None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it, and prevent others from exploiting you in the process.
Hyperscalers like Amazon exploit OSS projects by reselling them as a cloud service and they earn a gigantic sum in the process. But this is not a neutral thing to do - the OSS project is still responsible for maintenance! (And in many places, the "no warranty" clause seems completely disregarded - users and corporations demand bugfixes since it's a "critical library")
The most telling sentence is "Open source culture relies on trust. Trust that companies you and I helped build (even without being on the payroll) wouldn't rugpull."...
where is any trust in exploiting someone's work without giving anything back? the hyperscalers routinely break the OSS social contract, but because they abide to the letter of the licences, they get a free pass and many white knights from even the OSS community and even OSI itself.
A business model of "you can see the source, you can modify it but you can't offer it as a service or resell my work" is much more honest and trustworthy than the "develop a library, a cloud service picks it up then pressures you with PRs and issues until you permanently burn out from the whole thing"
This is partly addressed by the post - "But you know what? I'd just prefer honesty. If revenue is so dependent on selling software, just... make the software proprietary. Don't be so coy!".
This is not honesty though. Claiming that anything not party-approved.... I mean OSI-approved is not open source and it's proprietary is a very myopic thing. For users and developers, it's much more beneficial if they can see or even modify the source even if they don't have an unrestricted right to use and modify it however they want. This absolutist, black-and-white approach could potentially lead to many pieces of software becoming fully proprietary, all-rights-reserved in the future since the open source community harasses source available projects quite frequently, and not many have the patience to put up with that. And that would be a sad outcome indeed for user freedom, repairability, portability and other values RMS and the FSF dearly holds.
> None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it...
Should OSS solve that "problem"? Free software predates billion-dollar OSS / open-core companies, it also doesn't require the maintainer directly earn a living from it. Perhaps the era of OSS megacorps and the concomitant VC/startup dreams is setting, as these large, formerly OSS companies are rejecting OSS licenses in favor of bigger profits. To that, I say good riddance, not every useful git repository has to be incorporated.
> ...and prevent others from exploiting you in the process.
The whole point of free and open source software is anyone can use it and improve it - including Amazon and the person you hate. An OSS license is not a growth-hack for adoption: if you want to discourage Amazon from using your product, use AGPL. If you're worried others won't use your AGPL software, then you're growth-hacking.
FL/OSS will be fine between evening/weekend hackers (xz), small-to-medium companies/consultancies (Rails), and our neo-feudal tech overlords (React).
If you don't want a cyberpunk-like dystopia of megacorps controlling everything, yes. This is not just affecting the VC-funded startups' profitability but it also affects ordinary software developers' lifestyle businesses too. Sure, the core principles of OSS don't require that you'd be able to earn money from your work, but then perhaps it is OSS which is not fit for purpose, not the desire to earn money from creating software.
>if you want to discourage Amazon from using your product, use AGPL.
The AGPL is still not restrictive enough because you can resell the software without contributing anything back if you don't modify it. Stuff like the SSPL or the Commons Clause are much better to prevent that kind of exploitation.
>FL/OSS will be fine between evening/weekend hackers (xz), small-to-medium companies/consultancies (Rails), and our neo-feudal tech overlords (React).
I find the xz example especially funny because that shows how it is very much not fine. Single developer, burnt out, not getting paid a penny for his thankless work, a bunch of state-sponsored actors pressure him to hand his project over -> backdoor injected. If Lasse Collin could get support for his project, this almost certainly would not have happened.
> The AGPL is still not restrictive enough because you can resell the software without contributing anything back if you don't modify it
Why would you want to restrict reselling? If you want free software then you’re going to have reselling. If you don’t want reselling, then don’t make your software free/open source.
I’m not sure why people are getting mixed up. Anyone can make proprietary software and restrict all they want. There’s tons of commercial software. But it doesn’t have the features of free/open source.
Depends on what your philosophy is. You believe in the software commons and the free sharing of software? You would want software to remain as a public good so no one can profit from it exclusively.
Are you a business who made some software? You don't want others to resell it because it's your work, you made it and you don't want others to freeload.
>If you don’t want reselling, then don’t make your software free/open source.
Sure, and the consequences of this will be much more all-rights-reserved proprietary software. A huge loss to users and developers.
>But it doesn’t have the features of free/open source.
Yes it does. Just because it doesn't conform to all tenets of the OSI definition, many useful things are still kept. The most obvious is the right to view the source code - which is highly liberating in an age where many vendors lock their systems down or try to offer everything as a SaaS where you don't even see the binaries.
You usually also have the right to modify the software under most of these licences - you are the user but you find a bug in the software, you don't need to wait for the vendor to fix it, you can fix it and share your modifications to other users (either paid or not).
You can also have the right to contribute changes if contributions are allowed, which is also a positive for everyone.
There are many freedoms which can be granted without necessarily going for a maximalist open-source approach but still preserving the right to exploit your own work and prevent others from exploiting it.
> Depends on what your philosophy is. You believe in the software commons and the free sharing of software? You would want software to remain as a public good so no one can profit from it exclusively.
> Are you a business who made some software? You don't want others to resell it because it's your work, you made it and you don't want others to freeload.
I cant help but notice that you assume everyone uses money as a measure of desirable/undesirable outcomes. Whenever I publish a library/project with a GPL license (my preferred license), it's so that others can use it. I have a well paying job that's enabled in part by others sharing their work[1], so I let the "freeloaders" have at it - I too am one, after all.
At the time I release the software, my problem is adequately solved: I already did the work , maybe someone else may benefit. Creating/sharing value with others is the point - I don't mind if someone else sells it : if they abide by the license, that means I can sell something identical for half of whatever they sold it for if I suddenly felt competitive.
1. I'm amazed that I can use Linux, git, hypervisors, orchestrators, various computers and interpreter, libraries, ops tools and more all for free,and with the ability to pry them open and make any changes I want! How frigging cool is that?! I'm compelled to pay it forward in any way I can.
Because I don't mind people using my software commercially if they are respecting the license. I wouldn't want to be charged for all my commercial usage of Linux, Git, Postgres, zsh, the rust toolchain, etc.
I believe if everyone in our industry tried to capture all/most of of the economic value of their work, we'd all be poorer for it, metaphorically and literally since a huge part of high SDE salaries is due to high productivity enabled by the open source ecosystem. We are all freeloaders, to varying degrees. Without FL/OSS, most of these source-available companies would never have gotten off the ground.
Exactly. I don't understand the drama on this at all.
"Corporate Open Source is dead"?? I don't even know what that means! Having launched at least 20 open source companies, several that went public -- this is not news that this faction of companies were NEVER going to make it (AND WE SAID SO). And that is ok.
That's entirely fair, but you can tailor the licences to target the biggest freeloaders (prohibit hosting it as a cloud service, allow everything else) while letting everyone else use it without worrying about licensing.
That's the beautiful part - you can choose vastly different approaches with differing levels of freedom/openness, depending on your and your users' needs. A game is licenced quite differently than a library which is also licenced differently than a website. And they can all coexist:)
FWIW, I avoid using and contributing to projects with revenue-based licenses on principle - I hate bait-and-switches and folk who pull up ladders behind themselves. They will have to coexist with the forks with standard licenses.
Your solution seems to just incorporate OSS and at some point it just isn't OSS anymore. The problem was not the developer of xz, it is the people that build upon it without reflection. Although to be fair, almost every developer has a dependency like that somewhere.
I find it funny that people call to support the developer. That is true, but the scam was exactly about how the dev was pressured to hire more maintainers. The lesson here should be that if third party is nagging you about your open source project, you just hint them on the "no warranty" part. Everything else is their problem.
I wish the developer would swim in money. He did more constructive work than many, many very rich people. Problem still is that there is no entity that could be trusted to pay him. If that would be corporation, the pressure would be even higher. Because then you are essentially a freelancing developer with a corporate contract. You lose freedom and independence, something many OSS developers specifically do not want.
> None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it, and prevent others from exploiting you in the process.
You’re begging the question of whether one should be able to earn a living from making free software.
Free software is not fundamentally about business or profit: it’s about ethics. It’s about the freedom of software users to use, modify and share their software.
How programmers get paid is an interesting question, but it’s not the most important question. The important one is, ‘is it ethical for a programmer to prevent his software’s users from using, inspecting, modifying and sharing modifications to the software they use?’ And the answer in my opinion is a resounding ‘no!’
Sure. If it's about ethics then I could argue that corporations are not people. So I can give the right to all people to use, inspect, modify and share modifications to the software they use, but corporations aren't people so they don't get those rights. :D
None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it
In other words --- developers can not live from Open Source alone.
If all software was Open Source, there would likely be a lot fewer developers. And those that remain would be spending a lot more time and effort on survival and less time creating software.
Open Source is inherently self limiting and unsustainable. It is a utopian concept that defies the basic economic reality we are all forced to contend with.
And the really crazy part --- even the least educated manual laborer can immediately grasp that giving his work away for free invites exploitation. It may be noble and good for somebody --- but ultimately not for himself or others like him.
> "And the really crazy part --- even the least educated manual laborer can immediately grasp that giving his work away for free invites exploitation."
The funniest part is that this outcome was obvious even in the 1990s. Evangelists were begging businesses to start using FOSS with slogans like "free as in beer and free as in speech" and hailing every corporate adoption as a victory. Meanwhile, business were belching contentedly and asking for another free beer while pointedly not giving a rat's ass about giving back or software freedom.
I'm absolutely amazed that it took reality this long to catch up with FOSS.
"Evangelists" = People promoting ideas not firmly rooted in reality.
The software industry seems to harbor more than it's fair share --- crypto evangelists, open source evangelists. As folks from the ghetto used to say, "You gotta be rich to even think like that".
There are uses for CLAs besides rug pulls. For example, if you want to offer software as AGPL, accept community contributions, but be able to _also_ offer a non-AGPL option to paying customers (who effectively pay to be allowed to integrate the license without themselves being subject to licensing risk). Quite a few big orgs have a full ban on internal use of AGPL software so this can be very valuable.
That requires a CLA (as I understand it, IANAL) because you're relicensing a contributor's contribution. At the same time though, I wouldn't consider it a rugpull - contributors lose nothing here, and the open source project gains a funding mechanism (a rare thing in open source).
I think you can do this in a principled way with some extra corporate/bureaucratic machinery, like the Free Qt Foundation, so that it doesn't allow rug pulls.
Funnily, one of the best places for this in practice (IMO) is microsoft. Who is now, again funnily enough, GPLing a lot of their software but have CLAs so they can do long term support for people that want to pay for it.
Latest versions stay fully open source while back ported fixes are a paid feature if you don't keep your software up to date. That, to me, is a win win.
> Funnily, one of the best places for this in practice (IMO) is microsoft. Who is now, again funnily enough, GPLing a lot of their software but have CLAs so they can do long term support for people that want to pay for it.
Huh, what software is MS releasing under the GPL now?
MIT is the standard OSS license for Microsoft stuff that is open source. You also see Apache for some projects that predate standardization on MIT, and GPL where there's no way to avoid it (i.e. when you have to build on code that is itself GPL).
That said, peak OSS at Microsoft is already past. These days, it's all about advertising products as OSS while quietly close-sourcing parts of it (e.g. just about the only thing in VSCode that's fully open source is JS support, every other language extension is closed to some extent).
Hmm. Orgs which ban AGPL should be marked and targeted for dismantling. Any way to scope them out, or public registry of them we can build? Orgs banning AGPL should not be allowed to exist at all, or use open source at all. They should all be systematically sabotaged by the OSS community, and if possible acquired/reformed, or destroyed.
