Open Source is awful
One of my favorite podcasts is Make Me Smart, hosted by public radio's Kai Ryssdal and Molly Wood. It's part of the Marketplace family of shows by American Public Media and is a friendly, casual look at the "big picture" of many of the stories of the day. One of their running themes is the "Make Me Smart question" that they ask everyone they interview, and encourage listeners to write or tweet or vlog in with their own answers to:
What is something you thought you knew that it later turned out you were wrong about?
It took me a while to decide what my own answer to that would be, but when I finally did I realized it was going to be way too long for a tweet to explain, so here we go.
I used to think Open Source was amazing. I've since come to realize just how awful it is.
With those incendiary words out of the way, allow me to explain. First, I need to draw a clear distinction between three often-confused concepts: Free Software, Open Source, and Volunteer Coding.
Free Software is a philosophy
"Free Software" is a term coined by Richard Stallman in the early 1980s, and steered by the Free Software Foundation. Free Software has nothing to do with price or cost; blame the English language for being dumb enough to use the same word for "freedom or lack of restriction" and "doesn't require money". Free Software is a moral stance that argues for maximizing the personal digital sovereignty of the user of a software program. Specifically, it is a commitment by the developer to respect the personal sovereignty of their users in four ways:
- The freedom to run the program as you wish, for any purpose (freedom 0).
- The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
- The freedom to redistribute copies so you can help your neighbor (freedom 2).
- The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
That's a bit clunky, so I like to reorganize it a bit to the freedom to:
- Use the program as you see fit
- Learn from the program as you wish
- Improve the program to make it fit your needs better
- Share your knowledge and improvements with others
Why is that so important? Because as law professor Larry Lessig has been pointing out for 20 years, Code is Law. The code that runs on our computers, phones, watches, cars, websites, and refrigerators dictates what we can and cannot do. As we turn our lives more and more over to technology as a mediator, the code that controls that technology becomes a key mechanism of control, for good or ill. It came 25 years later, but I think Cory Doctorow summed up the concept behind Free Software most succinctly:
When a computer receives conflicting instructions from its owner and from a remote party, the owner always wins.
Free Software is, at its core, the belief that you have a fundamental right to control your computer and your digital sovereignty, and any software license that gets in the way of that is immoral.
I agree with this position.
Open Source is a pragmatic development style
Stallman and his associates began developing software under a license that respected the four freedoms and making it available to as many people as possible. Nothing in the principle of Free Software precludes someone from selling copies of a program under a Free Software license, but since users have a moral right to the source code of the program and to share that source code it means that in practice selling per-unit becomes a rather difficult and ineffective business model. Which is fine, as there's plenty of other business models for software that work quite well.
However, when the source code is freely available and multiple people can modify it to suit their whims, it becomes quite natural to share those modifications back to a central source (the original developer) to aggregate together. That includes bug fixes, new features, security hardening, and even documentation. Thus, the availability of Free Software naturally lends itself toward (although does not mandate) collaborative development by multiple parties. It also encourages the development of more generic, shareable libraries (bundles of code) that others can freely reuse, which is the most dramatic improvement in developer productivity of the last 30 years.
That collaborative process, in which multiple users of a program (or their agents/employees) collectively work on a program "in the open" to make it better for all users, tends over time to lead to better quality software. (Well, most of the time, and over a long enough time frame.) By the late 1990s as the cost of such collaboration plummeted thanks to the Internet businesses started to catch on to those benefits.
Of course, business hates the word "Free"; both meanings of the word, in fact, but primarily the no-money part, at least for their own work. So was coined the term "Open Source" as a more business-friendly way to brand that collaborative development model while stripping out the philosophical and moral underpinnings that enabled it in the first place. (As I write this, the OpenSource.org website is celebrating "20 years of Open Source", completely ignoring and whitewashing the fact that Free Software predates it by 14 years and is responsible for its very existence.)
The Open Source Definition is worded differently than Free Software, and while it aims in the same direction there are some subtle differences.
I fully agree with the benefits of collaborative development in-the-open, and as both a developer and an end-user find it generally superior in most cases. The whitewashing of the moral and philosophical reasons for it in favor of purely pragmatic ones, however, I find to be undermining and self-defeating.
