by frankdejonge 310 days ago
I’ve given up on hopes of having funding on open source. My open source packages account for about 1.2% of all PHP code downloaded from Packagist (package manager) but unless there is a commercial effort behind it, I do not see it happening. A couple devs in highly hyped companies are able to generate a following big enough to solicit some non-trivial amount of funding but the majority just doesn’t care enough about it to fund it. In the end, we open source maintainers are stupid enough to give our code away for free, so who’s really to blame for this. Perhaps it’s an overly pessimistic view, but not a view that has historically been disproven.

MIT is pumped to enable the current ecosystem, precisely. Companies say "This is my code when I need it, and it's your code when it breaks", and developers read the fine print very late, because they thought exposure is valuable.

GPL & AGPL are effective against that, but companies are afraid of them since they say "code is a collaborative effort, and you have to share what you did with the code".

Because of this, I share most of the code I write for myself, and strictly use (A)GPLv3 as a license. I don't care what companies do or what riches I possibly ignore. My principles are not for sale.

Being responsible generates no value for the shareholders. Being able to be reckless and ignore everyone while making business is.

Don't get distracted. It's about monies.

> Companies say "This is my code when I need it, and it's your code when it breaks", and developers read the fine print very late, because they thought exposure is valuable.

I think that this is an accurate description of the working relationship. But the fine print (MIT license) explicitly says that the companies are responsible:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED

That line allows shifting the blame upstream without any friction.

Exhibit A: Company X uses library Y by Mr. Z., which is used by another 100 or so companies. Mr. Z. is happy because he's quasi-famous because of all the exposure. A bug has been found in Y by users of Company X, which is not interested in fixing it.

    - Users: Hey Company X, this feature provided by libY is broken.
    - Company X: This makes us lose money, but it's complicated. Tell Mr. Z.
    - Mr. Z: There's no warranty whatsoever.
    - Company X: You either fix it, or we spread the word that you're irresponsible and everyone will inevitably migrate to libW.
    - Mr. Z: OK. Lemme look at that.

Mr. Z drops everything, fixes the problem, maybe gets a Thanks!, and might feel better. Company X and the other hundred get free labor for their problems, and one person burns out.

Why? Because nobody tried to understand how GPL works, and companies said MIT or no cookie points anyway.

So, another developer is bought with hope vapor. He gets nothing in the end, while the company is printing money in two ways by not buying an expensive library and selling its capabilities.

Edit: One Daniel Stenberg of curl:// has dropped this: https://mastodon.social/@bagder/115025727082593712

Another (good) write up from LinkedIn: https://www.linkedin.com/posts/troed_how-many-open-source-pr...

Do you think this would work?

- Mr. Z: There's no warranty whatsoever. However, I might fix it for a small consulting fee.

- Company X: You either fix it, or we spread the word that you're irresponsible and everyone will inevitably migrate to libW.

- Mr. Z: Ok, and I'll spread the word that you are a cheapskate.

Can you give me an example when it did happen or it did indeed work?

I don't claim to have first-hand experience, that was just a suggestion. But there is a recent study on how maintainers respond to bug bounties here: https://arxiv.org/abs/2409.07670 .

https://news.ycombinator.com/item?id=39912916 they did get some funding after asking.

Instead, we can spread the idea that maintainers don't owe you anything, and that it's normal for them to decline and/or ask for compensation.

Z should ignore or publicize the threat, not give in to it.

(If someone tried this approach with software I maintain I would absolutely not fix their problem.)

Please see what Daniel has shared today. Link is in the comment you replied to.

Open Source software became so common that the tragedy of the commons applies to it. IOW, there'll always be someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring.

I did read that link before commenting, and there's nothing in there about users damaging Daniel's reputation after he declines to do free work for them?

> there'll always be someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring

Why is this, especially in the cases of being rich or not caring about compensation, a problem? I have done a lot of Open Source work for free, and a lot of Open Source work while paid by companies, and I don't feel like I've been exploited or otherwise mistreated in either case.

> nobody tried to understand how GPL works

The GPL can't solve the FOSS funding situation, it's relatively easy to comply with, and still not send any money (nor code) back upstream to maintainers.

As our resident GPL expert, you're right, but the reality differs a bit, with all the respect.

Companies don't like GPL because it mandates them to hang their laundry outside. In turn, this creates a code quality pressure which companies don't want to pay for. Also, this visibility creates another, more psychological pressure on companies by exposing the external stuff they are using.

As a result, companies become more vulnerable to external pressure since somebody can point out what they are using without supporting and calling them out on it.

This can potentially send more money to developers, but this will not create value for the shareholders. Because having another yacht is more important than a pesky person's mental health and living conditions.

The GPL doesn't mandate public disclosure of code, just offering code to your users, who probably won't even know what source code is, let alone download it, tell anyone about it, modify it or redistribute it.

The EU CRA law is going to start creating the code quality pressure you mention too, with financial and other penalties. So they will have to do the right thing eventually. Hopefully that will make the GPL more acceptable to them.

The external pressure thing applies to the permissive licenses too, since companies have to provide attribution as part of the MIT/BSD/etc licenses, usually by having copies of their copyright notices in the system settings of their devices. For example, curl is permissively licenced, all the car companies use it, none of them sponsor curl, and curl is now complaining about that. Of course, it's extremely unlikely any of those companies care. The CRA might make them care though.

https://mastodon.social/@bagder/115025727082593712

More realistically, users are going to say "Hey Company X, this feature is broken." They won't know or care about libY. I would have replied with "There's no warranty whatsoever. Please submit a bug report and we will prioritize it accordingly. We do accept pull requests."

The bug might have low impact in most cases but doesn't work with how Company X is using libY, so it might not get fixed for a while. If this is hurting them, they can fix it themselves and submit a PR. Or they can work with them to prioritize their bug, which puts them on the other foot. If it's a huge problem that affects half the web, then Mr. Z will be working on it anyway.

If I were Mr. Z, I would know the problems Company X will have replacing libY with libW, and wish them the best of luck if they bring it up. No one's paying me, if they want to use something else, good riddance. Especially if they are threatening me. But I get it, people are different.

I'm sorry, but what kind of fantasy is this? Here's how it works in reality:

    - Customers: Hey Company X, this feature provided by libY is broken.

    - Company X: This makes us lose money, but it's complicated. Tell Mr. Z.

    - Customers: We don't care who Mr. Z is or who is responsible. If your company does not fix the problem we are going to fucking murder you.

No paying customer will ever accept that a company tries to shift the blame to somebody else. So Mr. Z is free to ignore anything that company asks from him, reputation intact.

This I would strongly dispute. I’ve seen it first hand many times that developers who ignore such things are definitely finding the negative consequences of it. It takes very careful maneuvering not to get burned, either by reputation damage or to burn out.

So your "reputation" among a bunch of parasites takes a hit? Who cares about what they think? They're not giving you any money anyway. They're just using you.

It's like if a group of bums in the park think I'm a cool guy because I give them cigarettes when they ask. Great. And if I stop giving them free cigarettes then they say amongst themselves "man, that guy is a real jerk". Ok, should I care about what a bunch of freeloading bums think?

Of course I understand that I will be downvoted for this. Because people who love being victimized hate when people point out that they're being taken advantage of.

> stupid to give our code away for free

Most professional developers aren't that stupid. The problem is students, and the underemployed more broadly, write code to make a name for themselves, which isn't entirely irrational.