And it would be very convenient for me to be able to relicense an AGPL contributor's work as if it were mine all along, like an evil genius capitalist, tee hee hee :3
But I would fork a project that tried it, and that is the attitude we should encourage.
Those aren't valid reasons for CLAs in my organizations and projects, since they do damage to AGPL as I envision it.
I wonder if there are other reasons for a genuine AGPL radical to support a CLA? Seems AGPL is good enough on its own, and most CLAs just weaken it - both technically and in a spiritual and ethical sense. Could we strengthen it instead?
Richard Stallman, of all people, is not as intransigent as you.
> I've considered selling exceptions acceptable since the 1990s, and on occasion I've suggested it to companies. Sometimes this approach has made it possible for important programs to become free software.
> [..] [S]elling exceptions permits limited embedding of the code in proprietary software, but the [non-copyleft] X11 license goes even further, permitting unlimited use of the code (and modified versions of it) in proprietary software. If this doesn't make the X11 license unacceptable, it doesn't make selling exceptions unacceptable.
> I consider selling exceptions an acceptable thing for a company to do, and I will suggest it where appropriate as a way to get programs freed.
Unless that text was recently changed, or unless Hashicorp went out of its way to verbally reassure people that they didn't intend to ever exercise that option, I feel very little sympathy for any open source contributor who clicked that link and then was dismayed to find Hashicorp using his work in a commercial product.
I'm glad Jeff pointed out the RMS article on Free software
> For the free software movement, however, nonfree software is a social problem, and the solution is to stop using it and move to free software.
> “Free software.” “Open source.” If it's the same software (or nearly so), does it matter which name you use? Yes, because different words convey different ideas. While a free program by any other name would give you the same freedom today, establishing freedom in a lasting way depends above all on teaching people to value freedom. If you want to help do this, it is essential to speak of “free software.”
> We in the free software movement don't think of the open source camp as an enemy; the enemy is proprietary (nonfree) software. But we want people to know we stand for freedom, so we do not accept being mislabeled as open source supporters. What we advocate is not “open source,” and what we oppose is not “closed source.” To make this clear, we avoid using those terms.
People in the FOSS world has been beating this drum since the very beginning. Free software was always an ideology. I get that that turns people off, just like projects wrapped up in religion and politics do, but it's the only way to ensure that stuff like this doesn't happen.
I concede that the people who champion FOSS are not always the kindest people to be around, see the response from people about Guix when I mentioned it as an alternative to Nix.
But when I was in Boston I was a card carrying member of the FSF. I went to a few libre planets, and I met some real nice people in real life who also cared about FOSS very deeply, so I know not everyone in the community is a jerk.
I think the FSF's take is philosophically solid, and I've gotten a ton of of their software and advocacy over the years, as most software developers surely have. However, developers and other technical people are nearly the only people for whom that's true.
So much of the FOSS world blames marketing for the lack of non-technical users, routinely ignore, or even deride the prospect of prioritizing the most important factor non-technical users choosing software: usability. The people who do so dismiss interface and experience design as superfluous aesthetics. It might be true for people with a working mental model of software architecture in their back pocket, but to others, those little 'trivial' bits of prerequisite knowledge aggregate into a giant frustrating roadblock.
They mean that what they advocate is “free software”, not “open source”; and that what they oppose is therefore “non-free software”, not “closed source”.
Honestly, how could that be hard to understand from the context of the discussion here?
It's possible that "Open Source" here is the OSI definition, which FSF has some objections to. If "Closed Source" just means "not Open Source as OSI defines it", then it is true that some non-OSI software is "free" software. Free software still requires source to be available and that you're allowed to modify and distribute it.
Source available from the beginning is ethical. Open source that becomes something else is shady.
I am glad they tried. I know there's lots of cynical stuff on the internet, but realistically the open source progress on stuff like Terraform or similar wouldn't have happened if these companies didn't try an alternative.
I'm not sure what people want these companies to do. If there's no money, if the idea didn't work, they need to pivot to something that does work.
There are many reasons people prefer open source software other than wanting to do their own development: Security auditing, the ability to reverse engineer protocols / serialization formats, or simply to better understand a product's features.
If you do actual open source and your product is any good, somebody else is just going to repackage it and sell it, either as SAAS/IAAS or as a boxed product. So why not get there first? It's depressing. That's been my experience every time I gave code away, at least. Somebody else made money off it.
I think at this point it's undisputed that modern society relies on a lot of permissively licensed software, and the people who maintain that software aren't getting paid enough (or at all) to do it. xz is only the most recent example, NTP and OpenSSL come to mind.
I used to do OSS development full time, but it wasn't financially sustainable for me.
IMO, that's more of a sad story about the state of respect for supply chain risk management in the software engineering discipline. It may be convenient at first to add a bunch of dependencies for free that solve a particular task, and ignore the part that says "AS IS WITHOUT WARRANTY OF ANY KIND". The only thing a FOSS license gives anyone is code. It never gave anyone maintenance or support.
Any organization that uses software that is "as is" should have a plan to maintain that software themselves, or mitigate the risk in other ways. And many of the large players in this industry do exactly that, and their full-time employees are top contributors to many large FOSS projects.
A great many open source maintainers are employed by a corporation that pays them well, if not fantastically well, for maintaining it. Over time, the trend has been increasingly in that direction.
Exactly. If I put something out in the world for the benefit of others, and someone packages it up for profit, I'm still achieving my goal. In fact, that helps my goal to advance even further! That's not depressing to me, that's exciting.
Haha jokes on you. I sucked your AGPL code into my LLM and now you have to prove I'm actually using your code when it generates the same thing. Good luck with that.
It's why things like Captura no longer exist. You make something fantastic with an open source license, someone else renames it and sells it in app stores, and the people running the app stores go "the license allowed for this, we see nothing wrong".
It's well past time for getting rid of licenses that say "you can do what you like with this software", and replace them with licenses that allows you to sell as long as the original project gets a cut, without taking on any of the liability.
The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
There is absolutely nothing wrong with making and selling proprietary software. If you want to make money, you should probably just do that.
I'm very happy to have created a mildly popular permissively-licensed library. It's a contribution to a community with zero intention of profit. That is, for the most part, what open source is all about.
If you read me as saying making and selling proprietary software was wrong, you read a very different text from what I wrote. Making and selling software is perfectly fine, and building that software on top of libraries specifically released for that purpose is equally fine.
Open source licenses that in perpetuity lock you out of any form of gains from your own work, even when that work is the very backbone of someone else's non-open-source, for-pay product, are morally objectionable licenses.
I believe the parent is responding primarily to this point:
> The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
There's no reason this should ruin your life - your quality of living didn't suddenly decrease. If you are unhappy with this outcome, you probably didn't really intend to create open source software, and should stick to writing proprietary software.
> Open source licenses that in perpetuity lock you out of any form of gains from your own work, even when that work is the very backbone of someone else's non-open-source, for-pay product, are morally objectionable licenses.
It is simply false that open source licenses lock you out of any form of gains from your own work. They allow others the opportunity to benefit from it, as you yourself can too.
It is possible that someone wanted to share their work with others without any payment expectations (but not realize the value of their work) and chooses to license it permissively.The product becomes successful, but the only ones earning money through the product are big companies. ( One may argue that project became successful because of its license or because it was used by the said company, but they are difficult arguments to prove and accept).
I won't fault them for expecting to get paid if they later realize the value of their work and know that it is generating significant commercial money. It is natural to feel like being taken advantage of by the commercial entity when they don't get compensated (even if that was their initial choice).
When someone says "you should have chosen to make it proprietary or use a more restrictive license from beginning", it might come across as a polite way of saying "Too bad, no backsies! You were foolish enough to chose a permissive license. So, accept the consequences".
If a developer wants to get paid for their work with something other than "feel good OSS points", I don't see many options out there. They need to solicit donations(which doesn't have good track record) or re-license.
I think as more products go through this cycle of permissive license, monetization by third-party and re-licensing, we'll be seeing a significant number of projects erring on the side of caution and use restrictive licenses from the start.
I think this discounts the rest of the work required in converting a technological solution into a product. That is, marketing, sales, support, strategy, operations, and oftentimes, UI/UX work.
But in general, yes, I feel that the bigger issue here is a fundamental mismatch between the author's desires and their chosen license. It's not so different from signing a contract with terms you later regret.
If someone makes a small game, wants users to enjoy all the freedoms its developer had, but does not want random 3rd party to include it in a product without telling their users about that, use a GPL style license.
If someone is working on a network protocol, an image format, or audio/video codec, and have that go everywhere to become a defacto standard is more important than other considerations, go for a BSD/MIT style license.
Some vendors don't mind their users looking under the hood. But still want to retain control. Enter 'shared source' (=not open source) or dual licensing (eg. free for non-commercial use, commercial users: pay up).
Documentation is different. So is hardware.
If you're a developer (or vendor): think about this, and pick appropriate license. Just don't complain when you did open source something, and a 3rd party runs with it.
The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
[Citation Needed] (and a couple of questions)
1. How has this ruined someone's life? That mechanism isn't easy for me to see.
2. If the license allowed for it, why should any one see something wrong there?
3. Aren't you putting short shrift on the effort it takes to productize something?
This is the correct approach - double license, if you're non-commercial then you'll get GPL/AGPL/etc. and if you're a company and want to use it to make money this way or another then pay up.
A fair approach that provides a way of supporting the people making it and further development.
You do realize, I hope, that if you give even one person A GPL/AGPL version of your software, they can then redistribute it to anyone for any purpose. There's no such thing as "GPL for non-commercial use".
I don't have a post about it, but the equation is pretty simple: good cross-platform software + good documentation + responsive development = good product. The trick is to write good software -- the license doesn't matter so much. But, making it free/libre is competitively advantageous, all else considered. Some customers have told me they would not have considered paying for a proprietary option.
My project is called reMarkable Connection Utility (RCU), and it makes about $2.1k MRR, selling ~200 copies/month. Some months are worse, some are better.
I've never purchased any advertisement. Its users advocate for it through online forums. That genuine attestation, to its quality and also to me as a person/programmer, helps it sell. That its users, too, are free to share their copy with friends helps people encounter the program who otherwise would not have purchased forthright.
I sell it from my personal website with links to PayPal and Stripe. The return URL is its download page. No JavaScript anywhere. I provide the entire Git history of the project, as well as binaries for all major distros of GNU/Linux, FreeBSD, Windows, and macOS. I also provide two mailing lists -- one for all customers to be informed of updates, and another for customers to talk with each other, see my latest code patches, and talk about its general development and the reMarkable tablet.
There's nothing to stop any of your paying customers from setting up their own site and giving away (or selling for cheaper) copies of RCU, right? I'm guessing you understand that and figure the downside risk is low--small numbers, low stakes, consumer focused, good vibes?
That's right, and they have, but I still earn enough income to develop and maintain the program. Free redistribution does not hurt my sales because people who would have paid for the program do, and those who wouldn't can end up trying it, a fraction of whom go on to become customers because they want updates and support from the most-trusted source (me).
You'll see a very similar thing elsewhere: illicit file sharing increases box office revenue and increases album sales.
Anyone who wants a no-fee copy of RCU can find it many places by searching. If someone ever extends my program with a cool new feature, their version must be released as AGPLv3+, and that means I can re-incorporate their improvements into my own offering. The market dynamics of free/libre software are such that since I have the reputation, the first-mover advantage, and the top search engine rankings, then anyone looking to compete needs to do so on quality of features -- which I have the license to copy, just as they copied from me. Anyone who wants to compete with me needs to compete with all that.
Anyone who shares my program ends up promoting it in the best way possible, by talking about it and telling others it's good and worth using.
If you make software with a small team and you have about 2 dozen customers who pay for a support contract, then those contracts are actually surprisingly cheap.
