Open source community split over offer of 'corporate' welfare for critical dev tools

The free and open source software (FOSS) community is caught in a love triangle of sorts. Sourceware, a volunteer group that has been supporting various critical FOSS developer tools for more than two decades, is being courted by The Linux Foundation's Open Source Security Foundation (OpenSSF). The OpenSSF aims to improve open …

  1. ecofeco Silver badge

    They are way overthinking this

    Does the money come with strings attached? If so, how much compromise is required. Too much? Hardly any? None?

    There. Sorted. FFS.

  2. Anonymous Coward

    It was nice

    while it lasted.

    1. badflorist Bronze badge

      Re: It was nice

      Yep. The same can be said for anything claiming to still be "free" or "open". Everything is now corporate led or owned.

      1. Snake Silver badge

        Re: It was nice

        Yet everyone needs to eat. FOSS made off the backs of free, yet voluntary, labor can't last forever.

        Nothing wrong with doing this as far as I'm concerned, yet in any other industry someone would, invariably, start yelling "socialism!".

        Look, FOSS is great for people who choose to participate. However it should be noted that the solutions that FOSS brings to the table are only the solutions that coders are looking for themselves - FOSS only creates code that the voluntary coders are willing to tackle in order to solve their own problems.

        You'll get willing coders for projects such as office suites, because after all almost everyone needs it themselves...yet you'll almost never find FOSS code for urology MRI analysis, because the coders don't require such things in everyday living.

        This is the trap of FOSS, you'll get the popular stuff but be left out in the cold for anything beyond that.

        This is where corporate support can come in.

        So to turn a completely cold shoulder to corporate sponsorship is to ultimately limit FOSS to staying in the realm of only creating and supporting popular projects. FOSS will probably never grow beyond that which the majority of users and programmers need or want, because there will never be enough incentive to create outside the box.

        1. Ian Johnston Silver badge

          Re: It was nice

          yet you'll almost never find FOSS code for urology MRI analysis, because the coders don't require such things in everyday living.

          UMMPerfusion?

          Actually I agree with you, as long as we remember that scientists and other researchers are often quite keen to release free software as part of their work. There is probably a space between so-useful-that-lots-of-coders-need-it and so-specialist-that-researchers-want-to-share-it where FOSS is least likely to be found.

        2. that one in the corner Silver badge

          Re: It was nice

          You are correct that Open Source Software tends to be all about the programmers solving their own problems: "scratching their own itch".

          But I do find your examples to be backwards to my experience. Everyone wants to work on office packages, that is why they are there? Really? How many office packages are there (LibreOffice, OpenOffice, ??) and how many of those were actually started as FOSS when someone had an itch to scratch? (Hint: neither of the two I mentioned).

          On the other hand, proper text editors for programmers: there are far more of those than word processors. And highly functional (but not at all pretty) packages for consistently formatting text into convention posters, publishable papers, formal reports, books etc.

          If you look back on the old collections of FOSS that were passed around on floppy and CDR, you'll find that most of it (once you skip past the games) was written by and/or supported by scientists, researchers and the like. Lawrence Livermore Labs was a name I became very familiar with; good software came from there (no doubt still does). We knew about this because, well, you bought a CDR and that was pretty much all of the FOSS available; indexed alphabetically, you couldn't escape knowing about it. Which was a refreshing eye-opener: prior to that you only heard about programs if you happened to read a newsletter or paper that mentioned a new release, or by word of mouth (literally - Usenet, and access to it, came later!)

          Now, with so much available, perhaps you are only aware of the stuff that is publicised, reported on (El Reg included), that everyone knows about and/or what you yourself have looked for. There is still a very rich vein of FOSS outside of the mainstream, but in an odd turnaround we are back to word of mouth and occasional random references in El Reg comments to obscure packages.

          Having said that, sponsorship is always going to be useful, so long as there aren't too many strings.

        3. that one in the corner Silver badge

          Re: It was nice

          Almost forgot:

          > This is the trap of FOSS

          Why is this a "trap"?

          Are you referring to some commercial program that is only available on a commercial/non-free OS and having a FOSS counterpart would mean you could get away without the commercial OS, but you can't find such a FOSS program? Or an alternate commercial package that runs on your OS of choice?

      2. gerdesj Silver badge

        Re: It was nice

        There is still plenty of free as in libre in the old dog yet as the tired old mixed metaphor goes.

        Linux itself seems to work OK despite every sodding great entity contributing in some way. There are quite a few *BSDs running around and pissing on your foot to remind you they are in rude health (thank you very much)

        Oh what about (in no particular order and just a short sample):

        Blender, Krita, OpenSCAD, Pipewire, Mediawiki, Apache, nginx, caddy, Mesh Central, Rustdesk, LibreOffice, Nextcloud, NetworkManager, OpenVPN, KDE, Gnome, OpenNMS, Nagios, Icinga, Zabbix, Samba, MariaDB, Postgres, redis, MongoDB ...

        ... I've barely begun.

        Open Source is working fine.

        1. CommonBloke

          Re: KDE and Gnome

          Now they're fine. They weren't so much some years ago, back on their respective 3.x releases. Also makes me think of GTK and how each major version seems completely incompatible with the previous one without being much better. They're the Microsoft C++ redistributable packages of Linux.

  3. rnturn

    Is this really needed?

    How will this new organization prevent something like the Solarwinds fiasco? Refresh my memory... Wasn't that the result of a corporate network security screw-up allowing black hat access to commercial source code?

  4. amanfromMars 1 Silver badge

    The Otherworldly Power and Radical Energy of Spontaneous Unprecedented Majestic ACTivIT

    A simple priceless tweak and furthering development to bypass stalling circular discussion/cat herding in another way well suited to FOSS nature and culture is you put together a proposal, you start sharing that proposal with people you know, and you trust with leadership in the community. And then you and/or they expand that proposal to any number of public demonstrations/secure immediate applications, for there is nothing really able to stop them*, ..... an activity which is sure to cause more than just a little consternation to entrenched established hierarchies and autocracies, faux democracies and wannabe oligarchies for most of those have many guilty secrets to hide and not share, exposing as they would crucial information and critical intelligence easily proven decidedly designedly threatening whenever laid out bare for all to see with the disgust delivered by the despair and dysfunction endured because of its constant corporate pimping/pumping and dumping.

    Free and Open Source Software community opponents may squeal such actions with/in IT and AI be Great Game Changing Ventures on Global Reset Courses of Virtual Endeavour ..... and who/what would want to deny it and them that worrisome pleasure? They've earned it and all of the degrading and debilitating stresses which now follow accompanying novel changes and fundamental resets for all of their due diligence in the past, should they be responsible for it, to prevent the future finding any other way than that which exclusively fought and sought to server the obscene success of fabulous fabled fabless excess and great fortune theirs alone and to hell with all of the rest on the planet.

    * ....., other than fickle doubts which may bubble up to cause phantom troubling uncertainties within their good selves which are always best considered wisely ignored and left behind for the past to ponder on and wonder at.

  5. ChoHag Bronze badge

    > Over the past few years, it has become apparent that the open source ecosystem – which provides the software to run much of the internet, the economy, and our critical infrastructure – would benefit from a bit more rigor.

    Misattribution (aka. Bullshit).

    The open source ecosystem is doing fine. It has some complainers in it who think that "give stuff away for free" is the same as "gets paid for stuff", who can largely be ignored, and money-makers who take said free stuff, use it blindly and then later discover that they have got just what they paid for.

    Corporates are using the noise from the "free == paid" crowd as leverage to blame developers for their own lack of due diligence.

    1. Ian Johnston Silver badge

      FOSS developers: Our stuff is super-secure because so many people check it

      also FOSS developers: You need to check our stuff yourself because it may not be super-secure

      1. ChoHag Bronze badge

        > FOSS developers: Our stuff is super-secure because so many people check it

        This is self promotion & wishful thinking. It reveals more about anyone who believes it than anyone who says it.

    2. withQuietEyes

      I had the same reaction to that line. I'm not hugely up on the open-source community, but I cannot think of any part of it that has noticeably benefited from the "increased rigor" of being corporatized (because it hasn't provided any that I've ever seen).

  6. Missing Semicolon Silver badge

    Ah, control.

    The Linux Foundation is offering infrastructure, not money. Infrastructure ultimately under the control of the corporate members. Fishy?

  7. tekHedd

    Poettering

    Yes, let's make sure that every FOSS project has a Poettering driving its development, or at least checking that its goals and requirements are on board with the community's (aka big corporate's) best interests.

    There's a lot of misdirection and weaseling here but we all know what the core goal is. Now that we've got Linux under our thumb, what's next? Everything else.

    While I'm being skeptical, the whole "community is split" argument seems like it makes an assumption? Split? Sounds to me like only a few people want this. Title is equivalent to "let's teach the controversy" about evolution... there's no controversy--the first step in getting us to accept something nobody wants is to get us to accept that it's supposedly "controversial" because "some" of us want it.

    1. gerdesj Silver badge

      Re: Poettering

      I've been a Linux sysadmin for roughly 20 years. My first computer was a Sinclair ZX80 and I still have my C64 (it has USB these days).

      I have written some awful Miguel van S type initscripts that worked on Redhat/Mandrake and the like but failed on SuSE (inter alia) until I fixed (bodged) them there. I've written some awful Gentoo run/init scripts too. I shuddered at the Ubuntu init->upstart->systemd thing but put up with it for about a decade.

      That German bloke and his mates have come up with systemd and suddenly I'm able to write a pretty simple config file and drop it in and stuff just works. It is still sodding complicated and some of the design decisions are not my favourite but it is consistent and I can run up a unit that will work on Arch or RedHat with minimal effort.

      Windows and Apples had an init system that worked asynchronously and was modern. We had a load of things that looked like shell scripts but had a lot of overload - stuff that was added to $SHELL for boot. All that run level S and K stuff was proper old school. I remember fiddling with symlinks manually.

      I also remember using daemontools, or something named similarly, to run Qmail and a DNS daemon. I think it was a Dan Bernstein effort to do init well. It went so far but not far enough. It did keep my Qmail daemons running very well for some years.

      That's why systemd has taken over PID 1. It is modern, pervasive and works well. Feature creep? Perhaps but you don't have to use all of it. I often switch out networkd for NetworkManager.

  8. Anonymous Coward
    Anonymous Coward

    "The Linux Foundation, also a non-profit entity, is sponsored by, among others, Microsoft, Google, and Verizon; the conservancy is supported by Google, Mozilla, and others."

    So you either dance with the Devil or his wife. That's a helluva choice. Kind of looks like a US Presidential ballot...

  9. Henry Wertz 1 Gold badge

    Build infrastructure

    So, I saw the paragraph about the build system being owned by OpenSSF and run by a committee of companies with the actual technical people (who are after all the whole point of a build system...) getting 1 vote on a board, and I can see why there's some concern. To be honest, it'd probably be fine, but you effectively have an outsourced build system with 1 vote out of a committee deciding how it's run. If the board went crazy and were like "OK, we're running Windows 10 with Cygwin*" there's nothing the actual users could do about it.

    *Cygwin provides a more or less UNIXey environment on top of the Windows API (it's not using the NT POSIX subsystem or anything like that AFAIK), but fork() in it is quite slow and these build processes tend to be heavy on fork()'ing off many short-running processes, almost worst-case performance for a build system.
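The footnote above claims that a build is dominated by many short-lived fork()s and that a slow fork() is therefore near worst case. The following C program is an added example, not code from the article or from any commenter, that reproduces exactly that workload shape (fork a child that exits immediately, wait for it, repeat) and reports the cost per round trip, so the same binary can be run under Linux, a BSD or Cygwin and the numbers compared. It assumes a POSIX environment with clock_gettime(); the iteration count is arbitrary and nothing here models a real build's exec() or I/O.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Spawn n short-lived children one after another via fork(); each child exits
 * immediately, mimicking the tiny helper processes a build system launches.
 * Returns the number of children that exited with status 0, or -1 if fork()
 * fails.  If elapsed_ms is non-NULL it receives the wall-clock time of the
 * whole loop in milliseconds. */
static int spawn_short_children(int n, double *elapsed_ms)
{
    struct timespec t0, t1;
    int ok = 0;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;          /* fork() failed: out of pids/memory */
        if (pid == 0)
            _exit(0);           /* child: do nothing, leave at once */

        int status;
        if (waitpid(pid, &status, 0) == pid &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            ok++;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);

    if (elapsed_ms)
        *elapsed_ms = (double)(t1.tv_sec - t0.tv_sec) * 1e3 +
                      (double)(t1.tv_nsec - t0.tv_nsec) / 1e6;
    return ok;
}

/* Average microseconds per fork()+waitpid() round trip over n iterations.
 * Returns a negative value if any child failed to spawn or exit cleanly. */
static double us_per_spawn(int n)
{
    double ms = 0.0;
    int ok = spawn_short_children(n, &ms);
    if (ok != n)
        return -1.0;
    return ms * 1000.0 / (double)n;
}

int main(void)
{
    int n = 2000;               /* constructed workload size, not from the page */
    double per = us_per_spawn(n);
    if (per < 0.0) {
        perror("fork");
        return 1;
    }
    printf("%d fork()+wait cycles: %.1f us each\n", n, per);
    return 0;
}
```

Compile with `cc -O2 -o forkbench forkbench.c` and run it on each platform under consideration; on a native Linux kernel the per-cycle figure is typically tens to low hundreds of microseconds, and a much larger number on an emulated fork() is the cost the commenter is referring to. Multiply the per-cycle figure by the number of processes a real build launches (roughly the count of compiler, linker and shell invocations) to estimate the floor that process creation alone puts under build time.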
