back to article When software depends on a project thanklessly maintained by a random guy in Nebraska, is open source sustainable?

It's been nearly five months since the SolarWinds hack came to light, causing lots of chin-scratching about vulnerabilities in the software supply chain. Well, here's a vulnerability for you: what if the open-source project that powers your business software falls foul of a show-stopping functionality bug or security flaw? …

  1. Doctor Syntax Silver badge

    "Companies paying a commercial vendor for their software can typically pressure them for a bug fix, and it's unlikely that the commercial entity will vanish overnight."

    That's a couple of fairly large assumptions. Apart from the bug being assumed to be a feature.

    1. Pete 2 Silver badge

      The dominos fall

      > it's unlikely that the commercial entity will vanish overnight

      Yes. A massive assumption. There is a whole domino effect here.

      An open source developer loses interest (or gets a partner / starts a family / gets a job). They simply stop working on a project. A commercial outfit that relied on it decides that their programmers aren't clever enough to deep-dive into the software and so declare their product as reaching end-of-life.

      All their customers are recommended to use a commercial alternative at a much higher cost (due to the cost of support staff ... and profit)

      1. HildyJ Silver badge
        Linux

        Re: The dominos fall

        It's a false dichotomy.

        In addition to proprietary software, some large corporations hire programmers devoted to developing open source software and releasing it to the community (often to the community's approbation).

        Some companies, and even project teams, offer enterprise support for a fee.

        Some small companies don't have the technical expertise to fork a project or the wherewithal to hire a programmer to do it.

        We tend to mythologize the lone coder in Nebraska working for the love of code. But, ultimately, if open source is going to thrive and not just survive, projects need a business model and, ideally, a succession plan.

        In the meantime, I'm retired and just an individual user but I try to give some money to projects I use, if I can find a mechanism. Hopefully the rest of you are doing the same.

        1. sad_loser

          Re: The dominos fall

          This is why there is very little OS in highly regulated organisations like the NHSD - that and the FUD from existing players.

          What do I do? I have annual subscription to POP-OS but that is only $12. I would quite happily sign up to donate £500 / year to a foundation focused on good quality OS products.

          Meanwhile I show my support by buying System76 products.

    2. Janne Smith

      "Apart from the bug being assumed to be a feature."

      Or Oracle's approach, which is to only fix bugs in a future major release rather than in a minor version of the current release. In several cases that meant waiting literally years for a fixes.

    3. gobaskof Silver badge

      "it's unlikely that the commercial entity will vanish overnight"

      That seems like bollocks, but more importantly commercial entities abandon software all the time. If you build your business on a software/framework that a company discontinues you are out of luck. With OSS, you are in practice out of luck too, but you have the options of trying to maintain the software yourself, or trying to co-fund a developer to take on the project.

      I am not denying there is a problem with OSS funding. But saying that relying on proprietary software is more stable appears to be a statement built upon bias rather than evidence. It depends on the context. We have seen RT linux outlive commercial soft realtime OSes like PharLap. But, that does not mean you should build your business about a GitHub project with a commit a month for the last 2 years (you could always hire the dev to keep the project alive). Context is everything.

      1. snadrus

        Why as are languages open source? Because the commercial languages getting bought by competitors and EOL'ed killed of many programs. I helped scramble a replacement for 2

        apps each in languagess that died suddenly this way.

        This article is a smear piece. Most major open source is corporate-built so the idea that companies must own everything is also bogus.

        Wonder why? Check out the new owners.

        They can't handle open source winning.

    4. John Miles

      Re: unlikely that the commercial entity will vanish overnight.

      Thinks back to last redundancy, to most of the customers and staff a software company did just disappear overnight leaving several companies desperately looking for support/replacement for a critical system.

      1. Muppet Boss Bronze badge
        FAIL

        Re: unlikely that the commercial entity will vanish overnight.

        The comparison made by the author fails to convince, Heartbleed announcement came with a set of patches, Solarwinds issued the first set of patches in 2 days after the announcement and the 2nd set of patches in 11 days. It looks like the open source model provided better response times than a commercial entity.

        It is rather unlikely that a popular open-source product will vanish overnight: if the developers leave, there will be others willing to carry on. Commercial support for popular open-source products is not a problem either. However, it is very real to imagine a commercial product being discontinued and withdrawn overnight or on short notice without replacement options, it is not even that unusual.

        One can only hope that when a product is discontinued, the company open sources it so that it can get a second, hopefully more successful life.

      2. fairwinds
        WTF?

        Re: unlikely that the commercial entity will vanish overnight.

        Let's not forget the whole Final Cut Pro fiasco. Expensive software, terminated overnight. Some of us bought Mac Pro's just to use that software. That isn't even the worst of it. The "replacement" options can't read the old FCP project files. So the only way to modify/update an edit is to recreate it from scratch by looking at the final programme and working out where all the cuts and all the original source materials were. You could make an argument that the editors IP is encapsulated in a proprietary Apple format, never to be retrieved, again.

        This isn't an Apple thing, either. Oodles of companies decide they don't want a product any more and just pull the plug. We've all either been on the sharp end of that practice, or worked on a team who've been told "you're not doing that any more. you're being re-assigned."

        In short, the idea that commercial software doesn't vanish, and OSS does, is silly and suggests a deep bias against OSS.

  2. Ben Tasker Silver badge

    > Companies paying a commercial vendor for their software can typically pressure them for a bug fix, and it's unlikely that the commercial entity will vanish overnight. That's less true for open-source software (OSS) projects, which are often maintained single-handedly by a random person somewhere as a hobby.

    This isn't an accurate representation of reality.

    There's some commercial software we use where the team is 3 people, and support is via a mailing list. The only difference to an opensource project being that the code isn't opensource, which brings the added risk that we can't just fork the software if it goes under or the maintainers walk away etc.

    The article paints it as "opensource vs proprietary" but actually the example it's given is "small dev team vs big software house".

    Microsoft/Oracle etc are unlikely to vanish overnight, but then, nor is Redhat - the fact that MS/Oracle are closed source is incidental.

    Whether it's open source or not, you should be doing some kind of a risk assessment on your dependancies. If something you depend on goes away or doesn't get a fix to a serious vulnerability, the initial impact is the same. Whether or not it's opensource might just decide whether you can continue on from that point or not.

    1. Doctor Syntax Silver badge

      I'm reminded of the situation where we had some commercial source code but not enough to compile the full application. After having the second Friday lunchtime interrupted by a bug in a weekly program run I spent the afternoon working through the code to find the bug. Even after reporting it to them, including how to fix it, it took a few weeks before we got the revised binary. I wouldn't be surprised if the same dodgy coding practices were hidden in more of their programs.

      1. John Brown (no body) Silver badge

        I wondered if part of the reason is that open source is pretty much licenced "as-is" while commercial stuff is paid for and may have legal implications if a fix is pushed out without checking it isn't going to bork your customers. Then I remembered MS updates, especially with regard to printers.

    2. FIA Silver badge

      The article paints it as "opensource vs proprietary" but actually the example it's given is "small dev team vs big software house".

      The example is small _unfunded_ dev team. That's the point.

      In your example I assume you pay for your software maintained by a team of 3, I would hope they charge enough to fund development? If they do then even should they decide to jack it in they still have a commercially viable product that can be sold.

