[AnonymousPlanet]

> It's not like he was getting paid to work on this, was it?

That is completely beside the point. Do the Debian maintainers that were responsible for famous security slipups regarding SSH keys got paid? No. Would the backlash if they had been unwilling to fix the issues been warranted? Absolutely.

Once you are a part of people's infrastructure and these people rely on you to not be irresponsible, you can't afford to play the but-I-dont-get-paid-card. You can resign gracefully and let other people take over. If you put up a tantrum, you probably get your reputation burnt faster than a Google project gets when they suddenly pull the plug.

Open source is not some backyard game anymore. It involves companies and their commitment in form of infrastructure and participation.

Open source is like capitalism. But a project's success is measured in commitment instead of capital.

[kelnos]

Everyone has different goals and different tolerances when they work on open source, whether as a maintainer or contributor.

So there are some Debian developers who are unpaid and slavishly dedicated to fixing security issues and apologizing if they screw up? Great, that increases my confidence in them (I'm a Debian user and happy with that).

But guess what? There are also open source developers who do their thing as a casual hobby and just throw things out there because they hope it might be useful. They don't want to spend 50% of the free time they allocate to the project dealing with support requests and bug reports.

And there's everything in between, and above and beyond. I think this is a mistake that so many people make: that all open source developers are exactly the same, have the same motivations, want the same level of involvement, and have the same responsibility. That's just flat-out false. Every project and maintainer is different, and yes, it can be difficult to judge what kind of support you'll get when looking into taking on a new dependency, but that's the price you have to pay when you get something for no monetary cost.

You have no right to tell anyone what to do or how to do it unless you are paying them for the privilege of doing so.

> Once you are a part of people's infrastructure and these people rely on you to not be irresponsible

Nonsense. Absent a contract and some sort of consideration changing hands, you are responsible for your dependencies, and no one else.

> You can resign gracefully and let other people take over.

No. If users are unhappy with maintainership, they can fork. It's often contentious and not all that fun, but the (unpaid!) maintainer has no obligation to run the project the way you want them to.

[cycloptic]

>you can't afford to play the but-I-dont-get-paid-card

Yes, you can. The projects that have persisted over the long term have had a long history of people being paid to work on them, Debian included. There is no need to do something to "let other people take over" either. The code is open, you just type "git clone" and boom, now you've taken over.

[Uehreka]

I’d argue that if a company has a larger than normal dependency on keeping a project running (like a cloud provider with 1 million VMs running Debian or Debian-based OSes) they should hire a full time employee whose sole job is to work on it.

I think the basic rules still apply: You’re getting this software for free rather than paying for something expensive. Though you deal in the software, you get no guarantee of its fitness for any purpose. If you want a better guarantee of its fitness, either pay the current maintainers or hire someone good who can become a maintainer. OR choose open source projects where a BigCo like Microsoft or Google has hired people to work on it full time.

[AnonymousPlanet]

> You’re getting this software for free rather than paying for something expensive.

So open source is free as in beer, not free as in speech after all. And the reason a company might choose to use open source is solely because it's free, not because they can see the source code or alter it? Because that is why companies are in it, not because they were cheap for the small cash of a paid version. And they're in it because they can watch and choose those projects that are well maintained.

If the maintainer pulls a tantrum and acts unreliable that kills the project from the point of view of any serious user. Until someone else takes over maintenance or it is forked.

This "it's free so you get what you paid for, and if it's shit don't complain because it was free" really rubs me the wrong way. It's a very capitalist mindset that measures everything in money. If there is no money, there is probably no worth, so don't expect any. Accomplishment, dependability, positive net effect? No money, so don't expect it?

[bpt3]

> So open source is free as in beer, not free as in speech after all. And the reason a company might choose to use open source is solely because it's free, not because they can see the source code or alter it? Because that is why companies are in it, not because they were cheap for the small cash of a paid version. And they're in it because they can watch and choose those projects that are well maintained.

In general, developers aren't auditing the source code or modifying open source code; they're assembling open source packages to provide base functionality and combining that together with business logic and glue code to produce a product. So yes, companies are most commonly using open source because it's zero cost (and easily available), not because they can theoretically audit or modify it.

> If the maintainer pulls a tantrum and acts unreliable that kills the project from the point of view of any serious user. Until someone else takes over maintenance or it is forked.

