💾 Archived View for blog.snowfrost.garden › 2 captured on 2023-01-29 at 02:16:57.
Since Heartbleed, and certainly before it, the problem of solo or small-team developers thanklessly maintaining open source software that is used by countless people and organizations, who profit from that work while giving back crumbs (at best), has been a critical issue in software development.
With the recent discovery of CVE-2021-44228, a.k.a. the log4j debacle, the issue is once again thrust to the forefront.
The open source and free software movements undoubtedly stem from the philosophy and practices of the Free Software Foundation. The FSF champions the use of such code, and has written a handful of licenses in its more than 35 years of operation to ensure the continued proliferation of code that is free to receive, examine, operate, extend, and share.
There are few issues more central to the FSF’s mission than the log4j debacle. In yet another case among countless others, code released for free by a handful of unpaid maintainers has spread across the entire world, literally. "Apple, Microsoft, Steam, Twitter, Baidu, and Cloudflare" are only a small (but critically important and valuable) handful of the companies that rely on this code, according to TNW’s Ivan Mehta[1]. These companies, some of the most massive engineering organizations in the world, have built their software on top of a project maintained by a handful of people in their spare time, and now that the vulnerability has been revealed, that handful of maintainers has spent nearly all of their time patching and testing security fixes while the whole Internet breathes down their necks.
1: https://thenextweb.com/news/log4j-bug-internet-open-source-contributors-analysis
The FSF, however, doesn’t seem to have anything to say on the matter. The vulnerability was announced on December 10th. It’s now December 13th. The FSF is a 501(c)(3) non-profit organization with an operating budget of over 1.3 million dollars in 2017, according to Wikipedia. It’s beyond belief that an organization so well known throughout the software world, and which receives so much money to continue its mission, has nothing to say about this. Yet neither their news page (https://www.fsf.org/news[2]) nor their Twitter account (@fsf) has made any mention of this mind-bogglingly important issue.
I don’t want to spend much ink on the problems of open source software. Plenty of smarter, more experienced people have already done so, including Filippo Valsorda[3], who suggests that overworked, burnt-out developers should "send invoices for ‘support and sponsorship’ on letterhead" to the companies which routinely take advantage of these underfunded, underappreciated maintainers, a suggestion I completely approve of. "Fuck You, Pay Me" has been a critical rallying cry for countless other jobs, including artists, who are ceaselessly offered payment in ‘exposure’, which cannot feed anyone.
3: https://blog.filippo.io/professional-maintainers/
What I’d like to talk about here is why the FSF hasn’t said anything about this. The most obvious reason is that it exposes a pretty critical flaw in the ethos that has guided their efforts from the beginning, awkwardly phrased into song[4] by Richard Stallman:
4: https://www.gnu.org/music/free-software-song.en.html
Hoarders can get piles of money,
That is true, hackers, that is true.
But they cannot help their neighbors;
That's not good, hackers, that's not good.
When we have enough free software
At our call, hackers, at our call,
We'll kick out those dirty licenses
Ever more, hackers, ever more.
There's a lot to unpack there (people with money cannot help their neighbors? Do you really think that's the limiting function?) but, ignoring the irony of a foundation spending three decades writing *more* licenses in an attempt to liberate software for good, this ethos ignores a fairly critical point: to write software, people need to eat, and they need money to do that. When they don’t get paid, and their software runs the Internet, they are not only underpaid and underappreciated, they’re also being exploited by enormous conglomerates: companies that could afford to pay teams of dozens of engineers to maintain all of these critical projects, companies with so much cash that this effort would be a rounding error on their balance sheets. An ideology that was meant to free programmers and users has instead put them directly under the microscope, in an unwinnable position where they must choose between their passion and their ability to survive in the world.
So what could they possibly say or do in response to this? Perhaps they are busy doing other things. But then this raises the question: what is it they are doing?
I’ve tried to piece together the exact reason for the existence of the FSF, and I hate to be brutally honest, but I cannot find any.
Charity Navigator is a non-profit organization dedicated to appraising charities and other fundraising organizations. This appraisal includes how much money these organizations under scrutiny receive versus how much they spend on specific efforts, the transparency provided by these organizations, and how much donated money is required to maintain administrative overhead.
They are incredibly positive[5] about the Free Software Foundation. In 2019, the FSF reported on its IRS Form 990 (the annual return for tax-exempt organizations) revenue of just under 2.2 million dollars, and expenses of 1.6 million dollars.
5: https://www.charitynavigator.org/ein/042888848
Based on the Foundation’s 990, the three largest programs they support with their charity work are as follows:
1. The "Education and outreach program" which comprises the Foundation’s work in online and in-person campaigns about the importance of free software, articles and educational materials, and "coordinating and empowering volunteers to advocate for free software in their local communities". This program received just over $700,000 of the charity’s funds.
2. The GNU Project, which develops the GNU Operating System. The GNU Project was announced in 1983, nearly 40 years ago. In that time, the development of Linux in 1991 (outside the auspices of the Foundation) gave the GNU userland a kernel and therefore a complete operating system to work with. Since then, Linux distributions have become far less tightly woven into the fabric of the GNU Project’s work, as alternative core utilities have been built, such as BusyBox, which differ from the GNU Project’s existing utilities and can be used in more places, such as embedded systems, without the baggage of the older GNU utilities. To date, the GNU Project has never released a production-ready operating system of its own. The GNU Project received just over $315,000 of the charity’s funds.
