What is the point of free and open source software (FOSS)? Do we make it for the sake of freedom, or for the sake of expedience? (Or for the sake of our careers?)
In Part 1, we suggested an answer might be found in how people assess the health of FOSS as a social institution. The open source movement promised better software through freedom. In 2022, the biggest challenges to fulfilling that promise are not technical, but social and economic.
Code In the Time of Cholera
OpenSSL is possibly the most popular library in the world for encrypting and decrypting web traffic. In 2014, a bug in the library known as “Heartbleed” was uncovered that allows an attacker to read sensitive memory contents, like encryption keys, or usernames and passwords:
This is, in principle, very bad. Whenever you buy something on the internet, send your social security number, or otherwise share sensitive information, there’s a very good chance that information is being protected by OpenSSL at some point along the way. In 2014, it was the default HTTPS implementation for both Apache and nginx, which together made up over two thirds of all web servers on the internet, to say nothing of its use in browsers, embedded devices, and so on. As Forbes put it, “[s]ome might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.” The bug itself was a routine bounds checking error, which is the programming equivalent of a typo. You deal with typos by catching them in review. They’re always going to happen, and you can’t reasonably expect to prevent all of them.
Heartbleed was a failure of process, not of bounds checking. According to the late/great security researcher Dan Kaminsky:
Everyone, myself included, has some toy that would have fixed this. But you know, word from the Wall Street Journal is that there have been all of $841 in donations to the OpenSSL project to address this matter. We are building the most important technologies for the global economy on shockingly underfunded infrastructure. We are truly living through Code in the Age of Cholera.
At the time, the OpenSSL project had over 500,000 lines of code, exactly one full time employee, and had never taken in more than $1M a year in revenues. It was staffed almost entirely by volunteers. In the weeks after Heartbleed, OpenSSL received all of $9,000 in donations, despite being used by many of the largest and best known companies in the world.
Free Lunches
In English, the word “free” is ambiguous. The oldest criticism of FOSS is probably that, by giving software away, it risks a tragedy of the commons. In the ‘90s people argued that giving software away would make software inherently worthless, whereas in 2022 the concern is that people won’t pay to maintain the massively valuable codebases created by giving software away. Both versions of the argument locate the problem in people not paying for “free software.”
This line of argument reads gratis as the relevant sense of “free,” i.e., available at zero cost. This is the sense the FSF calls “free as in beer,” and what David Bals identifies with the proverbial “free lunch”:
With popular open source code, this price of a free lunch has increased the pressure on those maintaining it—those who handle bug reports, feature requests, code reviews, code commits, etc., for their so-called “free” software. Increasingly, as open source grows in popularity, the price of free lunch has been developer burnout and the abandonment of their open source projects. […] It’s the tragedy of the commons in action[.] [Bals 2020]
About “so-called free software” though, the people doing the calling are quick to remind us they mean “free” as in libre, the lack of restrictions on its use, or in FSF terms, “free as in speech.”
This might seem like nitpicking, given that so much FOSS is also available without cost. But both the Free Software and Open Source wings of the party are fundamentally agnostic with respect to the business models behind the movement, and people have been taking money for software libre forever, to varying levels of success. (We’ll look at a few contemporary ones in a minute.) Furthermore, history is full of successful software gratis. By all accounts free lunches were the norm until software ran headlong into its chains; “commercial software,” i.e., software as a monetizable asset, is a younger social institution than Unix, C and Lisp. Software didn’t even have copyright protection under US law until 1980. And while it’s true that AT&T and IBM were charging licensing fees for their operating systems by the early ‘70s, Unix was also freely available in source form to academic institutions; this resulted in the Berkeley Software Distribution. BSD itself has been repackaged in commercial form ever since, from high end workstations to Nintendos.
Clearly, commercial software was the product of successful software gratis, not the other way around. (Note that we’re not talking about “proprietary software,” which would be the complement to software libre.) The software that demonstrated the value of software was, often, given away. And it wasn’t given away for the purpose of creating a market for software—it was a byproduct of other activities, like building a telephone network or teaching physics. IBM only began selling software because they were legally ordered to, and the reason is telling: “[w]ith a huge community of users willing to share programs, IBM amassed a vast, free software library. Rivals objected, sparking a Justice Department antitrust suit in the late 1960s.”
