Category: Open Source

A fatal flaw in open source ideology went from an intentionally overlooked rift to a massive unignorable chasm this week. It stems from the book “The Cathedral and the Bazaar” by Eric S. Raymond, oft cited and (I’m starting to wonder) not as often read.

[This article is an addendum to “Open Source Considered Harmful.”]

In the chapter “On Management and the Maginot Line” Raymond discusses the difference between “traditional management” and the free flowing volunteer contributions of open source, and how the latter solves common problems in a better way than the former.

On the question whether “traditional development management is a necessary compensation for poorly motivated programmers who would not otherwise turn out good work,” he says the following:

“This answer usually travels with a claim that the open-source community can only be relied on only to do work that is `sexy’ or technically sweet; anything else will be left undone (or done only poorly) unless it’s churned out by money-motivated cubicle peons with managers cracking whips over them.“

“If the conventional, closed-source, heavily-managed style of software development is really defended only by a sort of Maginot Line of problems conducive to boredom, then it’s going to remain viable in each individual application area for only so long as nobody finds those problems really interesting and nobody else finds any way to route around them. Because the moment there is open-source competition for a `boring’ piece of software, customers are going to know that it was finally tackled by someone who chose that problem to solve because of a fascination with the problem itself—which, in software as in other kinds of creative work, is a far more effective motivator than money alone.“

This underlying assumption, that open source developers naturally gravitate not only to “sexy” challenges, but also to difficult “boring” problems has been a foundational component of open source ideology since its inception. When I first read Cathedral a decade ago, this assumption stood out to me as pure fantasy. My lived experience was exactly the opposite: Open source developers (myself included) gravitated easily towards new and shiny and exiting things, but were quite reluctant to take on boring maintenance and security issues. And because every contributor to an open source project is (ostensibly) a volunteer, nobody has the power to delegate work and tell them what to do. In fact, this lack of management is the very thing Raymond says solves the problem… somehow. Meanwhile, in the real world corporations (hosting providers in particular) resorted to paying their employees to do the “boring” but critical work to ensure the project didn’t collapse due to poor maintenance.

Contrary to Raymond’s assertion some 20 years ago, the hard problems of open source very much depend on conventional management structures and paid contributors. And a significant portion of this work is carried by the very corporations Raymond and his open source ideologues wanted to take power away from. At no time has this been made more clear than yesterday when tech CEOs and open source leaders convened at the White House to discuss how to secure open source.

Per GitHub:

“First, there must be a collective industry and community effort to secure the software supply chain. Second, we need to better support open source maintainers to make it easier for them to secure their projects.“

Per Google:

“there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.“

Per OpenSSF (Open Source Security Foundation):

“Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.“

In the Cathedral and the Bazaar, Raymond envisioned a future where open source contributors would naturally gravitate towards hard problems and solve them out of personal interest and pride. This falls closely in line with other privileged and elitist stances laid out in his book including “open source has been successful partly because its culture only accepts the most talented 5% or so of the programming population” and in the ideology established by Richard Stallman in the GNU Manifesto.

In both cases, these ideas – the very foundational blocks on which open source ideology is built – are divorced from the reality we all live in where people need money to pay for things like food and clothes and a roof over their head and where most people are willing to do things they enjoy for free (like developing new shiny stuff), but less so when the work is drudging maintenance or security engineering required by corporations and organizations earning billions of dollars off their free labor.

As I said in my previous article on this topic, it is time we rebuild open source ideology to be based on equity, inclusion, and sustainability.

—

Header photo by Chris Lynch on Unsplash.

“Meritocratic hubris is the tendency of winners to inhale too deeply of their success, to forget the luck and good fortune that helped them on their way.” – Michael Sandel

Those who profit from open source have inhaled too deeply of their own success and forgotten the millions of volunteers who helped them on their way. Now we all run the risk of losing ourselves to an unfinished and deeply privileged ideology that saw the world not as it is or even how it could be, but as it would be were we all Richard Stallman. It is time to rethink the foundations of open source.