Just because they’re failing doesn’t mean switching licenses will help. HashiCorp did not increase the popularity of Terraform Cloud by clamping down on the ability of other companies to host Terraform services.
There were any number of things HashiCorp could have done to improve revenue generation from their products without changing the source license. When they realized they weren’t building the best SaaS version of their products, they didn’t try to improve their service. Instead they tried to run the competition out of business.
"Corporate Open Source" is many things. Look at how many companies are paying for membership on the Linux Foundation Board: Platinum costs $500k a year, gold is $100k a year, and silver is $5-20k based on size: https://www.linuxfoundation.org/about/members
Linux foundation was never about Linux or open source. quite the contrary.
the foundation started as a way for companies to band Against gpl. and they won the day Linus have up and allowed tainted kernel be the default and every device distributor moved their proprietary code to modules and rejoiced.
their focus then was on gpl3 fud because google et al have much more money than modem vendors.
The resistance to GPL isn't just companies, I think you'll find the average programmer prefers using libraries licensed under MIT when given the choice.
It seems like there's a kind of political ideology over what "open source" even means and how it should be practiced.There's a school of thought that says we should switch everything over to viral copyleft licenses. This will "protect" the code and ensure all derivative work is always open source.
Then there's others, like myself, who believe if you want something that's truly "free and open" it should come with as few conditions as possible.
What about LGPL? It used to be everywhere when people were using SourceForge - but post-GitHub it seems to have dropped-off in popularity.
When libs are distributed as binaries (.NET, Java, etc) it feels LGPL vs MIT/Apache is moot as hardly anyone actually modifies libraries, it seems. I wonder how different it is for Go and C/C++…
Unfortunately true. I like to call the Linux foundation the megacorporations LUG (Linux user group). They want to use Linux alright, but they would prefer to do with it whatever they want, so they are not really friends of the GPL and a few other things.
Products aren't projects, which has confused people for decades.
If open source products retreating from some of the "freedom" elements bothers you, then you should be focusing your ire on the megacorporations and overfunded startups who simply refuse to contribute to the financial viability of the products that sustain them.
For some reason "we" celebrate the exploitative, though, so I guess that's out.
Yep. The author complains that there used to be plucky startups with Open Core business models who've now gone "extinct", while simultaneously sharpening their pitchforks because those same companies got successful and _slightly_ amended their licenses to prevent loosing revenue against IaaS giants so that they can, in turn, continue innovating. I guess money grows on trees where they live.
The projects I think of most are redis and ansible—both of which I've used extensively, and quickly went from 'neat thing I spotted on Hacker News' to 'now it's a startup', then a few years later 'it's just another corporation, the open source project is buried somewhere deep inside'.
The projects weren't as much open core as they were literal open source projects made to solve some problem the author had with other existing tooling. The open core part was injected when the startup decided it had to turn into a platform to sustain the beefy staffing budgets while they figured out how to generate revenue off something that was freely available.
I'm not sure what the alternative is or what you are advocating. Antirez stopped working on Redis 4 years ago. We were lucky someone created Redis "for the love of the game". Now before you there are a couple options
1. Antirez2 pops up and works on Redis because they love working on Redis
2. Someone is incentivized, with money, to work on Redis.
(1) didn't happen, so we must go with (2), and with (2) comes the problem of the actual business model that will be used to sustain (2).
A. Donations/Support contracts
B. Open "Core" aka I'm the only one allowed to sell this as SaaS.
Method (A) has shown to be an abject failure while AWS takes your revenue. Companies have successfully chosen method (B). Either you have a method (C) in mind, or you just aren't being reasonable in asking people to work on OSS for free. You can be mad about the "rugpull", but between the choice of "rugpull" and abandon the project, I don't see how "rugpull" is the worse option
There's plenty of people / groups willing to work on Redis without direct monetary compensation, as the plethora of forks have shown. They don't need to be 'asked'.
The only problem is that the people who bought the copyright now want an ROI.
We saw this with xz. Many, including me, suggested this is an example of how paying developers could reduce likelihood of attack and speed up progress. These people make these products in their spare time. You know... After work. So they clearly would rather do that than their job. But a common response was "what, so we could pay the hacker?" Which missed the entire point.
I'm also reminded by a relatively recent episode of either PIMA or Freakanomics (I forget which) where Steve asks Bill Gates why charities don't pay as well as corporate gigs and Gate's response was "it's a charity".
We seem to forget that things take work. Just because someone does that work on their own time and without asking for compensation doesn't mean that they don't deserve it. It just means their more passionate.
> By working on a project with a CLA, where you sign away your code, you're giving carte blanche for the company to take away your freedom to use their software.
Ok it's been a while so I don't remember the details or how it played out, but when Linux introduced a CoC, there were people who contributed to the kernel in the past that threatened to withdraw their code from the kernel, which would've been a nightmare to handle and clean up. How much power does a contributor have if my project is using a standard licence like GPL or BSD? Does the contributor hold any copyright over their code? Im not talking about rug pulls here, let's just say the contributor gets really mad at me for some reason.
I don't think a contributor can unilatary withdraw their code from a code base unless there is license change. Then it wouldn't be about "withdrawing" their code but refusing to allow it to be distributed under a different license than the one that applied when they submitted it.
So if Linus wanted to relicense the kernel under a different license than GPL2 he couldn't do it by himself without tracking down all the contributors and getting them to agree to the license change or removing the code in question which, for someting as large and with as many contributors as the kernel, would be basically impossible.
The CoC is completely different. It's not a license change but a process change. If a contributor doesn't like a new CoC or a new processs they can decide to no longer contribute in the future under that process, including no longer maintaining "their" code already in the kernel but they can't force anyone to remove it.
I think that the developer can demand a withdrawal of their contribution, though I don't know what happens to the code that's already published under a FOSS license. Regardless, many projects including the Linux kernel require the developer to sign off their contributions under the terms of the 'developer certificate of origin' [1]. While the developer retains the copyright to the contribution under DCO, they acknowledge that it will be distributed in perpetuity under the original license. So, retracting the contribution may not be an option.
The main purpose of a DCO is to take the portion of a CLA that guarantees the developer actually has a right to license the code under the project's license, as it's something that some users worry about using the software without. Basically so if someone copies some code from one of the Windows leaks into Linux and Microsoft comes to sue the Linux Foundation over it, they can point to it and say "we had legal sign off they had the right to license this code, please sue them instead".
In terms of irrevocability, the DCO is not that different from most open source licenses who themselves claim to be perpetual. The arguments for exceptions to that being true all either apply to e.g. both the GPL and the DCO, or to neither.
Generally the consensus is that an irrevocable license grant means irrevocable, though there are some concerns about examples set by e.g. the precedent that lets artists claw back rights from record labels after 30 years.
Without a separate CLA or copyright assignment, the contributor retains the copyright to their code, and licenses it to the project under the terms of the GPL (or whatever license).
The license is basically a legally-binding promise not to sue, as long as you follow the rules in the license. So the general consensus is that they can't terminate the license unless you violate the license. (Though there are dissenting opinions on that.)
Are you sure? (/s), because IBM mentioned "AI" no less than 10 times in their announcement of the purchase:
> AI-driven application growth … IBM's deep focus and investment in […] AI … The global excitement surrounding generative AI … HashiCorp's capabilities and talent will create a comprehensive hybrid cloud platform designed for the AI era … generative AI deployment continues to grow … IBM's commitment to […] AI innovation … today's AI revolution … AI-driven complexity … IBM is a leading provider of global […] AI, … IBM's breakthrough innovations in AI
Thankfully the press managed to delete most of those, though there were some announcement that nonetheless took the bait.
Obviously, you discover and talk to AI services with consul, store AI secrets in vault, deploy AI platform nomad with AI infrastructure software terraform.
It's weird because in this case you could also read it as "Jeff Geerling says that corporate open source is dead", which just happens to be posted on his personal blog that has a domain name which is his personal name. It's not as if it's the site that called "Jeff Geerling" after all.
The title should be as posted on the blog, it would be weird if he put Jeff Geerling there (and he didn't). Rule's the same for bloggers without their name (obviously) in the domain, e.g. Julia Evans at jvns.ca is often submitted; not with a 'Julia Evans:' prefix.
Seems the HTML <title> attribute of his page is "Corporate Open Source Is Dead | Jeff Geerling". OK, that's not "Jeff Geerling: Corporate Open Source Is Dead" like on this HN page, but it's certainly not "jeffgeerling.com" either. The difference between a "Jeff Geerling:" prefix and a "| Jeff Geerling" suffix is rather small in comparison. So what, exactly, is "as posted on the blog"?
>it would be weird if he put Jeff Geerling there (and he didn't).
It's not like the main title within the page is just "Corporate Open Source Is Dead" either; there's a more prominent "Jeff Geerling" above that. So yes, he did.
(Personally, I usually go with what's displayed on the browser window title / tab, i.e. the <title> attribute. AFAICR.)
The declining share price and profits is exactly what made it possible for IBM to buy Hashicorp. The license change didn't juice things -- it watered down the price. $6 billion is a snip compared to the $14 billion IPO valuation.
If you can't capture sufficient value, you're not going to be able to make a business around it. The problem isn't value creation, which the OSS model does do. The problem is value capture. That's why so many people go around saying "We need to pay X more". That's a sign that creation and capture have a gap.
You'll see that with traditional open-source. With companies that attempt to capture the value, your customers will always hate you unless you're careful.
Of course using the Elastic license family from the beginning is one way there. The Llama license family is another way. But perhaps my favourite observed thing has to be Kong's licensing: the base thing is Apache 2.0 but when you sign a contract with them, they'll give you access to the Enterprise plugins and you can edit their source. I loved working with them.
They seem to have done a good job with value capture. I think they're leaving a lot on the table, but there is significant path dependence on what they've done, so they don't have the option any more. But good job.
What is dead is the utopian dream that making companies whose main product is raw software, is possible to do in a sustainable way, while keeping everything open source.
There are bills to pay, donations only give so much, very few buy books from community members, consulting doesn't apply to all software, trainings even less, not everything can be a SaaS,...
Most successful open source projects are actually backed by companies and most of those projects are of course alive and kicking. The entire fortune 500 runs on software and the most of that consists of massive amounts of open source with some sprinklings of proprietary stuff mixed in. Linux would have stayed a silly hobby project without the possibility for this.
What's dead, or rather was never really that much alive is the notion of not quite so open source projects where a single corporate entity attempts to dictate the rules and actively discourages outside contributions, and people profiting from "their" source code. As a proportion of most widely used OSS software the amount of software and the number of developers involved with it is a rounding error.
There are two main problems with corporate OSS:
1) it stifles the formation of a healthy community of outside contributors. This endangers long term success of projects. The more restrictions exist (e.g. copy right transfers or aggressively anti commercial usage licenses like AGPL), the more likely it is that would be contributors will take the hint and stay away.
2) it limits growth to the strategy, financial success, and imagination/skills of just one company. Because with projects being bottle necked on the financial success of just one company and cut of from outside help, absolutely nothing happens unless that one company pays for it.
And with finances effectively supplied by VC investors interested more in IPOs and quick exits than good software, OSS is just a buzzword that goes on the investor deck and not something they actively value or appreciate. Hence legal monstrosities like BSL that make no sense whatsoever from the point of view of nurturing a healthy community of external developers. Most VC companies of course fail. That kind of is the point. And most of their restrictively licensed software projects die along with them and don't survive the implosion of these companies. Developers move onto other things and the software gets peddled to hedge-funds or companies like IBM.
