I read this article (“Open Source” is Broken by Xe) written in the aftermath of the unfortunate log4j2 fiasco. The author discusses a pertinent problem that has plagued the FOSS (Free and Open Source) world ever since large for-profit corporations started their widespread consumption of FOSS, ever since countless “unicorns” raised infinite amounts of funding on valuations built pretty much entirely on FOSS, ever since FOSS got co-opted into corporatisation and capitalisation. And yet, countless maintainers of critical and widely used FOSS struggle to make a living. Whose fault is this? I do not believe that this is FOSS’ fault as a conceptual framework or a system. If FOSS was broken, the internet as we know it today wouldn’t exist; the countless marvels of technology that we take for granted and techno-economies that thrive on them wouldn’t exist; millions of software developers (like me) who learnt to write code with FOSS and learnt to make a living with that knowledge wouldn’t exist.
[…] How is it that FOSS, a beautiful system that has uplifted and empowered massive swathes of human beings across the globe irrespective of their borders, race, creed, and economic backgrounds, is “broken”? To imply that FOSS is broken because it is abused by a certain category of users, is a form of victim blaming.
Reading the various hot takes regarding the log4j2 problems has been an exercise in frustration. The fact that the maintainers of this small but important piece of software barely received any donations or other forms of financial support, despite their software being extensively used by some of the largest corporations in the world is not a fault of open source – it’s the fault of garbage corporations only taking, but rarely giving. The issue here is not open source – it’s unchecked capitalism.
That being said, these maintainers, and other people who contribute to open source projects, know full well it’s most likely not going to make them rich, or even allow them to recoup any investments made. That’s the nature of open source, and it seems like the technology world has become so infested with venture capitalists that even the mere idea of someone working on something not for the money, but for other reasons seems entirely alien to a lot of people, meaning open source must, therefore, be broken.
Money corrupts anything it touches. I’m insanely grateful for the almost endless number of people contributing to open source projects not because they expect to become rich, but because they enjoy doing it, to show off their skill, for the community of people they love interacting with, for the recognition it sometimes brings, or for the mere secret knowledge that their small project nobody’s ever heard of is a crucial cog in the massive machinery that keeps the technology world spinning.
Open source isn’t broken. It’s working exactly as intended, and it’s by far the most powerful force in the technology world, and it will outlive any of the corporations so many people bend over backwards to please today.
Blaming people for being selfish is like complaining about the nature of humanity that has existed for thousands of years… it’s not likely to change.
I think it is an odd position that so much of our critical infrastructure is ‘unsupported’. It’s entirely possible that proprietary solutions also become unsupported, but there is a certain feedback in the system. Your contract is up, the company goes bankrupt, the company sends you notice that the product is entering end of life and future support will cost you more… Executives get nervous when this happens.
Personally, I think the way forward for open source is similar to the way governments fund, say, the arts/museums… You can argue that government shouldn’t be funding these things at all, but I think it’s a good working model. We’re not talking billions of dollars here. Best of all, we already have a workable organizational model. Log4j isn’t some random product run by some random person on the internet. A lot of the popular open source software gets pushed to formal organizations. In this case, the Apache Software Foundation. How easy would it be for governments to throw a few million its way to maintain our digital infrastructure, same as they maintain our cultural or physical infrastructure?
Now would this complicate open source? Of course it would. Life is complex. Maybe they’d try and sway the open source model pushing software in certain ways, pushing political motives…
The US government is already trying to get firms to produce a software bill of materials (SBOM). Seems pretty reasonable to fund the most used components.
Some people are selfish, and capitalism definitely encourages selfish behavior – it seriously rewards that. But human nature is collaborative, not selfish. The idea that people are mainly selfish (or rational self actors) is one of those neoliberal (capitalist purism) myths about human nature that just won’t die.
Human nature collaborative? It’s not wholly selfish, but it’s hardly collaborative. We’ve been warring and raping and pillaging since inception. The idea that we’re a peaceful collaborative species is just not there.
I said collaborative, you said peaceful. We are collaborative to compete as groups.
The vast majority of people are decent individuals.
The whole “raping and pillaging” has been an exception not a norm in human history.
The vast majority of humans through history were not warriors or rapists. They were people just trying to raise a family in whatever was the context of their circumstances.
LMAO no, here is the entire human history in a nutshell… raise capital, hire goon squad, become ruler and exploit those below you. It’s really that simple and we have more than ample evidence of this going back over 4000 years.
There is a reason why communism has failed time and time again, the classic free rider problem. The default for human nature is no different than any animal: take as much as you can with as little effort as possible, and this is why the current model of FOSS just doesn’t work, the corps are just gonna take, not give.
Most of human history we’ve not been living in the last few thousand years.
We were actually living off nature in groups, basically eating berries, etc. and hunting.
Just like other animals we would move away if an area got too crowded, better than having to fight over resources (obviously that happened too).
Surprisingly, research shows we probably had more leisure time in that period as well.
But obviously we have a whole lot fewer direct risks to our health and food supply in our modern society, so we live a lot longer.
Actually some of the oldest records we have, going back over 3000 years to the ancient Sumerian civilization, show EXACTLY that same behavior: 1. raise capital, 2. hire goon squad, 3. declare yourself ruler (add divine mandate for extra fear points) and exploit those in your area.
The Romans, Greeks, Sumerians, Persians, they all show this exact same pattern so unless you want to argue we should go back to being cavemen (as that appears to be the last time we were a species that didn’t exploit one another but even then tribal warfare was a thing) then I’m sorry to burst your bubble but civilization was literally built on the backs of slaves.
That’s hopelessly naive. If you think anyone who has a lot of money or power got it by themselves, you don’t know how anything works.
Nobody said they didn’t use others to get to the top but guess what? Look at the richest 100 and see how many show sociopathic behavior. Hell look at Amazon, the owner is so rich he can build his own rocket to launch Captain Kirk into space and still steals the tips given to their drivers, does that sound like co-operation to you?
So I would argue, sir, YOU are the one being hopelessly naive, because the last 2000+ years of civilization were built on exploitation and oftentimes on the backs of slaves. Just FYI, here are the latest figures for the number of people currently enslaved, which is over 40 million…
https://reliefweb.int/report/world/which-countries-have-highest-rates-modern-slavery-and-most-victims
> the way forward for open source is similar to the way governments fund say the arts/museums
Note that governments have the same challenge corporations do. A single government that taxes its businesses in order to pay for FOSS which is freely given away to businesses outside its borders (which don’t pay the tax) is at a competitive disadvantage. It is subsidizing freeloading.
Making this model work sounds to me a lot like patent pools. If you pay into the pool – whether by taxes or outside contribution – you get to consume everything in the pool. If not, that pool is not available to you. This is really just trying to reduce the friction of asking anyone to donate $1 for a trivial piece of code – larger prices with a larger ecosystem behind it.
Any time I do FOSS work, I consider it charity.
Any time my employer pays us to do FOSS, we consider it charity.
I use FOSS daily at work. We make every effort to contribute back (in kind) when we find / fix issues. For projects where we are using something as a main-stay of the platform stack, we try to embed into and become part of the community.
Certainly there are other individuals and other employers that do not take this stance, but we recognize that being only a consumer rather than contributor is detrimental to our own ambitions.
As with any community of (fallible) people, there will be all types of actors — good, bad, and indifferent.
@Bryanv
Since putting my money where my mouth was and shifting 100% to Linux I have some work I need to get on with. The applications I needed aren’t generally available on Linux but can run via Wine. Wine is still not a click and forget option.
Thankfully by persistence and some luck I discovered an academic project which hosted an open source application I needed implemented as a web page. I saved a copy locally and it runs locally. This gives me confidence and security that I can finish the tasks I need to get done. The value to me on a personal level is huge. It’s not just the value created by this application but the massive savings in knock-on effects which don’t just cost me but cost other people too. This can easily add up to thousands or tens of thousands of pounds. Access to one application can change lives and do a lot of social good beyond what the original authors may have imagined. It’s difficult to quantify the benefit but by facilitating success a lot of misery may be avoided which I hope helps feed into better things as everyone moves forward.
I actually got the recommendation from an American who was using this application as a tool during the lectures they distributed for free on YouTube. Yes, they were peddling their business, but here’s the thing. They know not everyone can pay for their bespoke services and there was no meaningful loss to them giving away their lectures. There’s a Canadian builder who does fantastic lectures on everything related to DIY and he has the same philosophy. An American lady who runs a cleaning business gives all her tips and working methods away on YouTube too. None of them are going out of business.
It can be very difficult to quantify the benefits of open source. The tech world especially is all tech tech tech and this is a really dull narrative most of the time. I think maybe if some of the more human stories behind it are told it might be less dull and help inject some humanity into the system.
It’s really a stretch to say that this is just bad players, and not the system of open source software. Open source turned its back on GPL in favor of more permissive BSD/MIT style licenses, and the result is that corporations – playing completely by the rules – can take, and rarely give back. The system created this situation. Yeah, the financial system is capitalism, but it’s also open source. GPL though, is also capitalist, relying on private property and contract law – just like capitalism.
The problem is that open source became all about “zero cost” rather than “liberty and obligation” – a model that forces the source to stay open, by all users/contributors. It’s DEFINITELY an open source problem.
Completely agree. As is often the case, it’s easy to blame “big bad”, but the Open Source community has its part to play. And this includes open source projects incorporating other open source projects that they in turn aren’t contributing “down to” when they get financial support.
I think you hit the nail on the head, but most people miss the forest for the trees. The most recent trend in software has been rewarding companies that are able to leverage other people’s work for their own gain, but to the detriment of “the community”. Additionally, “open source” created a feedback loop where takers are constantly rewarded for this practice. This is the sort of thing RMS was railing on about 20 years ago as he tried to differentiate between “open source” and “free software”, and people were calling him a kook.
Some folks are explicitly providing their hard work for others at no expense (monetary or otherwise) and complaining these other people are hanging them out to dry. Open source is broken, and it’s broken by design! Complaining about it isn’t going to change the fact that someone can take your work, make it proprietary and never even acknowledge you ever existed. If you think your work should be rewarded (monetarily or otherwise) then use a license that explicitly requires such rewards like the GPL or similar.
There’s a lot of railing against capitalism on one hand, and dogmatic support for capitalist lies (homo economicus in particular) on the other in this thread. This isn’t really a problem of capitalism though – it’s just a problem of how the free software is licensed, and I think we agree on that.
I’ve been wondering what open source licensing would look like if instead of seeking to keep the source open, as the GPL does, licenses instead required changes to corporate structure. What if the license only granted free access (MIT/BSD style) to companies which were employee owned (fully or partially)?
Some folks on here seem to care a lot about the failures of capitalism, but don’t seem to be pointing at any kind of system that might replace it, nor do they offer a way to get there. Well how about replacing capitalist owned corporation with employee/democracy owned companies? That’d be my suggestion. More democracy at work. Honestly, I think RMS shot at the wrong target.
Funny you say that. I worked for Zeppelin Systems (https://www.zeppelin.com/de-en/) which had a very interesting structure. The company is what’s left of von Zeppelin’s dirigible company. As would be expected, the company went bankrupt after WWII and von Zeppelin donated it to a foundation owned by the city of Friedrichshafen, Germany. So the way it works is the city mayor is the chairman of the board of directors of the Zeppelin Foundation. The foundation then owns a multitude of companies, including Zeppelin Systems. While Zeppelin Systems is a for-profit LLC (GmbH), its board of directors answers to a foundation whose chairman is the mayor of the city (an elected official) where it is headquartered. Priorities were quite different in that company.
Nice! I’m also thinking of companies like Mondragon in Spain. It’s completely worker owned and operated. Don’t some of the bigger German car companies have advisory boards partially made up of workers? (They have a weird split governance model that muddies things, but it’s more worker participation than American workers can even dream of.)
To extend that, you must also consider how many open source projects are technical dead ends, duplicate works, or forks based on personal or ideological differences.
Companies don’t want to be dragged into the politics of it all. My company contributed to a number of projects, but some are impossible because of how the maintainers manage the projects as personal fiefdoms or make the hurdles to submissions so difficult as to not be worth it. We must not assume Open Source is some utopia of software development or delivery.
Thank you for the thoughtful reply. The issue isn’t capitalism; it’s people, and people can do good things or bad things. History has shown that capitalism tends to drive more good behavior while communism drives the opposite.
FOSS was born out of frustration with licensing restrictions that were “limiting” researchers’ abilities to leverage and build upon the work of others. It was an academic initiative. But, these comp sci researchers were getting paid for their work. Their employers could pay to license software from other vendors or even try to purchase the patents. Or, if they didn’t feel it was worth it, they could build an alternative or tell their researchers to move on. Why is the company that invested the time and effort to create something first the “bad guy” just because they want a return on their investment?
I see a lot of parallels with medical and pharmaceutical research. For a timely example, check out the history of mRNA vaccines. Researchers at universities and companies all over the globe contributed to various developments, sometimes by accident. Companies formed around new discoveries. Some companies dismantled when funding dried up or interests changed. Patents were bought and sold. Patents expired. New patents were issued, and the cycle continued. A robust exchange of knowledge and information occurred, and people made money along the way.
Why should software be any different? I’m not suggesting that IP frameworks like patents and copyright law are perfect, but rather, that they are a framework and vehicle that align reward with investment and interest with opportunities.
9five4,
That’s debatable. Both can be corrupted and there’s no shortage of examples of this. I think the adage “absolute power corrupts absolutely” gets it right. Ideally what we need is balance. The problem is when greedy people get into power they tend not to respect balance because they simply want everything for themselves.
I don’t think that’s what makes them bad, however there can be a lot of abuse, especially when it comes to entities becoming so dominant that they have the power to manipulate markets and control competition. Capitalism goes downhill when things are so slanted in favor of the giants. The US is rediscovering the robber barons era where high concentrations of wealth & power belong to very few hands.
Software patents are rife with abuse. It makes sense to grant exclusive ownership to physical property, but ideas are not physical and when it comes to software there is no natural limit to the number of people and developers who can benefit from them. Imposing monopolistic restrictions on software algorithms is a hamstrung idea. Software patents twist the point of patents around on its head: software companies never needed any artificial government incentives to write code; instead the main selling point behind software patents today is their monopoly power. Wealthy companies take huge interest in amassing an arsenal of patents to use against competition. There is practically no business value for software patents outside of court. The documentation contained in software patents may as well go in the trash as far as most software developers are concerned. It is cryptic and useless compared to the wealth of information on the internet.
Companies like Apple and Microsoft are very fortunate that software patents weren’t a thing when they started out, because otherwise they would have been forced to license all the software algorithms from IBM.
Hrm.
The result is that Google usurped “GPL Linux” so that Google (via Google Play services) and various other companies (via hardware sales of smartphones) can profit from Linux (Android) without giving anything back.
The result is that several large companies (Amazon, Microsoft, …) usurped “GPL Linux” (and KVM and a bunch of other open source projects) to make a huge amount of profit locking it all behind proprietary cloud service provider APIs without giving anything back.
The result is that a lot of the work that’s gone into Linux distros (under many different licenses) was usurped by Microsoft to become their WSL compatibility layer without giving anything back.
The result is a huge number of content providers (including OSAlert) using open source to implement an “advertising as funding” business model, without giving anything back to any of the open source projects that they depend on.
Now…
“Open source is broken” depends on what the goal was. If you assume the goal was to replace proprietary software with open software then you have to conclude that “many mega-corps profiting from open source while giving nothing back” indicates that open source was relatively successful and therefore not broken. If you assume the goal of open source is to destroy capitalism, or ensure that developers get fair compensation for their work, then you have to conclude that open source was a dismal failure.
I’d have to say open source was relatively successful and therefore not broken (because I assume the goal was to replace proprietary software). Sure; some developers might spend years working on something while starving, then abandon a project because they can’t afford rent; but that’s “fine” because open source means that someone else can take over the project (and the project can continue to replace proprietary software).
Agree, although it’s also that software authors understood the letter of the GPL without its underlying spirit. The GPL was written at a time when software was consumed locally, and software businesses charged money. It was incompatible with a business profiting from it in any serious way, since a code recipient could redistribute it freely.
The advent of remotely hosted services removed the foundation from under the GPL. It scarcely matters whether log4j2 is MIT or GPL, because anyone can freely run it and charge money for the service built on it, without paying or contributing in any way. The spiritual successor to the GPL is closer to the AGPL than anything else, but for whatever reason, there’s a huge amount of reluctance to embrace it, so the GPL has been completely de-fanged.
In hindsight FOSS was always a “race to the bottom” where given two alternative pieces of code, the one with the fewest costs/constraints will become more popular, and the popular thing will get the most contributions. So we’re living in a strange unsustainable industry where the cost (financial and otherwise) of FOSS goes to zero while programmer salaries are sky-high. The only reason it’s lasted this long is because there are so many programmers that if even a tiny fraction donate code for free it’s enough to supply the entire world with core infrastructure.
This reminds me of the infamous “dependency” XKCD: https://xkcd.com/2347/
I don’t think many people depending on a very important, but “not so well maintained” part of infrastructure is a “corporation” problem. It is used *everywhere*, including open source (tomcat, maven), and commercial products.
The problem is more of “tragedy of the commons”. People want to graze their sheep on the common land (open source projects), but don’t want to “waste” their time maintaining those lands.
Maybe instead of asking donations of money, maybe open source projects can ask donation of “time”? Many corporations already fund projects directly related to their work (like Linux Kernel developers employed in large corps), but will not look at dependencies. It could be time to look at the entire stack, and make sure every piece receives *some* attention.
I think people also assume the Apache foundation is a good player that takes care of things.
And I wonder if it was just a standalone project if people would have had a different perspective of it.
That’s a fair possibility. I would have assumed log4j was being funded decently because of the Apache relationship. However, I don’t think it would be better funded outside of Apache. Honestly, I guess I just assumed it was part of core Java somehow.
It has been a while… but…
As far as I know, Apache will give you infrastructure, and also process structure to make sure your project meets a minimum standard. (documentation, tests, etc).
Given sheer amount of projects under their umbrella, barring a large dedicated team of security experts, I cannot see them managing each and every CL/pull request:
https://projects.apache.org/projects.html
So, things will slip.
Still much better than not having this support at all.
I’m glad the general topic of open source and the EU initiative have been mentioned in topics, since I commented some topics ago that I felt “the state” would become the ultimate custodian of the common purpose of open source, much like roads and funding R&D.
This discussion can grow very fast as you have different competing state models with everything from society to economics and everything in between. Law and tax are typically used to shape or fund certain things which begins to get into some of the “who looks after it” and “who pays for it” issues. This is why getting other people involved in the overall discussion rather than just tech people is a good idea. It expands the number of stakeholders and supportive influence.
@HollyB
This is the same logic that failed the Asilomar conference, where geneticists deliberately avoided debating issues of ethics or social consequence of the technical debates around cloning and recombinant DNA, and it is now seen as a tactic for technical types to obfuscate responsibility for the outcomes of their actions.
Take direct responsibility for what you make, don’t hand it off!
@cpcf
Not at all. It’s simply taking a position and allowing people to contribute and develop understanding and creativity and sometimes somewhere along the line realise they aren’t quite the experts they thought they were the first time around.
So far nobody is saying anything I haven’t already heard a dozen times over. I doubt anyone on this website is personally responsible for driving public policy nor an expert in any one of a number of elements of regulation or lawmaking and so on. So you have the same fixed views, the same monoculture, going around and around, hence the need for a format which allows creative discussion and input of other “non-stale” points of view and alternatives. The general public and businesses from other sectors and consumer groups and so on have a far better idea of what they want and what works and what their requirements are than software developers. A lot of the alleged “new” and “intractable” problems aren’t new and not actually problems, and tech people will begin to appreciate this once they step outside of their silo.
There’s no point being an armchair general or hindsight hero or finding one tiny cotton thread on a garment and giving it a yank so you can exclaim “Aha!”
Whaaaa… whaaaa… capitalism. Dude, that’s not even an argument, much less a proposed solution. Get a clue.
The real issue here is that software doesn’t come with a security patching obligation. Let me put it this way: If I am given a free radio, say as part of a promotion, and the lithium battery inside is prone to exploding, it doesn’t matter that I got the radio for free. The vendor is still liable to provide a recall, and the lithium battery vendor is still liable to replace or recall and safely recycle the lithium battery.
Which is the issue here: Software is somehow excluded from the obligation to issue recalls (say, in the form of security patches). It has also been excluded from warranties (not infinite liability mind you, but if for example a software problem makes my phone unusable after 9 months, I should be able to return the phone and get a refund despite it being a software issue). In a world of myriad regulations about everything, it boggles the mind… My guess is that security patching obligations and warranties are things that neither corporations want implemented (for obvious reasons) but more crucially not activists either (because it could hurt open source).
Maybe customers need an activist organization explicitly pushing for customer rights, not open source.
Oh and btw if open-source cannot work in a regulatory environment where timely security patches are mandated, then yes, it’s broken (and should be replaced by shared-source software). But my guess is that only some open-source projects would qualify as “broken”.
> Oh and btw if open-source cannot work in a regulatory environment where timely security patches are mandated, then yes, it’s broken
Have you checked open source licenses ?
It uses the legal system to clearly communicate: it’s your responsibility.
In part because of the complexity as The1stImmortal mentioned.
My point is that such licenses shouldn’t be allowed to exist, much like a car manufacturer can’t force you to sign a contract where you waive the warranty in order to sit in the car. Or they couldn’t, before in-dash entertainment systems started sporting EULAs. Do we see the problem here? Since every gadget will have a computer inside, nothing will have a proper warranty.
You just described a situation where raw capitalism would push businesses to ship such cheap batteries, and let customers take the risk, if it wasn’t for regulation reining such capitalism in and limiting its behaviours.
Software is far, far more complex than physical products – the number of ways it can interact with itself and other systems, the number of ways it can break, is astronomically large even with the simplest programmes, compared to physical products which have a relatively small and limited number of failure modes.
Software cannot be warrantied in the same way physical products can be.
In the case of FOSS software, it shouldn’t be required to act like for-profit commercial products, either. Pressures, incentives, effects and costs are completely different. You can’t return free (libre *and* beer) open source software for a refund, for example.
Bigger commercial products already tend to offer maintenance agreements and support, and many have released patches for that. Smaller or “dead” products… who would you return them to? How could a one person developer for example possibly provide the level of warranty required for the insane numbers of possible bugs in any given software stack? Where do you even draw the line, once shared runtimes etc get involved?
This requires a novel and better solution than simply porting physical product market policies.
I do have a suspicion that part of the problem here is the more permissive licenses, making user patching or bugchecking of closed source products relying on open-source third party libraries essentially impossible – however this is just a seed of a thought, I haven’t fully developed/explored it yet.
Regulation and risk analysis is where you begin. This and your “haven’t fully thought through” point is exactly why I step back from these things and take a more public policy and developing dialogue position. Claims like “software is too complex” and “free software cannot come with a warranty” and other similar arguments are mostly memes or slogans which act like conversational dead ends. Conclusions are made before discussion begins.
Almost all tech people are not managers or marketers nor are the public policy creators nor lawyers nor qualified in a number of surrounding expert fields. This is part of the problem. A lot of the cited “problems” aren’t actually problems and are known knowns and easily managed and have been for years.
Any construction or engineering project has an extremely small original component. The rest is a bill of materials with every component being certified to a standard. Some bill of materials items can be proprietary, such as a patent concrete or glue, but there will always be an equivalent at the design stage and 99% of everything else will be a generic component. Somebody somewhere is always liable. There is nobody who isn’t. It doesn’t matter as a supplier if you gave away nuts and bolts for free. If they are not certified or in any way fall short of standard, you are liable.
The problem is, software actually is too complex to provide the kind of behavioural guarantees that underpin selling a physical product, and the software market (in the subset of cases where “market” even makes sense to apply) is fundamentally different to that of physical widgets, even leaving aside F/OSS software licensing.
It’s not impossible to regulate it, of course, but the point was that it’s not sufficient just to lift a regulation regime wholesale from the world of physical widgets and impose it on the software world. The entire thing needs a rethink from scratch – whatever solution is found will be unique to that world.
The comparison to construction and engineering collapses because in this case – anyone can build anything, for any purpose, with no expenditure or immediate risk to anyone, using entire or partial pieces of other peoples’ constructions. Things aren’t even given away, they’re maybe taken, maybe just common industry knowledge. It’s like saying someone is responsible for the fact that 2+2=4.
Despite universities trying to desperately label it as such, despite sharing some principles and ideas, despite job titles… software is fundamentally NOT engineering.
Nor should developers be required to be certified, qualified engineers before ever writing a line of code, contributing to a project, or putting something on a public git server.
The dead end conclusions here are that software is just like building a bridge or a high-rise – it’s not, it never has been, never will be and while some ideas may be borrowed and adapted you can’t treat it like it’s those things. Something new is needed.
@The1stImmortal
You’re somewhat missing the point of everything which was said. I took a pause to see how you would reply to cosb and you repeated your mistakes.
You are taking a very narrow framing and either stretching or squeezing the equivalences to ram a point of view home. In doing so you are skipping right past all the concepts, principles, spread of domain expertise, perspectives, and outcomes.
If you think the IT sector is bad try the bra retail sector. I decided to review fitting because one underwire bra was digging in. It turns out many regard Nordstrom as offering the “gold standard” for fitting and they take months to train their staff. In comparison Victoria Secret is so far wrong they are a joke. Fitting is more than a couple of simple measurements. Different bra types fit different breast shapes differently. There’s details relating to various aspects of bra construction which affect fitting and other supplementary details which I won’t go into but basically there’s a bit more involved than many think. I followed through on what I had learned off expert retailers and women who had done their background research and after this buying and trying on new bras found their advice to be correct.
I’m curious what Marks and Spencer’s bra fitting service will recommend so may visit in the new year. This can wait until I’ve got my booster shot out of the way and have a clearer idea of how the pandemic is going.
That’s pretty close to the biggest load of crap I’ve ever heard! “Because it’s hard” is not a reason for delivering unsafe products. I’m a Mechanical Engineer who’s been involved in product design and certification, so I speak from experience: Providing a safe and reliable product IS HARD! You might take it for granted because you do not understand the process, but that doesn’t mean someone isn’t putting in the work. Things like safety factors, reliability testing, suitability testing, certification, etc. mean that sometimes it can take years, if not decades, to even get a single product out the door. Even then, sometimes unforeseen situations occur and your product has to be recalled.
The thing is that FOSS doesn’t provide you with a working solution. FOSS is distributed as code or other types of incomplete solution. It is the responsibility of the party who is selling you the integrated solution to make sure that product is suitable.
This is similar to how you can use someone else’s design in the physical world, but it is still your responsibility to make sure it meets all regulations before you are allowed to distribute it. I had a similar experience with a winch we integrated into a product being sold in Canada. Canadian regulation required that such a winch be UL-certified. Guess what, it was our responsibility to pay for and ensure the design was suitable. We attempted to push that requirement to the vendor but the vendor wasn’t interested in UL-certification, so we had to eat it. The fact is that it was 100% on us to make sure the design met the requirements/regulation of the market, not our 3rd party supplier.
I know. That’s what I’m getting at.
Safety isn’t such a big deal with software per se, as it only becomes an issue once you connect it to real world equipment etc (which can somewhat be assessed for safety in its own right), but software is orders of magnitude more complex and with more failure modes than any machine in the real world. Reliability is terribly hard for mechanical systems. It’s many, many times harder for software (to the point where in many cases it may even be mathematically impossible to guarantee).
Yup. And that’s not feasible for software, nor would it be effective to follow the same process.
Sometimes it is. Sometimes it isn’t. Depends on what it is, who’s using it, and for what. Sometimes nothing is being sold at all. What happens if you just say “hey, we made a winch, this is the design we used, no guarantees it’ll work for you tho” and someone makes a winch off those plans? Are you responsible then?
If you do not connect it to the real world, then it isn’t useful and has no reason for existing. Again, you seem to be underestimating how complex systems are.
You think it’s not feasible and effective because you and most companies don’t want to do it. It’s expensive, that’s for sure. Rushing a half-assed product into the market and screwing your customers when it goes south seems to be the M.O. for the software industry. It’s sad that you and so many others think this is the way it should be.
I currently work with robotic manipulators and the controller has 2 processors working independently of each other. Both systems are constantly performing the same calculations and comparing each other. If they do not match, then you can assume something went wrong and the system comes to an emergency stop. Keep in mind, these robots run in fully autonomous environments without human interaction. If safety procedures are properly followed, no bodily harm will ever come from a failure. The damage they cause is strictly monetary, much like the damage caused by poorly written software. That’s just another small example of what can be done when the motivation is there.
No, you are not responsible and there wouldn’t be any question about that. Your design was clearly never vetted for safety or applicable laws, so someone using your plans cannot expect it. Any system integrator who wishes to use your design, for whatever reason, can pursue certification, if they so choose. At the end of the day, it’s not even the system integrator’s responsibility to make sure a product is safe. OSHA and other regulations require workplaces to be safe. As such, the employer is ultimately the one responsible for all of it. Usually employers choose to mitigate the risk by only purchasing equipment certified for their industry, transfer the risk to the manufacturer through contracts, or accept the risk and purchase insurance to reduce their exposure. If you’ve never been involved in a HAZOP, I suggest you look it up. I was involved in one a long time ago that took 4 weeks to complete and required the involvement of 15 people, plus support staff.
For example, there are regulations in place that say that a Barbie doll cannot be sold with lead-based paints or other harmful chemicals. If Mattel chooses to use a new (and supposedly better) formulation, then they are responsible for the safety of that formulation. In this case, they might choose to mitigate their risk by asking the designer of the new formulation to certify it through an independent 3rd party. The designer can choose to not agree to such demands and Mattel will then have the option of pursuing certification on their own or producing their own formulation. But if Mattel really, really, really wants to use this new formulation, then they will have to take on the responsibility. Additionally, even if they received all possible certifications, but the product is still found to be unsafe, Mattel is 100% responsible. This, obviously, assumes that there were no other issues such as documents being falsified. At this point, Mattel would have to recall the product and eat the damage.
This scenario is not new and constantly happens.
> Which is the issue here: Software is somehow excluded from the obligation to issue recalls (…)
What are you talking about? You’re perfectly free to return your copy of log4j and get the $0 you paid for it returned to your account.
Glad to know about that, but what’s their method of notifying users about the recall? Corporate and not. Most open-source software doesn’t even offer a registration functionality.
And that’s the problem. Plus the fact corporate users who have integrated the software in their own products aren’t obligated by law to issue a recall or provide a security fix themselves.
As an open source user and author, I’ve gotten used to recalls (i.e. security advisories) being put on the projects’ websites. The same website the software can be obtained from. I find it very similar to voluntary recalls of physical products that don’t meet quality standards by putting posters in brick-and-mortar stores or information on manufacturers’ websites. As long as there’s no direct risk of injury or death from software itself, why would anyone need more?
Oh, and I don’t know where you live but in my 2nd world country we have a General Product Safety Act that applies to every manufacturer and/or distributor of physical products. If a product could cause bodily harm because of security vulnerability in a logging library (however silly that sounds), it still would have been recalled because the Act doesn’t make distinction between software and hardware.
kurkosdr,
Few states require vendors/producers to recycle their own products.
https://www.call2recycle.org/recycling-laws-by-state/
You’re giving other industries too much credit, the only recalls the government imposes are safety recalls where life is at stake, not fit-for-purpose recalls (if you can think of any government mandated recalls for non-health, non-safety purposes, let me know).
The problem is when corporate and consumer interests are contrary to each other. Corporations have become proficient at optimizing their profits at the expense of consumers. In a competitive market there are incentives to cater to consumer wants. But free markets often lack natural forces keeping the market competitive, and in the absence of regulation, concentration of corporate power creates a positive feedback loop harming competition. The result is the demise of merit based competition and the rise of dominant market forces to block competition.
Honestly from cars to monitors, power supplies, SSDs, etc. sometimes getting products warrantied is a no go because the company doesn’t care. It’s one of those things where companies like to advertise warranties, but then train their own teams to deny them. I’d say roughly half of the warranties I’ve tried to claim the manufacturers intended to fight despite the obvious failure of their product under warranty. In the US you can go to consumer affairs or even take them to court to force them to honor a warranty, but IMHO if it comes to that point it means that the warranty didn’t serve its purpose.
So when you say software should be warrantied like normal products, well. I think it’s one of those things where the practice falls short of the ideal.
It’s up to a consumer to make up their own mind, is it not?
When it comes to governments spending public tax dollars, I don’t think spending our money on proprietary software that we the public cannot use makes much sense at all. I don’t care who wins the contracts, but we should be entitled to the software development that our money pays for. We’ve spent billions of tax dollars on proprietary software that we don’t own and we have to continually spend billions over and over again? It makes no sense at all for all of us to pay over and over again for the same software. I think there needs to be a FOSS mandate for government contracts.
The point of open source and free software is not creators getting their compensation for maintenance work. It is all about the freedom of getting access to the code and being able to tweak it even when it is not maintained any more. Money is just a second thought.
About evil companies not contributing enough to open source projects, I would say it is more complicated than that. To contribute to a project, you need to realize that you are using it. When you have a ton of libraries, and no proper auditing process to check if all of your components are maintained properly, you do not even realize what is maintained and what is not. I work in a rather small company and we do not have enough time and money to upgrade our libraries and software to patched versions, let alone give money to other projects.
Furthermore, Log4j2 is a bad example. It was largely superseded by Logback.
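The auditing gap the comment above describes (not knowing which components you run, which have advisories, and which are no longer maintained) is what a dependency inventory check closes. The following is an added example, not code from this thread or from any project discussed here: it parses a small constructed SBOM-style JSON inventory, matches it against a constructed advisory list, and flags components with no recent release. Every component name, version, date and the advisory id are placeholders chosen for illustration.

```python
"""Added example: minimal dependency inventory audit.
All names, versions, dates and the advisory id below are constructed
placeholders, not real components or real advisories."""
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    last_release: date   # newest upstream release we know about


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder identifier, not a real CVE
    component: str
    affected_below: str  # every version strictly below this is affected
    fixed_in: str


# Constructed SBOM-style inventory (assumed format: a "components" array).
SAMPLE_SBOM = """
{
  "components": [
    {"name": "fictional-logging-lib", "version": "2.14.1", "last_release": "2021-03-12"},
    {"name": "fictional-http-client", "version": "4.5.13", "last_release": "2021-10-01"},
    {"name": "fictional-leftpad",     "version": "1.0.0",  "last_release": "2015-02-03"}
  ]
}
"""

# Constructed advisory feed: one placeholder advisory for the logging library.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "fictional-logging-lib", "2.15.0", "2.15.0"),
]

TODAY = date(2021, 12, 14)  # fixed "today" so the example is reproducible


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Non-numeric parts sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def load_components(sbom_json: str) -> list:
    """Parse the inventory document into Component records."""
    doc = json.loads(sbom_json)
    return [
        Component(c["name"], c["version"], date.fromisoformat(c["last_release"]))
        for c in doc["components"]
    ]


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the advisory names this component and its version is below the fix."""
    return (comp.name == adv.component
            and parse_version(comp.version) < parse_version(adv.affected_below))


def audit(components: list, advisories: list, today: date, stale_after_days: int = 365) -> list:
    """Return (kind, name, version, detail) findings for vulnerable or stale components."""
    findings = []
    for c in components:
        for a in advisories:
            if is_affected(c, a):
                findings.append(("vulnerable", c.name, c.version,
                                 f"upgrade to {a.fixed_in} ({a.advisory_id})"))
        if (today - c.last_release).days > stale_after_days:
            findings.append(("unmaintained", c.name, c.version,
                             f"no release in {stale_after_days} days"))
    return findings


def run_sample() -> list:
    """Audit the constructed inventory against the constructed advisories."""
    return audit(load_components(SAMPLE_SBOM), ADVISORIES, TODAY)


if __name__ == "__main__":
    for kind, name, version, detail in run_sample():
        print(f"{kind:12} {name} {version}: {detail}")
```

The point of the stale-release check is the one the commenter makes: a component can be free of known advisories and still be a liability if nobody is left to publish one. In practice the inventory comes from a build tool or SBOM generator and the advisory feed from the project's own security pages, which is where this thread notes open source "recalls" are published.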
As per my comment on managing complex projects the responsibility for handling the “bill of materials” is on you. In a properly regulated market you wouldn’t have a business because you simply wouldn’t be allowed to practice.
I’ve heard the “we don’t have enough time to do X properly” before. In almost all cases this is not true.
Controversial statement that I believe 70%. Large companies should understand their exposure. Completely understand which projects their piece of software depends on, and write their software with things like this in mind. No one wants to invest in redoing something like log4j, but previous dependency issues like the npm leftpad issue were just dumb. Write your own dang leftpad you lazy devs.
You can’t offer something for free and then expect compensation. You also can’t expect others to contribute because that’s what you do. Sitting around complaining about how people play the game isn’t helpful, you have to change the rules to get change. Or at least find a way to make it in someone’s interest to give back in some way.
friedchicken,
You’re right, but at the same time I don’t think anything is going to change because those best positioned to change things are the benefactors who are sitting pretty cozy themselves. Whenever you have norms that hurt those at the bottom with few resources and connections, the industry tends not to care. Real change may require privileged people at the top to get involved and they have the least incentive.
It’s not just the people at the top with the power to change things, the ones actually doing the work have power too. If devs can unite, which is admittedly like herding cats a lot of the time, they can apply pressure to those dependent on their work. The only reason those benefactors have the least incentive is because they aren’t provided any. Nothing will change if their benefit isn’t at risk. If you’re going to clean my house for free while I watch, I’m going to watch you clean my house. If you’re going to clean my house as long as I’m helping too, I have incentive to participate so I don’t have to be fully responsible and can still take advantage of your willingness to help.
I don’t think there’s a one-size-fits-all solution here though. There must be somewhere in between a free-for-all and a complete spaghetti’ed mess of conditions. Listening to people complain about open-source leeches is like being stuck in a time loop. It’s just the same old complaints and the same old responses to them. Do the same thing -> expect different result -> repeat.
From Thom’s wikipedia link…
Just think, Alibaba could have sat on it and used it nefariously. Alibaba probably weren’t the first to discover this either. Any time things like this happen, it always makes me wonder how many other companies/governments discovered something first only to use it as ammunition for espionage & electronic warfare.
You think it’s a conspiracy, but that’s exactly what companies like Hacking Team do: discovering (and even purchasing) vulnerabilities so that they can be selectively used against high-value targets without the software authors even knowing the vulnerabilities exist. Companies like Hacking Team even make software that automates the process. Combine that with a custom-written piece of malware that no AV will catch, and you basically have undetectable intrusion.
This is why, when Hacking Team got hacked in the summer of 2015, we suddenly found ourselves surrounded with several high-severity vulnerabilities targeting Flash and Android complete with ready-to-use exploits.
It’s also why Google offers a bounty for vulnerabilities in Chrome: It’s not bragging, as most security-clueless people assume, it’s trying to outbid the likes of Hacking Team in buying the exploit. Because if you’ve got a high-severity vulnerability for Chrome, you’ve got almost everyone.
To give you a sense how powerful such vulnerabilities can be (or more accurately, the exploits that use them), Hacking Team had an exploit targeting the font rendering system of Windows (which runs on kernel mode, a legacy from when Windows NT had to run on systems with main memory less than the caches on some of today’s systems).
Disable JavaScript and Flash all you want, you can’t disable font rendering. Or X.org in the case of Desktop Linux.
If you have reason to believe governments are after you, the only safe computer is a computer which has been bought from a store (because intelligence services have the habit of intercepting packages sent to certain addresses) and which never had its WiFi or Bluetooth turned on, never connected to the internet, and never had any storage media attached to it. Use the infamous ten finger interface.
This doesn’t mean that providing security patches for known vulnerabilities shouldn’t be an obligation.
kurkosdr,
I wasn’t trying to cast the issue as a conspiracy. It’s not a surprise that companies like “Hacking Team” serve government clients who act above the law. Wikipedia even published a customer list that was leaked.
https://en.wikipedia.org/wiki/Hacking_Team#Customer_list
But what I wonder about is how prevalent these activities are in everyday corporate America acting illegally in their own interests. For example, how many fortune 500 companies have resorted to hacking to gain an advantage? There are countless scenarios where hacking would provide valuable corporate intel, but it doesn’t automatically mean they’re doing it. Is there evidence that they are?
Another twist is that a lot of these companies are sitting on mountains of data coming in through the front door without hacking. For example the odds are pretty high that giant corporations (think MS, Google, Amazon, Apple, etc) could technically have access to troves of email and other data in a case against themselves. It would be pretty bad if they were somehow caught snooping around.
We know of cases of individual employees at google & facebook snooping on data because they went on to do stupid things and got themselves caught. It’s an inescapable fact that IT employees have privileged access to data, know how the systems work and how to do things undetected and create plausible deniability. It’s ironic, but IT technicians typically have more access than the corporate CEO and executives despite being many pay grades lower.
At some point the open source community has to rip the band-aid off and realize the ability for the public to see the code doesn’t mean it’s any more secure. The problem here is that none of these companies ever had any reason to pay money to have the code audited for security before using it. If you want your code to be secure, you have to pay for regular audits; and ideally by a third party that specializes in that. Not sure why so many people expect random companies to shell out a lot of money for these audits, plus I don’t think the auditors will fix the issues they find either.
dark2,
Obviously we can agree FOSS needs to have more funding and more resources. But I would point out that some open source projects have in fact been audited. And generally known vulnerabilities are quick to be fixed.
https://openvpn.net/security-advisories/
I don’t think most pros assume FOSS automatically means something is secure. But it does make it possible for users to spot check things. It’s harder to hide secrets in FOSS than in a black box. Like when I tried to find out what kind of tracking Microsoft added to its Edge browser, I couldn’t because Microsoft keeps large swaths of it proprietary. Black boxes impede the public from being able to determine the full extent of what they’re doing. This is more problematic with proprietary software.