Use and Abuse
Returning to Melody Horn’s “Post-open source”, [Horn 2020] Horn’s argument is that, unlike the free software movement, corporate exploitation “was always the endgame of the open source movement”, even if “it took a while to take off.” On the lingering question of life and death:
i wouldn’t say that the open source movement died per se. it was undead from the moment it began; it won, and with its victory it has stopped pretending to be anything other than a lich. the only meaningful lesson to learn from the open source movement is that letting corporations do whatever the hell they want ends poorly, which is not exactly news.
That’s one lesson, but I want to push back on the idea that it’s the only one. The story is more complicated. Horn’s piece was written in reaction to Mozilla’s August 2020 layoffs of roughly 250 people. For many of us, Mozilla is still synonymous with the best of FOSS: an international, nonprofit entity that makes end user software people actually use, that promotes solid and occasionally brilliant engineering, and that for decades has been essentially the only player in web standards representing the interests of the public. Those layoffs were a dark day not just for Mozilla, but for all of planet FOSS.
The term “open source” was a byproduct of the birth of Mozilla, it turns out. “Open source” was coined by Christine Peterson in 1998 to make free software “more understandable to newcomers and to business, which was viewed as necessary to its spread to a broader community of users”:
On February 2, 1998, Eric Raymond arrived on a visit to work with Netscape on the plan to release the browser code under a free-software-style license. […] Between meetings that week, I was still focused on the need for a better name and came up with the term “open source software.” […] By late February, both O’Reilly & Associates and Netscape had started to use the term.
Eric Raymond’s The Cathedral and the Bazaar, which is about software production and not software freedom, was cited by Netscape as critical to their decision to create the Mozilla project in the first place. Four months later,O’Reilly hosted a forum of “open source pioneers” that included the technical principals behind Linux, Python, Perl, Tcl/Tk, sendmail, and bind, in addition to Raymond and other OSS luminaries. Netscape was clearly in search of volunteer labor, but if your feelings for Mozilla are as warm as mine, and apparently Horn’s, it’s hard to read this as a pure corporate ploy. Developers seem to have been in the driver’s seat the whole time.
But which developers? Linus Torvalds and Guido van Rossum are not good proxies for exploited developers of 2022, or even 1998. The open source model is essentially peer to peer—it works best when everyone who consumes the software is also in a position to contribute. Two structural problems with this arrangement:
(1) This is, in general, unpaid labor. You might be getting paid by your employer for that time and contributing the result, but then again you might not be. Consider the phenomenon of open source contribution as a competitive career booster, which creates a professional incentive to work for free. Giving the developer leisure class a competitive advantage over people trying to break into the industry was not, I presume, on the agenda at the O’Reilly summit.
(2) The explosion in demand for software over the last 30 years means more developers exist to build it. The expectation that users are also contributors is not a sustainable model for apprenticeship. A beginning front end developer might find themselves depending on thousands of Node packages for their first boot camp project. They are not in a position to contribute to any of them. Any arrangement capable of growth must address this.
The field is now larger, more specialized, and more diverse, and junior developers face stiff competition for a limited number of entry-level positions. Open source contributions themselves have become a source of inequality among job seekers. People entering the industry now have more in common economically and culturally with commodity information workers in other fields than they do with anyone at the O’Reilly summit.
(Speaking of 2022: Like Richard Stallman (see Part 1), Eric Raymond has found himself outside the mores of his peers. For example, people will literally pledge money to stop being reminded of him on Twitter: “In the first quarter of 2018 alone, [Democratic fundraising group] the Great Slate has raised over $140,000 … A good chunk of that was driven by security researcher Thomas Ptacek’s promise to stop tweeting about Eric S. Raymond, a notorious figure in the open-source community whose bizarre and abundant ramblings on everything including race and sex could be considered early forerunners of current alt-right strains in the tech community.” [Jeong 2018])
The Comedy of the Commons
“Open source” was conceived under a scarcity mentality: in 1998 the big question was, how do you make money on software that you’re giving away? That’s still a question, but these days it means, “what model would you like to adopt?” Back then the question was whether you could do it at all. The goal of “open source” was to create a market, by showing that free software was of equal technical quality. (This was probably an easier conversation to have than one about long term sustainability.) Peterson 2018 cites the conflation of libre and gratis as a motivating factor:
The problem with the main earlier label, “free software,” was not its political connotations, but that—to newcomers—its seeming focus on price is distracting. A term was needed that focuses on the key issue of source code…
Of course, source code was the key issue to getting businesses to adopt free software; free software advocates would probably say freedom is the key issue, and that’s why the term is what it is. In this sense, Horn is entirely correct that getting corporations on free software was always the goal of the open source folks. Some didn’t need much convincing; by 2001 the once-staid IBM was defacing American cities with peace, love and Linux graffiti, while their own AIX remains closed to this day. But they had also been active technically and financially in the FOSS world for years by that point, arguably representing a success story for the model. (IBM at the millennium also gave us Captain Sisko demanding flying cars, so there’s that.)