The only exception to this is properly licensed open source that can simply be forked. Oracle, Redis, Red Hat, Hashicorp, Elasticsearch, etc. found that out the hard way. The answer is not getting more proprietary about OSS software and preventing forks. The software gets forked precisely because these projects are too valuable to let it rot away behind corporate pay walls. This is not a failure of open source but actually a huge success. The software will long survive the misguided corporate shenanigans. The software and community will be fine. Those companies, possibly a lot less.
The Jury is still out. I suspect in 5 years, Valkey and OpenTofu will be more popular than Redis and Terraform, at the very least for new products, but probably also for most actually maintained products. There's a good chance OpenSearch will also displace Elasticsearch.
I recently re-licensed a large open source project from MIT to a source-available license which restricts redistribution after someone decided to fork it, completely rearrange the code and introduce subtle breaking interface changes, and then package it up with basic Electron UI for sale on a platform digital store.
I don't know what the answer is, but the OSI definition is clearly not built to withstand this era of late stage capitalism and the "hustle culture" that permeates through it.
Trademark law should handle this (at least in some countries). Register a trademark and then send a cease and desist to the fork as they are creating confusion in the marketplace by distributing something they created using your registered name.
Perhaps consider using Apache 2.0 license, section six has language that specifically addresses trademarks.
A lot of open source devs are allergic to promoting their work so owning the trademark won't help them. For example, the above developer could have created their own official GUI and put it in the app store but they won't. Realistically the value is in GUIs, SaaS, marketing, etc. not in backend code.
I do a fair bit of promotion on YouTube[1] which has resulted in a vibrant community around the software, and I am now creating an official, free GUI[2].
In this specific case even if there had been a trademark in place, the person in question had not used the name of the project at all, but had decided to aggressively market it in community spaces.
Ultimately after much reflection and experiencing first hand how easy it is for people to abuse (in my opinion) the option of deliberately hard-forking and introducing breaking changes to funnel people towards a paid piece of software (in this case, a GUI) that will _only_ work with their hard-fork, I concluded that preventing this kind of ecosystem fragmentation is more important to me than an "OSI-approved" badge.
It's basically become market research where the amount of devs which get hooked indicate success and these devs also double as the client (a trap). I try to stay with my stack, which also makes me miss out on things like the highly recommended Tailscale-service.
I started (and just published) a website[1] that tries to track relicensing risks across a number of OSS projects. The current methodology looks at trademark holders, licenses, and CLA/DCO requirements. I think there's community value in educating develpers, surfacing risks, tracking when a project changes it's posture, and promoting forks.
If this sort of thing is interesting to you, I'm looking to expand the project listing with community support. I suspect the relicensing trend is on its way up.
This goes against the foss ethos but given that foss is ultimately rooted in freedom I think what I will suggest can be reconciled with the primary principle.
I’ve been thinking the only way to truly protect freedom of individuals and of foss development is to have a dual license which is foss unless you deploy it to over 10m users or 10m revenue or belong to list of companies like the eu designated gatekeepers. In that case each project should have the latitude to decide if they will enforce terms if any. Meaning that given the needs of the developers being otherwise met they can always forego any additional requirements
I don't blame the big corps like IBM (disclaimer: I work there, I don't speak for them) and Microsoft and Google. I really blame investors who are looking to get their money back. When they force an IPO but there's no business model to sustain the company, this is what happens. CEOs resort to developer-hostile actions which kills off the community and generates ill-will towards the company. People here shit on "lifestyle companies" but IMO that's the best model for sustainablility and developer communities (if that's what you're into).
If you offer something for free. And it becomes popular partly because it is free. Well it should be pretty clear that there is not huge money in free product... And at some level someone packaging with some margin your free product is well...
So the TLDR; is don't trust any corporate open source that requires a CLA and don't contribute to those projects unless you are prepared to fork if the rug gets pulled.
Any project with a CLA was already subject to that stipulation. You get to do work for a company for free with the added benefit that you're now also on the hook for any legal problems that might arise from the code you contributed.
What a deal, you get to put in the time and effort AND potentially fight a legal battle when a patent troll decides to go "wouldn't it be fun if" all on your own!
Ah sorry about that, was paraphrasing for the video, but the blog post should have the direct quote since I don't have a snapshot. I'll update the page when I'm back at my computer later!
Always remember: It's either AGPLv3 or proprietary all rights reserved. Anything else means you're giving your labor away for free to the beggar barons. Biggest wealth transfer in history, from developers and straight into the pockets of billionaires. It's just irrational.
Also remember: Whoever owns the copyright gets to do whatever they want. The licensing security of free software, defined here as the likelihood of free software remaining free software, is proportional to the number of copyright owners involved. Changing the license requires agreement between all copyright holders, once a sizeable number of them has built up it becomes all but impossible. Therefore, anyone who asks you to assign your copyright to them should be viewed with suspicion. A true proponent of free software would want to maximize the number of copyright holders involved, not centralize the copyrights under a single entity.
That's exactly the point I was making. My whole point was: DO NOT just give things away. That's just irrational. It brings you no profit and doesn't actually create long lasting wealth and freedom in the form of copyleft software. All it does is enable your exploitation. All it does is enrich billionaire corporations who are free to take the work of others, use it to make a killing and then laugh all the way to the bank at the suckers who made it all possible for free.
Don't just give your code away for free. Either make it proprietary all rights reserved, or make it AGPLv3. Those are the two choices. Maximum profit or maximum freedom. Either they pay you lots of money, or they adhere to the full set of conditions spelled out by the AGPLv3.
Don't just give your stuff away. Attach lots of strings to it. Strings that force others to benefit you in return for your generosity. Either by paying you lots of money or by being equally generous to you in return.
Don't just give software away. That was the point.
There is exactly one scenario where "permissive" licensing makes sense: a world without copyright. In other words, a world without licensing at all. They can copy your software and you can copy theirs. Until such a day comes that copyright is abolished though, "permissive" licensing is just nonsense, it just gives away all your leverage.
You cut off “if you care about what happens to them afterwards”. It’s perfectly fine for somebody to just give software away as long they’re fine that someone else will make money off it. You don’t seem to be fine with it, but others are.
I've seen quite a few of these people become very bitter over the years. Taken for fools and exploited. They were supposedly "fine" with it at first. At some point it must have hit them.
I don't blame them. Their reaction is understandable. I blame whoever came up with this "permissive licensing" psyop.
That's not correct though. Charity is a valid thing.
Expectations-based giving should honestly always be frowned upon. Once you give something up it's no longer in your control. If somebody has a problem with that, it's actually them that's the problem.
I think a lot of folks don't think through the licenses they choose before they use them. They never really thought about if they'd be mad if somebody else commercialized their code. You give up that right when you chose that license but that's okay. Licensing is a choice.
You're also free to use AGPL if you want or even go proprietary -- but don't blame open source licenses if you chose them by mistake.
I'm willing to bet almost everyone who does free and open source software is secretly hoping it will come back to them somehow. Usually as an actual job, maybe as a consultant for the software they created, maybe custom feature work. These days it's often a patreon or github sponsorships which are ethical ways to make money. Maybe it's the prestige of having one's full name attached to some major project that drives them. Maybe it's the enthusiasm for computing freedom and the copyleft ideals: sharing your work and benefiting from the work of others in return, knowing that you're adding to a commons and that your freedom is ensured.
Expectations can be as low as basic respect and acknowledgement. But they do exist.
You're absolutely right that most people don't seem to think through the licenses that they choose. That's my point though. That's why I came here. To tell everyone that it makes no sense to choose anything but AGPLv3 or proprietary. If you agree with me, then upvote the comment so that more people will see it and hopefully avoid falling into the permissive licensing trap.
Teraform and serverless doing the exact same thing at the exact same time really indicates that the market conditions that allowed for software like this was not long term sustainable.
As a builder that leverages them both, I'm saddened, but I get it.
None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it, and prevent others from exploiting you in the process.
Hyperscalers like Amazon exploit OSS projects by reselling them as a cloud service and they earn a gigantic sum in the process. But this is not a neutral thing to do - the OSS project is still responsible for maintenance! (And in many places, the "no warranty" clause seems completely disregarded - users and corporations demand bugfixes since it's a "critical library")
The most telling sentence is "Open source culture relies on trust. Trust that companies you and I helped build (even without being on the payroll) wouldn't rugpull."...
where is any trust in exploiting someone's work without giving anything back? the hyperscalers routinely break the OSS social contract, but because they abide to the letter of the licences, they get a free pass and many white knights from even the OSS community and even OSI itself.
A business model of "you can see the source, you can modify it but you can't offer it as a service or resell my work" is much more honest and trustworthy than the "develop a library, a cloud service picks it up then pressures you with PRs and issues until you permanently burn out from the whole thing"
This is partly addressed by the post - "But you know what? I'd just prefer honesty. If revenue is so dependent on selling software, just... make the software proprietary. Don't be so coy!".
This is not honesty though. Claiming that anything not party-approved.... I mean OSI-approved is not open source and it's proprietary is a very myopic thing. For users and developers, it's much more beneficial if they can see or even modify the source even if they don't have an unrestricted right to use and modify it however they want. This absolutist, black-and-white approach could potentially lead to many pieces of software becoming fully proprietary, all-rights-reserved in the future since the open source community harasses source available projects quite frequently, and not many have the patience to put up with that. And that would be a sad outcome indeed for user freedom, repairability, portability and other values RMS and the FSF dearly holds.
> None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it...
Should OSS solve that "problem"? Free software predates billion-dollar OSS / open-core companies, it also doesn't require the maintainer directly earn a living from it. Perhaps the era of OSS megacorps and the concomitant VC/startup dreams is setting, as these large, formerly OSS companies are rejecting OSS licenses in favor of bigger profits. To that, I say good riddance, not every useful git repository has to be incorporated.
> ...and prevent others from exploiting you in the process.
The whole point of free and open source software is anyone can use it and improve it - including Amazon and the person you hate. An OSS license is not a growth-hack for adoption: if you want to discourage Amazon from using your product, use AGPL. If you're worried others won't use your AGPL software, then you're growth-hacking.
FL/OSS will be fine between evening/weekend hackers (xz), small-to-medium companies/consultancies (Rails), and our neo-feudal tech overlords (React).
>Should OSS solve that "problem"?
If you don't want a cyberpunk-like dystopia of megacorps controlling everything, yes. This is not just affecting the VC-funded startups' profitability but it also affects ordinary software developers' lifestyle businesses too. Sure, the core principles of OSS don't require that you'd be able to earn money from your work, but then perhaps it is OSS which is not fit for purpose, not the desire to earn money from creating software.
>if you want to discourage Amazon from using your product, use AGPL.
The AGPL is still not restrictive enough because you can resell the software without contributing anything back if you don't modify it. Stuff like the SSPL or the Commons Clause are much better to prevent that kind of exploitation.
>FL/OSS will be fine between evening/weekend hackers (xz), small-to-medium companies/consultancies (Rails), and our neo-feudal tech overlords (React).
I find the xz example especially funny because that shows how it is very much not fine. Single developer, burnt out, not getting paid a penny for his thankless work, a bunch of state-sponsored actors pressure him to hand his project over -> backdoor injected. If Lasse Collin could get support for his project, this almost certainly would not have happened.
https://xkcd.com/2347/ is very relevant here.
> The AGPL is still not restrictive enough because you can resell the software without contributing anything back if you don't modify it
Why would you want to restrict reselling? If you want free software then you’re going to have reselling. If you don’t want reselling, then don’t make your software free/open source.
I’m not sure why people are getting mixed up. Anyone can make proprietary software and restrict all they want. There’s tons of commercial software. But it doesn’t have the features of free/open source.
>Why would you want to restrict reselling?
Depends on what your philosophy is. You believe in the software commons and the free sharing of software? You would want software to remain as a public good so no one can profit from it exclusively.
