[moksly]

The alternative to what we have now is not going to be a healthy OSS community. The alternative is going to be big companies insourcing more of their libraries.

The only reason why OSS has seen the up-pick it has is because major companies profit from it. Microsoft didn’t embrace open source because it had a change or morals, it embraced open source because it started making so much more money from enterprise orgs switching to Azure compared to selling us licenses for on-prem alternatives. Facebook and Google don’t share their massive front end-libraries and extensive tools because they are nice, they do so because it helps them dictate web-development and being able to on-board new hires who are already familiar with their tech.

If anything, I think it’s more likely that we are going to see a big player pick up a NPM alternative and make sharing packages much harder. I think the fact that no one has done this, should tell you all about how little the enterprise industry worries about the status que.

I don’t think it’s necessarily healthy, and I sympathise with OSS maintainers who don’t get paid for their work, but I don’t think it’s a massive issue either. The OSS world is still better than it ever was, and your tech stack isn’t actually in danger if you review that code you use.

[simonw]

"Your tech stack isn’t actually in danger if you review that code you use."

Tell that to everyone who depended on Log4j for the past 8 years!

[nicce]

Well, did they review that code for sure?

[nopenopenopeno]

The welfare queen megacorps have been too comfortable expecting handouts like open source charity work and public bailouts. Open source software has served the elite executive class while leaving working people to depend on anti-freedom proprietary offerings. I am sick of watching it go down like that. The never-ending data leaks, dark patterns, lock-in strategies, and attacks on encryption and freedom of speech, are all exacerbated by this tendency to yield the commons to the ruling class. If open source doesn’t serve working people, I don’t care a lick for it anymore. Cheers to Stallman and all, but this is where his proposals fell short.

[moksly]

Did open source ever serve working people?

Where the GNU project always fell short in my opinion was that it thought there was a difference between free to use and free as in beer.

There was an abundance of people who predicted where the internet would head once big corporations got into it. There is an entire genre of cyberpunk authors who did after all, and I guess Stallman gets credit for trying to stop it, but it always comes down to money.

It’s very easy to fool yourself into thinking differently, but the harsh truth is that everything you do for money is being weighed and evaluated by someone in the management chain whom, at the very least, considers if you’re worth your cost, every three months.

I just don’t see how OSS is supposed to have changed in that regard. Maybe it was more ideological when it was mainly paid for by academia, but someone still paid for it, and considering how much OSS has improved in the wake of corporate capitalism taking over, academia don’t appear to have paid enough.

That’s easy for me to say of course, I have no solutions, but I still think we’re better off now than ever.

[pas]

the mindset is important. MS open sourced things because devs working there pushed for it.

it's a good thing even if MS benefits more than others. it's not a zero sum game.

the problem is on the other end, where the produced economic surplus is distributed to a very few.

[creamytaco]

Reviewing code is the elephant in the room. Filosotile -perhaps out of ignorance or disconnect- fails to mention that the vast majority of open source projects (log4j being a great recent example) are absolute shit. Nobody should be building anything on top, nevermind giving the maintainers more money.

In-house development, software BOMs, rising of standards and multiple rounds of code review are the processes that the industry is shifting towards and for good reason.

[wpietri]

I would be fascinated to see your evidence that in-house code is any better on average than open-source code.

I haven't done a lot of consulting lately, so I haven't seen much in-house code in the last few years. But my experience is that the average in-house codebase is worse. And that makes sense from the incentives. Open-source projects that want more than one contributor need to be approachable enough that people join in. Whereas with most in-house code, people commit to working on it without ever seeing it. Switching to work on another open-source project is easy; switching to another job is hard. Open-source authors get to decide when to release; in-house code is generally driven by execs. And so on.

[pixl97]

As someone that has to support a lot of in-house code, yea, it's a bunch of crap too.

"Works good enough" is how our world generally operates unless under strict regulatory guidelines.

[creamytaco]

I worked at engineers-call-the-shots fintech and later SV shops for many years. No, their in-house code is not worse than open-source.

In fact one can safely say that top companies that attract top talent also have methodologies in place that lead to better than average code quality.

[the_af]

If you are comparing the top engineering shops to open source, you should also pick the top (quality) open source projects. Apples to apples.

Most in-house code is crap.

[the_af]

> In-house development

... keeps resulting in shit code, too! There's no evidence standards of quality are rising. In my own extremely limited view of in-house software -- i.e. my own professional experience -- code quality is crap, standard quality practices are very low and actually worse than in FOSS projects (I've seen someone mention more than once that "this crap PR simply wouldn't fly if this were an open source project, it's so bad nobody would want to review it!"), absolutely dumb bugs keep hitting production, and people think of automated testing as "that thing we don't want to do".

In-house code is just code you don't know is garbage because you cannot look at the code.

[moksly]

I didn’t say in-house code was good, but it does keep you from being exploited by things like what recently happened with NPM.

Companies genuinely don’t care about the software they use, as long as it works and isn’t hacked. This is especially true in non-tech enterprise. At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

What I’m postulating is that this is the alternative to the current status que.

I’d personally love for NPM to review their packages, or for a big player like Microsoft to step in and make a more limited platform with reviews, but I just don’t think anyone is going to be willing to pay for it.

[the_af]

> At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

But the same is true of open source. I thought you wanted non-shit software.

In-house software is easily exploitable and full of security bugs as well.

[moksly]

I think I’m too senior to believe in non-shit software.

I work in non tech enterprise. You’d think that things like the ransomware scandals, GDPR, the increased risk-awareness would have improved the business processes or management awareness or all the things are “corporate digital maturity” but the pressure to get things done fast with minimal resources has frankly never been higher.

In that environment we’re always going to have shit-software. If anything I agree with you, which is why I said that I thought that the current status quo was the best ever.

[moksly]

I didn’t say in-house code was good, but it does keep you from being exploited by things like what recently happened with NPM.

Companies genuinely don’t care about the software they use, as long as it works and isn’t hacked. This is especially true in non-tech enterprise.

At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

[watwut]

The industry is nor moving towards multiple rounds of code review. Nor towards in house development nor away from using open source.

[creamytaco]

Every engineering-driven fintech company I know of (having myself worked there or having friends who work there) is doubling down on every single one of the processes I mentioned.

[geodel]

Yeah, and that is about 0.1% of total amount of software assembled and deployed in the world. It is like saying all my friends drink Evian water so that's the way we handle clean drinking water shortage in the world.