This is a good article, and 99% of this article I agree with. I’m going to quibble at something very small, not because I think the author is guilty or anything or because they’re doing something wrong, but because this is a general pattern I’ve been seeing over and over again in multiple takes from multiple people: it feels weird to me to have a criticism of corporate behavior where corporations don’t know how to ensure the continued success of the commons they build on, and to title this that “Open Source” is broken.

If a bunch of hunters go out and shoot all the ducks to extinction, you don’t title an article that ducks have failed as a species, you say that duck hunting is a problem. And I’ve seen a few different articles now talk about how Open Source devs need to get better about setting up contracts and finding sponsors, or saying that this reveals a fundamental problem with Open Source, and I just don’t get why we’re laying this at their feet.

The big companies whose stuff broke because of Log4j have both a giant legal department with infinitely more resources than any single developer available to them to figure out how to kick money to these projects. And this is something that article touches on, which it describes completely accurately: there are developers who build this stuff that do not want it to be a professional thing, and they should still be compensated. There are developers who don’t want compensation in the form of money, they want additional development resources or dedicated people helping them triage bugs, and that’s a legitimate need that companies could start learning to provide. Volunteer developers should not need to learn how to set up an LLC or a nonprofit to get some compensation for their work if their work is important; the idea that compensation is dependent on a very specific model of professionalism and that it’s incompatible with people doing something as a hobby is just wrong. The author does a good job of pointing out that Open Source funding often looks different from commercial funding. A quote even admits:

> Okay, part of this may also be an ADHD thing and not really being able to stick to projects longer term.

But the thing is, that’s OK. Like, you should be able to be in that position and to jump around between projects and if a company really cares about it it’s still their job to give you money or to invest resources and maintainers into the project to make your life easier. This should not be conditional on you turning your work into a full-time job with years of commitment. But even as I praise the article for that phrasing, and even though I suspect this is something a lot of people agree with, I’m still frustrated that we don’t get a bunch of articles that say “corporate financing is broken and unsustainable” or “our culture about funding and who/what deserves money is broken.” We get articles that say that “Open Source” is broken.

I know that I’m kind of just quibbling over something small, and I know this is if anything the wrong article to even post this rant under. I don’t want to make needless conflict over something where the author is mostly just right and in many cases saying the same things I’m saying. But I do kind of think this phrasing is important. My objection is I think the phrasing here implies to people (unintentionally) a kind of unconscious bias that this is Open Source’s problem to solve. But the commercial companies broke and went into panic mode because they weren’t willing to invest into the infrastructure that they rely on. That is their problem to solve, they are the ones on fire. They have the resources and they are capable of learning how to give money directly to developers. Maybe it’s a cultural problem that they need to work on that’s just ingrained in business heads; I somehow doubt we’re going to get a bunch of corporate think-posts on LinkedIn about that framing though. Companies should be expected to occasionally evolve themselves instead of having everybody constantly hold their hands and console them that we understand that large direct donations and regular investments are just ever so scary and difficult to do and that this is a systemic problem with the community, not a direct problem with their individual behavior as an individual company.

Funding for Open Source is a serious problem, but I’m kind of tired of seeing article titles and phrasing implicitly suggesting (again, I think completely unintentionally in this case) that it’s the Open Source community’s problem to solve. You all use our stuff! This is your problem, your stuff broke because projects were underfunded. Why is it our job to make our funding methods more comfortable to you? The company’s stuff breaking because their lawyers are irrationally scared of straight no-strings-attached donations is their problem. Let commons be commons, get over the short-sighted thinking that says companies can’t possibly invest into making their products not fall over and catch on fire randomly unless they get something exclusive out of that investment. Or if they’re incapable of doing that, stop giving them sympathy and treating their irresponsibility like it’s everybody else’s job to solve. They’ll learn to fund Open Source, or their stuff will break in embarrassing public ways that make them look bad, and maybe after a while they’ll start learning some heckin lessons from that.