There's no single definition of "serious user". There have been projects with no technical issues that are maintained by massive assholes that are widely used, so I would disagree with your statement here.

> This "it's free so you get what you paid for, and if it's shit don't complain because it was free" really rubs me the wrong way. It's a very capitalist mindset that measures everything in money. If there is no money, there is probably no worth, so don't expect any. Accomplishment, dependability, positive net effect? No money, so don't expect it?

1. Unsurprisingly, any discussion within the context of how businesses make decisions or should act is likely to revolve around money.

2. The fundamental issues is that there's a massive disconnect between the worth/value provided by a project to users and the value it provides to the creator.

3. The license dictates what users should expect as far as "what they get" from a library. It almost all cases with open source, they should expect to get nothing, and anything beyond that is a bonus.

[Uehreka]

> This "it's free so you get what you paid for, and if it's shit don't complain because it was free" really rubs me the wrong way. It's a very capitalist mindset that measures everything in money.

I mean like... yeah.

If I'm maintaining an open source project as a side gig or for fun, I might be able to review and merge some patches. But if the corporations that use my project submit a busload of PRs (or worse, just issues with no solutions) and I end up spending so much time on them that I have no time to work on my dayjob and make rent... that's not gonna work.

Now if those corporations each chuck a hundred bucks a month (less than the cost of a single Developer's Enterprise MSDN subscription) my way, then sure! I'll scale back my freelance web dev work and spend half my workweek dedicated to maintaining this project!

So yeah, I think the corporations who make money off open source projects should be kicking back a bit of money to those projects if they want an expectation of reliability. It doesn't have to be a ton of money either:

- If we're talking about a tiny header parsing library that needs occasional security patches, maybe expense a few bucks at the maintainer's Patreon so they can spend 10 hours a year on those patches.

- If we're talking about the web framework that underlies your big newspaper's CMS, maybe have a developer spend 20 hours a month pushing well made PRs to fix the problems you care about.

- If we're talking about an OS like Debian and you're AWS, maybe hire a 3 person team to work solely on keeping it secure.

[AnonymousPlanet]

What rubs me the wrong way is the notion that if it's for free it has no worth. This "free == shit" idea that is expressed in "you can use it but don't expect much of it because it's free". Maybe I'm just too much of an old school open source idealist.

[UncleMeat]

Some floss developers choose to work for free. That’s fine or even admirable.

That doesn’t mean that everybody needs to. If a dev isn’t being paid then they should have the absolute right to refuse all maintenance or even just destroy the project.

I’d keep my code closed source if there was a risk that it would start getting used and suddenly I’ve got an extra job for zero pay.

[AnonymousPlanet]

> Some floss developers choose to work for free. That’s fine or even admirable.

Uh, yes. I agree.

> If a dev isn’t being paid then they should have the absolute right to refuse all maintenance or even just destroy the project.

Where in my post did I say they cannot quit?

> I’d keep my code closed source if there was a risk that it would start getting used and suddenly I’ve got an extra job for zero pay.

I'm with you.

I have the feeling, you are replying to a different post or didn't read mine fully.

[UncleMeat]

I absolutely read your post fully.

I disagree that there is an obligation to "resign gracefully". If people choose to depend on your code without some sort of contract then that is on then and you absolutely can continue to play the "I don't get paid" card if you so choose. The fact that the Debian maintainers don't play this card does not mean that everybody should behave the same as they do.

[AnonymousPlanet]

Let me help you: > You can resign gracefully and let other people take over. If you put up a tantrum, you probably get your reputation burnt faster than a Google project gets when they suddenly pull the plug.

Where did I say I believe there is an obligation to "resign gracefully"? I said, that you will burn your reputation. Not that I think that is how should be. Just like a politician burns their reputation with something you or I might not find offensive. And that is where shitstorms come from. "I'm just minding my little own business down here" doesn't work once there's a spotlight on you. Do I like it? No. Do I get downvoted on HN for describing the world as something people take offence in? Apparently.

[GrinningFool]

    > Open source is not some backyard game anymore. It 
    > involves companies and their commitment in form of 
    > infrastructure and participation.

I think this approach leads to sustainability problems, and discourages individuals from sharing their work in open source form. I make a project because I need it, and maybe it's fun to build. I generally share it because I think others might find it useful too.