Are you a business who made some software? You don't want others to resell it because it's your work, you made it and you don't want others to freeload.
>If you don’t want reselling, then don’t make your software free/open source.
Sure, and the consequences of this will be much more all-rights-reserved proprietary software. A huge loss to users and developers.
>But it doesn’t have the features of free/open source.
Yes it does. Just because it doesn't conform to all tenets of the OSI definition, many useful things are still kept. The most obvious is the right to view the source code - which is highly liberating in an age where many vendors lock their systems down or try to offer everything as a SaaS where you don't even see the binaries.
You usually also have the right to modify the software under most of these licences - you are the user but you find a bug in the software, you don't need to wait for the vendor to fix it, you can fix it and share your modifications to other users (either paid or not).
You can also have the right to contribute changes if contributions are allowed, which is also a positive for everyone.
There are many freedoms which can be granted without necessarily going for a maximalist open-source approach but still preserving the right to exploit your own work and prevent others from exploiting it.
> Depends on what your philosophy is. You believe in the software commons and the free sharing of software? You would want software to remain as a public good so no one can profit from it exclusively.
> Are you a business who made some software? You don't want others to resell it because it's your work, you made it and you don't want others to freeload.
I cant help but notice that you assume everyone uses money as a measure of desirable/undesirable outcomes. Whenever I publish a library/project with a GPL license (my preferred license), it's so that others can use it. I have a well paying job that's enabled in part by others sharing their work[1], so I let the "freeloaders" have at it - I too am one, after all.
At the time I release the software, my problem is adequately solved: I already did the work , maybe someone else may benefit. Creating/sharing value with others is the point - I don't mind if someone else sells it : if they abide by the license, that means I can sell something identical for half of whatever they sold it for if I suddenly felt competitive.
1. I'm amazed that I can use Linux, git, hypervisors, orchestrators, various computers and interpreter, libraries, ops tools and more all for free,and with the ability to pry them open and make any changes I want! How frigging cool is that?! I'm compelled to pay it forward in any way I can.
If money is not important, what's the harm in making it available as open source, but with a non-commercial clause?
Because I don't mind people using my software commercially if they are respecting the license. I wouldn't want to be charged for all my commercial usage of Linux, Git, Postgres, zsh, the rust toolchain, etc.
I believe if everyone in our industry tried to capture all/most of of the economic value of their work, we'd all be poorer for it, metaphorically and literally since a huge part of high SDE salaries is due to high productivity enabled by the open source ecosystem. We are all freeloaders, to varying degrees. Without FL/OSS, most of these source-available companies would never have gotten off the ground.
Exactly. I don't understand the drama on this at all.
"Corporate Open Source is dead"?? I don't even know what that means! Having launched at least 20 open source companies, several that went public -- this is not news that this faction of companies were NEVER going to make it (AND WE SAID SO). And that is ok.
That's entirely fair, but you can tailor the licences to target the biggest freeloaders (prohibit hosting it as a cloud service, allow everything else) while letting everyone else use it without worrying about licensing.
That's the beautiful part - you can choose vastly different approaches with differing levels of freedom/openness, depending on your and your users' needs. A game is licenced quite differently than a library which is also licenced differently than a website. And they can all coexist:)
FWIW, I avoid using and contributing to projects with revenue-based licenses on principle - I hate bait-and-switches and folk who pull up ladders behind themselves. They will have to coexist with the forks with standard licenses.
Because software that has a non-commercial clause is not open source. It strips an important freedom from its users.
There’s nothing wrong with it other than being confusing because the software isn’t open source.
Your solution seems to just incorporate OSS and at some point it just isn't OSS anymore. The problem was not the developer of xz, it is the people that build upon it without reflection. Although to be fair, almost every developer has a dependency like that somewhere.
I find it funny that people call to support the developer. That is true, but the scam was exactly about how the dev was pressured to hire more maintainers. The lesson here should be that if third party is nagging you about your open source project, you just hint them on the "no warranty" part. Everything else is their problem.
I wish the developer would swim in money. He did more constructive work than many, many very rich people. Problem still is that there is no entity that could be trusted to pay him. If that would be corporation, the pressure would be even higher. Because then you are essentially a freelancing developer with a corporate contract. You lose freedom and independence, something many OSS developers specifically do not want.
> None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it, and prevent others from exploiting you in the process.
You’re begging the question of whether one should be able to earn a living from making free software.
Free software is not fundamentally about business or profit: it’s about ethics. It’s about the freedom of software users to use, modify and share their software.
How programmers get paid is an interesting question, but it’s not the most important question. The important one is, ‘is it ethical for a programmer to prevent his software’s users from using, inspecting, modifying and sharing modifications to the software they use?’ And the answer in my opinion is a resounding ‘no!’
Sure. If it's about ethics then I could argue that corporations are not people. So I can give the right to all people to use, inspect, modify and share modifications to the software they use, but corporations aren't people so they don't get those rights. :D
None of these blogposts (including this one) have any realistic solution to the problem of making OSS software and being able to live from it
In other words --- developers can not live from Open Source alone.
If all software was Open Source, there would likely be a lot fewer developers. And those that remain would be spending a lot more time and effort on survival and less time creating software.
Open Source is inherently self limiting and unsustainable. It is a utopian concept that defies the basic economic reality we are all forced to contend with.
And the really crazy part --- even the least educated manual laborer can immediately grasp that giving his work away for free invites exploitation. It may be noble and good for somebody --- but ultimately not for himself or others like him.
> "And the really crazy part --- even the least educated manual laborer can immediately grasp that giving his work away for free invites exploitation."
The funniest part is that this outcome was obvious even in the 1990s. Evangelists were begging businesses to start using FOSS with slogans like "free as in beer and free as in speech" and hailing every corporate adoption as a victory. Meanwhile, business were belching contentedly and asking for another free beer while pointedly not giving a rat's ass about giving back or software freedom.
I'm absolutely amazed that it took reality this long to catch up with FOSS.
"Evangelists" = People promoting ideas not firmly rooted in reality.
The software industry seems to harbor more than it's fair share --- crypto evangelists, open source evangelists. As folks from the ghetto used to say, "You gotta be rich to even think like that".
There are uses for CLAs besides rug pulls. For example, if you want to offer software as AGPL, accept community contributions, but be able to _also_ offer a non-AGPL option to paying customers (who effectively pay to be allowed to integrate the license without themselves being subject to licensing risk). Quite a few big orgs have a full ban on internal use of AGPL software so this can be very valuable.
That requires a CLA (as I understand it, IANAL) because you're relicensing a contributor's contribution. At the same time though, I wouldn't consider it a rugpull - contributors lose nothing here, and the open source project gains a funding mechanism (a rare thing in open source).
I think you can do this in a principled way with some extra corporate/bureaucratic machinery, like the Free Qt Foundation, so that it doesn't allow rug pulls.
Even just stuff like releasing a GPL'd game on Steam or consoles can have the same issue if you need to keep some parts proprietary.
There's no such thing as a "GPL'd game with proprietary parts". GPL was designed to prevent that.
You can say "Steam and game consoles only allow publishing software with proprietary components", but don't blame that on GPL.
Funnily, one of the best places for this in practice (IMO) is microsoft. Who is now, again funnily enough, GPLing a lot of their software but have CLAs so they can do long term support for people that want to pay for it.
Latest versions stay fully open source while back ported fixes are a paid feature if you don't keep your software up to date. That, to me, is a win win.
Oracle is doing the same with the JDK.
> Funnily, one of the best places for this in practice (IMO) is microsoft. Who is now, again funnily enough, GPLing a lot of their software but have CLAs so they can do long term support for people that want to pay for it.
Huh, what software is MS releasing under the GPL now?
Not as much as I thought. MIT is more common it looks like.
https://github.com/orgs/microsoft/repositories?q=license%3Ag...
MIT is the standard OSS license for Microsoft stuff that is open source. You also see Apache for some projects that predate standardization on MIT, and GPL where there's no way to avoid it (i.e. when you have to build on code that is itself GPL).
That said, peak OSS at Microsoft is already past. These days, it's all about advertising products as OSS while quietly close-sourcing parts of it (e.g. just about the only thing in VSCode that's fully open source is JS support, every other language extension is closed to some extent).
That's a rug pull for a price. I don't think it's a problem because the software is still there. But it's a rug pull.
Hmm. Orgs which ban AGPL should be marked and targeted for dismantling. Any way to scope them out, or public registry of them we can build? Orgs banning AGPL should not be allowed to exist at all, or use open source at all. They should all be systematically sabotaged by the OSS community, and if possible acquired/reformed, or destroyed.
And it would be very convenient for me to be able to relicense an AGPL contributor's work as if it were mine all along, like an evil genius capitalist, tee hee hee :3
But I would fork a project that tried it, and that is the attitude we should encourage.
Those aren't valid reasons for CLAs in my organizations and projects, since they do damage to AGPL as I envision it.
I wonder if there are other reasons for a genuine AGPL radical to support a CLA? Seems AGPL is good enough on its own, and most CLAs just weaken it - both technically and in a spiritual and ethical sense. Could we strengthen it instead?
Amazon bans it's developers from even viewing AGPL code on corporate devices. Good luck on your crusade.
This is abuse of the AGPL and open source in name only.
Richard Stallman, of all people, is not as intransigent as you.
> I've considered selling exceptions acceptable since the 1990s, and on occasion I've suggested it to companies. Sometimes this approach has made it possible for important programs to become free software.
> [..] [S]elling exceptions permits limited embedding of the code in proprietary software, but the [non-copyleft] X11 license goes even further, permitting unlimited use of the code (and modified versions of it) in proprietary software. If this doesn't make the X11 license unacceptable, it doesn't make selling exceptions unacceptable.
> I consider selling exceptions an acceptable thing for a company to do, and I will suggest it where appropriate as a way to get programs freed.
https://www.gnu.org/philosophy/selling-exceptions.html
The continuous-rugpull part of demanding CLAs is selling other people's work as proprietary.
You'll hear much less complaining if you're selling your own work under a second license.
It feels unfair to describe it as a "rugpull" when the first bullet point, in bold, reads:
> *Grant of copyright license*. You give HashiCorp permission to use your copyrighted work in commercial products.
https://www.hashicorp.com/cla
Unless that text was recently changed, or unless Hashicorp went out of its way to verbally reassure people that they didn't intend to ever exercise that option, I feel very little sympathy for any open source contributor who clicked that link and then was dismayed to find Hashicorp using his work in a commercial product.
Read what you sign, and take responsibility.
I'm glad Jeff pointed out the RMS article on Free software
> For the free software movement, however, nonfree software is a social problem, and the solution is to stop using it and move to free software.
> “Free software.” “Open source.” If it's the same software (or nearly so), does it matter which name you use? Yes, because different words convey different ideas. While a free program by any other name would give you the same freedom today, establishing freedom in a lasting way depends above all on teaching people to value freedom. If you want to help do this, it is essential to speak of “free software.”
> We in the free software movement don't think of the open source camp as an enemy; the enemy is proprietary (nonfree) software. But we want people to know we stand for freedom, so we do not accept being mislabeled as open source supporters. What we advocate is not “open source,” and what we oppose is not “closed source.” To make this clear, we avoid using those terms.
People in the FOSS world has been beating this drum since the very beginning. Free software was always an ideology. I get that that turns people off, just like projects wrapped up in religion and politics do, but it's the only way to ensure that stuff like this doesn't happen.
I concede that the people who champion FOSS are not always the kindest people to be around, see the response from people about Guix when I mentioned it as an alternative to Nix.
