Open Source Is Bad

xkcd#2347

Addressing elephants in the room

PyData London, March 2020 2023

Casper da Costa-Luis @casperdcl
  • originally agreed to give this talk ~3ya
  • talk never happened
  • but to my horror, old slides still relevant
  • heartbreaking to see how no progress has been made on this front

Disclaimer

  • I am not insane (probably)
  • Nothing is 100% awesome
  • Aim: avoid subjective moral rhetoric, focus on objective legal issues
  • I know my audience, mostly OS champions, so I can feel the skepticism/palpable hostility towards the title
  • The first step to solving a problem is acknowledging its existence
    • There are flaws in the current treatment of OS
    • I think we can fix said flaws
  • will try to focus on concrete legal rather than fuzzy moral issues
    • give you food for thought

Licences: Restricting Use

  • Ongoing debate
  • Open Source Initiative (OSI) [1] versus e.g. Hippocratic Public Licence (HPL) [2]
  • Permissive "open" versus Restrictive "do no harm"
  • licensing: I think it's a non-argument, but it is an ongoing debate so should mention
  • OSI standpoint: SW can be used for good as well as evil; you (as a dev) not qualified to define let alone stop evil; leave that to police & courts
  • other hand, initiatives like HPL which give a list of checkboxes, add/remove paragraphs from licence e.g. forbidding the fossil fuel industry from using your SW
  • Misses the point: 5 billion online users[3] = unenforceable

[1]: opensource.org
[2]: firstdonoharm.dev
[3]: statista.com/617136
  • IMO debate (permissive vs restrictive) misses the point. impossible to police billions of end users. even individual Big Co.s ignore licences when gathering data to train ML models
  • I will not comment on CoPilot nor ChatGPT so technically nobody can sue me
  • tackle the millions of developers

Warranty = Quality + Reliability(?)

  • OS devs give you free software "AS IS, NO WARRANTY"
  • Problem: applying "buyer beware" philosophy to "users" (NOT "buyers")
  • OS devs provide you free SW, you're not a paying customer, why provide you with a warranty?
  • mixed message/dichotomy
    • MORAL perspective: OS is reliable/trustworthy, devs have so much faith they released code for world to review/audit
    • LEGAL: no warranty/guarantee, no trust/reliability
  • problem: applying "buyer beware" to "users" who didn't pay for anything
  • should "users" have "more" or "less" rights than a "buyer"?
  • 1 million buyers = customers
  • 1 billion (free) users = general public
  • another way of putting this: buyers covered by consumer protection laws
  • but who protects general digital public? lack basic oversight

Hardware analogy

  • I generously make a billion rubbish bins for free
  • I clear them regularly
  • ... are you happy with me?
  • ... NO!
  • Public Safety: governments would insist on paid service contracts
    • if I stop being generous, would garbage collect on the streets?
    • need warranties; guaranteed "uptime"; quality control
  • entire govts would say NO purely in the interest of public safety
  • stop me making everyone dependent on my (temporarily free) system and holding the world to ransom
  • if we have checks/balances for physical hardware, why not digital software too?
  • if pkg >100k annual downloads, maybe should have formal support

Supporting Users AND Devs

  • Big Co. depends on FOSS; but concerned about supply chain vulnerability[1,2,3]
  • Solution: pay e.g. Tidelift[4] to provide support
    • some payment forwarded to OS devs/maintainers to provide guarantees (security support responsiveness, sensible release processes, licence terms, etc.)

[1]: 2022 theregister.com: NPM faker.js & colors.js
[2]: 2019 arstechnica.com: NGINX police raid after Rambler files criminal (!) case
[3]: 2016 theregister.com: NPM left-pad chaos
[4]: tidelift.com
  • big co.s realise their dependence on FOSS
  • pay orgs such as tidelift for support
  • Tidelift in turn forwards payment to devs in return for some basic guarantees
  • full disclosure: Tidelift funds some of my projects (less than min wage but at least baby step), though they don't know about this talk
  • need more initiatives like this, NGOs, govts.
  • odd we have honours/awards/grants/knighthoods for work that has physical impact; relatively little recognition of SW
  • anyway, out of time, many other issues & solutions for OS, happy to have a chat about fully & partially OS business models, general SW consultancy - email on GH profile
  • hope I've left you food for thought, not just rant of problems but also practical solutions
  • thx for listening; I wish you Happy Coding