Comment by securesaml

8 hours ago

The problem is more so maintenance.

The expectation of FOSS is that the users and maintainer work together to resolve bug fixes/features/security issues.

However, many companies will dump these issues on the maintainer and take it for granted when they are resolved.

It's not a sustainable model, and will lead to burnout/unmaintained libraries.

If the companies don't have the engineering resources/specialization to complete bug fixes/features, they should sponsor the maintainers.

> The expectation of FOSS is that the users and maintainer work together to resolve bug fixes/features/security issues.

This depends a lot on the users, and then somewhat on the maintainers.

I have seen a lot of end-user facing software where people do not understand that features and fixes do not magically materialize - that there is a person on the other end likely working on this in their free time, with their own prioritization on how they will use that limited time.

It’s OK to say “No” or “Pay me and I’ll do it right now” to companies doing this.

  • (And on the flipside, nothing is owed for a bugfix the maintainer made out of their own free will. Again, a gift.)

    • The problem is lots of open source is unmaintained/insecure, and there aren't any security engineers on those open source libraries.

      For the library to be secure, there needs to be funding, not magic and expecting maintainers to do stuff of their own free will.

      1 reply →

  • Correct, maintainers can say that and get shamed.

    And it leads to unmaintained libraries, since companies don't want to pay.

    At some point, is open sourcing your work a liability?

    • Help normalize saying no? As an OSS maintainer, the sense of entitlement many have is quite frustrating. After years in OSS, I have built up a thick skin and am fine saying no, but many aren't.

    • I’m sure many companies like to pay. It’s probably the cheapest way to solve a business problem. It should be the norm. If a company wants to have a bug fixed or a feature added, they should pay. And GitHub should make it easy to do so.

    • > At some point, is open sourcing your work a liability?

      I argue that open sourcing your work is no more of a liability than making a comment on social media. The biggest risk to an open source maintainer is publicly losing their patience and/or being heterodox in their beliefs. Code isn't a requirement for that to happen.

    • > Correct, maintainers can say that and get shamed.

      And then they can shrug and move on with their respective days. If I open source something it's a gift to the commons, not a promise to work on it for free in perpetuity. I don't really care if someone tries to shame me for that, as there's nothing to be ashamed of.

    • If you look at the issue list for any significant open source project, it's probably of nonzero size. That's a way of saying "no": just don't do it.

      Maybe you're overloaded, maybe you just don't feel like it. It's totally normal, and different projects have different levels of resources, some with none anymore.

      3 replies →

A company finding a bug and opening an issue on an open source project _is_ contributing.

What happens next is completely irrelevant. The maintainer can 100% decide to just ignore the issue or close it.

Opening issues doesn't create unmaintained software. In fact it helps.

No, the expectation of FOSS is that code is provided AS-IS with NO WARRANTY, because that’s what it says in the license.

  • People's expectations are not constrained by the license. They are free to exercise a sense of entitlement beyond the terms of the contract and empirically they often do. The license does not prohibit them from engaging with the authors or maintainers for any reason whatsoever, including requesting free labor.

    You could perhaps add a clause in the license that restricts this behavior but then it would no longer be FOSS.