But when I was in Boston I was a card carrying member of the FSF. I went to a few libre planets, and I met some real nice people in real life who also cared about FOSS very deeply, so I know not everyone in the community is a jerk.
I think the FSF's take is philosophically solid, and I've gotten a ton of of their software and advocacy over the years, as most software developers surely have. However, developers and other technical people are nearly the only people for whom that's true.
So much of the FOSS world blames marketing for the lack of non-technical users, routinely ignore, or even deride the prospect of prioritizing the most important factor non-technical users choosing software: usability. The people who do so dismiss interface and experience design as superfluous aesthetics. It might be true for people with a working mental model of software architecture in their back pocket, but to others, those little 'trivial' bits of prerequisite knowledge aggregate into a giant frustrating roadblock.
"What we advocate is not “open source,” and what we oppose is not “closed source.”
I have zero idea what this means and I've been on Debian since Woody
They mean that what they advocate is “free software”, not “open source”; and that what they oppose is therefore “non-free software”, not “closed source”.
Honestly, how could that be hard to understand from the context of the discussion here?
It's possible that "Open Source" here is the OSI definition, which FSF has some objections to. If "Closed Source" just means "not Open Source as OSI defines it", then it is true that some non-OSI software is "free" software. Free software still requires source to be available and that you're allowed to modify and distribute it.
The GNU philosophy believes Free Software[1] and Open Source are two different things[2].
1. https://www.gnu.org/philosophy/free-sw.en.html
2. https://www.gnu.org/philosophy/open-source-misses-the-point....
Source available from the beginning is ethical. Open source that becomes something else is shady.
I am glad they tried. I know there's lots of cynical stuff on the internet, but realistically the open source progress on stuff like Terraform or similar wouldn't have happened if these companies didn't try an alternative.
I'm not sure what people want these companies to do. If there's no money, if the idea didn't work, they need to pivot to something that does work.
>> Source available from the beginning is ethical.
It's also mostly pointless. If someone wants to develop features for software they pay for I guess that's their choice.
>> I'm not sure what people want these companies to do.
Not rug-pull.
There are many reasons people prefer open source software other than wanting to do their own development: Security auditing, the ability to reverse engineer protocols / serialization formats, or simply to better understand a product's features.
If you do actual open source and your product is any good, somebody else is just going to repackage it and sell it, either as SAAS/IAAS or as a boxed product. So why not get there first? It's depressing. That's been my experience every time I gave code away, at least. Somebody else made money off it.
Why is it depressing? It was your choice to share it.
I think at this point it's undisputed that modern society relies on a lot of permissively licensed software, and the people who maintain that software aren't getting paid enough (or at all) to do it. xz is only the most recent example, NTP and OpenSSL come to mind.
I used to do OSS development full time, but it wasn't financially sustainable for me.
IMO, that's more of a sad story about the state of respect for supply chain risk management in the software engineering discipline. It may be convenient at first to add a bunch of dependencies for free that solve a particular task, and ignore the part that says "AS IS WITHOUT WARRANTY OF ANY KIND". The only thing a FOSS license gives anyone is code. It never gave anyone maintenance or support.
Any organization that uses software that is "as is" should have a plan to maintain that software themselves, or mitigate the risk in other ways. And many of the large players in this industry do exactly that, and their full-time employees are top contributors to many large FOSS projects.
A great many open source maintainers are employed by a corporation that pays them well, if not fantastically well, for maintaining it. Over time, the trend has been increasingly in that direction.
Exactly. If I put something out in the world for the benefit of others, and someone packages it up for profit, I'm still achieving my goal. In fact, that helps my goal to advance even further! That's not depressing to me, that's exciting.
You could make it AGPL if you don’t want that.
Not unless all the contributors signed an Evil CLA first so I can relicense it :-)
I start all my stuff with AGPL .
Haha jokes on you. I sucked your AGPL code into my LLM and now you have to prove I'm actually using your code when it generates the same thing. Good luck with that.
Copyright laundering has never been so cheap.
It's why things like Captura no longer exist. You make something fantastic with an open source license, someone else renames it and sells it in app stores, and the people running the app stores go "the license allowed for this, we see nothing wrong".
It's well past time for getting rid of licenses that say "you can do what you like with this software", and replace them with licenses that allows you to sell as long as the original project gets a cut, without taking on any of the liability.
The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
There is absolutely nothing wrong with making and selling proprietary software. If you want to make money, you should probably just do that.
I'm very happy to have created a mildly popular permissively-licensed library. It's a contribution to a community with zero intention of profit. That is, for the most part, what open source is all about.
If you read me as saying making and selling proprietary software was wrong, you read a very different text from what I wrote. Making and selling software is perfectly fine, and building that software on top of libraries specifically released for that purpose is equally fine.
Open source licenses that in perpetuity lock you out of any form of gains from your own work, even when that work is the very backbone of someone else's non-open-source, for-pay product, are morally objectionable licenses.
I believe the parent is responding primarily to this point:
> The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
There's no reason this should ruin your life - your quality of living didn't suddenly decrease. If you are unhappy with this outcome, you probably didn't really intend to create open source software, and should stick to writing proprietary software.
> Open source licenses that in perpetuity lock you out of any form of gains from your own work, even when that work is the very backbone of someone else's non-open-source, for-pay product, are morally objectionable licenses.
It is simply false that open source licenses lock you out of any form of gains from your own work. They allow others the opportunity to benefit from it, as you yourself can too.
It is possible that someone wanted to share their work with others without any payment expectations (but not realize the value of their work) and chooses to license it permissively.The product becomes successful, but the only ones earning money through the product are big companies. ( One may argue that project became successful because of its license or because it was used by the said company, but they are difficult arguments to prove and accept).
I won't fault them for expecting to get paid if they later realize the value of their work and know that it is generating significant commercial money. It is natural to feel like being taken advantage of by the commercial entity when they don't get compensated (even if that was their initial choice).
When someone says "you should have chosen to make it proprietary or use a more restrictive license from beginning", it might come across as a polite way of saying "Too bad, no backsies! You were foolish enough to chose a permissive license. So, accept the consequences".
If a developer wants to get paid for their work with something other than "feel good OSS points", I don't see many options out there. They need to solicit donations(which doesn't have good track record) or re-license.
I think as more products go through this cycle of permissive license, monetization by third-party and re-licensing, we'll be seeing a significant number of projects erring on the side of caution and use restrictive licenses from the start.
I think this discounts the rest of the work required in converting a technological solution into a product. That is, marketing, sales, support, strategy, operations, and oftentimes, UI/UX work.
But in general, yes, I feel that the bigger issue here is a fundamental mismatch between the author's desires and their chosen license. It's not so different from signing a contract with terms you later regret.
Maybe we need better licenses.
>> are morally objectionable licenses.
Easy on the drama there. Nobody makes someone use a particular piece of software. Don't build your product with pieces that don't fit your plans.
> MIT/GPL/CC0
There's (many) different licenses - for a reason.
If someone makes a small game, wants users to enjoy all the freedoms its developer had, but does not want random 3rd party to include it in a product without telling their users about that, use a GPL style license.
If someone is working on a network protocol, an image format, or audio/video codec, and have that go everywhere to become a defacto standard is more important than other considerations, go for a BSD/MIT style license.
Some vendors don't mind their users looking under the hood. But still want to retain control. Enter 'shared source' (=not open source) or dual licensing (eg. free for non-commercial use, commercial users: pay up).
Documentation is different. So is hardware.
If you're a developer (or vendor): think about this, and pick appropriate license. Just don't complain when you did open source something, and a 3rd party runs with it.
The idea that you just mark your work as MIT/GPL/CC0 may have made open source more popular, but it also ruins lives when that thing you worked on for years and never made you anything makes a random drive-by asshole more than your annual salary.
[Citation Needed] (and a couple of questions)
1. How has this ruined someone's life? That mechanism isn't easy for me to see.
2. If the license allowed for it, why should any one see something wrong there?
3. Aren't you putting short shrift on the effort it takes to productize something?
> Why I (A/L)GPL
https://web.archive.org/web/20120620103603/http://zedshaw.co...
> I want people to appreciate the work I’ve done and the value of what I’ve made.
> Not pass on by waving “sucker” as they drive their fancy cars.
This is the correct approach - double license, if you're non-commercial then you'll get GPL/AGPL/etc. and if you're a company and want to use it to make money this way or another then pay up.
A fair approach that provides a way of supporting the people making it and further development.
You do realize, I hope, that if you give even one person A GPL/AGPL version of your software, they can then redistribute it to anyone for any purpose. There's no such thing as "GPL for non-commercial use".
That’s guaranteed to happen. Even beyond that, how are developers going to earn a living with FOSS, at least with open licensing?
We have seen maintainers burnt out. It takes work to write code.
I make substantial income by selling copies of my AGPLv3-licensed program for $12/ea.
You've piqued my interest. Can you share more? Do you have a blog post about your product and how you sell it?
I don't have a post about it, but the equation is pretty simple: good cross-platform software + good documentation + responsive development = good product. The trick is to write good software -- the license doesn't matter so much. But, making it free/libre is competitively advantageous, all else considered. Some customers have told me they would not have considered paying for a proprietary option.
My project is called reMarkable Connection Utility (RCU), and it makes about $2.1k MRR, selling ~200 copies/month. Some months are worse, some are better.
I've never purchased any advertisement. Its users advocate for it through online forums. That genuine attestation, to its quality and also to me as a person/programmer, helps it sell. That its users, too, are free to share their copy with friends helps people encounter the program who otherwise would not have purchased forthright.
I sell it from my personal website with links to PayPal and Stripe. The return URL is its download page. No JavaScript anywhere. I provide the entire Git history of the project, as well as binaries for all major distros of GNU/Linux, FreeBSD, Windows, and macOS. I also provide two mailing lists -- one for all customers to be informed of updates, and another for customers to talk with each other, see my latest code patches, and talk about its general development and the reMarkable tablet.
http://www.davisr.me/projects/rcu/
There's nothing to stop any of your paying customers from setting up their own site and giving away (or selling for cheaper) copies of RCU, right? I'm guessing you understand that and figure the downside risk is low--small numbers, low stakes, consumer focused, good vibes?
That's right, and they have, but I still earn enough income to develop and maintain the program. Free redistribution does not hurt my sales because people who would have paid for the program do, and those who wouldn't can end up trying it, a fraction of whom go on to become customers because they want updates and support from the most-trusted source (me).
You'll see a very similar thing elsewhere: illicit file sharing increases box office revenue and increases album sales.
Anyone who wants a no-fee copy of RCU can find it many places by searching. If someone ever extends my program with a cool new feature, their version must be released as AGPLv3+, and that means I can re-incorporate their improvements into my own offering. The market dynamics of free/libre software are such that since I have the reputation, the first-mover advantage, and the top search engine rankings, then anyone looking to compete needs to do so on quality of features -- which I have the license to copy, just as they copied from me. Anyone who wants to compete with me needs to compete with all that.
Anyone who shares my program ends up promoting it in the best way possible, by talking about it and telling others it's good and worth using.
fwiw, I agree with your sales model. I have bought software (non OSS) that I have tried from warez simply because it was better.
When copying a business you have to also copy their marketing channels. Product is only half the story.
Thanks! I bought it like a month ago! Haven't had time to use it much, but it came handy to downgrade my reMarkable 2 :)
See his bio http://www.davisr.me/
I'm actually a paying customer of his RCU software (for managing reMarkable tablet firmware, backups, etc).
Thank you. It would not be possible without the financial support and advocacy from people like you.
If you make software with a small team and you have about 2 dozen customers who pay for a support contract, then those contracts are actually surprisingly cheap.
Just because they’re failing doesn’t mean switching licenses will help. HashiCorp did not increase the popularity of Terraform Cloud by clamping down on the ability of other companies to host Terraform services.
