💾 Archived View for gemini.circumlunar.space › users › kraileth › neunix › 2021 › dystopian_open_sou… captured on 2023-04-26 at 14:20:36. Gemini links have been rewritten to link to archived content
Friday, 8. January 2021
[This article has been bi-posted to Gemini and the Web]
Happy New Year! The other day I watched a video on YouTube that had only 6 views since last October. It is about a very important topic, though, and I wish it would have a larger impact as well as get more people alarmed and thinking about the current trends in Open Source. This is not an "OMG we're all doomed!!1" post, but I want to talk about what I feel are grave dangers that we should really, _really_ give some serious consideration.
For the readers who would like to watch the video (about 7 minutes), I'll link to it below. Some background info: It's by Lucas Holt. He is the lead developer of _MidnightBSD_, a project that began as a fork of FreeBSD 6.1 and aimed for better usability on the desktop. There were a couple of people who contributed to the project over time, but it never really took off. Therefore it has continued as a project done almost entirely by one man.
"Pay to Play" video on Youtube
It's not hard to imagine just how much work it is to keep an entire operating system going; much larger teams have failed to deliver something useful after all. So while it's no wonder that MidnightBSD is not in a state where anybody would recommend it for everyday use, I cannot deny that I admire all the work that has been done.
Holt has merged changes back from FreeBSD several times, eventually updating the system to basically 11.4 plus the MidnightBSD additions and changes. He maintains almost 5,000 ports for his platform (of course not all are in perfect shape, though). And he has kept the project going since about 2006 - despite all the taunting and acid-tongued comments about "the most useless OS ever" and the like. Even though I never found a somewhat serious use for MidnightBSD (and I tried a couple of times!), considering all of that he has earned my deepest respect.
To sum up the video: He talks about a trend in Open Source where some very important projects have started to raise the bar for contributing to them. Sometimes you're required to employ two full-time (!) developers to be considered even worth listening to. Others require you to provide them with e.g. a paid Amazon EC2 instance to run their CI on. And even where that's not the case, some decision makers will just turn you down if you dare to hand in patches for a platform that's not a huge player itself.
Quite a few people do not even try to hide that they only ever care about Linux, and Holt has made the observation that some of the worst-behaving, most arrogant of these are - Red Hat employees. There are people on various developer teams who choose to deliberately ruin things for smaller projects, which is certainly not good and shouldn't be what Open Source is about.
At a bare minimum, Open Source only means that the source for some application, collection of software or even entire operating system is available to look at. I could write some program, put the code under an extremely restrictive license and still call this thing "Open Source" as long as I make the code available by some means. One could argue that in the truest sense of the two words that make up the term, that would be a valid way to do things. But that's not what Open Source is or ever was about!
There are various licenses out there that are closely related to Open Source. Taking a closer look at them is one great way to find the very essence of what Open Source actually is. There are two important families of such licenses: The so-called _Copyleft licenses_ and the _permissive licenses_. One could say that downright religious wars have been waged about which side holds the one real truth...
People who have been reading my blog for a while know that I do have a preference and made quite clear which camp I belong to, even though I reject the insane hostility that some zealots preach. But while the long-standing... err... let's say: _controversy_, is an important part of Open Source culture, the details are less relevant to our topic here. They basically disagree on the question of what requirements to put in the license. Should there be any at all? Is it sufficient to ask for giving credit to the original authors? Or should users be forced to keep the source open for example?
Both license families however do not dispute the fundamental rights given to users: They want you to be able to study the code, to build it yourself, to make changes and to put the resulting programs to good use. While it's usually not explicit, the very idea behind all of Open Source is to allow for _collaboration_.
Over the years we've seen a lot of uproar in the community when the leaders of some project made decisions that go against these core values of Open Source. While some even committed the ultimate sin of closing down formerly open code, most of the time it's been slightly less harsh. Still we have seen XFree86 basically falling into oblivion after Xorg was forked from it. The reason this happened was a license change: One individual felt that it was time for a little bit of extra fame - and eventually he ended up blowing his work to pieces. Other examples are pfSense and OPNsense, Owncloud and Nextcloud or Bacula and Bareos. When greed strikes, some previously sane people begin to think that it's a good idea to implement restrictions, rip off the community and go "premium".
One of the great virtues of Open Source is that a continuation of the software in the old way of the project is possible. With OPNsense we still have a great, permissively licensed firewall OS based on FreeBSD and pf despite Netgate's efforts to mess with pfSense. Bareos still has the features that Bacula cut out (!) of the Open Source version and moved to the commercial one. And so on. The very nature of Open Source also allows people to pick up and continue some software when the original project shuts down for whatever reason.
There are a lot of benefits to Open Source over Closed Source models. But is it really immune to each and every attack you can aim at it?
There is always the pretty obvious danger of closing down source code if the license does not prohibit that. Though I make the claim that this is in fact mostly a non-issue. There are a lot of voices out there who are getting hysterical about this. But despite how they try to make things look, it is impossible to close down source code that is under an Open Source license! A project can stop releasing the source for newer versions, effectively ceasing to distribute current code. But then the Open Source community can always stop using that stuff and continue with a fork that stays open.
But we haven't talked about three other inherent dangers: _narrow-mindedness_, _non-portability_ and _leadership driven by monetary interest_.
One could say that today Open Source is a victim of its overwhelming success. A lot of companies and individual developers jumped on the bandwagon because it's very much beneficial for them. "Let's put the source on GitHub and people might report issues or even open pull-requests, actively improving our code - all for free!" While this is a pretty smart thing to do from a commercial point of view, in this case the source code was not opened up because somebody really believes in the ideas of Open Source. It was merely done to benefit from some of the most obvious advantages.
Depending on how far-sighted such an actor is, he might understand the indirect advantages to the project when keeping things as open as possible - or maybe not. For example a developer might decide that he'll only ever use Ubuntu. Somebody reports a problem with Arch Linux: Close ("not supported!"). Another person opens a PR adding NetBSD support: Close ("Get lost, freak!").
Such behavior is about as stupid as it gets - and, when it comes to the values, about as anti-Open-Source as it gets, too. Witnessing something like this makes people who actually care about Open Source cringe. How can anybody be too blind to see that they are hurting themselves in the long run? But it happens time and time again. By turning down the Arch guy, the project has probably lost a future contributor - and maybe the issue reported was due to incompatibilities with the newer GCC in Arch that will eventually land in Ubuntu, too, and could have been fixed ahead of time...
Open Source is about being _open-minded_. Just publishing the source and fishing for free contributions while living the ways of a closed-source spirit is in fact a real threat to Open Source. I wish more people would just say _no_ to projects that regularly say "no" to others (without a good reason). It's perfectly fine that some project cannot guarantee that their software will even compile on illumos all the time. But the illumos people will take care of that and probably submit patches if needed. Refusing to even talk about possible support for that platform, however, is very bad style and does not fit well with the ideals of Open Source.
If I witness an arrogant developer insulting, say, a Haiku person, I'll go looking for more welcoming alternatives (and am perfectly willing to accept something that is technically less ideal for now). Not because I've ever used Haiku or plan to do so. But simply because I believe in Open Source and in fact have a heart for the cool smaller projects that are doing interesting things apart from the often somewhat boring mainstream.
Somewhat related to the point above is (deliberate) non-portability. A great example of this is systemd. Yes, there have been many, many hateful comments about it, and there are people who have stated that they really hope the main developer will keep the promise to never make it portable "so that *BSD is never going to be infected".
But whatever your stance on this particular case is - there is an important fact: As soon as any such non-portable Open Source project gains a certain popularity, it will begin to poison other projects, too. Some developers will add dependencies on such non-portable software and thus make their own software unusable on other platforms even though that very software alone would work perfectly fine! Sometimes this happens because developers make the false assumption that "everybody uses systemd today, anyway", sometimes because they use it themselves and don't realize the implications of making it a mandatory requirement.
If this happens to a project that basically has three users world-wide, it's a pity but does not have a major impact. If it's a piece of software, however, that is a critical component in various downstream projects, it can potentially affect millions of users. The right thing here is __not to break solidarity with other platforms__. Even if the primary platform for your project is Linux, _never ever_ go as far as adding a _hard dependency_ on systemd or other such software! If you can, it's much better to make support optional so that people who want to use it benefit from existing support. But don't ruin the day for everybody else!
And think again about the exemplary NetBSD pull-request mentioned above: Assume that the developer had shown less hostility and accepted the PR (with no promises to ever test if things actually work properly or at all). The software would probably have landed in Pkgsrc and somebody else would soon have hit a problem due to a corner case on NetBSD/SPARC64. A closer inspection of that would have revealed a serious bug that remained undetected and unfixed. After a new feature was added not much later, the bug became exploitable. Eventually the project gained a "nice" new CVE of severity 9.2 - which could well have been avoided in an alternate reality where the project leader had had a more friendly and open-minded personality...
Taking portability very seriously is exceptionally hard work. But remember: Nobody is asking you to support all the hardware you probably don't even have or all the operating systems that you don't know your way around on. But just be open to enthusiasts who care for such platforms and let them at least contribute.
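The advice above (optional support instead of a hard dependency) is easy to act on for one very common case: systemd's readiness notification. What follows is an added example, not code from the original post or from MidnightBSD. The sd_notify protocol is just a datagram sent to the Unix socket named by $NOTIFY_SOCKET, and systemd's own sd_notify(3) documentation explicitly permits reimplementing it directly, so a daemon can speak it without linking libsystemd at all. The function and temporary file names below are my own choices; when NOTIFY_SOCKET is unset (the case on every non-systemd platform) the call is a no-op, so one and the same source builds and runs on Linux, the BSDs and illumos alike.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one sd_notify-style state line ("READY=1", "STATUS=...") to the
 * service manager, if one is listening. Return values:
 *   1  message delivered
 *   0  no NOTIFY_SOCKET in the environment: not running under systemd,
 *      so this is a harmless no-op on every other platform
 *  -1  a socket error (the caller may log it, but should not abort) */
int notify_service_manager(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t plen = strlen(path);
    if (plen >= sizeof addr.sun_path)
        return -1;
    memcpy(addr.sun_path, path, plen);
    /* Address length: the filesystem path plus its terminating NUL ... */
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen + 1);
    /* ... or, for a Linux abstract socket (leading '@' in systemd's
     * notation), a leading NUL byte and no terminator. */
    if (addr.sun_path[0] == '@') {
        addr.sun_path[0] = '\0';
        alen--;
    }

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    ssize_t sent = sendto(fd, state, strlen(state), 0,
                          (const struct sockaddr *)&addr, alen);
    close(fd);
    return sent == (ssize_t)strlen(state) ? 1 : -1;
}

/* Self-contained check that needs no systemd at all: bind a datagram
 * socket at a constructed temporary path, export NOTIFY_SOCKET pointing
 * at it and verify that the state line arrives intact.
 * Returns 1 on success, 0 otherwise. */
int selftest_roundtrip(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/notify-example-%ld.sock", (long)getpid());
    unlink(path);

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);

    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0)
        return 0;
    int ok = 0;
    if (bind(srv, (const struct sockaddr *)&addr, sizeof addr) == 0 &&
        setenv("NOTIFY_SOCKET", path, 1) == 0 &&
        notify_service_manager("READY=1") == 1) {
        char buf[64];
        ssize_t n = recv(srv, buf, sizeof buf - 1, 0);
        if (n > 0) {
            buf[n] = '\0';
            ok = strcmp(buf, "READY=1") == 0;
        }
    }
    unsetenv("NOTIFY_SOCKET");
    close(srv);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("round trip through a fake notification socket: %s\n",
           selftest_roundtrip() ? "ok" : "FAILED");
    /* With NOTIFY_SOCKET unset (the normal case on a non-systemd host)
     * the call is simply a no-op and returns 0. */
    printf("without NOTIFY_SOCKET: %d (0 = no-op)\n",
           notify_service_manager("READY=1"));
    return 0;
}
```

The point of the design is that the platform-specific part is confined to one small function with a graceful "nothing to do" path, so the build needs neither a libsystemd package nor an `#ifdef` maze, and a port to Pkgsrc or the FreeBSD ports tree can ship the unmodified source.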
This one is a no-brainer - but unfortunately one that we can see happening more and more often. Over the last few years people have started to complain about e.g. Linux being "hijacked by corporations". And there is some truth to it: There is a lot of paid work being done on various Open Source projects. Some of the companies that pay developers do so because they have an interest in improving Open Source software they use. A couple even fund such projects because they feel giving back something after receiving for free is the right thing to do. But then there's the other type, too: Corporations that have their very own agenda and leverage the fact that decision makers on some projects are their employees to influence development.
Be it the person responsible for a certain kernel subsystem turning down good patches that would be beneficial for a lot of people for seemingly no good reason - but in fact because they were handed in by a competitor, while his employer is secretly working on something similar and has an interest in getting that one in instead. Be it because the employer thinks that the developer is not paid to do anything for platforms that are not of interest to its own commercial plan and is expected to simply turn those down to "save time" for "important work". Things like that actually happen and have been happening for a while now.
Limiting the influence of commercial companies is a topic on its own. IMO more projects should think about governance models much more deeply and consider the possible impacts of what can happen if a malicious actor buys in.
As noted above, I feel that some actors in Open Source are too much focused on their own use-case only and are completely ignorant of what other people might be interested in. But as this post's topic was a very negative one, I'd like to end it more positively. Despite the relatively rare but very unfortunate misbehaving of some representatives of important projects, the overwhelming majority of people in Open Source _are_ happy to allow contributions from more "exotic" projects.
But what's that funny looking word doing there in the heading? Let me explain. We already have _FOSS_, an acronym for "Free and Open Source Software". There's a group of people arguing that we should rather focus on what they call _FLOSS_, "Free and Libre Open Source Software". The "libre" in there is meant to put focus on some copyleft ideas of freedom - "free" was already taken and has the problem that the English word doesn't distinguish between free "as in freedom" and free of charge. I feel that a term that emphasizes the _community aspect_ of Open Source, the _invitation_ to just about anybody _to collaborate_ and Open Source _solidarity_ with systems other than what I use, could be helpful. How about _VOSS_? I think it's better than fitting in another letter there.
_Vrij_ is the Dutch word for free. Why Dutch? For one part to honor the work that has been done at the Vrije Universiteit of Amsterdam (for readers who noticed the additional "e": That's due to inflection). Just think of the nowadays often overlooked work of Professor Tanenbaum e.g. with Minix (which inspired Linux among other things). The other thing is that it's relatively easy to pronounce for people who speak English. It's not completely similar but relatively close to the English "fray". And if you're looking for the noun, there's both _vrijheid_ and _vrijdom_. I think the latter is less common, but again: It's much closer to English "freedom" and thus probably much more practical.
So... I _really_ care for vrij(e) Open Source Software! Do you?