      If an open source maintainer gives up because it's not fun and not worth their time, there's little you can do other than fork it.

      Whether it's open source or not, you should be doing some kind of a risk assessment on your dependancies. If something you depend on goes away or doesn't get a fix to a serious vulnerability, the initial impact is the same. Whether or not it's opensource might just decide whether you can continue on from that point or not.

      Yeah, pretty much this. :D

      1. Doctor Syntax Silver badge

        "If an open source maintainer gives up because it's not fun and not worth their time, there's little you can do other than fork it."

        And the ability to do that is because it's open source. I remember looking at the description of some S/W, thought it might be useful to the business I worked for and then the company that wrote it got bought up by Microsoft and that was the last I ever heard of the product.

        1. Cuddles Silver badge

          It depends what you mean by the ability to do that. Sure, in theory it means you can just fork it yourself if the developer stops supporting it. But in practice, the reason you weren't developing it yourself in the first place is likely because you lack the ability to actually do so. It doesn't matter if that's a lack of technical skill, financial resources, or whatever else, if you were having to rely on an underfunded volunteer developer, that doesn't bode well for your ability to replace them if they quit.

          1. Terry 6 Silver badge

            Yes, in effect this is little different from a home user relying on an OSS programme that has annoyances/bugs/incompatibilities. So that even if the developers agree that this section isn't up to standard or whatever, it may never get sorted out. because it's their hobby, and what they want to be doing is writing new and interesting stuff, not going back and reviewing something they finished with a long time ago.

            Except a home user isn't usually relying on it for their livelihood.

            The moral of which is that if you want to use s/w to make money with you should damned well pay the developers for it, just like you would any other business expense.

          2. Anonymous Coward
            Anonymous Coward

            "But in practice, the reason you weren't developing it yourself in the first place is likely because you lack the ability to actually do so. It doesn't matter if that's a lack of technical skill, financial resources, or whatever else."

            That's not always the case - alot of the time on projects I've been involved with there is just no point reinventing the wheel. It's just path of least resistance for many projects.

            When it is path of least resistence though, my big concern is less about needing to fork abandoned projects, and more about what happens if a to-be-abandoned project is randomly given to a new maintainer that has malicious intentions. How often do people vet the packages they're bringing in on a regular basis? Do they freeze versions, or just specify a minimum version etc.

            I've never checked but hopefully dependabot and things like that could flag packages as malicious, as they do for vulnerabilities.

          3. rcxb Silver badge

            But in practice, the reason you weren't developing it yourself in the first place is likely because you lack the ability to actually do so.

            Unlikely. The #1 reason is because somebody is doing it (for free) for you already, so why put any time/effort/money into it when it needs none? When the project dies, that calculus changes.

            Also, if you can't afford to fund a few modifications to an open source project, what are the chances you could have afforded the license cost for the proprietary version in the first place?

            I know of MANY small companies that have gone out of business when a proprietary piece of software (which they relied on) changed its license terms or greatly increased the price. I can't think of ANY cases where an open source project being abandoned resulted in the same... When its open source you have so many options, where with proprietary software you have just the one choice.

        2. Mark 65

          I remember when I worked for a large international bank. For certain key software packages they insisted as part of the licensing agreement that the source be escrowed such that if the vendor went out of business or decided to orphan the code they would get the source code.

          I also worked on the other side of the divide and this type of agreement was commonplace from financial clients.

    3. blah@blag.com

      "Whether it's open source or not, you should be doing some kind of a risk assessment on your dependancies"

      Spot on. If your business is not managing risks then you're a risky business.

    4. tiggity Silver badge

      @Ben Tasker

      "Microsoft/Oracle etc are unlikely to vanish overnight"

      No, but they can stop supporting software / hardware / combinations thereof & leave people in hassle.

      .. one reason why many devs reluctant to jump onboard MS "latest & greatest" new shiny thing as they often end up discarded (SilverLight, windows mobile development (& huge incompatibility between versions) anyone?)

      1. Gene Cash Silver badge

        > .. one reason why many devs reluctant to jump onboard MS "latest & greatest" new shiny thing as they often end up discarded (SilverLight, windows mobile development (& huge incompatibility between versions) anyone?)

        Hell, how many things has Google abandoned? It's so bad, there's whole websites tracking it.

    5. unimaginative
      Pint

      Proprietary software often has open source dependencies, and commercially supported open source is likely to have dependencies

      Here is a list of open source components shipped with MS products: https://3rdpartysource.microsoft.com/

      1. Displacement Activity

        Here is a list of open source components shipped with MS products: https://3rdpartysource.microsoft.com/

        That's impressive. But it would be more impressive if large parts weren't 'Redistributed OSS', bits for Android, and so on.

    6. Max Pyat

      I think the risk assessment comment is almost the key one.

      The scenario painted is of companies that find handy open source projects, and then build critical infrastructure on top of that: paying nothing and assuming the project will be there forever and will deliver the bugfixes and features the companies need.

      This might well be the case, but if so the fault is entirely with the companies using the software: they need to assess and manage the risks. If you're buying from a commercial vendor, you put clauses into your contracts. If you're looking at an open source project, there are ways to do that too.

      On the positive side: the article highlights just how little money it would take to bank-roll some of these projects.

    7. Mark 65

      Companies paying a commercial vendor can be sure they'll be fucked somewhat harder somewhere down the track.

      For OSS you have the source code. If people stop developing it you have the option of continuing yourself or paying someone to do so for you. For commercial software if it is end of life then that's it. If the owner decides to take it in a direction you don't want to go then that's tough.

      Ben's last paragraph is important. I'd rather have access to the source but sometimes you don't have that option.

  3. iron Silver badge

    > what if the open-source project that powers your business software... goes belly up altogether because the maintainer leaves?

    IT'S OPEN SOURCE STUPID.

    You pull the code and fix it, duh. I've done it before and, no doubt, I will do it again.

    Here's a question for you Danny Bradbury...

    What if the closed-source project that powers your business goes belly up because the company behind it goes bankrupt? How are you going to fix THAT code?

    1. Snake Silver badge

      "Fix it"...?

      You are erroneously assuming, as a programmer/techie, that every business house had the ability in terms of technical wherewithal to just open up the source code and make it their own.

      This is the major failing of understanding to the entire OSS / Linux community: the largest majority of those who interact with computers are plain-Jane users and are NOT technically advanced. The vast majority of the users sitting in front of their computers have NO idea how this thing works, let alone how to read a line of code.

      "Just fix it" for these users is the equivalent of Musk calling them from SpaceX, "Our rocket has gone off course, we need a solution now!"

      1. FIA Silver badge

        Re: "Fix it"...?

        You are erroneously assuming, as a programmer/techie, that every business house had the ability in terms of technical wherewithal to just open up the source code and make it their own.

        Even as a programmer I'd say that's a bold assumption. I work with some very talented people but that doesn't mean we could instantly pick up all the open source projects we use, either due to manpower or skillset.

        Not every programmer can program everything in every language.

        1. Terry 6 Silver badge

          Re: "Fix it"...?

          Or, if I remember my amateur programming days of 35-40 years ago, making sense of someone else's code, even if it's full of helpful comments, is a nightmare. And any fork created without a considerable amount of study is likely to be a bug ridden hell-site.