There were any number of things HashiCorp could have done to improve revenue generation from their products without changing the source license. When they realized they weren’t building the best SaaS version of their products, they didn’t try to improve their service. Instead they tried to run the competition out of business.
> When they realized they weren’t building the best SaaS version of their products, they didn’t try to improve their service
They went there several versions of their cloud products over the years, and pivoted a few times during that span
It’s a business. It will by default do the easiest and least riskiest thing to make as much money as possible.
> ~~It’s a business. It~~ will by default...
They're humans. They will by default...
Individuals almost always have values beyond monetary gain. Businesses usually don't.
> Source available from the beginning is ethical.
Not to rms.
You must read https://www.gnu.org/philosophy/selling.html
I have but don't get your point. Could you elaborate, please?
[flagged]
"Corporate Open Source" is many things. Look at how many companies are paying for membership on the Linux Foundation Board: Platinum costs $500k a year, gold is $100k a year, and silver is $5-20k based on size: https://www.linuxfoundation.org/about/members
Linux foundation was never about Linux or open source. quite the contrary.
the foundation started as a way for companies to band Against gpl. and they won the day Linus have up and allowed tainted kernel be the default and every device distributor moved their proprietary code to modules and rejoiced.
their focus then was on gpl3 fud because google et al have much more money than modem vendors.
The resistance to GPL isn't just companies, I think you'll find the average programmer prefers using libraries licensed under MIT when given the choice.
It seems like there's a kind of political ideology over what "open source" even means and how it should be practiced.There's a school of thought that says we should switch everything over to viral copyleft licenses. This will "protect" the code and ensure all derivative work is always open source.
Then there's others, like myself, who believe if you want something that's truly "free and open" it should come with as few conditions as possible.
What about LGPL? It used to be everywhere when people were using SourceForge - but post-GitHub it seems to have dropped-off in popularity.
When libs are distributed as binaries (.NET, Java, etc) it feels LGPL vs MIT/Apache is moot as hardly anyone actually modifies libraries, it seems. I wonder how different it is for Go and C/C++…
Unfortunately true. I like to call the Linux foundation the megacorporations LUG (Linux user group). They want to use Linux alright, but they would prefer to do with it whatever they want, so they are not really friends of the GPL and a few other things.
Bingo.
Salty losers can downvote all day with no response :^)
Products aren't projects, which has confused people for decades.
If open source products retreating from some of the "freedom" elements bothers you, then you should be focusing your ire on the megacorporations and overfunded startups who simply refuse to contribute to the financial viability of the products that sustain them.
For some reason "we" celebrate the exploitative, though, so I guess that's out.
Yep. The author complains that there used to be plucky startups with Open Core business models who've now gone "extinct", while simultaneously sharpening their pitchforks because those same companies got successful and _slightly_ amended their licenses to prevent loosing revenue against IaaS giants so that they can, in turn, continue innovating. I guess money grows on trees where they live.
The projects I think of most are redis and ansible—both of which I've used extensively, and quickly went from 'neat thing I spotted on Hacker News' to 'now it's a startup', then a few years later 'it's just another corporation, the open source project is buried somewhere deep inside'.
The projects weren't as much open core as they were literal open source projects made to solve some problem the author had with other existing tooling. The open core part was injected when the startup decided it had to turn into a platform to sustain the beefy staffing budgets while they figured out how to generate revenue off something that was freely available.
I'm not sure what the alternative is or what you are advocating. Antirez stopped working on Redis 4 years ago. We were lucky someone created Redis "for the love of the game". Now before you there are a couple options
1. Antirez2 pops up and works on Redis because they love working on Redis
2. Someone is incentivized, with money, to work on Redis.
(1) didn't happen, so we must go with (2), and with (2) comes the problem of the actual business model that will be used to sustain (2).
A. Donations/Support contracts
B. Open "Core" aka I'm the only one allowed to sell this as SaaS.
Method (A) has shown to be an abject failure while AWS takes your revenue. Companies have successfully chosen method (B). Either you have a method (C) in mind, or you just aren't being reasonable in asking people to work on OSS for free. You can be mad about the "rugpull", but between the choice of "rugpull" and abandon the project, I don't see how "rugpull" is the worse option
There's plenty of people / groups willing to work on Redis without direct monetary compensation, as the plethora of forks have shown. They don't need to be 'asked'.
The only problem is that the people who bought the copyright now want an ROI.
You can add nginx to the list as well.
We saw this with xz. Many, including me, suggested this is an example of how paying developers could reduce likelihood of attack and speed up progress. These people make these products in their spare time. You know... After work. So they clearly would rather do that than their job. But a common response was "what, so we could pay the hacker?" Which missed the entire point.
I'm also reminded by a relatively recent episode of either PIMA or Freakanomics (I forget which) where Steve asks Bill Gates why charities don't pay as well as corporate gigs and Gate's response was "it's a charity".
We seem to forget that things take work. Just because someone does that work on their own time and without asking for compensation doesn't mean that they don't deserve it. It just means their more passionate.
> By working on a project with a CLA, where you sign away your code, you're giving carte blanche for the company to take away your freedom to use their software.
Ok it's been a while so I don't remember the details or how it played out, but when Linux introduced a CoC, there were people who contributed to the kernel in the past that threatened to withdraw their code from the kernel, which would've been a nightmare to handle and clean up. How much power does a contributor have if my project is using a standard licence like GPL or BSD? Does the contributor hold any copyright over their code? Im not talking about rug pulls here, let's just say the contributor gets really mad at me for some reason.
I don't think a contributor can unilatary withdraw their code from a code base unless there is license change. Then it wouldn't be about "withdrawing" their code but refusing to allow it to be distributed under a different license than the one that applied when they submitted it.
So if Linus wanted to relicense the kernel under a different license than GPL2 he couldn't do it by himself without tracking down all the contributors and getting them to agree to the license change or removing the code in question which, for someting as large and with as many contributors as the kernel, would be basically impossible.
The CoC is completely different. It's not a license change but a process change. If a contributor doesn't like a new CoC or a new processs they can decide to no longer contribute in the future under that process, including no longer maintaining "their" code already in the kernel but they can't force anyone to remove it.
I think that the developer can demand a withdrawal of their contribution, though I don't know what happens to the code that's already published under a FOSS license. Regardless, many projects including the Linux kernel require the developer to sign off their contributions under the terms of the 'developer certificate of origin' [1]. While the developer retains the copyright to the contribution under DCO, they acknowledge that it will be distributed in perpetuity under the original license. So, retracting the contribution may not be an option.
[1] https://developercertificate.org/
The main purpose of a DCO is to take the portion of a CLA that guarantees the developer actually has a right to license the code under the project's license, as it's something that some users worry about using the software without. Basically so if someone copies some code from one of the Windows leaks into Linux and Microsoft comes to sue the Linux Foundation over it, they can point to it and say "we had legal sign off they had the right to license this code, please sue them instead".
In terms of irrevocability, the DCO is not that different from most open source licenses who themselves claim to be perpetual. The arguments for exceptions to that being true all either apply to e.g. both the GPL and the DCO, or to neither.
Generally the consensus is that an irrevocable license grant means irrevocable, though there are some concerns about examples set by e.g. the precedent that lets artists claw back rights from record labels after 30 years.
> I think that the developer can demand a withdrawal of their contribution
I don't. And neither do you, judging from your last sentence:
> So, retracting the contribution may not be an option.
So what did you mean by the first one?
The second statement was specifically about when the DCO is in effect. The first one is about when it isn't.
Ah, OK, gotcha.
Without a separate CLA or copyright assignment, the contributor retains the copyright to their code, and licenses it to the project under the terms of the GPL (or whatever license).
The license is basically a legally-binding promise not to sue, as long as you follow the rules in the license. So the general consensus is that they can't terminate the license unless you violate the license. (Though there are dissenting opinions on that.)
> And they're not even a pointless AI company!
Are you sure? (/s), because IBM mentioned "AI" no less than 10 times in their announcement of the purchase:
> AI-driven application growth … IBM's deep focus and investment in […] AI … The global excitement surrounding generative AI … HashiCorp's capabilities and talent will create a comprehensive hybrid cloud platform designed for the AI era … generative AI deployment continues to grow … IBM's commitment to […] AI innovation … today's AI revolution … AI-driven complexity … IBM is a leading provider of global […] AI, … IBM's breakthrough innovations in AI
Thankfully the press managed to delete most of those, though there were some announcement that nonetheless took the bait.
Ah, maybe IBM was duped into thinking HashiCorp was an AI play?
Obviously, you discover and talk to AI services with consul, store AI secrets in vault, deploy AI platform nomad with AI infrastructure software terraform.
HN title guidelines[0]: If the title includes the name of the site, please take it out, because the site name will be displayed after the link.
[0]: https://news.ycombinator.com/newsguidelines.html
It's weird because in this case you could also read it as "Jeff Geerling says that corporate open source is dead", which just happens to be posted on his personal blog that has a domain name which is his personal name. It's not as if it's the site that called "Jeff Geerling" after all.
The title should be as posted on the blog, it would be weird if he put Jeff Geerling there (and he didn't). Rule's the same for bloggers without their name (obviously) in the domain, e.g. Julia Evans at jvns.ca is often submitted; not with a 'Julia Evans:' prefix.
> The title should be as posted on the blog
Seems the HTML <title> attribute of his page is "Corporate Open Source Is Dead | Jeff Geerling". OK, that's not "Jeff Geerling: Corporate Open Source Is Dead" like on this HN page, but it's certainly not "jeffgeerling.com" either. The difference between a "Jeff Geerling:" prefix and a "| Jeff Geerling" suffix is rather small in comparison. So what, exactly, is "as posted on the blog"?
>it would be weird if he put Jeff Geerling there (and he didn't).
It's not like the main title within the page is just "Corporate Open Source Is Dead" either; there's a more prominent "Jeff Geerling" above that. So yes, he did.
(Personally, I usually go with what's displayed on the browser window title / tab, i.e. the <title> attribute. AFAICR.)
The declining share price and profits is exactly what made it possible for IBM to buy Hashicorp. The license change didn't juice things -- it watered down the price. $6 billion is a snip compared to the $14 billion IPO valuation.
Fintan Ryan has a nice write-up here: https://medium.com/@fintanr/on-ibm-acquiring-hashicorp-c9c73...
If you can't capture sufficient value, you're not going to be able to make a business around it. The problem isn't value creation, which the OSS model does do. The problem is value capture. That's why so many people go around saying "We need to pay X more". That's a sign that creation and capture have a gap.
You'll see that with traditional open-source. With companies that attempt to capture the value, your customers will always hate you unless you're careful.
Of course using the Elastic license family from the beginning is one way there. The Llama license family is another way. But perhaps my favourite observed thing has to be Kong's licensing: the base thing is Apache 2.0 but when you sign a contract with them, they'll give you access to the Enterprise plugins and you can edit their source. I loved working with them.
They seem to have done a good job with value capture. I think they're leaving a lot on the table, but there is significant path dependence on what they've done, so they don't have the option any more. But good job.
What is dead is the utopian dream that making companies whose main product is raw software, is possible to do in a sustainable way, while keeping everything open source.
There are bills to pay, donations only give so much, very few buy books from community members, consulting doesn't apply to all software, trainings even less, not everything can be a SaaS,...
Most successful open source projects are actually backed by companies and most of those projects are of course alive and kicking. The entire fortune 500 runs on software and the most of that consists of massive amounts of open source with some sprinklings of proprietary stuff mixed in. Linux would have stayed a silly hobby project without the possibility for this.