This is something that (outside of the title) the article does a good job of reinforcing: build the software you want to build, and don’t let leeches pretend that gives you an extra obligation to them. Particularly don’t let leeches argue that your inability to keep leeches away is your fault. Honestly, the Log4j maintainers would have been completely justified in saying, “hey, yeah, we see this critical vulnerability, but it’s the weekend, we’ll get to it on Monday.”

I actually really like what you’re saying.

As someone who’s pointed tens if not hundreds of thousands of dollars to open source projects, blaming lawyers is unfortunately not the solution either.

Companies have budgeting and legal solutions laid out, it’s pretty much a first year problem. Engineering and IT want money to go to those developers. The issue is finding and getting money to these developers in accordance with tax code, jurisdiction/etc, it’s basically a regulation issue. On top of that, many developers don’t want to deal with the tax hassle of getting paid for a $50-200 solution because it opens them up to ID theft and a whole morass of problems.

For the moment the most effective use of my dollars has been to donate to foundations and tag my donation with a “hey, can you use this for $XYZ”, and that works. The FreeBSD foundation does a great job of this and that’s why I donate money to them every year.

If there was something like this that encompassed more developers, I’d be really keen to see that as well.

So on some level, I agree, and in particular I think that having these meta-organizations and middleperson organizations that essentially act as money-pits and then put in more of the hard work to distribute funds or support — that’s a great idea, and I’d love to see more stuff like that.

And I am grateful for companies that are putting the work in to try and solve these problems, we need more of that, so thanks for the work you have done and thanks for your thoughts on the problems.

I still have a couple of specific, narrow objections overall:


> Companies have budgeting and legal solutions laid out, it’s pretty much a first year problem.

> The issue is finding and getting money to these developers in accordance with tax code, jurisdiction/etc, it’s basically a regulation issue.

Who’s more equipped to solve those problems, companies or unfunded developers building stuff in their spare time? Who has more lobbying resources to change tax laws, Microsoft or Open Source developers? Saying that this is a corporate/business problem is not necessarily the same as saying it’s an easy problem, it’s just saying that the stuff you bring up above are company issues, not problems with Open Source. Open Source isn’t broken, companies are broken in that they struggle to interact with or support the ecosystem in productive ways.

It’s a business problem that budgeting is so rigid that companies can’t on-the-fly budget (or never thought to budget in the first place) resources to maintaining infrastructure that they rely on. It’s a business problem that businesses don’t understand their supply chain well enough to know what they’re relying on or how to get in contact with or support the projects that they’re relying on to remain stable and secure. These are complicated problems to solve, but let’s be clear about where they lie.

Yes, there are tax complications, there are regulations. These are also problems that companies are more equipped to solve than developers are; companies have legal departments that can help navigate taxes, and individual developers do not. It’s a business problem that companies don’t have mechanisms/infrastructure to distribute support to things they rely on without falling into complicated legal holes. Yes, there are problems of finding the projects that need funding, but once again, businesses are more equipped to examine their own dependencies than developers are to try and figure out everyone who’s relying on them and how important their libraries are to those companies.

And yes, you are absolutely correct that not all developers want to get paid traditionally (or even paid at all), and that’s a choice we should preserve. But in some ways, that’s exactly why this is a corporate problem: it’s good that people get into Open Source with different motivations and needs, and it is better for the tech industry to evolve and figure out how to support those developers through nontraditional means (QA volunteering, patches, documentation, attention/promotion, one-off donations, etc), than it would be to try and “professionalize” Open Source. Even in the scenarios where people want literally nothing, and they don’t want to be critical infrastructure at all, it’s still kind of the company’s responsibility to figure that out and to figure out if they’re comfortable taking on the risks, or if they need to either use something else or fork the project.

