I’m writing this partially in response to the recent log4j vulnerability, where I see several people suggest that funding open source projects could have prevented this security meltdown from happening. In this post I hope to convince you that the biggest problem with open source projects isn’t the lack of funding.
Don’t get me wrong: I do believe that open source contributors should be paid a comfortable wage so that they can contribute full-time to the project. However, there is a greater disease that afflicts open source projects and funding them in the wrong way will only worsen the affliction.
The true problem with open source projects is catering to the needs of large and exploitative tech companies. Open source projects will continue to compromise on quality, ethics, and fair working conditions so long as they view adoption by these companies as the highest measure of success.
The log4j vulnerability
I don’t mean to dunk on log4j or its maintainers, but the log4j vulnerability perfectly illustrates the problem with putting the needs of big business first.
The maintainers of the log4j project knew that one of the lesser-known features was potentially problematic (although perhaps they underestimated the impact). However, did not remove the feature out of concern for breaking backwards compatibility. This is covered in more detail here:
As the above post notes, if large tech companies had funded the log4j project that would have only increased the pressure to not break backwards compatibility. Large companies are notorious for being loathe to migrate their codebases to accommodate breaking changes, to the point that they will significantly fall behind on upgrades or vendor an open source project. These companies consistently place their priorities ahead of the needs of the wider open source ecosystem.
Exploitation
The log4j incident is a symptom of a larger problem: many large and publicly-traded companies are exploitative and abusive and open source projects that simp for these large companies aren’t doing themselves any favors.
Not all companies are bad, but we can all tell when a given company has lost all sense of ethics or social responsibility when they do things like:
engaging in anti-competitive business practices
exposing sensitive user data through willful neglect
busting unions unscrupulously
doing business with authoritarian regimes
not even attempting to morally justify their actions
“The shareholders made us do it”
Is having an ethically dubious logo on your project’s page really something to be proud of? Or is it actually a red flag? Think about it:
Do you believe that a company that asks their employees to cut corners won’t ask open source projects they sponsor to hack around problems?
Do you believe that a company that colludes with other employers to depress wages will agree to fair working conditions for the open source projects they depend on?
Do you believe that a company that has compromised on its own morals won’t pressure its dependencies to do the same?
Free software vs open source
I’m not exaggerating when I say that businesses encourage open source developers to compromise on their morals, because this has already happened.
The most prominent example is that the predecessor to the open source movement was the free software movement, which was not just about making source code freely available, but also securing certain freedoms for end users, such as the right to inspect, modify and run the software their lives depend on.
The free software movement is fundamentally a moral movement, and whether or not you agree with their goals, their stated purpose is grounded in ethical arguments, not a business justification. Richard Stallman discusses this in Why Open Source Misses the Point of Free Software:
For the free software movement, free software is an ethical imperative, essential respect for the users’ freedom. By contrast, the philosophy of open source considers issues in terms of how to make software “better”—in a practical sense only. It says that nonfree software is an inferior solution to the practical problem at hand.
In contrast, the open source movement originated when businesses pressured developers to compromise on their ethical principles (especially copyleft licenses) in favor of being as easy to commercialize as possible (especially with permissive licenses). The same essay notes:
That is, however, what the leaders of open source decided to do. They figured that by keeping quiet about ethics and freedom, and talking only about the immediate practical benefits of certain free software, they might be able to “sell” the software more effectively to certain users, especially business.
… and they were successful, if you define success as wildly enriching tech companies.
Solutions
I’m not an expert on fixing this problem, but I also don’t believe that open source developers need to accept exploitative working conditions. I’ll briefly mention some alternatives that people have shared with me when I’ve brought up this subject in the past.
First off, funding is still important (despite this post’s title) and anybody interested in doing open source full-time should read:
… and if you do accept sponsorships, try to steer clear of accepting funding from companies with a dubious record. Even if they never explicitly threaten to withdraw their sponsorship the implicit risk will always loom over you and influence your actions.
If you form a business around your open source software you should prefer more ethical and sustainable business models. For example, consider staying away from venture capital and instead see if something like a co-op might be more appropriate, which is described in more detail here:
This is more common than you think and you can find a list of open source projects backed by co-ops here:
However, open source developers should first reflect upon what success looks likes for their project before pursuing funding. If your measure of success is “large companies use my project or fund my project”, you still run the risk of being taken advantage of by those same companies. If your goal is to be used then, well, you’ll be used.
More generally, I believe that open source development should return to its roots as a free software movement guided by moral principles. Doing so would help the open source community set better boundaries, which would in turn improve software quality, funding, and working conditions. Without a moral center to give developers a spine, they’ll continue to race to the bottom to please corporate interests.