I get the same question every time I shut down something. No, I don't want people to see my embarrassing spaghetti code. With that said, I haven't shut down any critical products so it has been more like "would be nice if you made it open source" but my point is that there are many non-obvious reasons not to open source something.
Another is that I've randomly put credentials in the source code that I don't want leaked (again, my code is an ugly mess full of shortcuts and hacks). Yet another is that it would be impossible for someone to host themselves because I don't even understand it myself.
I get your point, because I'm "baking" some code I would like to open source one day and cleanups are in order.
However, when you're closing shop, dumping the code out there for others to figure out how to run still helps, even if you can't help them set up an env from scratch. I also think we need more spaghetti code out there; it would help teach new developers how to maintain and refactor "legacy" code.
The credentials in source code thing, I thought it would have been a "solved" issue by this time, but I guess some people still yolo it :). Credentials in source code are the equivalent of passwords on post-it notes ;)
> Credentials in source code are the equivalent of passwords on post-it notes ;)
While not the best security, post it notes are immune to hacking and really hard to leak without a home intrusion.
Credentials in source that won't be shared is a pretty efficient hack. Often it happens by mistake, e.g. when you hard-code that credential into a bash script during testing while you're trying to curl a new API, and then push it by mistake after a coworker asks you to share your progress on a new branch for review.
Shameless plug: if anyone needs to get credentials out of their code, EnvKey[1] makes it really easy (disclaimer—I’m the founder.) We just launched our v2, which includes a free cloud tier for up to 7 users, or you can self-host it. Give it a try and sleep better at night :)
Agree, I think the fear of someone finding a vulnerability and the original author being held accountable is high enough for almost nobody to open source their code.
If the company publishes the code, then closes, what's the harm? Any hard-coded creds would be invalid and any license violations wouldn't matter because there would be no company.
I'd love to hear about these "non-obvious" reasons, because I can't say "I'm embarrassed by my code" sounds like a good excuse after convincing people to move to your platform, charging them a subscription for it, then kicking them off with only 60 days notice.
And "I don't think others could figure out how to host it" isn't a reason not to release. It costs nothing but a pretty insignificant amount of time to publish it, so even if it's "impossible" to re-host (and history would say it's not), I really don't see a reason not to let people try.
I think you're mistaking me for someone else. Otherwise I don't know where you got 60 days from but it's not true - I give them 0 days notice. I also never convince anyone to "move" to my projects. I tell them from day 1 that they should use it at their own risk but for some reason people insist on using it regardless. In fact, if anything I try to convince them not to use my platform (me: "it's really bad and early" they: "it's ok" me: "it probably won't work" they: "it's ok"). So don't hold me accountable for things like that.
I see I wrote that very clumsily, sorry. I was talking about the Friday shutdown and replied to your comment as a general response to the reasons for not releasing code. Obviously personal projects or anything else you don't market and sell/rent out to people are completely different. fwiw, I'm quite similar with my personal projects, but if I took people's money for something and then had to shut it down, I'd do everything in my power to enable them to keep using it without me.
A software developer who is trying to sell products to businesses, software on which those businesses would rely, admits to creating an "ugly mess" of "spaghetti code ... full of shortcuts and hacks" and to embedding security credentials in the SCM.
I wish you no ill will, but goodness, talk about an anti-ad for your products.
Creds should be outside the SCM, and there are varying levels of "best practice" - vaults, environment variables of CI servers, text files with strict permissions outside the SCM, etc.
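Added example, not code from anyone in this thread: the two halves of the advice above (catch the hard-coded credential before the "push the test script by mistake" case, and load credentials from the environment or an owner-only file outside the repo instead). The regexes, the `APP_` prefix, the file layout under `secrets_dir` and the sample script lines are all constructed for illustration, not a real ruleset or a real project's conventions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed regexes for the kind of literals that end up in scripts by accident.
# Illustrative only, not a complete secret-scanning ruleset.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("bearer_token_literal", re.compile(r"Authorization:\s*Bearer\s+[A-Za-z0-9._\-]{16,}", re.I)),
    # A quoted literal after password=/token=/... ; a value starting with "$" is a
    # shell expansion of an environment variable, which is exactly what we want.
    ("credential_assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"](?!\$)[^'\"]{8,}['\"]")),
]


def scan_lines(lines):
    """Return (line_number, rule_name) for each line that looks like a hard-coded credential.
    Feed it the added lines of `git diff --cached` from a pre-commit hook to block the commit."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, rule))
                break  # one finding per line is enough to block the commit
    return findings


def file_is_private(path):
    """True if the file has no group/other permission bits (owner-only access)."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    return not mode & (stat.S_IRWXG | stat.S_IRWXO)


def load_secret(name, env=None, secrets_dir=None, env_prefix="APP_"):
    """Resolve a credential from outside the repo: environment first (what a CI server
    injects), then a per-secret file under secrets_dir that must be owner-only.
    There is deliberately no default value: a missing secret is an error, not a fallback."""
    env = os.environ if env is None else env
    value = env.get(env_prefix + name)
    if value:
        return value
    if secrets_dir is not None:
        path = Path(secrets_dir) / name
        if path.exists():
            if not file_is_private(path):
                raise PermissionError(f"{path} is group/world accessible; refusing to use it")
            return path.read_text(encoding="utf-8").strip()
    raise KeyError(f"credential {name!r} not provided via {env_prefix}{name} or {secrets_dir}")


def demo_secret_files():
    """Constructed demonstration: an owner-only secret file loads, a world-readable one is refused."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "DB_PASSWORD"
        good.write_text("correct-horse-battery-staple\n", encoding="utf-8")
        good.chmod(0o600)
        bad = Path(d) / "API_TOKEN"
        bad.write_text("should-never-load\n", encoding="utf-8")
        bad.chmod(0o644)
        loaded = load_secret("DB_PASSWORD", env={}, secrets_dir=d)
        try:
            load_secret("API_TOKEN", env={}, secrets_dir=d)
            refused = False
        except PermissionError:
            refused = True
        return loaded, refused


# Constructed sample: the "curl a new API from a bash script" scenario from the thread.
SAMPLE_SCRIPT = [
    "#!/usr/bin/env bash",
    "set -euo pipefail",
    'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed-test-token" https://api.example.com/v1/me',
    'AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"',
    'password="hunter2hunter2hunter2"',
    'password="$APP_DB_PASSWORD"  # read from the environment, not a literal: not flagged',
    "echo done",
]

if __name__ == "__main__":
    for lineno, rule in scan_lines(SAMPLE_SCRIPT):
        print(f"line {lineno}: {rule}")
    print(demo_secret_files())
```

The scanner is a coarse first line of defence; a real hook should also run a proper secret scanner, and anything that has ever been committed (even on a branch that was later deleted) should be rotated rather than merely removed from history.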
You would be surprised how many businesses run on equally bad or worse code. At least I'm honest about it.
Your tips are true but not very helpful. I know it's bad or I wouldn't call it an ugly mess. I have better practices nowadays regarding credentials but all my projects always spiral out of control some way or another. If it's not this it's something else but I'm never proud of my code.
As a freelancer/indie dev when someone asks me to share a codebase I wrote, I get worried.
Freelance projects are bounded by NDA. And my personal projects are bounded by shame.
If I worried about credentials, code cleanliness, documentation, etc., I wouldn't have any time or energy to turn my stream of free-flowing ideas into code.
That's a terrible way to think and, oddly, an excuse I hear a lot. If that were the case, there would be no OSS software; every OSS project starts off crappy and full of bugs and usually not even close to finished.
The goal of OSS is not to show off your skills as some elite programmer.
> every OSS starts off crappy and full of bugs and usually not even close to finished.
I think the quality/bugginess isn't as much of a factor as the fact that the codebase was not written with the intention of becoming OSS. Things like lack of documentation, hard-coded secrets, inflexible hosting/deployment, etc. are difficult to account for after the fact. And if you ignore these things and just "throw code over the wall", then virtually no one will even look at your code, let alone use it. Kind of a waste of time just to indulge a few self-righteous commenters on some message board, if you ask me.
A lot of OSS software was written with the intention of being open-sourced, so many of the things that make open-sourcing a previously-closed repo difficult are considered upfront.
Easy to say, harder to do. I get anxiety just thinking about it.
What's the goal? You make it sound like I have an obligation to do it for some utilitarian reasons, while in reality maybe one or two previous customers would use it while migrating to something else. It's crap software with much better OSS alternatives already.
It either dies with me or dies as an abandoned repo I need to be ashamed of.
I am just jumping in not to pressure you specifically to dump the source but in my experience in quant finance and music software development (hobby), I see kind of a tragedy of the commons especially in finance. If more people made their source available upon winding down a project it would drive down costs in the entire industry and indeed the whole tech ecosystem.
Reimplementation saps a lot of productivity from the economy.
Someone in the business likely is in scope for licensing decisions, and on the surface this sort of decision probably looks noble and altruistic. To answer your question, "is it possible": yes.
Ethically, however, it doesn't really check out for me. If the software is a core part of your business and the (or one of the) primary reasons an investor has joined your business then it's at the very least a bait and switch to make such a decision without their involvement. To a big VC or private equity firm this may infuriate some but have little monetary impact; at a much smaller firm this could be highly damaging.
I'm also fairly certain that whatever harm comes from this decision would put the CEO in personal liability, potentially all the way up the decision chain.
The issue isn't who gets to make "day-to-day business decisions" (I'm not sure how you characterize licensing source code as open source as such, but it doesn't matter).
The issue is that shareholders literally own the property owned by the company, that's what it means to be a shareholder. Including intellectual property.
Announcing you are shutting down a company, and then, without board approval, the CEO giving away what assets remain... is super sketchy and probably illegal, probably stealing from the shareholders (or even more likely other creditors, if they exist), who would probably like to partially recoup their losses from sales of any remaining assets. Whether the assets you are giving away are, say, a fleet of cars or the intellectual property of source code, legally it's the same.
Imagine if a car service company announced it was shutting down, and then gave away all its cars, instead of selling them in an orderly fashion and distributing the proceeds to anyone who was owed money, including creditors and shareholders.
Given that with a company going out of business a lot of people are going to be losing money and wanting to get what they can out of any assets... the time to release as open source is really before you go out of business.
Well giving away all company IP for free isn't a "day-to-day business decision". If the company is shutting down the assets go to the investors, and they can choose what to do with it.