Elsewhere, Microsoft famously denounced free software as “cancer” and “communism”, other once-mighty players drove themseves into bankruptcy fighting it and others, like Netscape, ended up giving away their own source code. Unlike Amazon profiting from the unpaid labor of the MongoDB and Elasticsearch communities, Sun Microsystems footed the bill for industrial-strength tools like Java and the JVM, Solaris and ZFS before making them free. If this was a conspiracy to exploit the developers invested in maintaining free software, it wasn’t very well run.
The exploitation in question was really only perfected by the corporate interests that followed. When “open source” was a new idea, there was no Facebook or GitHub. Amazon and Google were still curiosities whose markets were dominated by the likes of Borders and Alta Vista. It rings true to say “open source” led to corporate exploitation, but rather than being conceived as a plot to fleece workers, it was a victim of its own success. People who predicted in the late '90s that free software would make software worthless got it completely backwards. Free software became so valuable it couldn’t sustain its own mode of production.
Here’s my point: the labor problems in FOSS are not a tragedy of the commons, because the problem is not the destruction of value. On the contrary, it was—and is—so good at creating value that it can’t keep up with itself. This is an example of what Carol M. Rose termed the “comedy of the commons” in 1987, where increased use of a resource results in increased value. In 1998, the question was how to crack the corporate market. Now the questions are (a) how to manage the resulting abundance, and (b) why tremendous demand for a product leads to a situation that’s less equitable for the people who make it, rather than more.
The Future
The second half of Horn’s piece (which, let’s remember, is called “Post-Open Source”) contains a great critical roundup of alternatives to traditional FOSS licenses. I encourage you to read it. Instead of licenses, here we’ll consider a few economic options.
Shareholder Values
At least some of the exploitation is corporation-on-corporation, or at least Amazon-on-corporation. MongoDB, a document database that was originally released under the AGPL, switched in 2018 to the closed Server Side Public License as a result of certain “large cloud vendors capturing all the value [of MongoDB] but contribut[ing] nothing back to the community.” In 2021, Elasticsearch, a widely used search engine, itself based on the free Apache Lucene, followed suit. Bracketing concerns about the SSPL itself, let’s note that MongoDB Inc. and Elastic NV are both publicly traded companies; when you get down to it, they exist to generate value for their shareholders, not write good software or pay developers. They may do that as well, but only in the service of shareholder value. Berkshire Hathaway used to be pretty good at making fabric. We have no idea what MongoDB Inc. will be making in five years.
In 2021, Elastic NV took in $608M, while MongoDB Inc reported nearly $874M in revenue. It’s simply impossible to believe that’s not enough money to pay developers and keep the software stable and current. The MongoDB contributor graph on GitHub shows a grand total of 18 developers with more than 500 merged commits since 2008. Their issue with Amazon is market share, not pull requests.
In his 2021 piece “Are open source databases dead?”, Tony Baer suggests these “defections towards restrictive licensing [are] the death knell for open source” in the database world, but only because open source licenses can’t be used for market “differentiation” the way the SSPL can. In fact, Baer notes at the end of the piece that “evergreen projects like PostgreSQL, Cassandra, and more recently, Spark [are] thriving; the common thread with these projects is that they are all community-based.” Hmm!