---

In December 2021, a serious vulnerability was discovered in a Java logging library called Log4j. It put a significant portion of the online infrastructure we rely on for the functioning of modern society at risk. Government agencies reached out to the developers to get it fixed, only to discover Log4j, like most open source software, is developed and maintained by unpaid contributors.

In response, the White House did the only thing they could do: Reach out to large software companies to find someone they could hold accountable for fixing the problem.

Per White House national security adviser Jake Sullivan: open-source software is widely used but is maintained by volunteers, making it “a key national security concern.” 

In other words, the White House considers open source potentially harmful. Let that sink in.

Then on January 9, 2022, a developer deliberately corrupted two major open source JavaScript libraries called “colors” and “faker,” affecting thousands of applications.

These corruptions were a political move by a developer to draw attention to the fact most open source developers volunteer their time and skill to build and maintain software others earn billions of dollars from. Per Wired.com: “A massive number of websites, software, and apps rely on open-source developers to create essential tools and components — all for free. It’s the same issue that results in unpaid developers working tirelessly to fix the security issues in their open-source software,“

Saying the quiet parts out loud

I’ve worked in open source for 15 years. I believe in open source, and I believe the online world we live in today would never have been built without open source. I also believe the open source ideology has become harmful, to individuals and to the community, and we – the open source community – need to rethink some of our core ideals and values and accept some hard truths.

Let me say the quiet parts out loud:

• Most of the online services we rely on for everything from social media to banking to healthcare depend on software written by unpaid volunteers, and when something goes wrong with that software, the responsibility of fixing those issues fall on those same unpaid volunteers.
• The world runs on open source, but with a few exceptions there are no meaningful governance structures in place to ensure oversight or accountability within the open source community.
• Open source software is a multi-billion dollar industry, yet the vast majority of open source developers and contributors never get paid a cent for their work. Meanwhile, corporations built on top of open source software have billion dollar valuations.
• Nobody speaks for open source, so when businesses, organizations, governments and world leaders need to talk to someone about open source, they have no choice but to turn to venture capitalists and large corporations whose financial success hinges on being able to steer open source projects in directions that are profitable to them for advice.
• Most open source projects are governed and controlled by a so-called “Benevolent Dictator For Life” or BDFL – typically a relatively young, relatively white man who either started the project or took control over the project early on – whose power is absolute and unchallenged.
• In many open source projects, that BDFL runs a corporate entity, built on the open source software, that for the average user is indistinguishable from the open source project itself (often going as far as sharing its name) that siphons enormous wealth from the project without distributing that wealth back to the volunteer contributors. In open source speak: They build cathedrals to look like the bazaar, in the middle of the bazaar, and reserve the exclusive right to advertise their cathedral as the bazaar.

Harm to contributors

In my years working in open source I’ve seen the real harms of this culture on contributors. Doing unpaid work while others profit off that work is harmful. Being told this is the way it’s supposed to work, that if you just work hard enough somehow you’ll end up being paid, is harmful. Shifting the responsibility of finding funding for mission critical infrastructure work to the individual contributor while large corporations lean on them to immediately fix issues and move the project in directions beneficial to them is harmful. Believing this culture of exploiting unpaid labor is healthy is harmful.

Power in open source projects is distributed based on a meritocratic “decisions are made by those who show up” model meaning if you have something important to say, or a vested interest in the project, you need to invest significant time and effort into the project to be heard. This gives corporate interests and people in positions of privilege power, while the majority of contributors are left to fend for themselves. Why? Because for the vast majority of contributors, this means volunteering their time so other people can make money off their work.

Most people – in particular women, people belonging historically excluded and oppressed groups, and people with disabilities – do not have the privilege of time and money to volunteer “enough” to be recognized in these meritocratic systems. As a result, decisions in these projects are made by an unrepresentative group of people who typically fall in the categories young, white, male, North American, abled, and in lockstep with the ideologies of the BDFL.

When questions are asked to the leaders of open source projects about why wealth is so unevenly distributed – why some corporations can earn millions of dollars on the work of unpaid contributors while the contributors themselves are chided for suggesting they deserve to be paid for their work – the answer is always the same: “Open source is volunteer contribution. If you want to get paid, go work in proprietary software.”

