I’m writing this partially in response to the recent log4j
vulnerability, where I see several people suggest that funding open source projects could have prevented this security meltdown from happening. In this post I hope to convince you that the biggest problem with open source projects isn’t the lack of funding.
Don’t get me wrong: I do believe that open source contributors should be paid a comfortable wage so that they can contribute full-time to the project. However, there is a greater disease that afflicts open source projects and funding them in the wrong way will only worsen the affliction.
The true problem with open source projects is catering to the needs of large and exploitative tech companies. Open source projects will continue to compromise on quality, ethics, and fair working conditions so long as they view adoption by these companies as the highest measure of success.
The log4j vulnerability
I don’t mean to dunk on log4j or its maintainers, but the log4j vulnerability perfectly illustrates the problem with putting the needs of big business first.
The maintainers of the log4j project knew that one of the lesser-known features was potentially problematic (although perhaps they underestimated the impact). However, they did not remove the feature out of concern for breaking backwards compatibility. This is covered in more detail here:
As the above post notes, if large tech companies had funded the log4j project, that would have only increased the pressure to not break backwards compatibility. Large companies are notorious for being loath to migrate their codebases to accommodate breaking changes, to the point that they will fall significantly behind on upgrades or vendor an open source project. These companies consistently place their own priorities ahead of the needs of the wider open source ecosystem.
Exploitation
The log4j incident is a symptom of a larger problem: many large and publicly-traded companies are exploitative and abusive, and open source projects that simp for these large companies aren’t doing themselves any favors.
Not all companies are bad, but we can all tell when a given company has lost all sense of ethics or social responsibility when they do things like:
engaging in anti-competitive business practices
exposing sensitive user data through willful neglect
busting unions unscrupulously
doing business with authoritarian regimes
not even attempting to morally justify their actions
“The shareholders made us do it”
Is having an ethically dubious logo on your project’s page really something to be proud of? Or is it actually a red flag? Think about it:
Do you believe that a company that asks their employees to cut corners won’t ask open source projects they sponsor to hack around problems?
Do you believe that a company that colludes with other employers to depress wages will agree to fair working conditions for the open source projects they depend on?
Do you believe that a company that has compromised on its own morals won’t pressure its dependencies to do the same?
Free software vs open source
I’m not exaggerating when I say that businesses encourage open source developers to compromise on their morals, because this has already happened.
The most prominent example is that the predecessor to the open source movement was the free software movement, which was not just about making source code freely available, but also securing certain freedoms for end users, such as the right to inspect, modify and run the software their lives depend on.
The free software movement is fundamentally a moral movement, and whether or not you agree with their goals, their stated purpose is grounded in ethical arguments, not a business justification. Richard Stallman discusses this in Why Open Source Misses the Point of Free Software:
For the free software movement, free software is an ethical imperative, essential respect for the users’ freedom. By contrast, the philosophy of open source considers issues in terms of how to make software “better”—in a practical sense only. It says that nonfree software is an inferior solution to the practical problem at hand.
In contrast, the open source movement originated when businesses pressured developers to compromise on their ethical principles (especially copyleft licenses) in favor of being as easy to commercialize as possible (especially with permissive licenses). The same essay notes:
That is, however, what the leaders of open source decided to do. They figured that by keeping quiet about ethics and freedom, and talking only about the immediate practical benefits of certain free software, they might be able to “sell” the software more effectively to certain users, especially business.
… and they were successful, if you define success as wildly enriching tech companies.
Solutions
I’m not an expert on fixing this problem, but I also don’t believe that open source developers need to accept exploitative working conditions. I’ll briefly mention some alternatives that people have shared with me when I’ve brought up this subject in the past.
First off, funding is still important (despite this post’s title) and anybody interested in doing open source full-time should read:
… and if you do accept sponsorships, try to steer clear of accepting funding from companies with a dubious record. Even if they never explicitly threaten to withdraw their sponsorship the implicit risk will always loom over you and influence your actions.
If you form a business around your open source software you should prefer more ethical and sustainable business models. For example, consider staying away from venture capital and instead see if something like a co-op might be more appropriate, which is described in more detail here:
This is more common than you think and you can find a list of open source projects backed by co-ops here:
However, open source developers should first reflect upon what success looks like for their project before pursuing funding. If your measure of success is “large companies use my project or fund my project”, you still run the risk of being taken advantage of by those same companies. If your goal is to be used then, well, you’ll be used.
More generally, I believe that open source development should return to its roots as a free software movement guided by moral principles. Doing so would help the open source community set better boundaries, which would in turn improve software quality, funding, and working conditions. Without a moral center to give developers a spine, they’ll continue to race to the bottom to please corporate interests.
Thanks for writing this piece. I really enjoy thinking about this stuff and I hope that society can find a better way of building things like free software that exist in the public commons.
Parts of what you wrote kind of rub me the wrong way, though. People often want software they work on to be widely used; that is something that is cool about software and inspires people to work on it. But unless everyone becomes a programmer, open source libraries and generic utilities like Log4j aren't really directly usable by end users, so it's a reality that the consumers of that work are often businesses assembling a whole mix of open source and proprietary stuff into some overall software (like Minecraft!). I'd argue we haven't really found a good way to produce these sorts of aggregate software projects with the same quality, cohesiveness, and functionality as what the best businesses can produce. I would love for this to be different, but it's the current reality.
So I don't think we want to argue that it's always some moral failing for maintainers to consider business consumers of their software. (I don't think that's exactly what you're saying though it kind of came across that way.)
Maintainers are also going to have different ideas about which businesses are unethical and I think there's often room for reasonable people to disagree, especially when talking about bigger businesses that do lots of things, some good and some bad. Maintainers may also just think of the issue entirely differently. If you develop a generic feature which can be used for both good or evil, are you obligated not to develop that feature simply because there's at least one evil MegaCorp out there who will use it? I guess my point is, these questions can get pretty nuanced.
I think you're right that business needs end up being the loudest voice in the room, and that is problematic, not just because businesses can be unethical, but also because they tend to be incredibly myopic. They want to solve their short-term problems and there is often literally no-one being like "hey, why don't we step back and cooperate to solve this problem properly".
Also I think it's terrible how little businesses give back to open source that they rely on. The lack of diverse funding of open source is IMO part of the problem. If we could build a regular culture of businesses giving "no strings attached" money to open source maintainers (ideally with some actual mechanism to help it work at scale), it becomes easier for maintainers to consider the overall needs of the ecosystem in a more balanced way.
yup, totally right. The problem is that log4j isn't organized in a way that everyone is paid basically the same salary no matter how little or how much they contribute to its development. Turning it into a co-op would set its incentives right!
A co-operative means worker ownership, not "basically the same salary"