I love the hot takes that this Trivy debacle will be the end of open source
Heartbleed didn't kill open source
Log4Shell couldn't get the job done
xz tried and failed
This won't kill it either
Free is too good of a deal
I wrote this up in a bit more detail in a clickbait-titled article

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.
@joshbressers Good take. Cute trash panda. ✅
To your point of
"If those curated services don’t have what the developers need, they will find a way to sneak something through the back door. [...] The biggest threat to open source right now is the lack of support for developers that’s burning them out. Unfortunately we don’t know how to fix that problem yet."
I'd like to offer the comparison of "real engineering disciplines"™️ as amazing amounts of the computer-y and software-y stuff is in risk classes that clearly can compete with machines, buildings, planes and ships, etc.
All burns down to the point of "the effective risk perception of FOSS is not high enough at the right places. Let's make sure it is".
Here goes:
Any leading/accountable structural engineer, aviation maintenance engineer etc. is responsible for their work. This means whatever they sign off on might bring them to jail by the express route, very few questions asked, not insurable if it fails.
Thus, they are - in most cases - very inclined to only sign off on what they believe will not land them in jail. They are very diligent in checking.
The accountable business heads have lesser but similar cases. They invest in protection and control because they are aware of the consequences. The protection is cheaper than the fallout costs.
University education in these fields, at least here, contains substantial education on these rights, requirements, realities, liabilities, etc. They know very well what they are getting themselves into and what they are handling.
The results are that we mostly don't bother about whether a building will collapse on us or - in most cases - use the absurdly complex aviation system without much care. And rightfully so. There might be some hiccups every now and then, but the majority will just work and be failure-operational or failure-tolerant in most cases.
None of this exists in almost all CS or econ/CS mix degree programs. Your average "tech"/"tech adjacent" grad is blissfully unaware and ignorant of the reality, their rights, duties and dynamics of what they'll likely be dealing with for the foreseeable future (60-95% FOSS components). This needs to change.
Knowing what can and can not be expected from FOSS will enable people to adjust their engagement and investment in FOSS, make them consider their rights (and duties) and possible ways of enabling sustainability of their engagement before they become a burnt out distress case.
No company or other entity is entitled to free support, free maintenance or even continuation of something they "curbside thrifted" and willingly accepted as "use as is, it's your problem".
If they desire any of the above benefits, they can become the economic counterparty to said sustainability considerations of the origin.
Ensuring uninsurable responsibility for this "curbside thrifting" reliably hits MDs of legal entities of private or public nature will ensure sustained consideration of rights, duties, prevention/mitigation and investment priorities and adjust their risk/reward appetite/tolerance regarding this field according to their risk capability. I have seen substantial amounts of cases where that did happen after only one hit already.
And if properly educated and regulated, this will effectively lead to sustained investment in FOSS at scale, in places where it fits the market's demands.
Scale that will clearly be larger and with less overhead than all the tax-money-powered indirections I have seen so far, as laudable as the results and intent of them might be.
@joshbressers After 35 or so years, I'm getting a little exhausted hearing the end of software freedom predicted.
I agree there are risks and dangers. I even agree that certain very big, very rich people and organizations want to kill open source. But we keep surviving.
@joshbressers To me this discussion is funny. Open source was never stronger. Everything is based on open source. Browsers (Chrome, Safari), servers (AWS, GCP, Azure), cell phones (Android), network devices.
Open source is getting so strong that we realize that it is underfunded and that brings some weakness. All the companies using it should give more back (either money or pay developers).
@joshbressers Let me pile onto this story of "free food" with two things:
TANSTAAFL: If finance successfully lives by it, it's good enough for the libertarian rooted FOSS field 🤣
A tried & tested story that I keep using with clients to make them understand certain aspects of FOSS: People in certain cities do curbside thrifting, i.e. just dump whatever they don't like anymore right there. Not necessarily trash, but also not 1A-prime quality. That oven or sofa might just serve you for 1-3 years, especially if you're low on funds. It might also blow up your kitchen and the house with it. Certain areas might throw out better stuff on average, some lesser. So it's your job to assess and decide on the risk. And you get to own the upside as well as the downside.
So in the end: It'll be yet another case of the figurative blood that is used to write and enforce rules. Maybe we'll see a little less reckless FOSS consumption, maybe not.
I'm stocking up on strategic popcorn reserves though regarding the first cases of large(r) scale enforcement of LLM-coded commercial SW that has the FOSS IP enforced or SBOM regulations applied to it in "we mean it" mode. That'll either be a prime s'mores roasting event or the end of the FOSS IP protection.