
The email they shouldn't have read

https://it-notes.dragas.net/2025/10/08/the-email-they-shouldnt-have-read/
174•miniBill•2h ago

Comments

OptionOfT•2h ago
I hope one day we get to see real names in this story.
megiddo•1h ago
What's the point of this story? Bad actors win?

Here's a hot take: Name and Shame.

If this story is true, the author should be shouting their names from the rooftop.

Instead, we get this nonsense.

draga79•1h ago
The point is: always own your data
jimmar•1h ago
> What's the point of this story? Bad actors win?

Know your contracts. Read the fine print. Be careful who you do business with. Not all companies selling services for open source software embrace the ethos that we assume they do.

After reading the story, I can understand why somebody would not name and shame. The author could be inviting lawsuits from a company that clearly has no qualms playing dirty.

draga79•1h ago
Exactly!
lucianbr•59m ago
Something I read in the story is that the legal system fails to do its job: to make society fair. There are contracts and lawyers in the story, but they do not work toward ensuring fairness or justice, they work to help the company with more lawyers and less scruples.
bluGill•10m ago
I know of no legal system that doesn't fail in some way. Some are much worse than others, but all have flaws. Often correcting the flaws is worse than living with them.

Don't take the above as we should just accept the flaws. We should not. However what to do about them is a hard problem and we should not do something that makes things worse.

toss1•7m ago
can confirm — from a LOT of direct experience and having close family in the top of the legal profession — the legal system very much fails to do its job of making society fair.

First the US legal system leaves itself wide open to abuse. All the possible legal motions that exist to ensure someone gets their fair day in court can and will be used at the very least to abuse the system and delay, delay, delay that day, and increase expenses.

The courts are also wide open to abusive suits, and consistently fail to crack down on unethical lawyers who abuse the system. I was in a case where the opposing counsel had multiple federal indictments for stealing from his partners, got off on a technicality, and was still practicing law. Since he had no reputation to protect, he used every possible dirty trick to delay and disrupt things for a decade, and in the trial itself, and was still afforded EVERY professional courtesy at every step.

And, judges themselves often have opinions which contrast with the actual law and can put their thumb on the scale in 1000 subtle ways to ensure cases come out the way they want.

The justice system itself is literally failing itself because it is failing to strictly police its own ethics (and don't even start with the SCOTUS refusing to even make a code of conduct for itself).

Despite all this, it stumbles along with a better semblance of justice than in many other countries, but do NOT expect timely or truly fair outcomes.

The problem with being so lenient with its participants is that it functions until it does not, and when the overall population gets to the point where it perceives the justice system not working, it will build its own vigilante justice system, which will be occasionally more satisfying but will consistently work even worse.

NickC25•25m ago
>The author could be inviting lawsuits from a company that clearly has no qualms playing dirty.

Could it possibly involve a particularly litigious law firm masquerading as a tech company run by one rich asshole?

sam_lowry_•6m ago
Oracle?

Even RedHat is capable of such behaviour, and remember that the author is likely based in Italy, where companies run by crooks are the norm.

abirch•1h ago
The naming and shaming should be the top organic google result. People need to own their reputation.
Moosdijk•1h ago
>Here's a hot take: Name and Shame.

That's easier said than done, hence why Stefano probably didn't.

noirscape•1h ago
The point of this story is that open source can't protect you against a bully with a legal department at his command, and neither can it protect you against bad contract clauses. Frivolous legal threats may be frivolous, but you have to prove that in court and a lot of companies would rather take the easier way out to avoid having to do that.

The "FOSS" company never directly threatened the author, but the implication of it alone was enough to scare off both agencies. Given a lot of the tech is mixed up here on purpose, there's a few FOSS companies & vendors I can think of with legal departments that I'd describe as "pretty aggressive" and "expensive for a managed solution" that aren't solely about Exchange related services but would definitely behave like this, given their PR over the years at times has had slipped masks.

m-s-y•54m ago
> The point of this story is…

The point is that without the identifying information it might as well be a creative writing exercise.

Good anecdotes have power because they actually happened and are verifiable to some degree. This is neither.

poszlem•1h ago
This is the kind of story that perfectly captures why “open source” != “freedom.” You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.

The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.

The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.

This story should be printed and taped above every government IT procurement desk. If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.

draga79•1h ago
Totally agree (but I may be biased :-) )
mr_toad•1h ago
I disagree that you can’t own something that isn’t physically controlled by you. Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.

What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.

MYEUHD•1h ago
> I disagree that you can’t own something that isn’t physically controlled by you.

