Is It Even Worth Working on FOSS Anymore?

Introduction

I don’t know how to introduce this post other than the question in the title: is it even worth working on Free and Open Source Software anymore?

I have been asking myself this for the past week or two, and it’s uncomfortable for me; I believe in the power of Open Source to empower users and to give them control over their machines.

Exploited FOSS

But that belief of mine has been severely shaken by several things happened this week, things which also made me reconsider things that happened further in the past as well.

log4j

First, the log4j vulnerabilities happened. The maintainers worked to fix it, and what do they get?

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8

— Volkan Yazıcı (@yazicivo) December 10, 2021

So, it turns out that most of the development work on log4j is not funded, and what is funded is pitifully small.

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.

"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"

People, what are we doing. pic.twitter.com/2hAxUWCjuC

— Filippo Valsorda @filippo.abyssdomain.expert (@FiloSottile) December 10, 2021

And remember, there are people bashing the maintainers for screwing up something they essentially did as volunteers!

This is something that happens all of the time. When a vulnerability is discovered in a critical piece of software, people complain to maintainers whom they have never once thanked, helped, or paid.

OBS Studio

Also from this week:

Remember yesterday’s news about TikTok releasing a go live platform? Turns out it’s a fork of @OBSProject

Shoutout to @HunterAP23 for pointing this out

STOP STEALING FROM OBS JESUS pic.twitter.com/kx8ckK3MXS

— Naaackers (@Naaackers) December 16, 2021

Yes, it is that simple: TikTok stole code from an Open Source project.

The license OBS Studio is under, the GPL, requires anyone who distributes the code to anyone else to publish their changes in source code, and TikTok obviously did not do that.

Elasticsearch

This is not from this week.

Because Amazon started offering Elasticsearch, it was relicensed. Some people perceived the move poorly, and I can’t blame them.

Audacity

A company “bought” Audacity and added spyware. The same company also did it to MuseScore.

Patterns

These things are not just one-off bad things; they are patterns in the software industry. In fact, they’re so pervasive, they have a name: dark patterns.

Here are some more examples.

Ads in Paid Products

Adding ads to software seems to be in vogue, with Microsoft doing it to Windows, even though people pay for Windows.

That also goes for “smart” TV’s. Ads get added later, after you have had it for a while.

Spyware in Paid Products

Windows also has spyware, and you better believe that smart devices do as well, even if you paid for them. Yes, that includes Apple products.

Companies Pushing Subscription Models

Even worse is when companies push subscription models when you already bought their product, or they make it difficult to cancel a subscription.

• Adobe switched their Creative Suite to Creative Cloud.
• Toyota wants customers to subscribe to use remote start.
• A lot of companies allow you to subscribe online, but must call to cancel.

Why do they do this? Easy: because a subscription model brings in constant, endless revenue. It’s exactly what MBA suits like. And they don’t want to lose it once they get it.

Scarcity of Maintainer Attention

Coming back to Open Source, it is obvious that there is a huge deficit of something we need more of: maintainer attention.

It makes sense why there is scarcity; after all, this is work done by volunteers in their “free” time. They may not have much free time at all!

And yet, these projects are critical infrastructure.

xkcd 2347: Dependency

Companies that depend on these projects are like runaway logging companies: they are mining a scarce resource and not ensuring its sustainability.

The logging companies learned the lesson, and it’s time the software industry learned it.

Copilot

If straight up ignoring licenses, like TikTok did, wasn’t enough, there is now another way companies can extract value from FOSS without paying back: GitHub’s Copilot.

I’ve written before about the dangers of GitHub Copilot, and while the hype and bad press have died down, the dangers have not.

I’ve been busy to do something; I have written licenses to make GitHub hesitate before using my code as input to Copilot, and I’m currently trying to find lawyers to help me solidify those licenses.

But even if I solidify the licenses, what stops GitHub from ignoring them by claiming that their Terms of Service allows them to use my code?

And beyond that, what stops other companies from using Copilot to launder my code?

My Hesitation

Before all of this went down, I was working on Rig, a new build system, one that would scale from small projects, to large projects, to everything in-between, including fully distributed and cached builds.

The ideas are so powerful, in fact, that they can form the basis of a Nix-like package manager, an event-based supervision system that would be vastly simpler than systemd while easier to use than s6, and a DevOps deployment system.

But…will it even matter? Would Rig even be a net gain to the world?

The obvious answer is yes, but it’s not so simple.

Since companies steal Open Source software without a care in the world, what’s to stop companies from stealing Rig and embedding it into their proprietary software?

What will stop them from using Rig to spy on users? What will stop them from using Rig to feed users ads and manipulate them?

What’s to stop them from using Rig to backdoor every piece of software that they build with it, or to distribute a version to users that will backdoor whatever the users build with it?

In other words, what’s to stop companies from using an Open Source Rig to harm users more than it would help?

Open Source or Bust

Okay, well, perhaps the best way to serve users is to not release my code as Open Source? Maybe I should just provide binaries.

That won’t work because Open Source has sort of eaten the software industry; other programmers won’t use your stuff unless it’s Open Source.

Since my software will target programmers, I can’t make it closed source, or it won’t get used. Simple as that.

I’m stuck between a rock and a hard place. If I make Rig Open Source, it could very well do more harm than good, regardless of whether I get paid! And if I don’t, it won’t get used anyway.

Conclusion

Ever since I started trying to not write harmful posts (like this one), I have tried to suggest ways of fixing the problems I have complained about in every post.

But…I can’t do that here. I have no solution.

This is depressing, to say the least. It’s depressing because I see no alternative other than to give up on writing software completely. After all, I can’t get a job, I can’t make money from writing Open Source software, and what Open Source software I do write could end up harming more users than it helps.

I had to accept I couldn’t get a job, but I still thought I could write software in my spare time and help the world.

Was I wrong? Is it now impossible to improve the world with Open Source?

I don’t have the answers to these questions. Until I do, I feel like I should default to doing nothing.

If you have thoughts about this, please feel free to contact me.