What's dead, or rather was never really that much alive is the notion of not quite so open source projects where a single corporate entity attempts to dictate the rules and actively discourages outside contributions, and people profiting from "their" source code. As a proportion of most widely used OSS software the amount of software and the number of developers involved with it is a rounding error.
There are two main problems with corporate OSS:
1) it stifles the formation of a healthy community of outside contributors. This endangers long term success of projects. The more restrictions exist (e.g. copy right transfers or aggressively anti commercial usage licenses like AGPL), the more likely it is that would be contributors will take the hint and stay away.
2) it limits growth to the strategy, financial success, and imagination/skills of just one company. Because with projects being bottle necked on the financial success of just one company and cut of from outside help, absolutely nothing happens unless that one company pays for it.
And with finances effectively supplied by VC investors interested more in IPOs and quick exits than good software, OSS is just a buzzword that goes on the investor deck and not something they actively value or appreciate. Hence legal monstrosities like BSL that make no sense whatsoever from the point of view of nurturing a healthy community of external developers. Most VC companies of course fail. That kind of is the point. And most of their restrictively licensed software projects die along with them and don't survive the implosion of these companies. Developers move onto other things and the software gets peddled to hedge-funds or companies like IBM.
The only exception to this is properly licensed open source that can simply be forked. Oracle, Redis, Red Hat, Hashicorp, Elasticsearch, etc. found that out the hard way. The answer is not getting more proprietary about OSS software and preventing forks. The software gets forked precisely because these projects are too valuable to let it rot away behind corporate pay walls. This is not a failure of open source but actually a huge success. The software will long survive the misguided corporate shenanigans. The software and community will be fine. Those companies, possibly a lot less.
Which hard way? None of those forks are relevant enough to matter.
The Jury is still out. I suspect in 5 years, Valkey and OpenTofu will be more popular than Redis and Terraform, at the very least for new products, but probably also for most actually maintained products. There's a good chance OpenSearch will also displace Elasticsearch.
I recently re-licensed a large open source project from MIT to a source-available license which restricts redistribution after someone decided to fork it, completely rearrange the code and introduce subtle breaking interface changes, and then package it up with basic Electron UI for sale on a platform digital store.
I don't know what the answer is, but the OSI definition is clearly not built to withstand this era of late stage capitalism and the "hustle culture" that permeates through it.
Trademark law should handle this (at least in some countries). Register a trademark and then send a cease and desist to the fork as they are creating confusion in the marketplace by distributing something they created using your registered name.
Perhaps consider using Apache 2.0 license, section six has language that specifically addresses trademarks.
A lot of open source devs are allergic to promoting their work so owning the trademark won't help them. For example, the above developer could have created their own official GUI and put it in the app store but they won't. Realistically the value is in GUIs, SaaS, marketing, etc. not in backend code.
Replying to both parent comments here:
I do a fair bit of promotion on YouTube[1] which has resulted in a vibrant community around the software, and I am now creating an official, free GUI[2].
In this specific case even if there had been a trademark in place, the person in question had not used the name of the project at all, but had decided to aggressively market it in community spaces.
Ultimately after much reflection and experiencing first hand how easy it is for people to abuse (in my opinion) the option of deliberately hard-forking and introducing breaking changes to funnel people towards a paid piece of software (in this case, a GUI) that will _only_ work with their hard-fork, I concluded that preventing this kind of ecosystem fragmentation is more important to me than an "OSI-approved" badge.
[1]: https://www.youtube.com/@LGUG2Z
[2]: https://www.youtube.com/watch?v=zZKjBMt4kZ4
It's basically become market research where the amount of devs which get hooked indicate success and these devs also double as the client (a trap). I try to stay with my stack, which also makes me miss out on things like the highly recommended Tailscale-service.
I started (and just published) a website[1] that tries to track relicensing risks across a number of OSS projects. The current methodology looks at trademark holders, licenses, and CLA/DCO requirements. I think there's community value in educating develpers, surfacing risks, tracking when a project changes it's posture, and promoting forks.
If this sort of thing is interesting to you, I'm looking to expand the project listing with community support. I suspect the relicensing trend is on its way up.
[1] https://alexsci.com/relicensing-monitor/
This goes against the foss ethos but given that foss is ultimately rooted in freedom I think what I will suggest can be reconciled with the primary principle.
I’ve been thinking the only way to truly protect freedom of individuals and of foss development is to have a dual license which is foss unless you deploy it to over 10m users or 10m revenue or belong to list of companies like the eu designated gatekeepers. In that case each project should have the latitude to decide if they will enforce terms if any. Meaning that given the needs of the developers being otherwise met they can always forego any additional requirements
I don't blame the big corps like IBM (disclaimer: I work there, I don't speak for them) and Microsoft and Google. I really blame investors who are looking to get their money back. When they force an IPO but there's no business model to sustain the company, this is what happens. CEOs resort to developer-hostile actions which kills off the community and generates ill-will towards the company. People here shit on "lifestyle companies" but IMO that's the best model for sustainablility and developer communities (if that's what you're into).
If you offer something for free. And it becomes popular partly because it is free. Well it should be pretty clear that there is not huge money in free product... And at some level someone packaging with some margin your free product is well...
So the TLDR; is don't trust any corporate open source that requires a CLA and don't contribute to those projects unless you are prepared to fork if the rug gets pulled.
Any project with a CLA was already subject to that stipulation. You get to do work for a company for free with the added benefit that you're now also on the hook for any legal problems that might arise from the code you contributed.
What a deal, you get to put in the time and effort AND potentially fight a legal battle when a patent troll decides to go "wouldn't it be fun if" all on your own!
OT: if the author of the article sees this, there's an error in a quote. You quote HN user skywhopper as saying
> HashiCorp already did a great job pre-draining all their flavor
but their quote actually says [1]
> HashiCorp has done a good job of pre-draining any flavor it once had
[1] https://news.ycombinator.com/item?id=40135686
Ah sorry about that, was paraphrasing for the video, but the blog post should have the direct quote since I don't have a snapshot. I'll update the page when I'm back at my computer later!
Always remember: It's either AGPLv3 or proprietary all rights reserved. Anything else means you're giving your labor away for free to the beggar barons. Biggest wealth transfer in history, from developers and straight into the pockets of billionaires. It's just irrational.
Also remember: Whoever owns the copyright gets to do whatever they want. The licensing security of free software, defined here as the likelihood of free software remaining free software, is proportional to the number of copyright owners involved. Changing the license requires agreement between all copyright holders, once a sizeable number of them has built up it becomes all but impossible. Therefore, anyone who asks you to assign your copyright to them should be viewed with suspicion. A true proponent of free software would want to maximize the number of copyright holders involved, not centralize the copyrights under a single entity.
Maybe I like writing software that I don't bother to monetize but allows anyone who wants to come along and use it to eat to do so.
Don't give things away if you care about what happens to them afterwards. So many people completely misunderstand what open source is about.
> Don't give things away
That's exactly the point I was making. My whole point was: DO NOT just give things away. That's just irrational. It brings you no profit and doesn't actually create long lasting wealth and freedom in the form of copyleft software. All it does is enable your exploitation. All it does is enrich billionaire corporations who are free to take the work of others, use it to make a killing and then laugh all the way to the bank at the suckers who made it all possible for free.
Don't just give your code away for free. Either make it proprietary all rights reserved, or make it AGPLv3. Those are the two choices. Maximum profit or maximum freedom. Either they pay you lots of money, or they adhere to the full set of conditions spelled out by the AGPLv3.
Don't just give your stuff away. Attach lots of strings to it. Strings that force others to benefit you in return for your generosity. Either by paying you lots of money or by being equally generous to you in return.
Don't just give software away. That was the point.
There is exactly one scenario where "permissive" licensing makes sense: a world without copyright. In other words, a world without licensing at all. They can copy your software and you can copy theirs. Until such a day comes that copyright is abolished though, "permissive" licensing is just nonsense, it just gives away all your leverage.
You cut off “if you care about what happens to them afterwards”. It’s perfectly fine for somebody to just give software away as long they’re fine that someone else will make money off it. You don’t seem to be fine with it, but others are.
I've seen quite a few of these people become very bitter over the years. Taken for fools and exploited. They were supposedly "fine" with it at first. At some point it must have hit them.
I don't blame them. Their reaction is understandable. I blame whoever came up with this "permissive licensing" psyop.
That's not correct though. Charity is a valid thing.
Expectations-based giving should honestly always be frowned upon. Once you give something up it's no longer in your control. If somebody has a problem with that, it's actually them that's the problem.
I think a lot of folks don't think through the licenses they choose before they use them. They never really thought about if they'd be mad if somebody else commercialized their code. You give up that right when you chose that license but that's okay. Licensing is a choice.
You're also free to use AGPL if you want or even go proprietary -- but don't blame open source licenses if you chose them by mistake.
> Expectations-based giving should honestly always be frowned upon. Once you give something up it's no longer in your control.
Licensing something as Free Software (i.e. under a copyleft license) isn't "giving it up", so there's no contradiction with retaining (some) control.
> If somebody has a problem with that, it's actually them that's the problem.
Or the problem is with the people who want to take control because they thought the original creator "gave it up".
> I think a lot of folks don't think through the licenses they choose before they use them.
Yup, better make sure to go with a copyleft license.
Who's doing this out of charity though?
I'm willing to bet almost everyone who does free and open source software is secretly hoping it will come back to them somehow. Usually as an actual job, maybe as a consultant for the software they created, maybe custom feature work. These days it's often a patreon or github sponsorships which are ethical ways to make money. Maybe it's the prestige of having one's full name attached to some major project that drives them. Maybe it's the enthusiasm for computing freedom and the copyleft ideals: sharing your work and benefiting from the work of others in return, knowing that you're adding to a commons and that your freedom is ensured.
Expectations can be as low as basic respect and acknowledgement. But they do exist.
You're absolutely right that most people don't seem to think through the licenses that they choose. That's my point though. That's why I came here. To tell everyone that it makes no sense to choose anything but AGPLv3 or proprietary. If you agree with me, then upvote the comment so that more people will see it and hopefully avoid falling into the permissive licensing trap.
Most of my open source contributions were because I was a user and had a problem to solve. Usually in the course of doing my paid job, but not always.
Then you do have expectations.
Of continued maintenance.
I hope whoever was maintaining the software had their expectations fulfilled too. We've all seen what can happen when they aren't.
Those “robber barons” are also the source of most tech jobs and how most of us here earn a living
Not robber barons. Beggar barons.
https://zedshaw.com/blog/2022-02-05-the-beggar-barons/
Trillion dollar corporations. That beg for free labor. That exploit the good will of free and open source software developers.
Here's the latest example:
https://news.ycombinator.com/item?id=39912916
https://news.ycombinator.com/item?id=39909949
The source of most jobs (tech or not) are, ultimately, people and their needs.
Teraform and serverless doing the exact same thing at the exact same time really indicates that the market conditions that allowed for software like this was not long term sustainable.
As a builder that leverages them both, I'm saddened, but I get it.
I just watched this interesting Node.js doc (Open-source Node.js was purchased by a corp and there was some drama along the way).
https://youtu.be/LB8KwiiUGy0
> Bryan Cantrill's been sounding the alarm for years—yes, that Bryan Cantrill, the one who posted this gem
The video is of Brendan Gregg, not of Bryan. Am I missing something?
Yes: Bryan posted the video of Brendan shouting.
In 2024 a whole lot of ideals have been shattered... It is a wake up call for each one of us
I think the anger comes from the rug pull, not that they chose to be source available, right?
If they chose to be source available from day 1, then no harm done?
Yep; though HashiCorp would be a much smaller company had they not started with an open source license.
What is C
[dead]
TL;DR: Once again, capitalism takes it's toll.