free software movement
| would be mostly dead.
|
| There's a simple alternative: hire the devs.
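The distinction 908B64B197 draws above, and the "software bill of materials" nradov mentions earlier in the thread, come down to one capability: given a deployable, can you say which chains of dependencies reach a named package? The block below is an added example, not anything from log4j or from a real build tool. The dependency graph is constructed with invented package names; in practice it would be populated from a build tool's resolved dependency tree or an SBOM.

```python
# Constructed dependency graph: package -> direct dependencies.
# Names are invented stand-ins, not real artifacts.
DEPENDENCIES = {
    "my-app": ["web-framework", "json-lib", "metrics-client"],
    "web-framework": ["http-core", "logging-facade"],
    "logging-facade": ["log4j-core"],
    "metrics-client": ["log4j-core", "http-core"],
    "http-core": [],
    "json-lib": [],
    "log4j-core": [],
    "other-app": ["json-lib", "http-core"],
}


def dependency_paths(graph, root, target):
    """Return every chain root -> ... -> target in GRAPH, depth-first,
    in the order the graph lists dependencies.

    Cycles are tolerated: a node already on the current path is skipped.
    """
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:
                walk(dep, path + [dep])

    walk(root, [root])
    return found


def direct_dependents(graph, target):
    """Packages that list TARGET as an immediate dependency; these are the
    first candidates for an upgrade or an exclusion rule."""
    return sorted(pkg for pkg, deps in graph.items() if target in deps)


def triage(graph, roots, target):
    """Map each deployable root to its chains reaching TARGET. Roots that
    come back with an empty list can be ruled out without further work."""
    return {root: dependency_paths(graph, root, target) for root in roots}


if __name__ == "__main__":
    report = triage(DEPENDENCIES, ["my-app", "other-app"], "log4j-core")
    for root, chains in report.items():
        status = "AFFECTED" if chains else "not affected"
        print(f"{root}: {status}")
        for chain in chains:
            print("  " + " -> ".join(chain))
    print("direct dependents:", direct_dependents(DEPENDENCIES, "log4j-core"))
```

Running it shows `my-app` reaching the target by two separate chains (one through a logging facade, one through a metrics client), which is exactly why patching a single direct dependency is not enough, and `other-app` with no chain at all. The same walk, fed a real resolved tree, is the difference between knowing what to patch and guessing.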
| mcguire wrote:
| " _"Don't trust user input" has been a fundamental rule of
| security for a long time, and it was reasonable to assume the
| log4j authors were aware of it. So the current situation is
| not that requirements have suddenly become stricter, it's
| simply that log4j broke a fundamental assumption about its
| API._"
|
| Once you see it this way, the whole "open source is broken"
| debate goes out the window. It was just a bug. A bad one, but
| not anything that hasn't happened before and won't happen
| again, open source or not.
|
| " _Yes, free software devs can smugly repeat their stance of
| "it's a gift so don't complain, no guarantees about anything"
| - but if everyone took this seriously, no one could use free
| software for anything critical, so the free software movement
| would be mostly dead._"
|
| Free software devs _have_ to smugly repeat "no guarantees
| about anything" in the same way that non-free software
| development has to do it: Otherwise all software development
| would be mostly dead.
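What "broke a fundamental assumption about its API" means in code, as an added toy model that is not log4j's implementation and not part of the thread: callers of a parameterized logger assume the arguments are data. A logger that rescans the fully rendered message for `${...}` lookups turns an argument copied from a request header into an instruction; one that renders the parameters and writes the result as-is keeps the contract. Only an env-style lookup is modeled, backed by a constructed dict rather than the real process environment.

```python
"""Toy model of a logger that expands ${...} lookups in rendered messages,
next to one that does not. Added, simplified illustration; this is not log4j's
code, and only an env-style lookup backed by a plain dict is modeled."""
import re
from typing import Dict, List, Sequence

LOOKUP_RE = re.compile(r"\$\{([^}]*)\}")

# Constructed "environment" for the demo; the real process environment is
# deliberately not consulted.
FAKE_ENV: Dict[str, str] = {"DB_PASSWORD": "hunter2"}


def resolve_lookup(expr: str, env: Dict[str, str]) -> str:
    """Resolve 'env:NAME' from the supplied dict; unknown lookups stay literal."""
    kind, _, key = expr.partition(":")
    if kind == "env":
        return env.get(key, "")
    return "${" + expr + "}"


def expand_lookups(text: str, env: Dict[str, str]) -> str:
    """Replace every ${...} occurrence in text with its resolved value."""
    return LOOKUP_RE.sub(lambda m: resolve_lookup(m.group(1), env), text)


def render(fmt: str, args: Sequence[object]) -> str:
    """Fill '{}' placeholders in order, slf4j/log4j style. Arguments are
    inserted verbatim; nothing here interprets them."""
    parts = fmt.split("{}")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    return parts[0] + "".join(str(a) + rest for a, rest in zip(args, parts[1:]))


def log_with_message_lookups(fmt: str, args: Sequence[object],
                             env: Dict[str, str], sink: List[str]) -> str:
    """The broken contract: lookups are expanded on the fully rendered message,
    so a parameter that came from a request header can trigger them."""
    rendered = expand_lookups(render(fmt, args), env)
    sink.append(rendered)
    return rendered


def log_without_message_lookups(fmt: str, args: Sequence[object],
                                sink: List[str]) -> str:
    """The expected contract: the message is rendered and written as-is."""
    rendered = render(fmt, args)
    sink.append(rendered)
    return rendered


if __name__ == "__main__":
    log_lines: List[str] = []
    # Constructed attacker-controlled header value.
    user_agent = "Mozilla/5.0 ${env:DB_PASSWORD}"
    print(log_with_message_lookups("request from {}", [user_agent], FAKE_ENV, log_lines))
    print(log_without_message_lookups("request from {}", [user_agent], log_lines))
```

Note that using the parameterized form does not help on its own: the first logger rescans the output after the parameters are in place, which is exactly why "I passed it as an argument, not as the format string" was not a defense. Log4j's own fixes went in the direction of the second function, first disabling and then removing lookup expansion in message content.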
| BeetleB wrote:
| > Because for a long time, libraries have been advertised as
| building blocks that you can quickly integrate into your own
| application without having to understand in detail how the
| library works.
|
| Libraries _in general_ have been advertised this way, but it's
| not true for any given library, unless the library
| maintainers make that claim. In fact, it's quite common for
| people to release libraries with the exact opposite claim:
| They are not liable for anything that goes wrong, and they
| don't promise any support.
|
| It is a bit offensive to have expectations from someone when
| the person makes it unambiguous how their SW can be used, and
| where their responsibility lies.
|
| Now yes, it is true that many major, popular open source
| libraries do make a show of their libraries being reliable,
| and do provide support. And those that do tend to have more
| adoption. But even a number of those do say "Hey, we're
| putting in this effort, but are not _promising_ bad things
| won't happen."
|
| > Yes, free software devs can smugly repeat their stance of
| "it's a gift so don't complain, no guarantees about anything"
| - but if everyone took this seriously, no one could use free
| software for anything critical, so the free software movement
| would be mostly dead.
|
| This is transforming a continuum into a fairly worthless
| binary scenario. You're not going to have every library say
| "We won't provide support" just as you won't have every
| library say "We'll follow best security practices" - so why
| bring it up? It's trivial to show the latter would have
| likely killed the free SW movement too.
|
| The reality is a continuum. And that is how the free software
| movement succeeds.
| daniel-cussen wrote:
| > If I give you a puppy, and it gets sick, should the vet bill
| me?
|
| > If I gave you a car, and the wheels fall off two years later,
| is that my problem?
|
| So in Western culture there's this notion that a gift creates
| no further obligations. The recipient should just be happy he
| got what he got and not expect anything more. As if to say, at
| least you didn't get nothing, you can still get nothing, you
| want nothing?
|
| I would say with the puppy if it gets sick and the recipient
| can't afford it, you should accept paying the bill. Before it
| was the "giftee's" puppy, it was your puppy for some small
| amount of time after you got it and before you gave it. Surely
| when you gave me a puppy you expected me to be able to keep it
| alive, right? And as for the car, it's not right to give
| someone a car whose maintenance they can't afford. The puppy
| and the car are two excellent examples of gifts that cannot be
| given without forming a relationship between the giver and the
| receiver.
|
| On the other hand a gift you can give and split and that's it
| is food or money. Just handing money to a beggar, he might ask
| for more, and you can walk.
|
| In some African cultures it's more like, if you do me a favor,
| do me another favor, and then we're true blue and you can rely
| on me to help you in return, but never in a tit-for-tat manner.
| It's in the book Debt: The First 5000 Years.
| georgebarnett wrote:
| The software library in question wasn't gifted. It was made
| open/available for re-use from a library.
|
| The person who chose to put it into _their_ code took
| ownership of its ongoing maintenance in their instance of its
| usage (presumably because they felt that would be less work
| than entirely diy).
|
| There is no puppy here.
| dasil003 wrote:
| This cultural expectation follows naturally from the nature of
| software. Software (especially of the networked variety) isn't
| something you can just deploy and be done. It has to be
| maintained to continue running over time as the ecosystem
| changes. The cost of this maintenance is lowest when amortized
| across the largest set of users, hence the success of open
| source software, and the desire to avoid forks. The people who
| are most qualified to maintain software are the original
| creators, so that is the path of least resistance.
|
| Of course no one is obligated to maintain anything, open source
| maintainers abandon stuff all the time without any
| repercussions beyond passive internet rage.
| andrewflnr wrote:
| Yep. The puppy analogy falls apart when you've given the same
| puppy to 10,000 people. All of them _could_ pay the vet bill
| separately, but we instinctively recoil from that as being
| horribly inefficient (and personally inconvenient) when it's
| possible for just the one puppy-giver to pay it.
| rapind wrote:
| I think it could be both a user and an industry issue.
|
| Lately I've been experimenting with treating many libraries as
| a starting point in some of my projects. Meaning I read and use
| the code, often removing things I don't need.
|
| So I fork and maintain my own lesser / crippled version (and
| hope authors don't take this as passive aggressive criticism!).
| This helps me lower attack surface and better understand what's
| going on.
|
| This doesn't work for everything obviously. I'm not forking an
| OS or database, so there are still lots of black boxes, but for
| some stuff I'm liking this approach.
|
| Now if another dev inherits my code I doubt they'll see it my
| way. The industry wisdom points at simply assembling libraries
| and only writing your specific business logic. So what if you
| use a library to do one thing that just happens to do 100 other
| things (thus having a much larger attack surface and bug
| potential)?
|
| I don't know yet if I'm being foolish or if I've stumbled on
| some ancient programmer wisdom I simply failed to grasp
| earlier. At least I'll probably never run into a leftpad issue.
| renewiltord wrote:
| It's just a natural outcome of the fact that most programmers are
| talkers, not doers. Naturally, they go online to talk about how
| they wouldn't have written the bug and haven't ever. But the
| truth is that's because they've never done anything worthwhile.
|
| It's like the whole OpenSSL thing again.
| runningmike wrote:
| 'You literally cannot pay for it. If you do, it becomes something
| else.' This is not true and imho misleading. You can pay for GPL
| software. Many people do pay a lot for FOSS software. You can pay
| devs that develop GPL software. And it will still be FOSS.
| Payments do not change whether software is FOSS or not.
| jdiez17 wrote:
| In that case (using the article's analogies), you are receiving
| a gift (GPL/FOSS software), and choosing to give them a gift as
| well (money). Both transactions are 100% no strings attached.
| adamgordonbell wrote:
| There is a book, called 'The Gift: How the Creative Spirit
| Transforms the World' that is popular in author circles. It's
| about the gift economy and how it's different than capitalism and
| how creative endeavours are really part of the gift economy, not
| the cash economy proper.
|
| I honestly got a bit bored of reading it and stopped, but the
| idea stays with me. This essay captures some of that idea - why
| you can't pay for a gift, how gifts work differently. They are a
| form of capital in that gift givers get social credit or
| something, but it's a very different system, a more traditional
| one than capitalism.
| jboynyc wrote:
| You might have more fun reading Marcel Mauss' classic, also
| called _The Gift_, on the structure and function of gift
| exchange across various societies.
| gowld wrote:
| "gift economy" is also the model underpinning Free Software.
| throwaway4aday wrote:
| It's also the model underpinning bribery. It's multi-purpose.
| ignoramous wrote:
| Does the book talk about one among the dangling questions the
| author posed but didn't answer: _how simultaneously, whole
| promising branches of the "gift economy" structure have never
| been explored._?
| tehjoker wrote:
| The gift economy part was good, the poorly read philosophy on
| communism lacking in class consciousness was yawn. Points for
| recognizing authoritarianism from capitalism. Negative points for
| assuming the US government was designed to secure liberty for all
| rather than the landed classes.
| hemmert wrote:
| Thanks for that gift of an article!
| Centmo wrote:
| If you liked it so much, why don't you give a donation :)
| draw_down wrote:
| andybak wrote:
| In case I forget when I'm done - I'm half a dozen paragraphs in
| and I want to say how much I love this style of writing.
| ignoramous wrote:
| You're not the only one:
| https://news.ycombinator.com/item?id=2320966 (2011)
| coderintherye wrote:
| Somewhat related to the points about authoritarianism, a book
| review of "The Conquest of Bread" that had some discussion about
| a month back: https://news.ycombinator.com/item?id=29349688
___________________________________________________________________
(page generated 2021-12-30 23:00 UTC)