Partnerships, Co-Ops and the Like
There are of course business models that do not revolve around generating value for shareholders. Many law partnerships work this way. The Gnar effectively works this way; if we were to bid on a support contract for something like MongoDB I surely hope it would come in at less than $800M per year. (Remember: 18 developers.) Many states recognize also worker-owned cooperatives; some of those produce software. For a list of tech companies organized as co-ops, see this repository from GitHub user Henning: https://github.com/hng
Mittelstand
The German Mittelstand is usually translated as “small and middle class businesses,” but that doesn’t quite cover it:
Mittelstand core values represent a sharp counterpoint to a singular focus on shareholder value in favour of long-term survival based on enduring relationships with key company stakeholders, combined with a commitment to excellent products and services. [Venohr, Fear, Witt 2015]
Neil Thanadar argues we should “[m]ake Mittelstands cool in America” to provide an alternate model for startups to the dilemma of either bootstrapping a business or raising large amounts of venture capital; he argues “seed funding can and should be a path to profitability for most startups.” This should be especially true in the case of FOSS, where the primary investment is that of labor rather than capital.
When All Else Fails…
Returning to [Bals 2020]:
Too few people—and their organizations—who rely on open source software are contributing to the projects they use. If you’re a developer and have a favorite open source component, you can contribute to its development through development, sharing your modifications, bug reporting, crowd-funding, letting the developers know how you are using it and helping others get started. That last may be the most important thing you can do for any open source project—helping build a user community large enough to sustain the project.
The last thing I want to do is discourage anyone from participating in FOSS. That said, given how the world has changed in the last 24r years, maybe we should think critically about the idea that what this system needs is more unpaid labor. There is already plenty of value in open source. The problem, again, is how that value is distributed.
In 2016, we got a glimpse of what FOSS developers going on strike might look like. Much of the Javascript world is dependent on the Node Package Manager, or npm, to manage their free software dependencies. This is no small task, as even trivial React apps can have over 13k dependencies. Each one represents a potential point of failure.
FOSS developer Azer Koçulu maintained a number of packages on npm, including a templating tool called kik. When Kik, the popular messaging application, threatened him with legal action, npm, Inc., the for-profit company behind the registry sided with Kik. Instead of renaming the package, he pulled all of his npm packages in protest:
To Koçulu, npm’s decision to transfer ownership of the kik package to Kik ran counter to the values of the community it serves. In his reply, Koçulu said he wanted all of the packages he had registered on npm taken down. ”I don’t wanna be a part of npm anymore,” he wrote. “If you don’t do it, let me know how do it quickly.”
Within hours of the deletion, websites large and small around the world started breaking. One of Koçulu’s other packages, left-pad, was a simple 11-line tool that somehow had come to be a dependency of thousands of other repositories, including React itself. For all intents and purposes, the npm ecosystem ground to a halt.
The situation was resolved when npm, Inc. simply republished the left-pad packages over the author’s objections. They were on solid legal ground. Once Koçulu open sourced the code, anyone in possession of it was allowed to distribute it. But we’re talking about open source, not free software, so we’re concerned with practicality, not principle. In practice, it demonstrated two things:
First, developers should expect business interests, even “critical part[s] of the JavaScript community,” to behave like business interests. npm, Inc. was acquired by GitHub a few years later. It would be naive to think the market value of the company did not play into the decision. (Think about everything you know about tech startups and “exit strategies”. For Kik’s part, it seems like if the issue was really that “you have to enforce trademarks or you lose them” they could have given Koçulu an exclusive, limited license to use the name for $1 and renamed their package kik-platform or something, but I’m no lawyer.)
Second, it underscored that volunteers building these mechanisms also have the ability to turn them off. Even if a general strike of open source developers was infeasible or undesirable, the communities behind influential packages have the power to exert considerable influence over the day-to-day functioning of the consumer internet. The mere necessity of OpenSSL was not enough to prevent the project from falling into disarray. It’s possible that more concrete action is necessary to rehabilitate the open source mode of production, and it’s difficult to imagine for-profit entities having a leg to stand on complaining about people stopping work they weren’t being paid for in the first place.
Conclusion
Our questions here were, what is the point of FOSS? Is it hale and hearty, or mortally ill? This was a hard question to pin down for free software in Part I. For open source the answer is clearer, because open source’s goals are clear: by its own account, the goal is better software and mainstream adoption. It’s impossible to ignore FOSS's track record in those respects. At the same time, it’s impossible to ignore circumstances where both software and developers are suffering. If the community doesn’t find a way to responsibly distribute the value it creates, open source may yet collapse under its own weight.
Learn more about how The Gnar builds software.