For all of its faults, Open Source works pretty well, that’s why companies rely on it. And I think part of that is the messy non-commercial aspects, the accessibility of contributing that means a company might be using a library built by someone who’s only 15 (which for sure makes corporate funding complicated), the lack of hard requirements or contracts that mean a developer might walk away from something a company is relying on — these are not accidents, they’re deliberate parts of the system that allow non-professional people to take part in building the commons and solving their own problems. And yet for all of that messiness, Open Source produces software that’s good enough that businesses rely on it. So when we have a system that is producing good software that people rely on, but the funding methods and support methods that businesses are capable of engaging with don’t always line up with that system — this is a case where businesses and the surrounding tech industry that should change, not the system that’s producing good software that people rely on.

I will note that in the case of log4j, the developers are interested in normal funding — this specific situation isn’t a problem with figuring out in what way to support developers, it’s a problem stemming from the fact that businesses don’t know how to analyze their dependencies and figure out which parts need support (which is why they didn’t realize that log4j devs wanted funding), and that businesses don’t know how to donate to those dependencies or that the businesses aren’t flexible enough to make those donations using the payment systems that many Open Source developers prefer. So there are broader questions about what projects want support, but log4j is kind of one of the easier examples; if businesses can’t figure out how to donate to this project without an invoice process (even if the reason why is complicated and protracted and multifaceted and hard to solve), then businesses really are just broken in this regard.

Thanks so much 🙂 No promises on timing, but sure, I’ll do my best to write something up.

And thanks for commenting as well; I’m honestly really relieved that this apparently didn’t come off as too critical, I was somewhat worried about that. It’s a weird situation where your post is one of the better ones about Log4j2 that I have seen today, and there’s stuff there that I really appreciated you writing and articulating, particularly around your hesitation to make things that companies would start relying on. But it was also the only one that got up to the top of HN that I saw when I logged in, and… I kind of went back and forth whether it was right to complain about a broader trend underneath it, given that the actual substance of your article really isn’t falling into the trap I was complaining about.

Anyway, just reiterating that you wrote a good article and a good take, and it’s not even that the title is egregious or worth a rant in isolation, it’s fine. It was just the Nth title over X months that I’ve seen about Open Source funding that happened to be phrased as the Open Source problem, directly after I finished reading a different article that was suggesting that Open Source devs all need to learn how to set up their own LLCs and invoicing departments.

That analogy is a false one. Duck hunting is a self-selecting, non-mandated recreational activity for privileged people, not an activity that forms a critical role in a global pro-business economy.

The correct analogy is:

If the law mandates the indiscriminate killing of animals, you don’t title an article that some animals have become extinct, you say that the indiscriminate killing of animals has caused the extinction event.

The given analogy misattributes the source of the harm based on proximate factors… in effect it’s saying ‘I didn’t kill the animal… the bullet from the gun I fired caused the animal’s heart to stop’ – it’s a VERY shoddy argument.

What law mandates that companies can’t donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues? What law mandates that companies have to ignore maintainer burdens? Each company made an individual choice to use infrastructure that they weren’t funding/supporting, to effectively transfer bug-testing and security reviews onto unpaid maintainers. Then the infrastructure they weren’t supporting broke.

The mistake I’m trying to point out is in looking at a corporate problem, where corporations are not doing due diligence to ensure the success of the commons that their own products critically rely on, and then implying that it’s the responsibility of Open Source maintainers to make it easier to fund them or to alter their culture/projects to better fit company priorities. Well if everyone relies on this stuff, then the people who rely on it can figure out how to support it.

That I’m seeing articles suggesting that the problem is that Github sponsorships are hard to explain to accountants — well, it sounds like the giant accountant firms that are being paid a lot of money aren’t doing their jobs well, and aren’t actually able to navigate financial situations that are outside of their comfort zone. But that’s not the Open Source community’s problem to solve, and the law doesn’t mandate that companies be unable to navigate those spaces.

Companies ended up in the situation where an undersupported library that they needed to be stable instead broke because of their individual choices as companies about what parts of their infrastructure they would and wouldn’t fund/support.

