Open source software is integrated into nearly every aspect of computing. Indeed, this newsletter is brought to you by countless hours of open source development. It’s important to take stock of this as all may not be well in open source development. Motherboard ran a story that was a deep dive into the rather complicated subject of open source, discussing its lofty, even utopian ideals, and those running up against the hard realities of a market economy.
[Linus’s Law is] the idea that if enough people are working on a software program, any bugs hidden in the code will be caught and patched quickly. In essence, Raymond was making the case for the efficiency of free software development. Since it was developed out in the open, anyone could look under the hood of free software programs, which meant that any bugs that might be lurking in the code were more likely to be discovered quickly. A corollary to Linus’s Law was that free software could develop more rapidly since anyone could come up with their own improvements for the software and send them to the core developers on the project.
But this requires labor, and humans aren’t perfect. In 2012, a major bug was coded into the OpenSSL library (one of the foundational pillars of the internet) and wasn’t found for nearly two years.
As Steve Marquess, the former CEO of the OpenSSL Foundation noted in a blog post after the fact, the cause of Heartbleed was attributable to developer burnout and lack of funding. According to Marquess, the foundation was operating on a budget of less than $2,000 in donations and under a million dollars in contract revenue annually. The foundation couldn’t take on more contracts because its developers, many of whom had full time jobs and families, simply didn’t have the time.
In fact, Marquess wrote, Henson was the only OpenSSL developer working on the project full time—and for a fraction of what he could have made taking his considerable technical skills elsewhere. “These guys don’t work on OpenSSL for money,” Marquess wrote. “They don’t do it for fame. They do it out of pride in craftsmanship and the responsibility for something they believe in…knowing that [they] will be ignored and unappreciated until something goes wrong.”
This seems really bad, but security is compromised all the time, even in software made by developers with six-figure salaries. The internet survived this issue, and it survives issues from other failures, whether made by paid programmers or dedicated open source volunteers. Even if we can continue to survive on this path, a better question might be: should we? Is this equitable? And what does it even look like to pay for open source development, when the degree and quality of contribution can vary so widely? The article suggests a few solutions, but even the developers cited in the piece, who would like to see more financial support for their efforts, are concerned about compensation and its effect on open source development.
“If you have a project that has a few hundred contributors and you start introducing specific monetary rewards for slices of work here and there I think you get into very dicey territory very quickly,” Hansson said. “People who haven’t valued their work in an economic sense, who were doing it for the community, for fun, or for the creativity, are all of a sudden forced to think about their investment of time in market terms. I think in many cases that can do a great disservice.”
Everyone seems to recognize there is a problem here, or at least an imbalance, but there doesn’t seem to be a clear way forward. Until that’s solved, the current paradigm will continue on. For as long as it can, anyway.
Read the whole article here.