If you’re looking for a textbook example of gaslighting, there it is.

Not paying open source contributors for their work is a political decision based on the ideology established in the GNU Manifesto from 1985 from which the popular GNU GPL license originates. In it, Richard Stallman puts forth a utopian fever dream in which open source software wins the battle for software supremacy, corporations who rely on open source pay a form of tax to the open source community, and contributors magically get paid because of course people who do good work get paid. Think I’m being hyperbolic or unfair in my description? Read for yourself:

“In the long run, making programs free is a step toward the postscarcity world, where nobody will have to work very hard just to make a living. People will be free to devote themselves to activities that are fun, such as programming, after spending the necessary ten hours a week on required tasks such as legislation, family counseling, robot repair and asteroid prospecting. There will be no need to be able to make a living from programming.” – GNU Manifesto by Richard Stallman

37 years later and corporations make ever-increasing profits on the unpaid labor of volunteer open source contributors. Open source won the battle of software supremacy, on the backs of millions of unpaid workers.

Here’s the thing:

There is no good reason why open source contributors can’t get paid by the project for their work.

There is no good reason open source projects can’t set up foundations that collect money from investors and those who rely on the software and pay it to contributors based on need. There are models for this already in organizations like the OpenJS Foundation and the newly founded PHP Foundation. The reason this is not happening, in my opinion, is setting up such structures would shift the center of power from the BDFLs and their teams to the community itself. Which should be the goal of any open source project, but would financially impact the people currently in power. Which is why BDFLs and their supporters vehemently oppose any attempt at introducing meaningful governance into open source projects.

As a result, open source projects rarely if ever have any coherent policies, guidelines, or tools for accountability beyond protecting the open source nature of the project. Which is why when an open source project is approached by government because of its effects on society, instead of sending representatives from the open source project to talk to government, unelected and unappointed corporations with a financial interest in the project speak on the project’s behalf.

Harm to the community

“Part of the issue, of course, is the overreliance by for-profit businesses on open source, free software developed and maintained by a small, overstretched team of volunteers.” – Wired.com

Open source won the war for software supremacy. Now comes the hard part: Taking responsibility for our work by creating a healthy sustainable ecosystem where the people who build the infrastructure of the web can live meaningful lives while doing meaningful work.

The lack of proper governance, funding, and oversight in open source is causing real harm to individual contributors, to the open source community, and to the wider internet community relying on our work. We are acting as if these are still little hobby projects we’re hacking away at in our parents basements. In reality, they are mission-critical, often at government levels, and what got us here is no longer sufficient to get us anywhere but chaos.

Here’s what’s happening in the real world: Governments and large corporations are waking up to the reality our online infrastructure is built on software maintained by unpaid volunteers without any meaningful governance or accountability. To protect themselves, governments and corporations are doing the only thing they can do: Work together to solve the problem. What do you think that solution will be? I know what it definitely will not be: More volunteer contribution.

More likely, government will ask the big corporations to either lean very hard on the open source projects to fix their issues, or more likely inject their own staff into the projects to take over. And while the open source community keeps saying this is an impossibility, it really is not. Open source has largely been taken over by corporations already, both from the inside and from the outside. Just follow the money. And when push comes to shove and governments start getting involved, shareholders and investors will quickly pivot from “let these kids do their magic” to “let’s take control over this mess to protect our profits!”

If we don’t do the hard work of creating proper open source governance, open source policy, and functional funding of open source contributors, the dream of open source will die in our hands and we won’t even notice.

It is time we rebuild open source ideology to be based on equity, inclusion, and sustainability. We built the modern world. Now we need to take care of it and of ourselves.

—

Header photo by Julius Drost on Unsplash.

Every time we contribute to an open source project, in any way, we are answering an important question:

Why don’t I walk away and start a new fork?

I’ve been working in and with and around open source software for the better part of 15 years, and over that time I’ve seen the rise of amazing ideas, powerful communities, valuable ecosystems, and massively profitable companies. Which is great. Open source is eating the world by giving everyone a chance to contribute and use software and technologies without being beholden to expensive proprietary licenses. I’ve also seen a slow and systemic erosion of the principle of walking away. Which is not great. Actually, it very bad.