We're not talking about "something" in general, but about digital infrastructure.

> Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.

A better analogy is if you have a cryptocurrency wallet managed by Coinbase. You don't own. And they can in fact suspend your account (and probably take your crypto) if they don't like you.

manwe150•1h ago
I’m not sure that analogy contradicts ownership. Physical assets can be seized or stolen also (if Deloitte’s AI doesn’t like you) but it doesn’t negate the concept of ownership of those.

Maybe possession would be a more accurate legal term? You can own something that isn’t in your possession (eg might have been loaned, stolen, etc) or possess something that you don’t own (eg the other side of the transaction)

jbstack•1h ago
> I think people would be outraged if someone told them it belonged to the bank.

You might find it interesting to read about 2013 Cyprus bank levy then. The government unilaterally raided people's savings accounts, taking between 6.75% and 10% as a one-off tax with essentially no warning. When you put money in the bank you are implicitly accepting the (small but real) risk that the government will come along and say "I'm having some of that" and there's nothing you can do about it.

More anecdotally, I once had to help a family friend sue a bank for several tens of thousands of pounds in the UK because they refused to pay him back his balance when he closed the account and refused to explain the reason. It took a little over 6 months to get the money back. While researching the case, I discovered countless other cases in which businesses had gone bankrupt because of delays in recovering their money from the bank. Under UK legislation, banks can and do do this if they have "suspicions" of money laundering (which can be triggered for any reason whatsoever - the suspicion doesn't have to be reasonable). Not only do they not have to explain to the customer what those suspicions are, they are legally required not to. They can hold onto your money for up to 31 days and this can be extended to up to 6 months by a court order after a hearing which you will be excluded from and likely not even know took place until after the fact.

Legally you do not own your money in the bank. Instead you own a "chose in action" (https://en.wikipedia.org/wiki/Chose) which is the right to sue the bank for the money. Although it sounds similar to outright ownership, it's not the same thing.

NoMoreNicksLeft•39m ago
>I think people would be outraged if someone told them it belonged to the bank.

I have some bad news.

OutOfHere•1h ago
(deleted)
gipp•1h ago
How in the world did you read "hit piece on open source" into this article? There's nothing negative about open source at all, he's making exactly the same point as you.
chuckadams•1h ago
I'm no lawyer, but I would think the purposes for which they read your email and the actions taken subsequently are blatantly illegal, and would invalidate the entire contract.
Jolter•1h ago
Yes, but severing would end up in court versus a very belligerent party, who would do their utmost to cost you money. An organization that prioritizes safety over ethics will just suck up the extra cost, apparently.

There are companies and organizations out there fighting for what’s right in courtrooms. Invalidating troll-owned patents, striking down unfair contracts etc. Agency A was obviously not one of those organizations.

balderdash•10m ago
I worked for a very successful multinational that I think was relatively moral (at least very moral vs average - e.g. we at least stood by our commitments and contracts and didn’t try and re-trade them if they went against us) and they took the approach that they were never going to be a “soft target”: nuisance law suits - litigate don’t settle, unethical behavior by vendors or customers - we’ll see you in court. It was probably more expensive for a decade or so, but over the long run it saved a ton of money and hassle.
adrian17•1h ago
Maybe I'm confused with the timeline but the actors involved, but:

> The company offered a managed version with its own proprietary additions

Doesn't sound like open source to me?

charles_f•59m ago
I think it's one of these "reading the letter of the law" instances. European laws (or rather, laws in European countries) often mandate public sector to use open source. The reasons vary, some of them are about promoting interoperability, and avoiding vendor lock-in, digital sovereignty, and the EU commission has a principle of "public money = public code".

So using open source on someone else's computer technically fulfills that requirement, without completing some of the reasons why the requirement exist (vendor lock-in in this particular instance is particularly laughable).

elijahcarrel•1h ago
I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.

For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.

For two: completely inconsistent. Let's take these two paragraphs:

> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.

> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.

So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?

And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"

Overall an annoying read.

MontyCarloHall•55m ago
I agree it's not written in the clearest way, nor verifiable (though Stefano Marinelli does seem to be a semi-public figure in the online IT community, so it's not some anonymous blog).

>So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine".

This confused me too, until I realized that he probably meant that his company set up the hardware infrastructure ("reputable IP classes, redundant datacenters"), but doesn't manage the software. Otherwise, why shred your own credibility from the first sentence by crapping on the "ancient," "insecure," and "ineffective" Exchange server?

>How can the price be both "reasonable" and "absurd?"