        2. Anonymous Coward
          Anonymous Coward

          Re: "Fix it"...?

          "Not every programmer can program everything in every language."

          Which is precisely why I advocate to only use projects which are in our existing skill base. If we start using something written in Go we are fucked if the maintainer stops. If we start using something in C# we are in a much better position as we are an MS shop. Does this mean we may not be using the best approach for the task? Yes. But we are much better protected from risk.

          1. Version 1.0 Silver badge

            Re: "Not every programmer can program everything in every language."

            But FORTRAN programmers can write FORTRAN programs in any language ... when I first heard this back in the early 90's, I thought it was a joke but later I worked with a FORTRAN programmer who moved everything to Pascal and C flawlessly.

      2. boblongii
        Flame

        Re: "Fix it"...?

        You are dodging the question - what would you do if a closed-source vendor went bust that is any better or even no worse?

        "This is the major failing of understanding to the entire OSS / Linux community: the largest majority of those who interact with computers are plain-Jane users and are NOT technically advanced. "

        What a load of crap. "This is the major failing of understanding to the entire proprietary software community: the largest majority of those who interact with computers are plain-Jane users and are NOT shareholders able to dictate the company's business practices."

        It's just meaningless gibberish. What do these "plain-Jane" users do when they need a feature added to or improved in Word. What do they do about the fact that Outlook is a steaming turd of an email client? How does closing the source and paying a license fee to the company improve their experience in any way?

        1. Snake Silver badge

          Re: Dodging the question

          You are missing the real point: you are paying for both the software and support of said software.

          Therefore there is a much larger chance that the software supplier will remain committed to maintaining the software and servicing its customers...because they have a direct financial interest in doing so. Staying in business, keeping that software rolling in support and updates, keeps food on their table.

          It that guaranteed?? Not in 1 million years.

          But where's the incentive, beyond pride, for the OSS programmer to continue on a project that has grown too complicated or demanding?? It's simply not there. They are not getting money from it - indeed, as this story proves, it is a drain on his / her personal resources. They continue on the project by the grace of their will.

          Which can be terminated when he / she realizes that the project is just no longer worth the energy put into it.

          1. boblongii

            Re: Dodging the question

            "You are missing the real point: you are paying for both the software and support of said software.

            Therefore there is a much larger chance that the software supplier will remain committed to maintaining the software and servicing its customers...because they have a direct financial interest in doing so."

            You are not making any sort of coherent argument. There's nothing about Free Software that prevents you from supporting it financially while at the same time having much more influence over how it is developed than you ever will with something from Oracle, Apple (ha!), or MS.

            I see this crap all the time: companies who fork out for licenses to use a bloody word-processor in this day and age are happy to base their whole company on a Linux-based fileserver and never consider the idea of contributing to any of the software on that box that they depend on.

            The whole tenor of the argument is that the problem is with the people supplying the free software.

            "Hi. I'm a parasite on your whole industry and I just want to say how disappointed I am in your attitude to continuing to work for free."

            When software depends on a project thanklessly maintained by a random guy in Nebraska, maybe you should be making some effort to make sure he's happy - or to find another less random guy to do work you want done. Which you can, since you have the source!

            1. sabroni Silver badge
              Facepalm

              Re: Hi. I'm a parasite on your whole industry

              You miss the fundamental problem. There's an imbalance in open source software between those who do the work for fuck all and those who are making billions out of it.

              You solution to that seems to be "hope the billionaires will start to spread the wealth around".

              Good luck with that.

            2. Anonymous Coward
              Anonymous Coward

              Re: Dodging the question

              "Hi. I'm a parasite on your whole industry and I just want to say how disappointed I am in your attitude to continuing to work for free."

              If they chose to give it away for free then it is impossible for me or anyone else to be a parasite - it is being used as intended.

          2. Version 1.0 Silver badge

            Re: Dodging the question

            I've seen a lot of OSS written as part of a PhD and worked to help them. But once they graduate they move on to get a job in a related field but with zero interest in continuing to work on an old project. It's OSS so you would think that commercial organizations could take over and maintain it but their programmers virtually never fully understand the field that the original author worked damn hard in for years to get their degree.

      3. HereIAmJH

        Re: "Fix it"...?

        This is the major failing of understanding to the entire OSS / Linux community:

        It's not a failing of the communities, it's a matter of perspective. If you have the code, you have the option of fixing it yourself or PAYING someone else to do it. You don't have to depend on the maintainers to address your concern. OSS isn't a guarantee of a free ride.

        And people who contribute to OSS projects do so in many ways, not just coding. You can code, write documentation, test, give $$$, help manage the community.....

      4. doublelayer Silver badge

        Re: "Fix it"...?

        Most businesses do not have the ability to immediately pick up the source of something that has been dropped. No businesses have the ability to do that with something that doesn't have source available. This is the core difference. It doesn't make open source perfect, and it isn't, but it does mean there are some options available. Only if commercial software has a significantly longer life would the comparison work.

        Unfortunately, it does not. Proprietary software gets dropped all the time. It's very frequent that some business doesn't think a product is worth supporting and cuts its funding. Just because it was charging for it doesn't mean they have the money to afford continued support or were using the money for that purpose. If the company goes bankrupt, cancels the project, fires the workers, doesn't replace the workers when they quit, or anything similar, the software dies. The user of the software has to balance the cost of the support contract with their estimate of whether the developers will continue to support it. I don't have the same confidence you do that a small team with few resources, even producing commercial software, will continue to support it long-term.

      5. Christian Berger

        Re: "Fix it"...?

        "You are erroneously assuming, as a programmer/techie, that every business house had the ability in terms of technical wherewithal to just open up the source code and make it their own."

        Well if your business depends on software you cannot maintain yourself, maybe you should not be doing that business. It's like running a restaurant without having staff that can cook. It's like running a factory without a mechanic on hand.

        1. David Neil

          Re: "Fix it"...?

          So if I decide to use a spreadsheet to do my business forecasting, you suggest if I can't do the same by hand on paper that I should hire a developer just in case?

          1. Max Pyat

            Re: "Fix it"...?

            I think it would be more appropriate to say you need to know enough to manage the risks. So if you're using a spreadsheet package, you need to understand where you use it in your business, what the dependencies are, what the impacts of outage are, and so on.

            At that point you need to manage the risk: if it's a proprietary package, that means reviewing the supplier, including their financials, code-escrow, and so on; if it's open-source, then it could mean hiring a developer yourself, or it could mean getting a commercial support contract outside your firm: that might even be bought from the core dev-team.

          2. doublelayer Silver badge

            Re: "Fix it"...?

            "So if I decide to use a spreadsheet to do my business forecasting, you suggest if I can't do the same by hand on paper that I should hire a developer just in case?"

            No, I suggest you review the spreadsheet program you are using. What is the likelihood that the company that makes it stops supporting it? What will you do in that case? If it's Microsoft Excel, then the likelihood is very low and you have alternatives which support the format. If it's Excel365, the likelihood of trouble is higher so you should ensure the data is also available on-site, but the format is still open so you have alternatives. If it's LibreOffice, then it probably won't get dropped, it will keep working for a bit if it does get dropped, and it can export to common formats. And if it's somebody else's spreadsheet program which doesn't use common formats, then you should at least know what you will do if you need to move elsewhere. It's crisis management. Just like a plan for what you will do if your office power fails, you should have a plan for anything critical to business operation if you are responsible for managing that.