3. The License Education Project, which "assists developers and users in understanding software licensing and determining which software is ethically safe for them to use". This project does not appear to be mentioned by name anywhere on the FSF’s website. This project received just over $382,000 of the charity’s funds.
Added up, these three projects, which are clearly directly under the purview of the FSF, and not contributions to other groups, maintainers, or projects, total just over 1.4 million dollars of the FSF’s funds, out of the 1.6 million dollars spent in FY2019. Another $100,000 goes to the salary of the Executive Director of the Foundation, John Sullivan. The FSF has 13 other employees; it is presumed they must fight over the remaining $100,000 amongst themselves.
One thing Charity Navigator is very clear to say is that they have so far been unable to provide a rating that appraises the *impact* of the Free Software Foundation. They're not alone.
I don’t think it’s unreasonable to suggest that these efforts are, if not total failures, unimpressive and disappointing for a charity that is over 30 years old. On the other hand, it may be that their efforts have succeeded to the point that we are where we stand today because of them: overworked, underpaid developers holding up the infrastructure of modern IT on their backs.
If the latter is truly the case, then an unforgivable oversight has occurred: the Foundation, during its entire lifetime, has never been able to see this future arriving, in such severity and magnitude, as it exists today. A charity dedicated to the proliferation and proselytization of free software, never, in its 36 years of existence, anticipated this.
Other evidence points to this conjecture as well. The AGPL was first released in 2007, in reaction to the modern IT world, in which most programs communicate extensively with servers outside the control of the user, such as an app performing API requests or a server sending JavaScript that is executed in the user’s browser. The highest-profile user of this license was MongoDB, Inc., until 2018, when they switched to their own, slightly incompatible Server Side Public License. For some strange reason, no major companies or organizations that rely heavily on open source have taken up this particular license. In fact, large companies such as Google have employees dedicated to ensuring no AGPL code ever shows up in their monorepos, because the result would be disastrous—and a legal shitshow—for their company. I am hard-pressed to consider this any kind of blow to the exploitation of free and open source software. The release of this license did nothing to slow down the exploitation of programmers or advance the freedom of users.
So why is the FSF—and, by association, its fundamental philosophy—such a well known and highly regarded organization within the open source community? Besides spending the vast bulk of their funds on their own, ineffective projects, what else do they do?
Do they protect the rights of users in more proactive ways? Since the fight against programmer exploitation has already been demonstrably lost, the most obvious way to answer this question would be to see where they fight for the enforcement of these licenses. The Wikipedia page on "Open source license litigation" lists one lawsuit where the FSF is the plaintiff: *Free Software Foundation, Inc. v. Cisco Systems, Inc (2009)*. This lawsuit ended in a settlement, wherein Cisco created an internal role for license compliance (a.k.a. CYA) and made a financial contribution to the FSF. I’m not sure that helped any users. Or programmers. Or anyone.
We’re running out of actual, material work that the FSF does, so we can go through this list pretty quickly:
1. The GNU licenses. In the Foundation’s existence, they have written four licenses, about one every ten years.
2. The GNU Press, which has published nine books on GNU software, and a book on "philosophy", *Free Software, Free Society: Selected Essays of Richard M. Stallman*. Their outreach in this category includes such helpful tips as looking through bookstores for these works and then letting the bookstore owner know that they don’t carry these books. Remember bookstores?
3. The Free Software Directory, a "listing of software packages that have been verified as free software", for which it has received funding from UNESCO to maintain. There are 16,626 items on this list, and it’s not clear any of them could not be found with a Google search. Nearly 400 of these projects are GNU Projects.
4. Savannah, a project hosting website. It hosts 3,835 projects, 87% of which are not GNU packages. It is pure conjecture, but I imagine this forge does not compare, feature-wise, to GitHub, which has, I believe, genuinely improved the software development landscape by making things such as CI/CD, code reviews, pull requests, and issue tracking next to painless.
5. A list of hardware and device drivers that are 100% free software. I suggest that since hardware vendors that care about free software are so intentional in their design, development, marketing, and release about championing this fact (such as Purism’s offerings), this is not a difficult list to maintain.
6. Advocacy. This includes the "Defective By Design" campaign from the iPod era, which may have been vaguely responsible for Apple’s switch to DRM-free music in 2009, though I suspect this had more, much more, to do with Steve Jobs’ particular relationship with music companies.
In terms of actual, proactive community outreach, I’m hard-pressed to find any examples. The FSF provides some tools for existing communities, such as LibrePlanet, which is an "organizing space for everyone in the free software and free culture movements". It’s a wiki. And I imagine most free software communities are using IRC or other online communities, such as Discord, to do this kind of work. I do not see the FSF doing any kind of boots-on-the-ground advocacy, and as the log4j debacle shows, they do not seem interested in discussing the modern state of the world in software development with the people who are affected by it the most, either. (Another massive oversight in their work is the long-standing conflict between video game developers and independent modding communities, abandonware, and so on. One would think this would be incredibly fertile territory for the FSF, but that's another essay entirely.)
It is long past time for the software development community to take a step back and try to figure out how the hell we got to this point. The FSF has been an integral part in ensuring that programmers don’t get paid for their work, and if they *aren’t* responsible for that, then I honestly can’t point to anything they *have* done, and their vaunted position in the software community—and the philosophy that has nurtured the climate we live in today as programmers and users—needs critical re-examination.