Is It Even Worth Working on FOSS Anymore?

December 24, 2021
Tech Professionalism Open Source FOSS TikTok log4j OBS Studio Cybersecurity GitHub Copilot Amazon Elasticsearch Elastic

Please see the disclaimer.

Introduction

I don’t know how to introduce this post other than the question in the title: is it even worth working on Free and Open Source Software anymore?

I have been asking myself this for the past week or two, and it’s uncomfortable for me; I believe in the power of Open Source to empower users and to give them control over their machines.

Exploited FOSS

But that belief of mine has been severely shaken by several things happened this week, things which also made me reconsider things that happened further in the past as well.

log4j

First, the log4j vulnerabilities happened. The maintainers worked to fix it, and what do they get?

So, it turns out that most of the development work on log4j is not funded, and what is funded is pitifully small.

And remember, there are people bashing the maintainers for screwing up something they essentially did as volunteers!

This is something that happens all of the time. When a vulnerability is discovered in a critical piece of software, people complain to maintainers whom they have never once thanked, helped, or paid.

OBS Studio

Also from this week:

Yes, it is that simple: TikTok stole code from an Open Source project.

The license OBS Studio is under, the GPL, requires anyone who distributes the code to anyone else to publish their changes in source code, and TikTok obviously did not do that.

Elasticsearch

This is not from this week.

Because Amazon started offering Elasticsearch, it was relicensed. Some people perceived the move poorly, and I can’t blame them.

Audacity

A company “bought” Audacity and added spyware. The same company also did it to MuseScore.

Patterns

These things are not just one-off bad things; they are patterns in the software industry. In fact, they’re so pervasive, they have a name: dark patterns.

Here are some more examples.

Ads in Paid Products

Adding ads to software seems to be in vogue, with Microsoft doing it to Windows, even though people pay for Windows.

That also goes for “smart” TV’s. Ads get added later, after you have had it for a while.

Spyware in Paid Products

Windows also has spyware, and you better believe that smart devices do as well, even if you paid for them. Yes, that includes Apple products.

Companies Pushing Subscription Models

Even worse is when companies push subscription models when you already bought their product, or they make it difficult to cancel a subscription.

Why do they do this? Easy: because a subscription model brings in constant, endless revenue. It’s exactly what MBA suits like. And they don’t want to lose it once they get it.

Scarcity of Maintainer Attention

Coming back to Open Source, it is obvious that there is a huge deficit of something we need more of: maintainer attention.

It makes sense why there is scarcity; after all, this is work done by volunteers in their “free” time. They may not have much free time at all!

And yet, these projects are critical infrastructure.

xkcd 2347: Dependency

xkcd 2347: Dependency

Companies that depend on these projects are like runaway logging companies: they are mining a scarce resource and not ensuring its sustainability.

The logging companies learned the lesson, and it’s time the software industry learned it.

Copilot

If straight up ignoring licenses, like TikTok did, wasn’t enough, there is now another way companies can extract value from FOSS without paying back: GitHub’s Copilot.

I’ve written before about the dangers of GitHub Copilot, and while the hype and bad press have died down, the dangers have not.

I’ve been busy to do something; I have written licenses to make GitHub hesitate before using my code as input to Copilot, and I’m currently trying to find lawyers to help me solidify those licenses.

Unfortunately, I can budget very little, about one hour’s worth of time for the attorney I would have used, and he thought I needed five hours’ worth of work.

I have contacted a couple of non-profits for help, but I don’t expect to get any because they probably have bigger fish to fry.

But even if I solidify the licenses, what stops GitHub from ignoring them by claiming that their Terms of Service allows them to use my code?

This is one big reason I pulled all of my code, except for bc, off of GitHub. If they make this argument about anything other than bc, they will be lying.

And beyond that, what stops other companies from using Copilot to launder my code?

My Hesitation

Before all of this went down, I was working on Rig, a new build system, one that would scale from small projects, to large projects, to everything in-between, including fully distributed and cached builds.

The ideas are so powerful, in fact, that they can form the basis of a Nix-like package manager, an event-based supervision system that would be vastly simpler than systemd while easier to use than s6, and a DevOps deployment system.

In fact, to implement the DevOps deployment system, no changes will be needed to Rig at all; it could do that without any outside help.

In essence, Rig would have been able to build distributed systems in exactly the same way it would build a single project: you specify targets and their dependencies, and Rig would do the rest, including parallelization.

But…will it even matter? Would Rig even be a net gain to the world?

The obvious answer is yes, but it’s not so simple.

Since companies steal Open Source software without a care in the world, what’s to stop companies from stealing Rig and embedding it into their proprietary software?

What will stop them from using Rig to spy on users? What will stop them from using Rig to feed users ads and manipulate them?

What’s to stop them from using Rig to backdoor every piece of software that they build with it, or to distribute a version to users that will backdoor whatever the users build with it?

In other words, what’s to stop companies from using an Open Source Rig to harm users more than it would help?

Open Source or Bust

Okay, well, perhaps the best way to serve users is to not release my code as Open Source? Maybe I should just provide binaries.

That won’t work because Open Source has sort of eaten the software industry; other programmers won’t use your stuff unless it’s Open Source.

Of course, those programmers are all too happy to hide their code from end users, who don’t know better.

Since my software will target programmers, I can’t make it closed source, or it won’t get used. Simple as that.

It’s even worse; Linux distros will often refuse to even package your software if it’s not Open Source.

I’m stuck between a rock and a hard place. If I make Rig Open Source, it could very well do more harm than good, regardless of whether I get paid! And if I don’t, it won’t get used anyway.

Conclusion

Ever since I started trying to not write harmful posts (like this one), I have tried to suggest ways of fixing the problems I have complained about in every post.

But…I can’t do that here. I have no solution.

This is depressing, to say the least. It’s depressing because I see no alternative other than to give up on writing software completely. After all, I can’t get a job, I can’t make money from writing Open Source software, and what Open Source software I do write could end up harming more users than it helps.

I had to accept I couldn’t get a job, but I still thought I could write software in my spare time and help the world.

Was I wrong? Is it now impossible to improve the world with Open Source?

I don’t have the answers to these questions. Until I do, I feel like I should default to doing nothing.

If you have thoughts about this, please feel free to contact me.

My Whitepaper About GitHub Copilot

I wrote a whitepaper about GitHub Copilot. Link inside.
Tech Professionalism Copilot GitHub FOSS Open Source Copyleft ML Machine Learning AI Artificial Intelligence Code Laundering

Projects in the Pipeline

This post has descriptions of all of the software projects I currently have in the pipeline.
Tech Programming KoOS Yada Yao Rig Portability

Poisoning GitHub Copilot and Machine Learning

GitHub has made me angry again. This time, it's because they are laundering code with machine learning. To fight that, I have developed new FOSS licenses to poison their well.
Tech GitHub FOSS Open Source Copyleft ML Machine Learning AI Artificial Intelligence Code Laundering Copilot