            1. Terry 6 Silver badge

              Re: "Fix it"...?

              An example for consideration here is encryption software. Irrespective of algorithm used each programme only seems to read its own encrypted files (or maybe some forks).

              So if one day you find that the software which reads a precious file has gone wrong and needs reinstalling you'd best pray that either you have a copy to install from or it's still available and compatible.

              Because if that programme isn't still out there you're f*cked.

              There are several promising sounding programmes that deserve a chance- but I'm not going to be the brave soul who uses them.

              1. Danny 14 Silver badge

                Re: "Fix it"...?

                true story in a previous place of work. They had an ancient BMS system that had software designed for windows 2000 and XP with a fairly specific Java JRE. This was windows 7 era circa 2014 so XP was already EOL. They managed to get a VM spooled up with XP on it, had the BMS running on a closed network. The cost of maintaining the VM host and an XP VM was quite high - the licensing for an XP VM was quite odd as MS didnt recognise XP as a valid OSE at the time, the company simply kept an old box copy of XP, licenced the host with server and "hoped this would be fine".

                The plus side was that the VM could be transported to new hardware if it failed. I beleive this BMS and software is STILL GOING. I have no idea how they are licensing JAVA now that the model has changed...

        2. Terry 6 Silver badge

          Re: "Fix it"...?

          Incorrect. If cooking is what they do ( or any other business) then there are a host of other activities that are peripheral that they may/should/could not do for themselves. Like, in that example, such things as oven repair, flue cleaning, even pastry (though that serving a crap artificially coloured, synthetic,bought-in dessert after a good dinner thing is truly annoying)

      6. DevOpsTimothyC Bronze badge

        Re: "Fix it"...?

        "You are erroneously assuming, as a programmer/techie, that every business house had the ability in terms of technical wherewithal to just open up the source code and make it their own."

        The source code is there. Even if there is no one currently on staff who can fix it you can hire someone, or contract out for somewhere to do it.

        In terms of the other side of the argument that seems to be "Closed source is well funded and can fix bugs". My experience is that on a number of occasions the bug fix includes "That is fixed in the next version that is only supported on ..." which forces a company to upgrade the rest of their systems. As most companies have multiple pieces of software with custom code to join them all up effectively negates the fix. After all what good is a fix you cannot apply?

  4. steelpillow Silver badge
    Facepalm

    Bullshit

    If a F/LOSS project goes titsup and it matters, somebody else will step forward and carry the torch. You can even get off your arse and do that yourself. It has happened over and over again.

    If a proprietary project goes titsup, whether by accident or (surprisingly often) design, you are FSCKED. It has happened over and over again. There is even a word for it: lockin.

    Do you want to believe the lessons of history, or this pile of Trump-worthy animal excrement?

    1. hoola Silver badge

      Re: Bullshit

      CentOS?

      Look what has happened with that........

      1. hutchism

        Re: Bullshit

        Forked. Now Rocky

        1. stiine Silver badge

          Re: Bullshit

          Forked and still rocky.

    2. LDS Silver badge

      "somebody else will step forward and carry the torch"

      Wishful thinking - there's plenty of abandoned FOSS nobody stepped forward to maintain them - users just made what they would have done with commercial software - looked for and switched to an alternative.

      1. steelpillow Silver badge
        Facepalm

        Re: "somebody else will step forward and carry the torch"

        "there's plenty of abandoned FOSS nobody stepped forward to maintain them"

        Dear, dear LDS. You appear to have accidentally missed the bit about "if ... it matters" (one cannot politely assume you did so on purpose). I am sure you will agree that there's plenty of abandoned FOSS that didn't matter.

        1. Max Pyat

          Re: "somebody else will step forward and carry the torch"

          And it can almost certainly still be picked up and maintained if it "becomes relevant" or "starts to matter"

          This whole thing is an ill conceived discussion. The issue is about businesses managing their risks.

    3. Snake Silver badge

      Re: Bullshit

      There is absolutely no guarantee of this. A lot of FOSS software is begun by someone who wanted something accomplished, and then it gets out into the wild by others who want the same solution.

      But wanting a solution, and getting involved in crafting the solution, are 100% different things.

      Even programmers must decide if getting involved in picking up someone else's abandoned solution is worth the concerted effort.

      1. steelpillow Silver badge
        Facepalm

        Re: Bullshit

        "There is absolutely no guarantee of this."

        Dear, dear Snake. See my reply to LDS

        You think proprietary product has a better track record? Think again!

        1. Snake Silver badge

          Re: Better track record??

          Absolutely, 100% not, you are absolutely correct.

          My point of the discussion is, still, that pay for work gives an incentive to actually do that work. F/OSS often has very little, if any, financial incentive, so the programmers find other incentives like pride, sharing knowledge, belief in the benefit of free exchange, etc etc. But these alternative incentives can, pragmatically, need to be pushed aside for the attainment of other goals; sometimes the stress or effort of keeping food on the table via your paying gig forces you to push your side/hobby pursuits aside.

          So, if your paying gig is the code, there is a greater chance of sticking with said code versus doing it as an unpaid side, when the manure hits the grindstone of real life difficulties.

    4. Anonymous Coward
      Anonymous Coward

      Re: Bullshit

      How do you define matters? It can matter to 1 person/company, or 1000. Non of which may have the ability to pick it up. Pretty much the same position as proprietary. Now if it matters to millions yes it is likely someone will pick it up, but your blanket claim is, as you so elegantly phrased the title, Bullshit.

      1. Mark 65

        Re: Bullshit

        It may have gotten picked up, but just look at the state of the OpenSSL code base (patch, patch, bolt-on, patch) and how everyone promptly shat themselves when they realised it. It did get done, but just look at the state it had gotten into beforehand and that's one of the most used OSS libraries there is and not one that just anybody can have a crack at.

  5. Anonymous Coward
    Anonymous Coward

    Even little things.......

    Many current laptops don't have CapsLock or NumLock lights on the keyboard.

    For years now I've solved the problem (on Fedora/XFCE) with a little XFCE plugin (called xfce4-kbdleds-plugin).

    Then last month Fedora 34 was released and this plugin wasn't updated and the F33 version wouldn't install.

    *

    Turns out that the original author touched the code last in 2011, and has long since decided to move on. No probs here with their decision!

    But a huge surprise that this useful little utility worked fine for ten years with no maintenance.

    *

    I've written an XFCE notification which pops up if either keyboard lock is pressed.......not ideal, but better than nothing.

    1. oiseau Silver badge
      Facepalm

      Re: Even little things.......

      ... original author touched the code last in 2011, and has long since decided to move on.

      Indeed ...

      Reminds me of the path taken by a very neat, simple and fully functional syncing application writen for Linux and Blackberry phones, Barry.

      Yes, it's 2021 and I still use a 9320 but every so often have to fire up an XPSP3 VM and use RIM's awfully convoluted and (really) shitty software which didn't even include a desktop organizer application.

      All kudos go to the chap who wrote jpilot (www.jpilot.org) for Linux and keeps it current.