Volunteer coding is exploitation
Parallel with the growth of Free Software and its watered down sibling Open Source came the idea of volunteer coding. Once again, it's not in anyway intrinsic in the idea of Free Software or of Open Source. In fact, charging for your work is something most Free Software advocates fully encourage. However, much of the early Free Software was written on a volunteer basis by people who believed in it for moral reasons, and because it's really hard to sort out ownership and payment when a program is developed collaboratively by people from different organizations with different interests. As a result, "give it away at no cost" became a de facto expectation of Free Software and Open Source.
Additionally, many people get involved in an Open Source project (either starting it or contributing to it) on their spare time, for fun. Working on a project you care about for reasons other than "because my boss/client is paying me to" and doing so independent of the normal constraints of business schedules ("we have to do it the sloppy way because sales promised it to the client last week and we don't have time to do it properly, damn them...") is a very different experience and very refreshing. The entire social dynamic among the team is different. The social reward of having accomplished something, done something well, learned something, or helped people out is very different than a paycheck and not a substitute for it, but certainly valuable to many developers' emotional health.
But that has led to a rather significant problem as Open Source code has become more and more popular. Today, nearly every business relies on Free/Open Source code in some way, either explicitly or implicitly. It's presence is strongest in web-based software and on servers, but virtually every industry has some significant component where, whether they realize it or not, they're relying on code they got for free from someone they don't know with whom they have no formal business relationship.
I can guarantee you that there is Free Software involved in the process of you reading this post right now, with 100% certainty.
But here's the problem: A successful software project takes work to maintain. Bugs get found and need to be fixed; security holes need to be patched; some related piece of code changes that requires updating your code; documentation needs to be improved; users with questions need to be answered; and that's all before we even begin to think about adding features or functionality to it. That takes real time and real effort.
But if most businesses are using Open Source code for free, how are the developers compensated for that real time and effort? In the majority of cases the answer is "with verbal abuse and emotional blackmail."
They very largest projects (the Linux kernel, the Firefox web browser, etc.) often end up with a few smart companies realizing it's in their self-interest to fund full time development, and most of their work ends up being non-volunteer. They're not the problem. The problem is the mid-range to small projects, maintained by volunteers, that get short-shrifted. People don't value free.
Not a month goes by in the last several years without some maintainer of an Open Source project throwing up their hands in frustration and walking away because of burnout; burnout caused, invariably, by the demands that people make of their free time. The code was free, so why isn't free support and personalized help available for life???
Basically, this is how the software industry works today:
When Drupal 8 was released in late 2015 after 5 years of development, there was a huge outcry because that meant Drupal 6 was going out of support. Drupal (a web-based CMS and one of the largest Free/Open Source projects in the world) has long had a policy of providing security support for the current stable version and one previous major release, meaning that when a new major version is released 2 releases back from it goes out of support. This support is provided for free by the Drupal community (or rather, the Drupal Security Team) and is a pledge to fix any found security issues in a supported version. When Drupal 8 was released that meant Drupal 6, released in 2008, would have had seven years of completely no-cost security maintenance, provided by members of the Drupal community.
So what was the response from site owners running Drupal 6 sites? A sampling:
- "You can't do that to us!"
- "You need to provide an LTS version." (Long Term Support)
- "Screw this, if you won't support me I'm not using Drupal."
- "Not only we need Drupal 6 for eternity but also php versions supporting it for eternity." (link)
- "#Boycott Ending D6 support!" (link)
Eventually, a few companies started up selling Drupal 6 maintenance and support contracts. But people were still incensed that, godforbid, their seven years of relying on the labor of unpaid volunteers with whom they had no business arrangement was coming to an end. That is, they could no longer continue to be leeches.
Jordi Boggiano is the lead maintainer of Composer, the package manager that was a key component of modernizing the PHP ecosystem. (PHP is the programming language that powers most websites in the world.) He has an entire conference keynote on managing an Open Source project, much of which boils down to learning how to ignore the entitled, abusive demands that people throw at you:
One of the most influential and important PHP developers today is Fabien Potencier, the project lead of Symfony, who has managed to build a successful business on Open Source. And yet he gets so much abuse for it:
The illusion of getting software for “free”: Open-Source contributors are the exploited slaves of the modern programming world.— Fabien Potencier (@fabpot) February 24, 2018
(See the discussion thread after that tweet, too, for more details and discussion.)
