In the wake of the xz exploit, I quipped, “Free software, eh, fine, whatever. What does •sustainable• software look like?”
I haven’t heard anybody give a more thoughtful or more useful answer to that question than @jenniferplusplus in this blog post, which has not one but •two• crucial insights:
The free software commons
Free and open source software has become a modern commons, but now it's vulnerable. Freedom isn't sufficient to secure it for the future.
Jennifer++ (jenniferplusplus.com)
1/
-
Paul Cantrell replied to Paul Cantrell
The first insight is her analysis of OSS software as a commons. It’s an insight that feels so obvious it almost seems like it doesn’t need stating, yet when she does state it — when she works out what it actually •means• for open-source software to be a commons — well, for me that was one of those moments with a “before” and an “after” where I won’t inhabit the world the same way again. It made me see things I can’t unsee. Read the post just for that.
2/
-
Paul Cantrell replied to Paul Cantrell
The second insight is that OSS is a socio-legal-technical problem, and we’ve given a lot more attention to the technical and the legal than to the socio-. We’ve been neglecting •governance•, the social systems of project decisionmaking.
As she puts it here: “Commons need long term organized care to sustain them. That's called governance.” Without that, there’s no sustainability. It needs the same kind of thought we’ve given to licenses. More, even.
https://hachyderm.io/@jenniferplusplus/112219129715730988
3/
-
@inthehands @jenniferplusplus One of the things that made me view free software as a commons was *exactly* that the moment it got possible for capital to commoditize and plunder it, they did - like they've done with every other commons, ever.
-
Paul Cantrell replied to Paul Cantrell
Open source, she argues, is threatened by both •enclosure• and •extraction•. It’s largely succeeded in defending itself against enclosure, but is failing to fight off extraction.
What’s missing? She writes: “The Freedom promoted by [the open source] movement could also be called autonomy. Proper governance would safeguard that autonomy.”
4/
-
Fish Id Wardrobe replied to Paul Cantrell
@inthehands @jenniferplusplus This is extremely good. I think you could argue that a commons is exactly what the original "guys with beards sharing mainframe code" that started all this were trying to build, but either way it seems to me it's exactly how we should view it.
-
@inthehands I increasingly think that copyleft licenses are the only good way we’ve got against Extraction, but it will probably also reduce the contributor base substantially.
-
@joeblubaugh
The point of the blog post, which you should read, is that licenses do not and cannot solve this problem. And I agree. I’m increasingly of the mind that copyleft is a red herring, a non-solution to a whole bunch of problems that’s sucked up way too much air already.
-
Paul Cantrell replied to Fish Id Wardrobe
@fishidwardrobe @jenniferplusplus
Yeah, I think a commons is definitely a goal that’s been hovering nebulously in the air since before OSS was even articulated as an idea, but people have just completely missed the ball on the importance of “socio-” in “sociotechnical” and we’re now left with dangerously weak human systems surrounding strong technical ones.
-
@inthehands I read the post, and I think that the arguments for improving governance only work for medium-large projects. Like Prometheus and larger. That’s probably also the limit where large-scale extraction happens, and also where licensing works to counter extractive behavior. Licensing probably doesn’t change much for smaller OSS projects.
-
I don’t think improvements in issue triage would have helped xz, and wouldn’t help a large number of small projects. My own experience of trying to file an issue AND offer code that addresses the issue in OSS projects has been almost universally negative. Often hostile. I only expect that to get worse now because becoming trusted to even offer code is going to be harder.
-
Jenniferplusplus replied to Paul Cantrell
@inthehands @fishidwardrobe I'm speculating, but to me it feels like a commons is the result they actually wanted, but not the result they thought they wanted.
-
Paul Cantrell replied to Jenniferplusplus
@jenniferplusplus @fishidwardrobe
Agreed, and well said
-
PointlessOne :loading: replied to Paul Cantrell
@inthehands On governance. I tried that. I maintain a medium-sized project (in terms of popularity). For three years I’ve tried to explain that while only I can push a packaged release there’s plenty other people can do on the project. I specifically said that I consider it to be a community project. I asked people to not wait for me and try solving their issues.
Didn’t work particularly well. I still get lots of duplicate bug reports and hardly any contributions. Though, I get pressured by one of the biggest commercial users to give up maintainership. So there’s that.
I’m convinced there’s abstract understanding that anyone can contribute but there are obstacles. Some are objective like not everyone has the skill necessary to contribute a bug fix. The domain is fairly complex in my case.
Then there are obstacles like employers not allowing contributions but this is rather because most use some standard overprotective contract language. Every single time I signed a contract there was no objection when I pointed out the obstacle.
And, of course, we can’t exclude general lack of care. Not everyone cares about the issue so much they want to spend actual effort on it.
But in the end the result is the same: I end up doing most of the work on this community project.
-
@joeblubaugh @inthehands just a couple of points.
1. Governance can and often should happen on a broader level than individual projects. I really do think the best prevention for XZ would have been for Red Hat and Canonical to notice that it was floundering, and reduce their demand on it.
2. The things that are helpful and the things people do with the intention of helping are not necessarily the same things. Maintainers reject code for lots of reasons. Not least that code is a liability.