Why Do Engineers Keep Learning All the Time?

This will not come as a surprise to any developer, but for everyone else: statistically[1], software engineers enjoy learning new things. That's not just a preference; the ability to self-teach and apply new knowledge is a fundamental job requirement for developers at any seniority level. We love tech, we want to explore what's new, and create something on top of that. This drive is both a good and a bad thing. It's good because the drive to improve brings us better, more useful software that we can all use in our daily lives. It's bad because perfectly good "old" things quickly lose our interest, making it difficult to find a team willing to keep them running, leading to issues like security problems and lack of backward compatibility.

Why is There So Much Free, Useful Software?

Sometimes, we learn things just for learning's sake. Other times, we want to solve our own problem and possibly someone else's if they encounter it. We don't want to maintain things we no longer feel like maintaining, but we still want the satisfaction of knowing that people find our work useful and maybe even contribute to it to solve the problem better.

This idea led to the creation of the open-source movement[2]. Anyone can share their code for free, allowing others to modify and redistribute it, or extend existing software and provide their own improvements. Today, open source is at the core of all modern software. Maintainers work thanklessly, often providing a foundation for large, commercial applications that bring significant revenue to the biggest tech corporations. Here's an XKCD strip that illustrates this:

[Image: XKCD strip "Dependency"]

So, It's a Win-Win, Right...?

Imagine providing the result of your hard work for free and for everyone's benefit, only to receive an email like this: https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/

Let's forget about the factual basis for the claim made in those emails (blaming the author of cURL for being exploited is misguided at best); it's simply not okay to threaten someone. Daniel shared that his software has been pulled 6 billion (yes, with a "b") times from Docker. Wherever you look, there's cURL installed. As a sole maintainer, even if you distribute it with no warranty, can you really say that you don't feel responsible for such a project?

Try to put yourself in this position. You had an issue, you solved it, and shared the solution with everyone for free. Someone decided that your solution is the best for their problem and pulled it into their code. For a moment, imagine that this someone is a maintainer of popular open-source or proprietary software - like Microsoft[3]. Suddenly, countless people rely on that software (probably unbeknownst to most), a smaller but significant number make a lot of money from it (usually indirectly), and you're still one person who had this particular issue, yet nobody knows you...

...Unless Something Goes Very Wrong.

Recently, the software called "XZ utils" made headlines. In brief, xz is compression software used in virtually every Linux distribution. If you'd like to know the technical details, I'll link the articles below[4][5]. If you're not into such details, just know that this project is a dependency of another and, like many others, is maintained by one "random" person. Lasse Collin was tricked into giving more and more access to the project by someone named Jia Tan. The attacker slowly gained trust and provided useful patches, only to introduce a sophisticated backdoor later.

The common incentive for writing open-source code is that it allows you to be more visible as a developer, showcase your skills and work ethic before talking to potential employers. In reality, most people (including CTOs, engineering managers, project leads, etc.) have never heard of Collin. You know his work, for sure. I doubt any of you have reached out to him to offer a job, sponsorship, or anything similar. Developers become frustrated and abandon their projects over time because they can't get recognition for their work, let alone a few bucks for coffee.

How Do I Know That You Don't Know?

Let's examine what Microsoft posted in another large open-source project's issue tracker:

[Image: screenshot of the issue posted by Microsoft]

Quoting the maintainers directly[6]:

After politely requesting a support contract from Microsoft for long-term maintenance, they offered a one-time payment of a few thousand dollars instead.

This is unacceptable. We didn't make it up; this is what @microsoft @microsoftteams actually did.

Microsoft (a company that made $230 billion in 2023) pushes volunteers to work faster because they use their software as part of their commercial product for free. Instead of stepping up and paying people they depend on for continuous support, they offer a one-time payment of a few thousand dollars.

The maintainers of FFmpeg called this "unacceptable". I'd use stronger words. Microsoft, in their issue, tries to guilt people who spend their free time on something for free because it's a "highly visible product". The only worse example of the "this is important, or I'll lose money" attitude I can think of is "The customer has nuclear weapons"[7]. Yes, this happened.

What Can We Do to Fix It?

I know it's difficult to convince companies to pay for something generally available for free, and I won't ask you to try. However, if you're a software developer, you know which projects saved you time (and made you money). Somewhere in the README or on their website, there might be a donations/sponsorship link - use it. If you're not a developer, I'm linking to a list of projects you're probably using or depending on, even if you don't realize it:

If you can spend one dollar a month and donate to any of these (and convince your friends to do so!), that'd be invaluable for the maintainers.


1. We also like statistics...

2. I hope the OSS evangelists can forgive me for this gross oversimplification.

3. Yes, curl is part of Windows, too, since version 10.

4. https://securityboulevard.com/2024/03/an-accidental-discovery-of-a-backdoor-likely-prevented-thousands-of-infections/

5. https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know

6. source: https://twitter.com/FFmpeg/status/1775178805704888726

7. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95644#c4