Some time ago I posted what I called the “Open Source Serenity Prayer” on Twitter.

The Open Source Serenity Prayer:
Self, grant me the serenity to accept the things I cannot change,
Courage to change the things I can,
Wisdom to know the difference,
And temperance to walk away and start a new fork.

— Morten @ home (@mor10) September 24, 2019

 My intention was to remind open source contributors of what I believe is the core ethos of open source: the ability to walk away and make something new. Yet when I posted this text, a chorus of concerned friends and acquaintances chimed in with the same refrain: “Walking away? If I walk away, I lose everything.”

This is a problem. This keeps me up at night.

Asking for clarification on people’s concerns, I heard variations over the same theme:

• My job depends on the success of this particular version of a project.
• My skills are tied to this particular version of a project, I can’t succeed anywhere else.
• A project is too big / too dominant for a fork to be successful.
• A project is no longer a tool; it has become infrastructure.

In other words, some open source projects have turned into monocultures – the exact opposite of what open source was meant to create.

This is why walking away matters, maybe now more than ever before.

The Ethos of Open Source

At the core of open source ideology and practice lies the powerful concept of “forking;” taking what already exists (a “branch”) and making a new copy (a “fork”) from which new branches can grow. Very much like cultivating a garden. This is the proverbial “standing on the shoulders of giants” made real: You take something that works, often the work of countless other contributors like you, and build something from it. It may be a slight variation on the same theme, or something entirely new and different. Then someone else can take this new thing you built, fork it again, and build something new and different from it.

Forking and branching gives open source communities the freedom to explore a plurality of ideas without starting from scratch, and individual contributors the capability of choosing every day to do work they find meaningful and valuable without any expectation or obligation of future commitment or their work being wasted: If you create something which you find valuable, and the project you want to contribute to does not want to include your work, you can create a fork and build your own vision of the future. All the while, the maintainers of the original project and anyone else can copy or build from your new work to make further works, with or without your involvement. Everything is connected to everything else, and everything builds on and learns from everything else.

Contribution to open source and the open commons is in a very real way the giving away of your work without direct remuneration or reward. Your work may be funded by someone, and you may get status, or praise, or even power from your contributions, but these are secondary. Once contributed to the commons, the work becomes the property of everyone, from which new forks can be made.

Thus, every time we contribute to an open source project, in any way, we are saying to ourselves “I believe in this fork, I believe in the future it builds, and I am going to give away my time and work to it today to move it forward.” We are also saying “today I choose to stay with this fork, to not walk away and start a new one.”

The important things here are agency and capability: The choice of continuing to contribute to a particular fork, or to walk away and create a new one, must be a real choice. When a project becomes so powerful, or dominant, or such a monoculture that the choice of walking away becomes unfeasible, or a significant risk, or even impossible, the effective capability of forking the project is lost. And with it we lose what makes open source valuable to begin with.

Walking away

Open source ideology started as a revolutionary counterculture fighting monopolies, monocultures, and corporate control. Choosing open source was an active walking away from the default models of expensive and restrictive proprietary licenses. Inherent to the open source ideology is the freedom of agency, autonomy of contribution, and the capability of walking away and starting a new fork when the work is no longer meaningful to you, or you have a new vision of the future, or you disagree with where the project is headed. This, the capability and willingness to walk away and start new forks and new projects and new versions and futures, is what made open source so successful. If we don’t embrace this, if we don’t actively cultivate the plurality of ideas which brought us here, we’ll fall victim corporatization, monopolization, and the creation of monocultures. Which is what I’m seeing everywhere I look.

When an open source leader says their project is “not a grain, it is the soil” and implies a single fork should become the infrastructure for everything, it may be time to find the strength to walk away and start a new fork to keep our open source garden from succumbing to monoculture.

Cross-posted to LinkedIn.

Note: This article was inspired by Cory Doctorow’s book “Walkway” in which he explores a future where citizens literally walk away from “Default” society to live and work in a new society founded on open source ideals and values. I think this book should become essential reading for open source ideology and open source contributors (it’s also a very good and entertaining book, so there’s that.)