There is a systemic problem here, but it’s not systemic in the exact same way as many other systemic problems that we face — it’s not systemic primarily due to outside pressure or laws, it’s only systemic in the sense that companies are systemically and culturally unable to think about infrastructure or the commons in a responsible, long-term way. Sometimes systemic problems are really hard and complicated, but sometimes there are systemic problems that basically boil down to, “a bunch of people are irresponsible, and if they stopped being irresponsible the situation would get somewhat better.” I don’t think that Minecraft is the victim of circumstances outside of its control, I think it’s really reasonable to expect a game bringing in that much money for Microsoft to be able to look at its dependencies and proactively identify/reinforce fragile parts of their infrastructure. Minecraft wouldn’t have needed to solve the entire Open Source funding problem to avoid this bug, they would have needed to figure out how to support the extremely finite number of libraries that they rely on and that are directly linked to the success of their product.

And we can talk about wide-scale problems that hold Open Source back, we can get into the weeds on concepts like UBI, or better payment platforms, or IP laws, or whatever. It’s not that those conversations are bad to have or that they’re not important in their own ways. But they’re not prerequisites for Microsoft giving money to people. And even in a world with full UBI or in a fully post-Capitalist society, you still might have Open Source developers making really useful stuff, where those developers don’t want to spend all of their time or energy on that project or want to take it in a narrow direction, and that’s fine. That shouldn’t be a situation that we’re trying to eliminate. Open Source is accessible and it allows people to dip their toes in, to solve narrow problems, to pick up and port/extend other libraries without a complicated legal process, to collaborate across national borders, to evolve their priorities and to jump between or even abandon projects — and it turns out despite everything that is a really great ecosystem to live in. I don’t think it’s right to try and tear that ecosystem down and rebuild it into something that’s purely professional, which is what I think a lot of corporations want. I think it’s a lot more reasonable to ask businesses to learn how to interact with and support developers who may or may not be professionally working full-time on each project; I think it’s more reasonable to ask why, when the Open Source community is building stuff that other people find useful, it is also our job to figure out how to make funding us attractive. And more directly relevant to your argument, I don’t believe that there’s a legislative reason why companies like Microsoft/Google/Apple can’t get better at this stuff right now.

The law that mandates that companies can’t donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues is the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders. The law that mandates that companies have to ignore maintainer burdens is similar, but much more obtuse, mainly concerning commercial and workplace agenda issues founded on aversion to risk.

The mistake I’m trying to point out is your analogy is wrecked, it’s only a very small, but well scoped rebuttal. Your analogy, granted it has been taken out of the context of the comment, but it’s important that analogies used to make a point actually map on to the concrete situation, and your analogy clearly doesn’t achieve that. Anyway, let’s move on to the substance of your comment. You want to shift the burden of fixing what is a very well documented and well understood market failure (free riding) on to corporates. I get that. You want to do that by shifting the burden of the fix to them. What you fail to grasp are the free market maxims which rule these companies. You are, in effect, asking people to stop writing articles about (say) wearing a face mask in public when faced with a public health epidemic and instead write articles about how animal husbandry practices in a small market in Wuhan is the real story. What your comment fails to capture is the systemic failure of Open Source. In the same way, an article about how a virus that is harmful to human health that focuses on hygiene in a market in Wuhan won’t help anyone stay safe once it becomes an epidemic. You are mistaking an epidemic for a malpractice suit. You don’t solve an epidemic by suing the market traders in Wuhan, you write articles about wearing face coverings and public health policy programmes like vaccines.

So, your argument is bogus.

Open source is broken, as a system, it is meant to be broken, it was designed to be broken in the same way Windows is designed to be broken, because it suits people that promote it.

If you are making FOSS you are perpetuating a broken system and are accountable for that.

If you design your house with no doors or windows and then proudly announce the fact it has no doors and windows and everyone is welcome to take a look around you don’t get to blame people who wander in from time to time and take a look around.

The rest of your comment here seemed to flip flop between whether the problem is systemic or not based on ideas of what the system is, and what it is not.

I am not convinced by that analysis because the systemic failure is self-evident here and so to discuss whether open source software production is a system or not, or whether it interacts with other systems or not, seems naive.

