
A Fatal Flaw in the Bazaar’s Foundations

A fatal flaw in open source ideology went from an intentionally overlooked rift to a massive unignorable chasm this week. It stems from the book “The Cathedral and the Bazaar” by Eric S. Raymond, oft cited and (I’m starting to wonder) not as often read.

[This article is an addendum to “Open Source Considered Harmful.”]

In the chapter “On Management and the Maginot Line” Raymond discusses the difference between “traditional management” and the free flowing volunteer contributions of open source, and how the latter solves common problems in a better way than the former.

On the question whether “traditional development management is a necessary compensation for poorly motivated programmers who would not otherwise turn out good work,” he says the following:

This answer usually travels with a claim that the open-source community can only be relied on only to do work that is `sexy’ or technically sweet; anything else will be left undone (or done only poorly) unless it’s churned out by money-motivated cubicle peons with managers cracking whips over them.

If the conventional, closed-source, heavily-managed style of software development is really defended only by a sort of Maginot Line of problems conducive to boredom, then it’s going to remain viable in each individual application area for only so long as nobody finds those problems really interesting and nobody else finds any way to route around them. Because the moment there is open-source competition for a `boring’ piece of software, customers are going to know that it was finally tackled by someone who chose that problem to solve because of a fascination with the problem itself—which, in software as in other kinds of creative work, is a far more effective motivator than money alone.

This underlying assumption, that open source developers naturally gravitate not only to “sexy” challenges, but also to difficult “boring” problems, has been a foundational component of open source ideology since its inception. When I first read Cathedral a decade ago, this assumption stood out to me as pure fantasy. My lived experience was exactly the opposite: Open source developers (myself included) gravitated easily towards new and shiny and exciting things, but were quite reluctant to take on boring maintenance and security issues. And because every contributor to an open source project is (ostensibly) a volunteer, nobody has the power to delegate work and tell them what to do. In fact, this lack of management is the very thing Raymond says solves the problem… somehow. Meanwhile, in the real world, corporations (hosting providers in particular) resorted to paying their employees to do the “boring” but critical work to ensure the project didn’t collapse due to poor maintenance.

Contrary to Raymond’s assertion some 20 years ago, the hard problems of open source very much depend on conventional management structures and paid contributors. And a significant portion of this work is carried by the very corporations Raymond and his open source ideologues wanted to take power away from. At no time has this been made more clear than yesterday, when tech CEOs and open source leaders convened at the White House to discuss how to secure open source.

Per GitHub:

First, there must be a collective industry and community effort to secure the software supply chain. Second, we need to better support open source maintainers to make it easier for them to secure their projects.

Per Google:

there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.

Per OpenSSF (Open Source Security Foundation):

Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.

In the Cathedral and the Bazaar, Raymond envisioned a future where open source contributors would naturally gravitate towards hard problems and solve them out of personal interest and pride. This falls closely in line with other privileged and elitist stances laid out in his book including “open source has been successful partly because its culture only accepts the most talented 5% or so of the programming population” and in the ideology established by Richard Stallman in the GNU Manifesto.

In both cases, these ideas – the very foundational blocks on which open source ideology is built – are divorced from the reality we all live in, where people need money to pay for things like food and clothes and a roof over their head, and where most people are willing to do things they enjoy for free (like developing new shiny stuff), but less so when the work is drudging maintenance or security engineering required by corporations and organizations earning billions of dollars off their free labor.

As I said in my previous article on this topic, it is time we rebuild open source ideology to be based on equity, inclusion, and sustainability.

Header photo by Chris Lynch on Unsplash.

By Morten Rand-Hendriksen

Morten Rand-Hendriksen is a Senior Staff Instructor at LinkedIn Learning (formerly specializing in AI, bleeding edge web technologies, and the intersection between technology and humanity. He also occasionally teaches at Emily Carr University of Art and Design. He is a popular conference and workshop speaker on all things tech ethics, AI, web technologies, and open source.