Agreed, this part makes no sense.

draga79•53m ago
The price was reasonable given the average quotes received by similar entities and the prices on the market, but it was absurd when considering the service provided. Perhaps I didn't make that point clear, and I'll likely modify it slightly. The concept is that the price, which was initially acceptable to them, was in fact absurd when viewed in terms of what was being provided.
MontyCarloHall•50m ago
Ah, that makes sense. I would update it to say something like "the price was competitive with the generally overpriced market."
draga79•47m ago
I've modified this sentence, I hope it's clearer now:

They had already received a proposal - expensive but, when compared to similar offers made to other organizations, apparently reasonable — for a managed service hosted by an external provider and based on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support.

The catch? While such pricing had become almost "normal" in the market, it was still wildly inflated considering what was actually being delivered. Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything running smoothly. We had built and maintained that environment for years, and it was still performing perfectly.

MontyCarloHall•46m ago
Perfect! Exchanges like this are why the internet is still a great place.
draga79•43m ago
PS: thank you for your suggestion!
draga79•55m ago
Updating Exchange would have meant spending a lot on new licenses to upgrade to a new release, and public administrations were encouraged to seek open-source solutions. The underlying server infrastructure was solid, but the VM with Exchange was now old. The entire setup would have needed to be redone. The second paragraph, on the other hand, says that the quote was "acceptable" for them, knowing the average costs for that service. But it was also very high, even in the opinion of the IT manager.

This isn't AI slop. These are real-life experiences. The goal is to raise awareness that open source doesn't always and necessarily mean freedom: lock-in exists.

jotaen•47m ago
> I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.

> For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.

I’m not sure why this would be surprising: it’s a personal story shared on a blog, not an investigative article in a newspaper.

I also don’t think it helps calling everything “AI slop” these days only if one doesn’t like it for some reason.

Workaccount2•1h ago
So make sure you fully read the fine print before signing an agreement for something.

You should do this for consumer stuff, but it's mandatory for business stuff.

morkalork•56m ago
I'm curious about how the "unilateral amendment" works. If you didn't like the fine print in it, do you have to give your six month termination notice then and there?
danaris•21m ago
If they unilaterally amend the contract to go from 6 months' notice to 12 months' notice, then presumably you'd have to give your 12 month termination notice then and there...

...and hope they don't unilaterally amend the contract in the interim to allow them to retroactively extend the termination period.

AFAIK, "unilateral amendment" should be considered at least very suspect by most courts?

arethuza•19m ago
Unilateral amendments appear to be fairly standard legal things:

https://www.oncontracts.com/unilateral-amendments/

exe34•18m ago
doesn't it defeat the point of a contract?
kevin_nisbet•6m ago
Yup, even for smaller business stuff. For a non-profit I'm on the board of, the staff wanted a more useful printer/copy machine than just a store bought thing, it's a small office, so I said sure find something and let us know.

So I get a contract and am told it's been vetted and I should sign it. What I found was outrageous.

- If we cancelled for any reason, including if they just didn't do any of their terms in the contract, we owed the full price of the remaining contract immediately.

- The way they structured it was also as a rental, so we were paying full price for purchase of the equipment embedded into the term of the contract, but it was the vendor's equipment, so if we cancelled we still paid them full price for the equipment, and they got to keep it.

- If there were any legal disputes, no matter which party was at fault, my side would pay for all the lawyers.

I said nope, can't do it. And my staff were pissed at me for like a year because everyone just signs those things.

m-s-y•58m ago
What’s the point of not naming names? This could easily be just a creative writing exercise.
bluGill•16m ago
The truth is not a defense against libel laws in all countries. Depending on where this is the poster could be out a lot of money just for naming names. As such not naming names is the safe answer.

Even in the US where the truth is a defense, you still can be out a lot of lawyer fees because you can be sued for things you say and it can cost a lot of hours in court.

93po•8m ago
A company with a history of threatening baseless lawsuits, combined with possible NDAs, or possible professional backlash when a lawsuit-happy company threatens a former employer. Not worth it for a blog post.
justin66•41m ago
> However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences.

Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?

citizenpaul•10m ago
I feel like many HN'ers have been in this situation.

I was once in a confidential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.

In less than an hour from that commit (I didn't know at the time) I was stuck in a firestorm WTF DID YOU DO battle between the two CEOs of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non-renewal at the end of the contract, so not even anything shady. I didn't find out till later about how they were spying, so there was this huge witch hunt about who was the rat and such. It was awful.

It seems this level of sociopathy is just the norm these days and I'm just an old fuddy duddy doing regular honest work.