      Yes, it's 2021 and I still use a Palm E2 and a Palm T|X.

      And I was using a Palm IIIxe (uses 2xNiMH AAA that do not explode) up to a couple of years ago, just thanks to him.

      Only mothballed it because my eyesight is not what it used to be.

      A.

    2. Ken Moorhouse Silver badge

      Re: For years now I've solved the problem (on Fedora/XFCE) with a little XFCE plugin

      Looks like you're a victim of NumbLockIn.

      Numb is how you feel when it happens.

    3. Anonymous Coward
      Anonymous Coward

      Re: Even little things.......

      Now all we need is a similar example where a closed source product behaved fine over similar timescales and we'll have an end to this argument!

      1. Anonymous Coward
        Anonymous Coward

        Re: Even little things.......

        @AC

        Well....here at Linux Mansions Visual FoxPro v6 (circa 1998) is still doing valiant service..........

        *

        .........but to your point:

        1. Microsoft dumped VFP a long time ago (VFP v9 ended support in 2015).

        2. VFPv6 is running here courtesy of Fedora 34 and Wine.

        So that would be twenty three years and counting, and maybe twenty years out of support. Still....when someone as talented as Dave Fulton (i.e. not Microsoft) designs a product, I guess the quality shines through decades later!!!!

  6. Janne Smith

    "... it's unlikely that the commercial entity will vanish overnight ..."

    You're wrong on that score. Places that I've worked at have seen vendors or their products suddenly disappear. A couple of examples. A pub-sub event system disappeared because a large dot com bought the vendor specifically for that product, made it solely for their internal use and suspended all existing licenses. In another case, the vendor was bought by a competitor and the new owners dropped one of the aquisition's products in favour of their own much more expensive, incompatible and less featured one.

    1. doublelayer Silver badge

      This is an important point. Proprietary software can die in a number of ways. Since examples are fun, I'm throwing another one in. There was a piece of proprietary software which I wanted and purchased. Unfortunately, it was software with a small market and many of the people who wanted it chose to pirate it instead. The company concerned dealt with this by releasing an update which contained two additions: A) it didn't crash on the weird Unicode characters anymore and B) it checked online for the validity of your license and would stop working if you stayed offline or were found to use a pirated license. People still pirated it. So they went out of business and the licensing server shut down. I was left with the option to use the old version and deal with the crashes or not use the software at all. The older version was only an option for me since I had kept it in a backup; those who purchased later would have had a harder time. Another option was to try to break the licensing server requirement, essentially pirating it myself and breaking the EULA. I had paid them money for it, but it wasn't enough for them to continue supporting the software.

      1. edris90

        Along as you don't distribute your "hotfix" to eliminate the unnnessassy online check, and you have paid the hostage fee to access the software, what's the problem?

  7. heyrick Silver badge

    Two thoughts

    The first is that a company using something open source could, if they wanted, take on the bits that are no longer being developed by that one guy in Nebraska. That's part of the nature of open source.

    The second thought is that not all long ago, the decayed corpse of MSIE6 was still kicking around because various corporate (and health service) things were written to work with IE6 and, well, they would only work with IE6 and something more modern simply didn't exist.

    There's no guarantee at all (unless specifically written into a contact) that any commercial offering is more "secure" (in the sense of not vanishing or being abandoned) than an OSS offering. At least with OSS abandonware, The source is there. It can be fixed. It can be rewritten. It can be replaced with a three line shell script. Whatever, one can look at it and see how it does what it does. Commercial binary blob? Not so much...

  8. Anonymous Coward
    Anonymous Coward

    Discussed previously on the Stack Overflow Podcast

    And it's a problem that's bitten us (hence anon). The closest you're going to get to belt and braces mitigation is, I think, to be employing developers skilled enough to read through and change some potentially icky code, and that's expensive! Back when we started to really embrace open source I already had experience of what can happen when a bug blocks your way and sounded an appropriate warning. Fast forward a good few years and the whole world runs on the kindness of strangers. Consider my focus, web automation. I don't think there's a single entirely closed source solution and WebDriver can be somewhat mercurial bit of software. Thankfully, I've yet to encounter a problem that didn't have a workaround.

    Edit: I should add that I trust a lot of big ticket open source software more than I'd trust closed source (e.g. Postgres over Oracle MS SQL any day of the week).

  9. fishman

    Happens with closed source.

    Years ago we had a project that used Informix. They got bought out by IBM who dropped some of their products - including one that we required for our project. To "fix" our problem would have required a good chunk of funding and manpower - something that wasn't available. So the project got shelved and died.

  10. Doctor Syntax Silver badge

    Non sequitur alert

    "it would make more sense for companies to just fix the bugs themselves and then commit them back to the project ... Often a company's employment contract will insist that it has complete ownership over all intellectual property that an employee creates."

    There's absolutely nothing in the second part of that that stops the company committing back to the project. The company owns the IP and can do with it as it wishes.

    There could, however, be a problem with companies who claim IP ownership of what employees do in their own time.

  11. trevorde Silver badge

    Elephant in the room

    Is all the cloud vendors who simply rehost open source projects without contributing anything (Amazon, I'm looking at you!)

    1. John Brown (no body) Silver badge

      Re: Elephant in the room

      ...and the other elephant in the room is...cloud vendors hosting "solutions". At least if you bought the install media, if the company goes under, you still have the software installed and running. If the cloudy instance evaporates, you're screwed NOW!

      1. Dave 15 Silver badge

        Re: Elephant in the room

        Cloud... well, easy enough sounding but honestly your data, your company, everything reliant on someone else - a corporation whose aim is to make money. HOW the HELL is it CHEAPER for someone else to host the servers, pay the electric bills, maintain it AND make a profit than it is to do it yourself? The last cost - the profit - is the part that they charge you more than you would have to pay to do it yourself.

        1. doublelayer Silver badge

          Re: Elephant in the room

          "HOW the HELL is it CHEAPER for someone else to host the servers, pay the electric bills, maintain it AND make a profit than it is to do it yourself?"

          You know this. It's a scale thing. The same reason it is usually cheaper for someone else to generate your power rather than building a plant next to the office. At some point, the benefits of having your own power generation are high enough that you'll buy the equipment and hire a maintenance team, but most places choose not to. The costs of running systems on-site are lower so more places can save money by not using cloud services, but there are places who either don't have enough equipment to justify the cost of on-site installation or who want things that the cloud can do more cheaply. For example, it's easy to have identical servers on multiple continents using a cloud service, but much more expensive to have maintenance teams in multiple countries to do it yourself. That's how.

          1. Mark 65

            Re: Elephant in the room

            You know this. It's a scale thing. The same reason it is usually cheaper for someone else to generate your power rather than building a plant next to the office.

            True, but in the case of cloud the economy of scale is generally their profit margin not your saving. To most it becomes an op-ex vs cap-ex thing.

        2. jtaylor Bronze badge

          Re: Elephant in the room

          HOW the HELL is it CHEAPER for someone else to host the servers, pay the electric bills, maintain it AND make a profit than it is to do it yourself?

          The same way it's possible for someone else to manufacture a car, grow rice, provide health care, give legal advice, transport packages, etc etc. The marginal cost of what you purchase is far less than what it would cost you to perform the work yourself.