Another Open Source maintainer, Alison Gianotto, has a successful business built on her company's Open Source project, SnipeIT. She and her team have built extensive documentation for it, answer support requests from non-customers just using the app for free (rather than the paid hosted version), and yet still gets crap like this on a regular basis (mild compared to much of what she tweets):
Even the bare fundamentals of the Internet get neglected. The entirety of the modern Internet depends on all computers on it having clocks that are very closely synchronized. Encryption doesn't work without that, and nothing else works without Encryption. Most computers stay synchronized using the Network Time Protocol, NTP, and a small program that runs on your computer to coordinate that. For years, NTP was maintained by one guy on a slow trickle of donations and no one even realized it.
The 2014 Heartbleed security vulnerability in OpenSSL happened because we simply weren't paying attention. Because everyone assumed it was someone else's problem.
Let me spell it out as clearly and as bluntly as I possibly can:
If you are relying on a piece of software, and you have not signed a contract with the maintainer/publisher of it nor are you actively and continually contributing to it in an ongoing fashion, then the author/maintainer doesn't owe you jack shit and never will.
Volunteer coding culture is self-abuse
Of course, we should not be surprised that users who make money off of software they get for free with almost no strings attached will abuse that non-relationship. Afterall, we Open Source developers do it to ourselves.
The Open Source community broadly (of which I do consider myself a full member) loves to evangelize itself. For years part of the selling point we made when pitching an Open Source solution to customers was "think of all the money you save on the license", which is both entirely true (often the non-Free alternatives cost over $500,000 just to walk in the door) and completely false (because it implies there's no equivalent cost elsewhere). I certainly made that argument enough times myself. I was wrong.
We love to encourage developers to get involved; "give back" is the mantra. There's all sorts of ways we have to lower the barrier for people to start engaging in volunteer coding on Open Source projects, to encourage them to do so, and to reward them emotionally for it with praise, high-fives (physical and virtual), hugs (physical and virtual), "street cred", and encouragement to keep doing it. But it's almost always to get them to spend more spare time working on something and giving their work away for free. And if godforbid your work becomes successful your reward is to do it even more. I've also spent a lot of time encouraging people to "give back" as an abstract concept, ignoring the inherent trap of it. I was wrong.
There is a host of social problems related to that dynamic, as it favors that segment of the population with the time to throw away on a beneficial hobby, but Ashe Dryden has written on that topic far better than I could so I will not repeat her. I want to talk more about the idea that we, as developers who are often donating our time (which based on the typical programmer salary is quite valuable) to people who are so often ungrateful and abusive in return and then turn around and encourage others to do the same.
That's veering into Stockholm Syndrome territory.
And of course if your career becomes tightly entwined with Open Source work, you're putting your career into a situation where none of the few remaining legal workplace and employment protections apply to you. If a project lead decides he doesn't like you anymore, for whatever reason, you're SOL and have no recourse. Depending on the situation that could harm you or your employer or both. (I am speaking from a great deal of very painful personal experience here.)
When the Drupal project decided it was time to overhaul its own website in 2008/9, they hired professional designers to figure out what to do. To actually implement it, however, the answer was simply "oh, the community will provide." Because of course we could always rely on the kindness of strangers to execute a hundred-gigabyte-scale migration and redesign without clear leadership and coordination on volunteer time. Spoiler alert: After over a year of that not happening the Drupal Association finally broke down and hired someone to do it.
We tell people that they should get involved in Open Source projects because it will make them more valuable employees, and raise their profile. That is simply the polite way of saying "do work for free and we'll pay you in exposure". We all know that's called exploitation, and the writing community is trying to push back against that sort of abuse.
Too, there's no guarantee that a patch submitted to an Open Source project will be accepted. You won't know until the work has already been done. There are absolutely valid reasons for that, but it effectively turns all Open Source contributions into spec work. The design community has made it very clear that spec work is unacceptable exploitation. So why do we enshrine it as the standard operating procedure for Open Source code?