Your point about Minecraft seems to show some naivety around the way production systems interact with economic systems.

Some form of interpretation from either the history of the industrial revolution or the economics corpus would probably be enough to disabuse you of your reluctance to admit the interplay between economic and technological systems.

Your opinions suffer from a widespread tendency for people’s opinions to be wrong. I include mine in that category too, but at least readers may benefit from being given a choice as to how wrong they wish to be.

Sorry, I didn’t mean ‘mandate’ as in ‘legal’, I meant more like ‘Social License to Operate’ (SLO) which is more at the social/cultural level, although there are of course legal ways to keep corporations away from code… AGPL/Copyleft/Ethical Source/Noncommercial licensing and Social Domain licenses all seem to be pointing to a new economic future that, despite our differences in opinion here, I think we can both agree on, would be more desirable than the current situation?

> the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders.

this is an inanely incorrect urban legend of a claim. The business judgement rule overrides it except in amazingly egregious circumstances, and paying the maintainers of business-critical upstreams would be profoundly unlikely to be such a circumstance.

> The law that mandates that companies can’t donate to someone on Patreon or help triage bugs or dedicate QA/security time to identifying issues is the requirement for CEOs to demonstrate good judgment in managing the company by maximizing profit for shareholders.

People place an over-emphasis on this. Minecraft broke, the situation they ran into is no different than if their engineering team had introduced an XSS error in their own codebase. If this isn’t something that’s affecting company profits, then why are they complaining? And if it is affecting company profits, then it’s in the shareholder interest to figure out how to support the work so their stuff doesn’t break. Nobody says that the law mandates that companies can’t have a QA team, companies are allowed to care about reliability. So if donating to someone’s Patreon or kicking resources their way improves the stability of a product, then that’s in a company’s interest, it’s not violating shareholder rights to take tangible steps to make your product more secure/reliable.

In general, companies are not quite as constrained as you are suggesting by requirements to pursue profit in the first place, but even from that perspective if we assume they are completely bound in that way, this is still either:

A) not a problem they should be complaining about since apparently it doesn’t affect their profits, or

B) their problem to solve, since it affects their profits.


> If you design your house with no doors or windows and then proudly announce the fact it has no doors and windows and everyone is welcome to take a look around you don’t get to blame people who wander in from time to time and take a look around.

I don’t think anyone here is blaming people for using Open Source projects for free, that’s by design. I’m blaming them for then turning around and saying, “hey, this thing we’re using for free without contributing at all broke, something is clearly wrong with your process, why didn’t you stop us from using your thing for free?”

It is directly by design that people can use Open Source projects without contributing back. That’s not really the issue here.


> If you are making FOSS you are perpetuating a broken system and are accountable for that.

See, this kind of gets at the core of my criticism. The log4j devs didn’t wake up in the morning with their house on fire. Minecraft did. Log4j devs didn’t have a contract with Minecraft, they weren’t losing money because Minecraft’s house was on fire, none of this had to be an emergency for them. But somehow, not only is this suddenly log4j’s problem to solve, but also it’s their fault that Minecraft used their code and they’re somehow responsible for perpetuating a ‘broken’ system?

It just doesn’t make any sense; if you don’t think that Open Source is maintainable or safe, then don’t use it in your company. If you think it’s valuable, then think more than 3 months down the road and commit to helping it thrive so you can continue to rely on it (and explain to your shareholders that sometimes share price is affected by zero-day vulnerabilities in products). Or don’t, but then don’t expect us to do a bunch of soul searching over how we can serve you better or change our culture to suit you.

Feels very weird to be relying on a commons as critical infrastructure by your own choice, and then complaining that the people building the commons are the problem because they’re somehow enabling the system.

> AGPL/Copyleft/Ethical Source/Noncommercial licensing and Social Domain licenses all seem to be pointing to a new economic future that

I don’t understand why it’s the job of people working for free to not only give people their code for free, but also to figure out the entire social/economic structure for how to get companies to contribute to the ecosystem.