Excellent article: I am NOT A SUPPLIER!
https://www.softwaremaxims.com/blog/not-a-supplier
You are all on the hobbiest maintainers turf now
https://www.softwaremaxims.com/blog/open-source-hobbyists-turf
This guy nails it. If you want me to be your supplier then pay me. Period. Most of this comes from a pathological corporate mindset where sociopathic greed is considered normal. Plus a failure to read the licenses in first place: #gpl: software supplied with no warranty of fitness, not even implicit.
Focus more on #FreeSoftware and less on Open.
You Are All On The Hobbyists Maintainersβ Turf Now
For quite some time, I have felt some unease at the public discourse around OpenSource. In the past few years, we have seen a growing discourse around the sustainability and security of the large body of OpenSource software.Thomas Depierre
Questa voce Γ¨ stata modificata (1 mese fa)
Thomas Depierre
in reply to smxi • • •I would point out that I am not asking for money.
I am stating the reality. I doubt money will help that much or that it could be sustainable.
What I am saying is that you cannot make me a supplier and you need to accept that. Stop bending the world to your view. Accept it as it is and find out what to do from there.
Also. I am definitely not someone that would advise to focus on Free vs Open.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to Thomas Depierre • • •clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •Many bigger projects, especially stuff in the circles near the Cloud Native Computing Foundation, have distros of open projects.
Just want to run OpenStack and Kubernetes, or want to contribute changes? Get it from upstream, work with upstream.
Want an SLA, an SBOM, support etc? Buy a distro from a commercial vendor. Upstream will get fixes in the pace that works for upstream and distros provide whatever their clients want to pay for.
To call it a product distro is appropriate, because community OS distros like Debian and Fedora do this too, they don't just package things, they also track bugs and act as a first-level support line, they backport fixes, etc, and when appropriate it all bubbles up to upstream, which can stay focused on the latest version and the upstream product vision. And of course commercial distros like RHEL do this too, or perhaps even more so, and are definitely willing to sell the service of doing so.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •... So: Commercial software vendors can repackage upstream, they can softfork upstream, if necessary they can hardfork upstream, and if people want their supply chain they can find a vendor willing to do it in one of these ways. I'm surprised this route isn't discussed very loudly every time this kind of exploit is made.
@smxi @Thomas Depierre
Thomas Depierre
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •@clacke It is not discussed a lot because it mostly does not work.
The most obvious aspect is that they use open source precisely to avoid having to deal with the legal and procurement journey because it is slow and painful, and no one wants to talk to procurement.
The less obvious fact is that you cannot sustainably maintain most of these projects this way. You cannot get a vendor for long. And you cannot hardfork them, because maintaining them necessitate an expertise you cannot hire
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to Thomas Depierre • • •@Thomas Depierre @smxi Good points, and true for most companies.
But then you also have companies who desperately want to pay someone but don't know who and how. Maybe not enough of them.
#tidelift obviously is trying to cater to those companies, and it's not unsuccessful, but also not the smashing success that I'd want it to be.
And what I'm talking not is not exactly Tidelift, which takes more of a facilitator approach rather than a vendor approach.
Maybe not everything can be covered by Tidelift-but-vendor, but I'd like to think there is a missed opportunity with some core projects for which this would work better than Tidelift or foundations financing grants.
Thomas Depierre
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •@clacke I mean the problem is also on the other side.
As a maintainer, i cannot take that supplier posture except if i have a quite high and stable income.
I need at least 80% of my salary income coming from it in a stable way before i can spend more time on it. Paying me does not help under that.
Because I cannot find the time. I have a job. Family. Pets. A house. Friends. Hobbies.
I cannot cut them sustainably. The only thing that can be cut is my work. And it is inflexible
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to Thomas Depierre • • •@Thomas Depierre @smxi That's exactly where the third-party vendor makes sense. Focus on what interests you, and a business charges people and takes care of the "boring" stuff, the supplier role.
(Personally I'm super excited by the "boring" stuff and would love to work for this fictional "Code Gnomes Inc" company)
Where the model falls down, apart from the obvious issue of finding people who want to pay, is, as you pointed out, if the problem domain and intrinsic complexity make the supplier parts difficult for anyone other than the deeply skilled original author to manage.
If that's the truest for the projects that would need help the most, that could be why nobody else is talking about this.
Thomas Depierre
in reply to Thomas Depierre • • •clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to Thomas Depierre • • •clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •If all the companies that claim to want a supplier would be willing to put their money where their mouth is, there would be a market for #CodeGnomesInc to partner with and shield the maintainer rather than to add to their burden.
If people are just trying to add duties to existing maintainers, those people can get lost and get back when they have something to contribute.
@smxi @Thomas Depierre
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •Elena ``of Valhalla''
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • •@clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ for some things, I think that paying people to work inside existing distributions can also work; it is e.g. already possible to pay somebody to work on maintaining specific debian packages past the time the official support for a certain release has ended (and probably also way past the official *upstream* support has ended).
It has to be managed carefully, but I believe that Freexian / Debian LTS is a good example which could apply to other cases (and is probably completely not suitable for others).
