| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by WorldMaker 1483 days ago

It's not Microsoft's fault that Duende took their ball and went home, becoming a closed source operation after years of open source work. That's on Duende for being bad Open Source community members.

I somewhat sympathize that Duende's unpaid support costs went up once Microsoft pointed a lot of heat their way by including it in official samples, and they should get paid for support. I also somewhat sympathize that closing their source was seen as the easiest option to redirect the community to paid support plans.

But it's still a jerk move in the Open Source community to have code be open source for more than a decade and then close it simply because it was used in one tutorial/sample too many.

Sure, Microsoft could have offered sponsorships or other help, had Duende asked. Supposedly Duende didn't ask, their first public response was when they immediately went closed sourced because apparently they never really cared about Open Source.

There are people not building an open source product in good faith in this story, but it doesn't seem to be Microsoft (surprisingly).

Microsoft probably should replace IdentityServer with something that actually wants to be good Open Source in the samples again. They are between a rock and a hard place because if they fork the last Apache versions of IdentityServer they look like the bad guy for "stealing" Duende's work at that point, and they can't resurrect their old code because it was bad. They probably have to wait for some third party fed up enough with paying Duende for bad faith Open Source to make their own fork.

1 comments

melony 1483 days ago

They don't have to fork anything, they can just add a built-in OAuth to ASP.NET Core Identity. They did that with JSON and created an in-house alternative to Newtonsoft's fast JSON library once it became popular enough. I didn't hear any PMs whining about "competing with the open source community" then.

WorldMaker 1483 days ago

OAuth is too (stupidly) complicated for "just add a built-in OAuth to ASP.NET Core Identity". They had that in previous samples (which you can still find online if you look) and it was bad code that suffered from code rot and stopped being "OAuth compliant" especially with respect to even more (stupidly) complicated OIDC, so they looked for someone to maintain that and IdentityServer already existed and was OAuth compliant/audited. That's why it needs to be forked. Someone has to do the OAuth/OIDC hard work. Microsoft is paid to do that in other divisions of the company, of course, but it's all in Azure and they want you to pay for Azure AD alphabet soup that pays the bills for their OAuth/OIDC compatibility auditing.

> They did that with JSON and created an in-house alternative to Newtonsoft's fast JSON library once it became popular enough. I didn't hear any PMs whining about "competing with the open source community" then.

James Newton-King, the "Newton of Newtonsoft", was one of the developers involved in that project that decided a clean compatibility break with JSON.NET (which has been showing its age, but also has far too many users to easily break API compatibility) was necessary to achieve the performance goals that System.Text.Json was created to meet. That's not so much competition as it is cooperation.