What I'm reading in your comment is that once it becomes widely used, it becomes my responsibility to meet the needs of these people and organizations who have started using the work I freely give to them. The act of having it used by other people obligates me to them.

That perspective seems like it will eventually force the people who share their work in this way down the path of burnout.

    > Open source is like capitalism. But a project's success 
    > is measured in commitment instead of capital.

I would argue that the goals of any given open source project - and therefore the measures of its success - are under the control of the owner(s) of that project. If one of the goals is to make a widely distributed and used thing, then yes - there are obligations such as you've described; they are inherent in that goal.

If the goal is only to build a thing and share it, there can be no such obligation - regardless of how popular it gets.

[AnonymousPlanet]

> I think this approach leads to sustainability problems, and discourages individuals from sharing their work in open source form. I make a project because I need it, and maybe it's fun to build. I generally share it because I think others might find it useful too.

I don't believe that every little open source project is automatically held to the rules I described. But once your exposure gets bigger, you suddenly enter different waters. Hopefully you might have maintainers of a distribution shielding you from the biggest impact.

> What I'm reading in your comment is that once it becomes widely used, it becomes my responsibility to meet the needs of these people and organizations who have started using the work I freely give to them. The act of having it used by other people obligates me to them.

That is precisely what is happening in many places. I didn't say I like it. In most cases people can move. Sometimes the "market" moves on or forks it. But this is what I have been seeing more and more.

> If the goal is only to build a thing and share it, there can be no such obligation - regardless of how popular it gets.

This is tricky. Viewed from the moral standpoint of the starter of the project, I agree. But once you got into the limelight with your project and other people started depending on it, every misstep suddenly becomes a jackass move. You essentially lost the project.

[kelnos]

> But once your exposure gets bigger, you suddenly enter different waters.

I fundamentally disagree with this. Just because my exposure has gotten larger (possibly through no action of my own), it doesn't magically give me more resources, more free time, more motivation, a team of developers, etc. If people (or companies) want to depend on a one-person open source project for something important to them, then they should pay to fund it, either by giving that developer money directly, or by hiring people in-house to contribute to that project.

(Not doing so is just foolish and risky on the company's part, too: depending solely on an unpaid volunteer for an important part of your infrastructure is not a winning move.)

Also consider that more users generally means less free time for developing, and more time handling bug reports and support issues. If an open source project grows, it's absolutely critical for users to step up and pitch in, either with their own skills, or with monetary resources that can help the maintainer (who might have a day job) focus more on the project.

Maintainers do have a responsibility to decide what they want their level of involvement to be, though, and to communicate that. Potential users should have the information they need to decide if the project they want to depend on is well-supported and sustainable. They have no right to demand that the maintainer change their approach or level of involvement, however.

> But once you got into the limelight with your project and other people started depending on it, every misstep suddenly becomes a jackass move.

I really dislike the lack of charitable interpretation given here, and this just contributes to the "entitled user" image. The unpaid maintainer of an open source project does not owe anyone anything. Full stop. Users are responsible for their dependencies. I'll repeat that: users are responsible for their dependencies. If they are going to take on a dependency for that's given away for free and not do their due diligence to make sure it is reliably and sustainably developed, that's on them. If they're not happy with the maintainership and want to use it anyway, that's on them. Users do not get to tell unpaid maintainers how to maintain their software. If they want to be helpful and constructive, that's great, but anything less is rude and unwanted.

[AnonymousPlanet]

>> But once your exposure gets bigger, you suddenly enter different waters.

> I fundamentally disagree with this.

Don't get angry with me over this. I'm just the messenger

> I really dislike the lack of charitable interpretation given here, and this just contributes to the "entitled user" image.

Again, I'm just explaining to you how the world is not how I want the world to be. So don't call me entitled! Just read my posts maybe?

[nradov]

Commitment can't be measured. It isn't a quantifiable thing, like dollars.

[AnonymousPlanet]

That is true and that is where the analogy ends.

I originally invented the analogy to make some friends of mine who had a very strong market oriented mindset, understand open source. This was many years ago, when the likes of Microsoft painted open source in the light of anarcho hippie communism. I needed to explain to them that open source is closer to their thinking than some Fortune 500 behemoth that is capitalism on the outside but basically socialism inside.