We do it, I think, because we're fundamentally trying to be good people. We want to help others, we want to see our work get used, we want to be "part of something". We realize that we've benefitted hugely from the work of others developing Free and Open Source software, and really do want to "give back" to the commons. Those are all very positive desires that we can and should encourage. However, they are also very easily abused at a systematic level. People don't value what they get for free the same way as something they pay even a single cent for.
We're leaving tens or hundreds of billions of dollars on the table every year, money that goes straight into the pockets of users we don't even know yet who demand more of our time. In economic parlance, we've allowed the technology industry to "externalize costs" yet internalize profit. You're basically paying someone else to make money from your time and effort.
And then we realize burnout is a problem, and start talking about the need for "self-care" and time management as a solution. That is, to be blunt, hogwash.
We have built a system that encourages people to voluntarily donate highly-skilled labor that wealthy corporations can benefit from, then reward them in ways that make them feel guilty for not doing more of it, then when they become successful hit them with emotional abuse, and then respond "well you need to take care of yourself, you know" when it becomes too much.
This is a fundamentally exploitative dynamic, and we're all guilty of it.
Not all bad, but bad enough
To be fair, there are absolutely companies that handle this well. They hire people to work on Open Source projects they rely on, full or part time. They actively sponsor developer events for those involved in the projects. They make resources available to developers to help them with their work. These are all good things, and there are companies that are Doing It Right(tm). We should celebrate and encourage those.
There are also people and companies that are just taking and not giving back in any meaningful way, but are at least nice about it. They're not abusive, they're not demanding, and understand that they're getting someone else's free labor. That's fine too, and I don't want to cast stones at those who are accepting a free gift graciously.
None of that should be taken to say you shouldn't help a project where you can, either. If you find a bug, report it. Just be polite about it. If you can fix it, great, just be polite about it. But don't feel like you have a moral duty to then continue to donate your free time to that project afterward unless you're getting something out of it, just as the people working on the project have no moral obligation to do anything for you, either, including fixing your bug.
But what we in the Open Source community need to realize is that we are hurting ourselves and each other. Every time we encourage someone to spend more of their personal time building high-value output that we expect them to then give away for free, we are devaluing their time. We are encouraging them to put themselves out there for exploitation, because of the culture of entitlement we have allowed to grow up around us and in some cases have encouraged. We also perpetuate the inequalities in the Open Source community that we lament so often but fail to seriously address.
A better way
We have built this toxic environment, despite the most noble of intentions. That means it's on us to correct it. That means changing our own behavior and rejecting the idea that those who benefit from our work but don't support us matter.
Let me say that again:
If you are responsible for piece of software, and you have not signed a contract with a given user and that user is not actively and continually contributing to you or your project in an ongoing fashion, then you don't owe the user jack shit and never will.
I know, that's harsh. We want to be able to help people. We want people to be successful with our tools. But we cannot, must not foster a culture where people and companies are successful through the exploitation of the good will of others.
Eran Hammer summed this up nicely in his call for A New Social Contract for Open Source: "My code is free — my time is not."
Do not donate your high-skill time to someone just because they ask, unless you personally enjoy the specific task being done. A feature request that doesn't include a check isn't one you should pay any attention to. (I may recommend an exception for exploitable security flaws, here, as a matter of public safety.)
In Eran's case he asks for sponsors who get fast-track support. Other options include just getting hired by a company that uses your project or the project you want to contribute to. The cryptoasset crowd here on SteemIt would probably be most interested in Utopian.io, which tries to reward developers with Steem cryptoassets. Various people have tried services like Patreon (or GitTip before it), although that model doesn't seem to work as well in Open Source. There are likely many models here that will work, depending on the project and the people.
However, just as we have had to face up to the fact that selling per-unit is a business model that just doesn't work economically with Open Source we have to accept that demanding massive amounts of volunteer time just doesn't work economically or socially. It's a business model, but not a sustainable or ethical one.
And it is on us, who work in Open Source, to ensure that abusive business model dies off.