Open Source Has Too Many Parasocial Relationships


It is a remarkable triumph of free and open source software (FOSS) that it is so useful and so reliable that it has become ubiquitous. So reliable, in fact, that organisations of all shapes and sizes have baked it into the heart of their operations with little time spent wondering: “What happens when something breaks?”

That reliability is looking less… well, reliable… recently, as hundreds of NPM packages are compromised and we avoid a global outbreak of xz-style backdoors by sheer luck. Questions are asked about who is behind widely-used packages even as we all grow sick of seeing that one XKCD comic illustrating that Open Source is one person.

What to do?

The essence of Free Software is: “When it breaks, you get to keep both halves.” If something doesn’t work the way you want it to, you can change it so that it does. You can add features you think are missing. You can remove features you don’t like. You can adapt the software to better meet your own needs whenever you want.

However, if there’s a bug or a security vulnerability, you either have to fix it yourself, or ask someone else to help. No one is required to help you, because you have no explicit relationship with the people who wrote the software that you found on the side of the road and decided to take home with you.

This is a key point. There is no supply chain here because there is no supplier. Someone created the software artifact once upon a time, yes, but it was not supplied to you. It was made available to the world at large. You happened across this software that already existed and decided to use it, of your own free will.

If you want the software to get updated—to have bugs fixed and security vulnerabilities patched—you want something very different. What you want is an ongoing supply of software, not a copy of a specific software artifact. Confusing these two situations is, I think, at the core of the current angst about sustainability of free and open source software.

Where does that ongoing supply come from?

If you don’t want to do all the work yourself, you need to establish a relationship with other people. But if you’ve just been picking up software you found lying around the place, you don’t have a relationship with the people who built it. Not really. You might think you do, but one could argue that what you actually have is a parasocial relationship with free software, not a reciprocal relationship based on mutual advantage.

A lot of people have treated free software as a kind of naturally occurring resource, something that spontaneously happens in nature rather than as a product of directed human effort. Maintaining software takes work, and that work is done by people. People who might decide to do something different today, like changing the license, or selling their company, or, because they’re tired of the thankless toil, letting someone else take over maintenance, someone who then inserts a back door into the code.

There is, unfortunately, a great deal of entitlement from those who are happy to take the gift of free software but are unwilling to take on the burden of looking after the ecosystem that sustains it. A surprising number of people expect that software built by volunteers in their spare time, given away for free, should somehow achieve levels of perfection that even highly profitable private companies struggle to attain. It’s particularly galling when the entitlement comes from those same highly profitable companies, especially when their ‘contributions’ to open source are thinly-veiled attempts to lock customers into their proprietary ecosystems.

It is time to renegotiate the terms of this one-sided deal. The individuals giving away the fruits of their labour owe us nothing more. It is enough that we have received this tremendous boon, this vast array of high-quality software that is available free of charge. But if we want them to continue doing it, they will need to be supported in concrete, material ways.

Or they might simply stop.

In fact, I would encourage more unsupported maintainers to do just that. Stop rushing to fix bugs for people without a support contract. Patch security flaws at a more leisurely pace unless someone is willing to pay for greater urgency. Take your time and enjoy your hobby more, since that is what unpaid software maintenance is. Collaborate with other people only so much as it brings you joy.

Businesses and governments need to get used to the idea that you are not part of their “software supply chain” unless they are a paying customer. Unless and until they are willing to make direct, material contributions to the software maintainers they rely on, it is long past time that maintainers stopped letting them take advantage of their good nature. They are free to solve the problem themselves, just as they always have been.

Thank you to Emma Davidson for the push to write more about this topic.
