[politelemon]

> This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more.

This is an understated but brilliant framing. Oh I know they won't contribute, users will continue to apply pressure through issue threads saying that their clueless security teams are breathing down their necks. But at least you'd hope this gives pause.

The linked issue is worth a read, it's a shame the burden that corporate leeches like apple and google have placed on him. To them this project is simply free labour they have assumed they are entitled to and by extension are subject to their individual security theatrics.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

[jsnell]

I'd note that the only thing Apple, Google and MS are said to have done is to use the software.

The bug has no actual example of them making demands, "leeching" or acting entitled.

The security issues would be security issues just the same even if the library was only used by Linux desktops. (And if the library is unfit for use in other operating systems like the author suggests, feels like it probably is equally unfit for use in Gnome.)

[polotics]

It's high-time for a "reasonable compensation" clause in hobbyists' open-source software licenses I think. Something to the effect of: "if you're using my labour of love to make millions, gimme one of these millions..."

[ThrowawayR2]

Yes, it's called "becoming proprietary software" because what are you going to do to get that oh so reasonable compensation? Create your own billing department and manage tax payments on your revenue? Hire a legal team to create and enforce your license? Sic the BSA (apparently they still exist after all these years!) to threaten to audit organizations who aren't paying? Fend off lawsuits from users, competitors, and patent trolls? (Once you start collecting money, other people inevitably want a piece of it.)

[watwut]

You can make such license, there is no issue with that. You just cant call it "MIT License" after that.

[pabs3]

That probably wouldn't meet the Open Source Definition.

https://opensourcedefinition.org/

[abracadaniel]

I’d also like to see a license which prohibits any for-profit use. A don’t charge others for something you got for free license.

[pabs3]

There are lots of those, CC-NC to start with.

[illiac786]

The compensation should be in code not in money…

[altairprime]

Uncompensated use for unshared reward is, by definition, leeching. The BBS use of the term referred to leeching in the context your upload/download ratio, the torrent use in the context of your seeded/downloaded ratio.

ratio = (contributions - demands) : earnings

If you contribute nothing, demand nothing, and earn nothing, carry on. “Nothing” is loosely defined as “near enough to zero in the context of a specific project”.

If you contribute nothing, demand nothing, and earn (DL) a million dollars using it somehow, you’re a leecher. Your U/D ratio is 0.0. That should be an uncomfortable realization. One way to cope with that is to raise your ratio to 0.1. If you make a million dollars of revenue using libcurl, how much are you allocating to donate back?

If you contribute nothing and demand security fixes, then you’re not a leecher — you’re a parasite, because your demands exceed your contributions; your sign bit is still negative even if your ratio is 0.0 or NaN. It has been zero days since this workplace had a maintainer injury due to parasitic behavior.

Leechers are demoralizing when the revenue earned would let the author quit their day job to do more fun work instead. Parasites leave a trail of damaged and dead projects in their wake. libxml2’s maintainer made a policy change that cuts off the food supply for parasites; good. They’ll still burnout someday due to the untreated morale damage being done by the billionaire leechers, though.

If an author accepts contributions and you feel like a leecher, do something about it. If they do not accept contributions (including money) or if the anccepted contributions are incompatible (their code is in COBOL and you only know Rust, they only offer “donate bitcoin”, you’re a broke student funding school with your project) then maybe write them a thank you letter? and revisit this if your or their circumstances change someday.

As a former open source maintainer, I don’t mind it when people leech. That’s chill. Go for it. I don’t have a tip jar because I don’t expect a tip. But I mind when people DL a million dollars of revenue using my work and have a UL:DL ratio of 0.0 with me.

Corporations, formally do not care whether users are hobbyists, leechers, or parasites. Maintainers do. The OSI continues to reject as Open Source any licenses attempting to stop the morale impact of millionaire leechers and the time and effort drained by parasites.

Which is more important to the future of open source: the right to be a leecher or a parasite, or the maintainers that they feed upon?

[jsnell]

> If you contribute nothing and demand security fixes, then you’re not a leecher — you’re a parasite, because your demands exceed your contributions;

There's the "demand" word again. Who is that demanded something from the maintainer, and where? I saw no indication in the original bug of any demands from big tech companies.

(Just the act reporting a security issue is not a demand. A verifiable bug is a bug whether it was reported or not, and reporting one is a contribution.)

When the demand part of your torrent-inspired equation is zero, how is it leeching? It's just zero, no matter what the earnings are.

[hypothesis]

Just looking at a few previous issues:

https://gitlab.gnome.org/GNOME/libxml2/-/issues/905#note_243...

[jsnell]

That doesn't look like Google, Apple or Microsoft though? It's some random guy.

[altairprime]

On the spectrum of grey areas from “request” to “demand”, we not only have to evaluate the literal words typed but also the context and expectations of open source. As the libxml2 maintainer indicates, they are no longer willing to participate in security bug secrecy and priority. In hindsight, those expectations that most take for granted as necessary must have demanded considerable time and energy from them. They could have said no at any time, but not as easily as turning down a feature request. For asocial-leaning maintainers (hi!) saying no to security processes is no more difficult than refusing any other request — but for the vast majority of maintainers, it will take an effort of courage and will to refuse the ‘demands’ — the social pressures, the contexts and expectations — of security’s best practices, reporting processes, and priority overrides. (Elsethread, the individual making demands in an issue is also a case of ‘demand’ rather than ‘request’, that isn’t much in the in-between grey area at all.)

Psychologically, it hits different when a leecher — someone whose uploads are not greater than some minimum threshold — begins demanding something; what they receive then is not just a free copy of the maintainer’s work to profit from, but also the specialized work of the maintainer to satisfy or reject their request. The cumulative impact of dealing with parasites is distinct from the demotivating effect of profitable leechers who silently download their work and never say anything at all?(and also from the motivating effect of seeing millions of people benefiting from leeching — adoption is often a significant reward). Torrenting has no language for this difference, as in torrenting there is no such problem; so I did some research and chose ‘parasite’ here. I recognize that, scientifically, the animal ‘leech’ tends to be viewed as ‘parasitic’; but there’s a clear difference in connotations, as a torrent leecher is not viewed with – does not view themselves with — the same disgust and loathing as parasites are.

[jsnell]

> begins demanding something

Yes, those alleged demands by "leechers" are exactly what I've been asking about. From the lack of specifics, it is starting to be pretty obvious that they do not actually exist.

I'm not saying that the maintainer did anything wrong. They don't have to give anyone the time of day, and everyone should be happier now that expectations have been set appropriately.

But why can't we just accept that it is a choice he has the right to make? Why do we need to fabricate villains by making up stories about demands, entitlement, and billions in profit?

[altairprime]

> Why do we need to fabricate villains

Is the behavior of these corporations towards maintainers something that we should evaluate against moral standards — i.e. by considering “are they villains in this story?” — or are they exempt from such moral judgments so long as they complied lawfully with the licensing terms?

I think the former. If I interpret your question correctly, you think the latter? I’m not open to persuasion on this specific viewpoint, so we’re probably at an impasse here.

[prymitive]

I think a lot of people, when they see an open source project that somehow fits into their current challenges, read it as the person realising the project saying “I alone now own this entire problem space” and so that GitHub repo is now just an extension of your jira board.