this post was submitted on 30 Sep 2024
292 points (99.7% liked)


Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.

[–] [email protected] 94 points 5 days ago

Fact: “The security of the world’s most critical software hangs on a small number of solo maintainers, the majority of whom are unpaid volunteers.”

Capitalism: PeOplE nEeD FiNANcial InCeNTivES, WiThOut NOoNe WoUld woRK.

[–] [email protected] 69 points 5 days ago (3 children)

We all need to demand that our governments start funds for open source software.

It's fucking ridiculous that you volunteer your time to build software that benefits millions and billions of people and the government is just like "nah not a charitable contribution to us so you can get fucked in every way".

[–] [email protected] 34 points 5 days ago

And there are several individual EU countries that are moving to open source software, but so far they are not very keen on actually supporting their development. And sadly, the EU is moving away from funding open source via the Horizon program. https://www.theregister.com/2024/07/17/foss_funding_vanishes_from_eus/

[–] [email protected] 5 points 5 days ago

Open Source tax for tech companies?

Guess that would be bad press.

[–] Kissaki 4 points 5 days ago* (last edited 5 days ago) (3 children)

When you draw a parallel to social charity both are largely volunteer based and underfunded. And both have direct and indirect gains for society.

Physical charity often serves basic needs. I'm not sure selecting qualifying quality open source projects is as easy. Need and gain assessments are a lot less clear.

If it's about public funding distribution, I would like to see some FOSS funding too, but not at the cost of or equal or more than social projects.

How many FOSS projects actually benefit "millions and billions of people"? That kind of impact feels like it's few and far between.

[–] CameronDev 8 points 5 days ago (2 children)

I think there is a much stronger argument for tech businesses being forced to finance and support FOSS. They are the ones directly benefiting from the free work.

Not a clue how to force that though, would probably need to be via some form of regulation. I can't think of any good way to do it without leaving gaping loopholes for abuse. :(

[–] Kissaki 6 points 5 days ago

The EU passed laws that require companies (under conditions) to ensure base requirements in their supply chain.

I think a digital equivalent could be possible and similar. Requiring reasonable security and sustainability assessment.

It's not very obvious or simple to enforce, but would set requirements, and open up opportunities for fines and prosecution.

[–] [email protected] 5 points 5 days ago (1 children)

Why just tech companies? Why not every industry that relies on open source software?

Quite frankly I do not see the point of crafting legislation this tailored, just fund it from general government resources and then generally tax the rich more.

[–] CameronDev 4 points 4 days ago

The link is just a lot more direct, and easier to audit.

A car mechanic buys some software from a company, internally it uses FOSS. Now they have to support the project? They might not even know it uses FOSS internally, I never read those licence things.

Doing it via taxation is probably the easiest option, but then it runs into the problem of country X paying for support, and country Y gets to freeload.

[–] [email protected] 4 points 5 days ago (1 children)

How many FOSS projects actually benefit "millions and billions of people"? That kind of impact feels like it's few and far between.

Linux or any of the different projects and components that support it and its development, including all the dev tooling like git, languages, etc. etc. Basically any work on Firefox and web browsers, any work on Wikipedia or its supporting infrastructure, work on stuff like Lemmy and the fediverse likely will in the long run, torrents and the like, open source game engines, IDEs, Blender, Home Assistant etc. etc. etc.

There are a lot of open source projects that have a lot of rippling ramifications, and there is inherent benefit in having more open source software developed independently. If Firefox was a better funded and more competent alternative to Chrome we wouldn't even have this whole Manifest v3 mess since Chrome would just lose all their users.

[–] Kissaki 0 points 4 days ago (1 children)

If Firefox was a better funded and more competent alternative to Chrome we wouldn’t even have this whole Manifest v3 mess since Chrome would just lose all their users.

I don't think that's an issue of competency - which I understand as functionality/feature parity in this wording.

Chrome gained and became this popular likely entirely due to Marketing and big-corp ecosystem network effect through pushing it - through Google, Google Docs, and related Alphabet services.

I don't think Firefox was ever really inferior. I've always preferred the dev tools and a few other things over Chrome. There was merely a time where performance was worse, but that likely only mattered in benchmarks - and marketing.

[–] [email protected] 3 points 4 days ago* (last edited 4 days ago) (1 children)

Chrome and all the various Chromium spinoffs got popular partially through anti-competitive tying, but not entirely. Safari, IE, and Edge were also anti-competitively tied and yet they did not see meteoric rises in the same way.

