This passive approach of libxml2 where the software remains community only is just fine and totally fair, but corporate users can pay up if there's a clear offering. What they actually get doesn't need to be much, but if it does need to be clear. Of course this does change the project into hybrid community/corperate open source but there can be a spectrum there where a lot of time and resources is carved out for the community approach and the corperate sponsors are given just enough to keep them happy. In a way some more corperate focussed Linux distributions are also an example of a hybrid approach really given the two worlds are very much linked.
This is an understated but brilliant framing. Oh I know they won't contribute, users will continue to apply pressure through issue threads saying that their clueless security teams are breathing down their necks. But at least you'd hope this gives pause.
The linked issue is worth a read, it's a shame the burden that corporate leeches like apple and google have placed on him. To them this project is simply free labour they have assumed they are entitled to and by extension are subject to their individual security theatrics.
The bug has no actual example of them making demands, "leeching" or acting entitled.
The security issues would be security issues just the same even if the library was only used by Linux desktops. (And if the library is unfit for use in other operating systems like the author suggests, feels like it probably is equally unfit for use in Gnome.)
ratio = (contributions - demands) : earnings
If you contribute nothing, demand nothing, and earn nothing, carry on. “Nothing” is loosely defined as “near enough to zero in the context of a specific project”.
If you contribute nothing, demand nothing, and earn (DL) a million dollars using it somehow, you’re a leecher. Your U/D ratio is 0.0. That should be an uncomfortable realization. One way to cope with that is to raise your ratio to 0.1. If you make a million dollars of revenue using libcurl, how much are you allocating to donate back?
If you contribute nothing and demand security fixes, then you’re not a leecher — you’re a parasite, because your demands exceed your contributions; your sign bit is still negative even if your ratio is 0.0 or NaN. It has been zero days since this workplace had a maintainer injury due to parasitic behavior.
Leechers are demoralizing when the revenue earned would let the author quit their day job to do more fun work instead. Parasites leave a trail of damaged and dead projects in their wake. libxml2’s maintainer made a policy change that cuts off the food supply for parasites; good. They’ll still burnout someday due to the untreated morale damage being done by the billionaire leechers, though.
If an author accepts contributions and you feel like a leecher, do something about it. If they do not accept contributions (including money) or if the anccepted contributions are incompatible (their code is in COBOL and you only know Rust, they only offer “donate bitcoin”, you’re a broke student funding school with your project) then maybe write them a thank you letter? and revisit this if your or their circumstances change someday.
As a former open source maintainer, I don’t mind it when people leech. That’s chill. Go for it. I don’t have a tip jar because I don’t expect a tip. But I mind when people DL a million dollars of revenue using my work and have a UL:DL ratio of 0.0 with me.
Corporations, formally do not care whether users are hobbyists, leechers, or parasites. Maintainers do. The OSI continues to reject as Open Source any licenses attempting to stop the morale impact of millionaire leechers and the time and effort drained by parasites.
Which is more important to the future of open source: the right to be a leecher or a parasite, or the maintainers that they feed upon?
There's the "demand" word again. Who is that demanded something from the maintainer, and where? I saw no indication in the original bug of any demands from big tech companies.
(Just the act reporting a security issue is not a demand. A verifiable bug is a bug whether it was reported or not, and reporting one is a contribution.)
When the demand part of your torrent-inspired equation is zero, how is it leeching? It's just zero, no matter what the earnings are.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/905#note_243...
Psychologically, it hits different when a leecher — someone whose uploads are not greater than some minimum threshold — begins demanding something; what they receive then is not just a free copy of the maintainer’s work to profit from, but also the specialized work of the maintainer to satisfy or reject their request. The cumulative impact of dealing with parasites is distinct from the demotivating effect of profitable leechers who silently download their work and never say anything at all?(and also from the motivating effect of seeing millions of people benefiting from leeching — adoption is often a significant reward). Torrenting has no language for this difference, as in torrenting there is no such problem; so I did some research and chose ‘parasite’ here. I recognize that, scientifically, the animal ‘leech’ tends to be viewed as ‘parasitic’; but there’s a clear difference in connotations, as a torrent leecher is not viewed with – does not view themselves with — the same disgust and loathing as parasites are.
Yes, those alleged demands by "leechers" are exactly what I've been asking about. From the lack of specifics, it is starting to be pretty obvious that they do not actually exist.
I'm not saying that the maintainer did anything wrong. They don't have to give anyone the time of day, and everyone should be happier now that expectations have been set appropriately.
But why can't we just accept that it is a choice he has the right to make? Why do we need to fabricate villains by making up stories about demands, entitlement, and billions in profit?
Is the behavior of these corporations towards maintainers something that we should evaluate against moral standards — i.e. by considering “are they villains in this story?” — or are they exempt from such moral judgments so long as they complied lawfully with the licensing terms?
