💾 Archived View for tilde.club › ~winter › gemlog › 2024 › 7-06.gmi captured on 2024-07-09 at 01:52:55. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
The software supply chain is something they've done to themselves
EEE is something we do to ourselves
On Open Source and the Sustainability of the Commons
Specifically leaving aside what Nat wrote about EEE and the Fediverse (which is interesting, and which I've thought about a bit, to the extent that I've just blocked threads.net via my Mastodon account), I think I agree with ploum, and with Nat - for infrastructure-type code, there are a lot of reasons not to use the more permissive open source licenses, such as MIT or the BSDs.
The thing is, I'm not sure how much it matters. We live in an age where companies violate copyright, and norms, with absolute impunity. Think of Microsoft or OpenAI sucking up the entire text of the pre-generative-AI web, creating models from it, and having their lawyers claim there's no copyright problem, that when they copy, that makes it right. It used to be claimed that the GPL (and variants) would force companies to open source any changes. That feels like a lot of wishful thinking now, belonging to the same era that felt that the web would be a great force for democratization, rather than the perfect surveillance mechanism for authoritarian regimes across the world.
One thing I fully agree with is Nat's assertion that any maintainers feeling heat from companies should simply tell them to fuck off:
Whenever I've read about software developers suffering under the weight of pressure from large corporations using their projects, I've always found I had a hard time really sympathizing with them. I fully believe that it's stressful, but it's stressful in as much as it's stressful to constantly be surrounded by people asking things of you. Like, yeah, that is very stressful, but it's also an opportunity to learn how to politely say "no."
Pretty much every open source license mentions that the code is provided without liability. So.
Companies can pound sound. Companies that want something fixed can pay top contractor rates of hundreds of dollars an hour, and even then, companies should expect to hear "no".
Daniel Sternberg on a distressing email he received
A few years ago, I remember reading stuff on how Daniel Sternberg was getting leaned on, hard, by companies to fix CVEs in curl's codebase. And I remember thinking, who the hell do they think they are? He's presumably not on retainer, is doing this because it's something they love, and they're treating him exactly as if he's some sort of low-level employee.
At this point I confess that I use MIT myself for all my projects, that I do so specifically because I know there's no chance that any of my code will be used for anything critical. And even if it were, I've got a day job, and that's got my focus. I do this for fun, because after 13 years hacking on the same slowly-growing project, it's got to be fun.
I use MIT because I don't care who uses my code, and for what; given what it is, there's no possibility it'll get abused by a shitty corporation in service of polluting rivers, or stealing water, or... (etc). But if it were, I don't know if using a different license would be enough. I know when I started as a developer, almost twenty years ago, my company was very, very careful about what code they used, what libraries they used. It was, essentially, a company founded by devs. Those sorts of ideas around caution were built into the culture.
And those sorts of companies are largely gone. Mine got bought by some VC-backed company from the US which then proceeded to gut the company and coast on the fumes in that very VC way. Caution has been thrown to the wind with the last ten or fifteen years of Silicon Valley culture, which companies around the world mimic brainlessly. Why slow down when you can go fast? If you break something you can fix it, or, failing that, just lie.
But in today's culture of anything-goes (and anything-goes-quickly), I don't think it matters so much. Much harder to catch a company using a modified piece of open source software for which they need to release the source. And even if you did, would you, J. Random Developer, take legal action against a FAANG?
I didn't think so. And neither do they. So if they're going to do what they want with our code, then in a sense it's pretty much an imperative that, when they start feeling the heat, we tell them that they're on their own.