  12. Neil Barnes Silver badge

    When I was a beginning engineer

    The company for which I worked noted this problem and began to require all equipment vendors whose product included software - usually for microcontrollers - to lodge copies of their code with a third party, to be released if the company ceased trading or otherwise failed to support it.

    This was in the days before desktop computers were in any way common. The company was big enough to be able to enforce this policy.

    Somehow, I don't think they're enforcing it any more...

    1. DevOpsTimothyC Bronze badge

      Re: When I was a beginning engineer

      I've worked with a bunch of companies who have had escrow agreements.

      If the software supplier went out of business, or decided to EoL the product then you'd get the source code.

  13. Gene Cash Silver badge

    Has happened before in 2011: TZ database

    You know the UNIX TZ database and how it has a complex set of rules determining what was the time in a particular date at a particular place tracking all the legal changes and stuff?

    Turns out that was maintained by ONE bloke, Arthur David Olson for decades. He got sued because some company got stuffy about him using their maps, and decided to retire and nobody else wanted to take it over, so IANA had a shitfit because it was so important and everybody figured there was this big group somewhere doing it because all this work couldn't POSSIBLY be done by one person.

    https://en.wikipedia.org/wiki/Tz_database

    I remember this because there was a big furor on Slashdot (remember them?)

    1. yetanotheraoc

      Re: Has happened before in 2011: TZ database

      A surprisingly large percentage of the work is done by a surprisingly small number of the workers. Corollary: A surprisingly large number of the workers are spending a surprisingly large percentage of their time producing heat instead of light. The only ones actually surprised by this are management types.

      "He got sued because some company got stuffy about him using their maps"

      Did anybody point out to the map company that they were relying on the TZ database way more than the TZ database was relying on their maps?

    2. Christian Berger

      Those things happen all the time

      Essentially many important projects are "maintained" by a single person. The IANA used to be a single person.

  14. ButlerInstitute

    Escrow

    We, a small software dev group (a tiny part of a big company) write software that is vital to at least one much larger company's operations.

    On at least one occasion we have been requited for a project to put our source code in escrow. So that if we disappear the big customer will at least get the source so they can continue to (try to) maintain it for their own needs.

    So closed source does have ways where a customer, if large, can take steps to ensure its continuity.

    1. Anonymous Coward
      Anonymous Coward

      Re: Escrow

      Escrow is ok if the response from Big Software Company isn't "fuck you"

      Can you imagine MSFT putting the source to IE6 in escrow? Yeah, me neither. Yet, my company depends on it until they can EOSL some of their own stuff requiring IE6 which is supposed to happen Real Soon Now.

    2. Ken Moorhouse Silver badge

      Re: Escrow

      I've offered some of my clients this option in the past but none has ever taken me up on it. Cost of maintaining code in escrow looks to be quite prohibitive on a very active project - in terms of money and time, meeting the standards required by the repository hosting the software.

  15. mercyground

    obligatory XKCD https://xkcd.com/2347/

  16. mark l 2 Silver badge

    As many others have pointed out, the advantage of open source over closed is that if a 1 person developer stops developing it because they die, goes to prison or whatever. There is the option for someone else to fork it and take over development. if it was a critical piece of software for your business and you don't have the in house skills to fork it yourself, you could even pay a coder to do it for your business. That is something that you would find a lot more difficult with a closed source project.

    I do wish that these big tech companies such as Google, Facebook, AWS etc gave some of their huge cash reserves back to these develops whose open source projects they have built open have made them billions.

    1. gerryg

      If only...

      ...one of these behemoths could create a scheme which paid developers to produce software to be released under an open source licence.

      If they were really imaginative they could fund a mentor to help the project along.

      It would be really nice if all open source projects could submit proposals for consideration, improvements, infrastructure, itches that needed scratching.

      If it were aimed at students looking for paid work between exams and the new academic year, they could call it something a little bit goofy such as "summer of code"

      https://summerofcode.withgoogle.com/

      As the website says 16,000 students, 111 countries, 715 open source organisations, 10 years and 38,000,000 lines of code

    2. John Brown (no body) Silver badge

      " if a 1 person developer stops developing it because they die, goes to prison or whatever."

      Wasn't the supa dupa new filesystem that was going to take over Linux...until the dev murdered his wife and went to prison? (Vague memories from a few years back)

      1. oiseau Silver badge
        Linux

        ... going to take over Linux...until the dev murdered his wife ...

        Yes, that was back in 2006.

        Arrested:

        https://www.theregister.com/2006/10/11/hans_reiser_arrested_in_missing_woman_case/

        Convicted:

        https://www.theregister.com/2008/04/29/hans_reiser_found_guilty/

        Parole denied:

        https://www.phoronix.com/scan.php?page=news_item&px=Hans-Reiser-Locked-Up-No-Parole

        A.

      2. DevOpsTimothyC Bronze badge

        The comment would be very different if the file system had taken over BEFORE the murder was committed.

        As others have commented if it's important enough it will get picked up by others. At the time this wasn't.

        1. gerdesj Silver badge
          Linux

          reiserfs 3 was very popular before Hans Reiser was convicted. It was the default for SuSE and Mandrake at least. I used it on many Linux boxes. /boot on ext2 and / etc on reiserfs.

          When he was removed from society the remaining fs devs kept it patched. Everyone switched to ext3 or 4 as boxes passed away naturally and the world moved on. There probably were a few advanced migrations away but I don't recall there was much pressure to do so.

          1. John Brown (no body) Silver badge

            Did it retain the name after the conviction?

    3. kwh
      Alert

      There's an associated risk here, particularly with security critical software. Is it a team of three named identifiable individuals working on something that directly or indirectly underpins the security of 90% of the world's data? Better hope the 3 of them are incorruptible, & haven't either so far got away with cheating on their wives, a drunk hit & run involving a homeless person, or downloading child porn from the dark web (to pick a few from thousands of extortion vectors) but also as they live on three day old cold pizza they won't have their heads turned by a wallet full of bitcoin.

      Humans will always human, & the Russian mob are the Russian mob, so if this hasn't happened yet, it surely will...

      1. doublelayer Silver badge

        Of course this is a risk. There are three solutions to this: 1) put more people on it so you don't have that much of a risk, 2) give the people more money so they're harder to tempt, or 3) don't rely on it because you need something maintained by more people. Just going commercial doesn't fix this, as the company can still give the project to a small team.

  17. StuntMisanthrope

    Put your left foot in.

    Open source is a charitable endeavour last time I looked. First, second and third yourself with a furloughed pass. Submit your accounts via the nearest offshore isthmus and claim an ever reducing Jedi binary paper offering. #buellertime

  18. Pirate Dave
    Pirate

    "it's unlikely that the commercial entity will vanish overnight "

    I don't know about that. We have several pieces of "commercial" software that do various small things in our workflow. Well, commercial in the sense that at various times in the past, the company paid some small dev companies or individuals to write the code. It's definitely not open source. Some of those companies/programmers are still around and available, some are out of the business now. But the code still does what it needs to do, and we're still shipping product, so nobody wants to look the gift horse in the mouth. Yeah, it ain't "right" but it works, and in manufacturing "working" seems to be job #1.