The main advantage here would be that the results of such paid work would be available also for other people, and thus they could be less expensive for each individual customer.
like this
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ likes this.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to Elena ``of Valhalla'' • • •@Elena ``of Valhalla'' This is awesome! First time I hear of it.
Yet another "if you think of it, someone on the internet did it". This is exactly what I'm talking about.
https://www.freexian.com/lts/debian/details/
"Several Debian developers who are willing to provide security updates for Debian on a paid basis got together and created the service presented on this page. Freexian, a French company managed by 3 Debian developers, collects money from all parties willing to financially support the LTS effort, and uses this money to pay the Debian contributors who are providing security updates."
π€©
Debian Long Term Support - Details
FreexianElena ``of Valhalla'' likes this.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •So, anyone who wants a Debian supplier can just jump on this and that's exactly what they get.
"Any contribution gives you the right to submit a list of packages that you rely on, and that should be prioritized in terms of security support."
"If your funding level is at least Bronze 1, Freexian will subscribe the person listed as technical contact to a private mailing list that all contributing companies can use to discuss their needs and share their experience."
"If your funding level is at least Silver 1, you can submit your queries and requests about Debian LTS in general and/or any security update in particular to us."
"If your funding level is Platinum, you can submit to us functional tests covering the set of packages that you care about, and we will run those tests on updated packages to detect undesired regressions"
#Freexian #DebianLts
@smxi @Thomas Depierre
smxi
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to smxi • • •@smxi So you don't. You do you. And someone else who accepts money for gnome work shields you from the people inside the capital funnel machinery who want a supply chain.
If you're worried about code pollution from corporate concerns, the gnomes can look at how OpenSSH does it as a model: The upstream is clean and OpenBSD-specific, and then there's a downstream distro that adds abstractions and adaptations to make OpenSSH run on GNU, POSIX and elsewhere.
@Thomas Depierre
smxi
in reply to smxi • • •clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to smxi • • •@smxi @Thomas Depierre That's the "if you are not interested, [they can] hire someone else" part of what I said.
Don't push duties on original authors. Pay *someone* to dot the Is and cross the Ts and whatever else corporate risk analysis requires.
NiceMicro
in reply to smxi • • •if at least developers used #GPL / #AGPL, the corporations at least were forced to contribute back in one way or an other, but due to the rampant use of MIT and BSD licenses, they can literally get away without doing anything beneficial for the wider ecosystem while using other people's code (those other people let them do it).
I think the proliferation of MIT and BSD licenses really made the #FreeSoftware free rider problem much worse than it should be.
smxi
in reply to NiceMicro • • •@nicemicro valid use cases for bsd type licenses: single project (apache,nginx,openssh) where priority is get that tech into everything. Outside those you are working for free for corporations who will never give back. Truly freed code survives because you can't steal it without obligation. This stopped being a debate years ago:
#Gpl: linux,libreoffice,khtml>applewebkit>blink
Bsd/mit: Bsds,openoffice,mozilla
It's funny to see people pretend this is a debate when success of gpl transparent.
NiceMicro
in reply to smxi • • •I think that the huge rate of burnout in developers that cause issues time and time again can be traced back to this attitude of "I will license it permissively to get it into everything". When the code gets into everything without compensation, the pressure of responsibility mounts, and bad things happen.
It is my personal belief that one's mental health doesn't worth the "bragging right" of one's code getting into a wide range of proprietary garbage.
#FreeSoftware #GPL
smxi
in reply to NiceMicro • • •smxi
in reply to smxi • • •NiceMicro
in reply to smxi • • •honestly, I don't really mind that much what RedHat is doing. No one is entitled to get updates to a software from you just because you gave them an earlier version.
As long as they don't restrict your GPL guaranteed rights for the software itself, they can condition the future business relationship with their customers on whatever they want.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to NiceMicro • • •@NiceMicro You seem to be referring to how Red Hat conducted business before they shut down CentOS 8/9.
With their current setup, you as a paying customer get the binary packages, but you don't get the Complete and Corresponding Source Code for your packages.
All you get from them is "[it all comes from the git repos for CentOS Stream, some commits in there, you'll figure it out]". In theory you can find the information, but it's obscured for no reason other than obscuring.
If you redistribute what you got from them, as the GPL requires them to give you the right to do, they will terminate your support contract and access.
@smxi
NiceMicro
in reply to clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ • • •NiceMicro
in reply to NiceMicro • • •@clacke The GPL does not have any clause that makes a user entitled to any future versions or any tech support.
Therefore, it is not a violation of the GPL to terminate business relationship based on an action that is allowed by the license but not allowed by the business agreement.
Red Hat can't come and take away the code they already gave you, and can't stop you redistributing it. They have all the rights to not talk to you any more though.
clacke: inhibited exhausted pixie dream boy πΈπͺππ°ππ
in reply to NiceMicro • • •@NiceMicro @smxi If the license requires them to allow redistribution, and if they ensure redistribution has negative consequences, then a reasonable bystander would say they are not allowing redistribution, but are in effect imposing "further restrictions".
But nobody has gone to court over it yet.