I think the former. If I interpret your question correctly, you think the latter? I’m not open to persuasion on this specific viewpoint, so we’re probably at an impasse here.
I certainly can't agree with the maximalist interpretation of what you're ascribing to me. There's all kinds of things that are lawful and within the licensing terms but that would still be unacceptable.
But I do not think that mere use of open source software is abuse of the maintainer, even if the use is for profit. Nor is security research or reporting bugs. (But inversely the maintainer has no obligation to those users, no obligation to fix or acknowledge the bugs. The new security disclaimer seems like a great way to change the userbase without having to change the license.)
Nobody should be giving Bezos free work.
And you can tell by the way they move, they do not want to hurt each other- a cartel of toe-owners. Otherwise, what happened to gaming with the steam-deck, could have happened with linux to the desktop world years ago. Especially now, where the owner describing his intent, transfers to scripting glue code.
Just use the GPLv3 or AGPL, problem solved.
I think you pattern-matched to a different argument.
The FOSS era can be distinguished from the BSD/MIT era preceding it by its dedicated promotion of libertarianism in all shared source code conversations, which celebrates (quite defensively!) the resulting exploitation and free-riding as beneficial. While this is often presented as a natural outcome of BSD/MIT licensing, that FOSS viewpoint hinges on assumption-by-framing of exploitation without compensation as being morally neutral or positive. That framed assumption is false: the “scientists publish their work to each other” social climate that preceded it was openly hostile to entities who profited from work without ‘uploading’ via publication back to the community in return. Thus, the innovative social bargain of the GPL: you receive legal certainty that improvements to your source code will be shared back to you; then, FOSS advocacy uses adoption of the GPL as proof that exploitation without compensation is beneficial.
Quit focusing on just the part you like.
Sharing the result of collaborative efforts liberally makes sense. Wanting to be able to modify software and redistribute modifications makes sense. Allowing software to evolve in a broader eco-system makes sense.
What isn't seeming to make sense is how OSS software is used commercially and the way that skews the culture and priorities of open source projects. What purpose does the lack of commercial restrictions serve?
No restrictions on commercial use at all seems naive (and perhaps plain ideological) at this point. I used to think that things were too embedded to change but it does feel like a major shift is fermenting and has been for a while.
If your intent is just "I wrote this thing, sharing the code" license as restrictively as you'd like. If your intent is "I want to build (and/or get others to help build) a bigger thing", restrictions scare folks off.
It's trivial for me to get approval from my employer to do almost anything in almost any MIT-licensed codebase; we use and contribute to a number of GPLv2 codebases. However GPLv3 is a very rigid line in the sand that I do not expect to ever change.
The source distribution, modification and reinstallation requirements are pretty much identical, at least according to the main folks doing Linux kernel GPL enforcement for the last decades.
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
> Existing open source licenses, practices, and culture don't draw this distinction
I disagree for the most part. Corporations avoid copyleft licenses like the plague. It's the term open-source that includes 'free beer' licensed software that created this confusion.
I will say that all of the comments saying that open source licenses should change to formally prohibit this behavior are a bit naive. Ever since the Open Source Initiative was founded in the late 90s, its express purpose has been to boost the adoption of free (now "open source") software by pitching it to corporations as a way to cut costs. This means that they'll never approve a license that requires certain users to contribute to the project, monetarily or otherwise. Of course anyone's allowed to license their project any way they see fit, but they'll have to call it something other than open source and accept the limited distribution and userbase they'll see as a result.
This doesn't require abandoning open source. The GPL and AGPL serve precisely the purpose of preventing open-source software from being exploited for closed-source purposes.
Obviously hindsight is 20/20, so this doesn't help maintainers who have already chosen a permissive license and don't want to rugpull their users. But to say solving this problem requires adopting a non-open-source license is not correct.
Another option is dual-licensing - GPL/AGPL for all, or a permissive license that can be purchased for a fee.
I think that many people have done this, and all of them were deposed and replaced with someone who would "play ball" (I.E., work for free). Go ahead, keep an eye on Libxml2, we'll either see this reversed, or we'll see libxml3 promoted from all angles and libxml2 decried as "deprecated".
Note that if that happens, it doesn't mean libxml2 is actually bad, it just means that it no longer fits the needs of the corporate overlords, and they need YOU to believe that it's no longer good so you won't waste their time with support requests.
CaptainFever•7mo ago
So like, regardless of the user of the software, one should understand that there really is no warranty, or promise of quality or support from FOSS.
If one (whether it be Debian or Apple) needs a feature, bug fix, or security fix, one can ask for it, but don't expect anything.
The best way is to do it themselves, and share their code if they wish to or are obligated to under the GPL. Or commission a programmer or the maintainer to do it. Or buy a support contract from the maintainer. Or encourage it by doing micropatronage and voting for it.