  19. Norman Nescio

    Forking

    If FLOSS (e.g. GPL2) stops being maintained by whoever is doing the maintaining, anyone can (as a result of the licence) pick up the pieces, fork the project, and continue.

    If closed source stops being maintained by whoever is doing the maintaining, copyright laws prevent the software from being forked and continued for anything other than private use. You'll need to negotiate for rights first to do anything else. So as a company reliant on such software, you cannot spread the cost of continuing without getting the rights to distribute/publish.

    Immediately the risk becomes huge. If you are big enough you can enter an ESCROW agreement so you get the source if the original owner fails or decides to walk away: but you really need to get distribution rights as well.

    Back to FLOSS: if your company is dependant on a defunct FLOSS project, you can pay someone else to pick up the pieces. There's no licencing issue. You can do it in-house if you have the resources, or you can pay external programmers. You are free to do what you want with the code, and collaboration with other groups who need the same thing to spread the cost is easily possible.

    Choosing closed-source is taking on a whole lot of risk, and leaving your crown jewels in the velvet-gloved fist of the software supplier. Choosing FLOSS means you have the means to control your future use of the software. Whether you choose to use that control or not is up to you.

    1. Claptrap314 Silver badge

      Re: Forking

      From a relative risk perspective, that's pretty much correct. From an absolute risk standpoint, that's really problematic.

      As another pointed out, if you cannot immediately take over a piece of code that you're using, that's a business risk. If, to pick an example, your company was using OpenSSL when heartbleed came out, would you have been able to implement a fix yourself?

      There is a terrific difference between maintaining reasonable proficiency in a language that a tools is written in and having the proficiency to actually maintain the tool itself. Even a relatively small tools might easily take weeks to get one's head around the idiosyncratic methodologies in some relatively small tool.

  20. This post has been deleted by its author

  21. Christian Berger

    That's why Free Software needs to be small

    And that's why the Unix philosophy works so well with Free Software. If your program is small and simple enough that someone can just take the manual and re-implement it from scratch, the software is truly free. If your software package is huge and it takes dozens of people just to maintain it, it cannot be free.

    BTW this has nothing to do with funding. Mozilla, for example, is a hugely overfunded company which could hire hundreds of programmers for decades on a singe year of income. Yet they let their main "product" fall into disrepair.

  22. This post has been deleted by its author

    1. TheMeerkat Bronze badge

      Re: Elephant in the room

      And why should they be “contributing back”? You have chosen to give out your product for free, live with it.

  23. Richard 12 Silver badge
    Childcatcher

    A lot of commercial software has vanished overnight

    And even more commercial software has changed its terms of use and licensing arrangements overnight.

    The effect of that is far, far worse.

    What do you do when software you rely on suddenly becomes a lot more expensive, or even impossible to licence?

    At least when a package stops being available you still have the last-shipped version (commercial or otherwise), so you have breathing space to find an alternative.

    In many real circumstances you can stay on that old, unsupported software for many years - until the hardware fails and you can't get parts, or a vulnerability is found that you can't mitigate.

    But if licensing terms change, you may very well be utterly done for.

  24. TheMeerkat Bronze badge

    You kill your potential pair-for competition by providing your product for free. Good for you.

    Just don’t complain that nobody funds you to continue your product development once it became popular (which it would not be if you charged for it).

  25. PCarnelley

    OSS Little Secret

    Great points Danny. It surprises me that this issue hasn't caused large-scale problems yet.

    1. Intractable Potsherd Silver badge

      Re: OSS Little Secret

      See all the comments above showing that it isn't a particularly great article. Yes, it raises some interesting points, but there is nothing about the problems that is unique to open source.

  26. Big_Boomer Silver badge

    Outsourced

    If anything you reply on in your business is out of your direct control, then you are vulnerable. What if your outsourced IT management company folded? Who is going to help your staff reset passwords? If you haven't planned for that eventuality, then you failed. Ask the IT Managers of a certain US Oil pipeline right now. Anything that is critical to your business needs a recovery model, not just software. Whether the software is OSS or proprietary is irrelevant.

  27. WilliamBurke
    Linux

    Individuals vs companies

    This is a rehash of a 30-year old discussion, when "you need commercial support" was the paradigm. Not that FOSS precludes commercial support.

    TBH, a FOSS project needs a certain critical mass to be secure. I have seen many 1-person projects retire with the single maintainer. A bus factor of > 3 helps. Linux will survive without Linus, and emacs without Richard Stallman. What gets me REALLY worried is when a project is "adopted" by Google. Then the countdown to abandonment starts ticking immediately.

  28. dakliegg

    El Reg does a pretty good job describing the problem of open source. I remember when open source was a new movement and people like Stallman were idealistic middle age guys. It all sounded pretty good to me, but one of the upsides espoused by Stallman was that proprietary software gets canceled and lost. Open source would enable the project to carry on.

    That wasn't something that made sense to me. I could, for example, see Stallman's C code and know without a doubt I wouldn't carry it on. If I'm going to work for free on something, it better be fun and not an example of a rat nest.

    And the problem gets worse than that. It is very difficult to hire engineers to work on any software, so is a company going to spend that rare resource on open source? Maybe if the open source is your product and the openess is a marketing tactic. But things that are difficult to monetize like open SSL or BouncyCastle?

    When I was a technical evangelist at Microsoft I would hold events for developers of plug-ins and libraries. I noticed that all of them were very underpaid and it visibly showed in their clothing and gear. Even the most successful tools struggled to break a few million in revenue. Often at the same time I'd have some other event for business or consumer software companies and they were all well paid or even personal millionaires with nice clothes and epic laptops.

    Tool and library development is a labor of love. No one gets rich from it, except when they abandon the project and use it as a portfolio piece to get a high wage position.

    1. doublelayer Silver badge

      "It is very difficult to hire engineers to work on any software, so is a company going to spend that rare resource on open source? Maybe if the open source is your product and the openess is a marketing tactic. But things that are difficult to monetize like open SSL or BouncyCastle?"

      What would they do if those things didn't exist? They would still need the library. Someone would be hired to write it. Likely several companies would need it and hire developers to write their own custom versions. In this case, it's a lot easier to contribute with smaller donations because those can be pooled and the library created for everyone who needs it.

      Being an open source developer does mean there's a lot of unpaid work, but companies use the software all the time. If it wasn't available elsewhere, it would have to be created by someone, which would be at least as costly and likely a lot more so for all the users.

      1. This post has been deleted by its author

  29. dbCooper

    A true Nebraskan would not abandon customers as implied by the article. I know, I live in the state.

    On the other hand, if your support is in Iowa, you may have cause to worry.

  30. Ozan

    Open your f.ing wallet and pay that lone guy in Alaska.

  31. Dave 15 Silver badge

    a few thoughts

    Perhaps it is incumbent on the companies that use this stuff to fess up some contribution to the project.... after all its saving them a packet.

    The open SOURCE nature means that if you are too tight to pay the people that created it you have the source so can pay someone to work out a patch. Now this is likely to cost more than paying the creator as you have to work your way through the code but its your choice.

    If you dont like open source you can always set about writing your own, that will open your eyes to the real costs pretty quickly.