The reality is that a large part of the reason that Chrome got popular is because they wrote the best JavaScript engine, by orders of magnitude, right at the time that web apps were taking off. Google wrote a better JavaScript engine because they were a web app company, but it benefited every single page that used any Javascript.

While Firefox devs were still debating whether or not a web page should just be a static document, the web browser became the most successful cross-platform development framework in history, vastly outstripping the likes of Java and Q++, and yet, it's 10 years later and Firefox still does not have proper PWA support.

[–] Kissaki 1 points 3 days ago

and Firefox still does not have proper PWA support

I recently had to learn about that, targeting PWA. :(

When I read "you can install an extension for it" I thought that would be simple enough. But that extension then requires an additional Firefox installation which causes its own share of problems. (Comparatively complicated setup process despite simple walkthrough wizard with installer integration, program shortcuts being added, Firefox onboarding being triggered in the PWA.)

[–] [email protected] 3 points 5 days ago (1 children)

I agree, there is a lot of fluff. However I think FOSS is more of a web, not every piece of software has a billion users, but the collection of projects as a whole prop each other up. You have a language by itself, but also all of its libs that make the language useful.

[–] Kissaki 1 points 4 days ago

I agree. The split and collective nature makes it hard to assess and fundamentally support though - which is what I was referring to in one point.

[–] [email protected] 64 points 5 days ago
[–] [email protected] 25 points 5 days ago* (last edited 5 days ago) (1 children)

I made a little "reverse regex" library for fun ages ago. You give it a regex and it generates text from it. I thought of it as a toy, but people found use for it in unit testing. Eventually, someone forked it and added better test support because I am the world's worst maintainer.

Anyway, I only say this because I learned that it is shockingly easy for some throwaway idea you put up on GitHub to suddenly become the unpaid backbone of somebody else's CI pipeline. Then, you're getting angry PRs and tickets about how a security issue or an unpatched dependency in your toy library NEEDS to be fixed and now you've got a new unpaid job!

Or you do what I did and abandon the project so one of the poor fools actually using it in production needs to maintain it. Us programmers though, we like when our code is being used, we like to help people, we want the work we put out there with our name on it to be a good representative of us, to show us as helpful, hard-working, and dependable. It can be so easy to fall into this feeling that because you wrote it, you "owe" your users some ongoing commitment.

And those users are often themselves beholden to their bosses, just trying to find the least-effort solution to get back to what they wanted to be working on. The shit all rolls downhill and ultimately I think our industry needs massive structural changes to thrive. I honestly sometimes muse about a return to the guild system. All feature requests and bug reports (and I mean like, globally, ALL tickets) come to the Guild and we shall assign them out under the principle of mutual aid (from each member according to ability, to each member according to their needs). In this way, the Guild will carefully train the next generation of holy adeptus mechanicus and make broad decisions on how technology can best serve the people.

[–] [email protected] 8 points 5 days ago

I fully support you. But keep in mind that many PRs and issues have "spec wording", where words such as NEED, REQUIRE, MUST and SHOULD are not commands upon somebody.

[–] onlinepersona 6 points 4 days ago

We need a new license that requires payment if the use is commercial. One of the people involved in the coining of the term "open source" is already working on a licence, but maybe another one will be released earlier.

Companies that freeload from open source now should be forced to pay up.

Anti Commercial-AI license

[–] refalo -3 points 5 days ago* (last edited 5 days ago) (2 children)

The bigger problem to me is that I have seen an untold number of open source developers that despise all manner of capitalism in the first place, so you can't even pay them to work on things. It's like they just want everyone to live under a rock in the woods and all be poor together or something. That's not going to progress society very much IMO.

[–] ballmerpeaking 4 points 5 days ago (1 children)

I've never heard of that in my life

[–] refalo 0 points 5 days ago (1 children)

You must not be active in any chat systems that are frequented by FOSS developers then? I see it constantly across Matrix, IRC, XMPP and other places.

[–] ballmerpeaking 4 points 4 days ago

Yes, there's a few with some quirky opinions. All of them will take money in some way.

[–] [email protected] 1 points 4 days ago (1 children)

I don't know the context of your interactions with them, but it is possible that they don't want to take on the burden and expectations that come with being paid, and so it just becomes a convenient excuse to not get tangled up in working on things in a compensated capacity.

[–] refalo 1 points 4 days ago

To rephrase what I said, they explicitly tell you they are not interested in money as a concept at all. They prefer to have none... they basically want to have nothing and wish that the rest of the world believed the same thing.