Comment by spott
2 months ago
This makes an assumption that a bunch of companies are maintaining their own forks of MIT software with bug fixes and features and not giving it back.
I find that hard to believe.
2 months ago
This makes an assumption that a bunch of companies are maintaining their own forks of MIT software with bug fixes and features and not giving it back.
I find that hard to believe.
One of the comments on the LWN article is an analysis of exactly that happening with this very library - https://lwn.net/Articles/1026956/
In short, Apple maintain a 448 kB diff which they 'throw across the wall' in the form of an opaque tarball, shorn of all context. Many of the changes contained within look potentially security-related, but it's been released in a way which would require a huge amount of work to unpick.
That level of effort is unfeasible for a volunteer upstream developer, but is a nice juicy resource for a motivated attacker. Apple's behaviour, therefore, is going to be a net negative from a security point of view for all other users of this library.
My reading of this wasn’t that Apple has a bunch of security bug fixes they aren’t upstreaming, it is that they are maintaining their own forks of an old version and back porting security bug fixes from upstream into their fork.
Maybe they are doing their own security fixes, but at this point they are so far diverged from upstream that it isn’t clear that those security bugs exist in upstream.
But that is my guess, I don’t really have enough information to say much for sure.
Digging into it further, it looks like there's a mix - backported bugfixes, Apple-specific fixes, and security issues which may or may not have been fixed by upstream long ago.
Some of it almost certainly would be useful upstream (eg. the clang warnings, and any unfixed security issues), and some might warrant being reimplemented in a different way (those Apple-specific ifdefs in the middle of platform-independent code blocks). But that's not ever going to happen, because of the way Apple jumbles it all together.
2 replies →
No, they're mostly not. They're throwing the maintenance demand back on the unpaid, understaffed open source developers. That's what TFA is about.
Oh, I've seen it plenty. Cultural awareness is just very low in places for some reason.
I work a bigco and this happens all the time. I have probably written 20 patches for open source stuff like kubernetes, but when I open a pull request nobody on the project looks at it and it sits open forever. We keep patch sets internally and rebase on top of upstream as some project will not take our contributions.
Not really. A company that does not bother contributing to a liberally-licensed project will 100% avoid GPL software like the plague. In either case, they won't contribute. In the latter case, they don't get to free-ride like a parasite.
It is reasonable to assume that this is true. But an equally effective way other than making your license unpalatable to them, is just to say no and state clearly: "Patches or GTFO". Also, have a homepage to link with your (hefty?) consulting rates?
I have mentioned this in the past, but there was this weird shift in culture just after 2000 where increasingly open source projects were made to please their users, whether they were corporate or not, and "your project is your CV" became how their maintainers would view their projects. It does not have to be this way and we should (like it seems to be the case with libxml2) maybe try to fix this culture?
> It is reasonable to assume that this is true. But an equally effective way other than making your license unpalatable to them, is just to say no and state clearly: "Patches or GTFO". Also, have a homepage to link with your (hefty?) consulting rates?
That's fine for feature requests, but the issue in the present case is bug reports.
2 replies →
> will 100% avoid GPL software like the plague.
Not true. Many companies uses Linux for example.
They will just avoid using GPL software in ways that would impact their own intellectual property (linking a GPL library to their proprietary software). Sometimes they will even use it with dubious "workaround" such as saying "we use a deamon with IPC so that's ok"
> > will 100% avoid GPL software like the plague.
> Not true. Many companies uses Linux for example.
I thought it was clear, given that this is a discussion about an open source library, that they were talking about GPL libraries. The way that standalone GPL software is used in companies is qualitatively quite different.
1 reply →