    You could bolt for the alternatives like Microsoft - and find the constant 'upgrades' the uncertain nature of what is hidden from you makes you nervous and the sheer bulk of your product afterwards adds to your costs in hardware requirements.

    Lots of choices, the first seems the cheapest

  32. Claptrap314 Silver badge
    Mushroom

    opensource.com

    While RedHat went to the dark side a long time ago, I think that their basic model was probably the right one: Pay us some money, and we will ensure that a collection of software that you need is properly supported.

    The real problem is risk assessment & free riders. I never had any qualms about running CentOs as an individual at home, but I have always had some really nasty things to say about a business running it.

    Now, if you ignore the moral issue, and the long-term problems of freeridership, just examining business risk, running the free version is mostly fine for R, D & T. But in prod? If the bean counters were responsible, they would be screaming bloody murder. We can and have had rubygems.org go offline for a week. We can and have one of the most popular node.js packages yanked by the dev in a fit of pique. We can and have licenses cut off access to critical infrastructure numerous times. These are not hypothetical or theoretical risks. These risks have been realized, over and over.

    Any business that does not conduct regular robust reviews of its risks in this regard is just begging for a shareholder lawsuit. The SEC should be requiring this stuff at least in the annuals.

    1. Anonymous Coward
      Anonymous Coward

      Re: opensource.com

      " I never had any qualms about running CentOs as an individual at home, but I have always had some really nasty things to say about a business running it."

      Well, that's an opinion, I guess. Probably not shared by the bulk of people who run (or used to run) CentOS on their production boxes. Possibly not even shared by the pre-Redhat CentOS team. Hell, they put out a "server" installer specifically for servers, with not even the faintest hint that those servers shouldn't be production boxes. MY opinion is - you're boxing yourself into a self-righteous ivory tower for no real reason at all, other than an overbearing need to soapbox.

      1. Claptrap314 Silver badge

        Re: opensource.com

        So you're a fan of free riders?

        Give. back.

        1. doublelayer Silver badge

          Re: opensource.com

          "So you're a fan of free riders?"

          Yes, I am. In fact, I donate to projects primarily because they're free for others. Free to use for those who can't afford it. Free to use for those who can afford it but should figure out how good it is before we ask them to donate. Free to me if I should decide I still want the software but don't agree with the developers anymore. Free to get the source and modify it. These free-of-cost and free-in-spirit aspects are important to me.

  33. Anonymous Coward
    Anonymous Coward

    This is Old News

    This is old news, open source has always been plagued with spotty maintenance and support.

    From key players leaving, going nuts and down some peculiar feature rabbit hole, getting replaced-forced out by aggressive upstarts with completely different intentions for the software, generally awful to no support of anything other that what ever the dev uses ( a dot matrix line printer), support palmed off to obscure message boards, and updates that more often than not, break at least one functionality every time, open source has always been a mine field chose first and for most because it is cheap to get up and running initially.

  34. dakliegg

    Rare resources do not generate infinite goods.

    If face masks could only be made of gold and platinum few people would give them away even when it was in their best self interest.

    Skilled software engineers are also very rare and are more valuable than platinum and gold. If you had to "consume" an engineer to make a piece of software there wouldn't be much software and they would be the most expensive things in the world. However, their work product can be duplicated at very low cost, so the things a software engineer produces can be widely shared generating an enormous amount of value. Software I wrote three decades ago is still generating value for people.

    But that doesn't change the rarity of the original resource and that effects the number of software engineers available to maintain software. No matter what, software packages will get abandoned. It doesn't matter what the licensing model is.

    Another nasty effect of software is its use doesn't satiate the demand for it, instead it creates demand for even more software. The effect it has in multiplying productivity just creates more demand for the stuff. I suspect that even if every human on the planet could code, the demand curve would grow even faster.

    We just have to get used to software getting abandoned.

  35. grumpy-old-person

    Why pick on open source when commercial software is so bad?

    Open source may be somewhat weak, but how is it the companies with thousands of employees have software that is like Swiss cheese?

  36. MachDiamond Silver badge

    Hardware too

    I principally work on hardware and I contribute to the river of circuit designs and dip in and out of some forums and boards. What I see in the tangible world is a vast ocean of building blocks more than complete designs. For big projects, there almost needs to be a commercial entity behind it to see it through and offer some support and maintenance. I can look online for a design of a 24vdc spark driver, but I'm a lot less likely to find an open source control and sense package to use on a small bipropellent rocket all neatly packaged.

    Open source has its place. To think it's going to take over the word and supplant commercial companies is silly.

    I sometimes upload a small circuit design with some explanation to "pay it forward". Since I work for myself most of the time, I can do that. When I am working for somebody else, they often have me sign an NDA that prohibits me from doing that which is one of the reasons I don't like working for The Man. Obviously, I'm not going to publish the work I've done for somebody that's paid me. Part of that is somebody else might be willing to pay me again for pretty much the same sort of project. I also want the company to hire me again and they might be sort of miffed that I've given away what I initially billed them real money for.

  37. BobC

    Working from Within

    At each of my past three employers, one of the first actions I perform when diving into our product repos is to assess our "OSS Vulnerability" (an intentionally trigger-worthy phrase). I make a list of all external dependencies, ensure each is explicitly referenced (not just an anonymous import from some repo), check their versions, and check for CVEs against each. I also check for each OSS project license and if it is included in our releases to our customers. For OSS code that we've modified, I also check that we provide repos our customers can access (for GPL compliance, at least the base code with patches must be publicly shared, but the metadata is exempt).

    I then try to approximate the overall product dependency for each OSS project used, starting with how much of it is used (mainly by execution profiling), from as little as a single function call, to being a central piece of the product architecture. I send the resulting list to Management, and ask what level of paid support we have for each OSS element we use, and if we have contingency plans for if/when each OSS project, for whatever reason, stops getting updated.

    It's not what Management typically wants to hear from a new hire, but it cements my place within the organization as someone willing and able to do the due diligence and start the risk assessment. After the initial reaction, I then advocate for adding paid support for our most critical OSS components, and also provide a system for employees to create and share OSS PRs upstream without violating their employment contracts (such as by making the company itself the author/contributor, removing the engineer's name from the PR, but tracking it internally).

    The biggest push-back from Management is the cost we pay to stay current with the OSS releases we rely upon, as if the churn in our codebase is somehow the responsibility of the OSS project, rather than of our use of it. Politely pointing out such illogic is the most delicate part of my effort.

    The biggest battles come when we rely on very large OSS projects (say, Yocto), that are themselves amalgamations of other OSS projects. Some tweaks we make can't be publicly shared due to restrictive hardware vendor IP agreements (I'm lookin' at you, Broadcom and Qualcom), in which case we must "embarrass" such vendors into DTRT ("Doing The Right Thing") when we pass our patches upstream through them. (We even had one such vendor claim we couldn't publish our source changes under the OSS license terms because their IP license took precedence: I typically ask Management to punt such silliness to the lawyers.)

    Another part of the process is to get customers on-board with our desire for OSS compliance in both sprit and letter. I have worked on bespoke products that were central and critical to a customer's very existence (not just competitiveness), making them apprehensive concerning any form of disclosure, especially intentionally. One approach that helps is presenting an estimate for the work needed to replace an OSS component with bespoke code, and the ripple-on effects of project delays and increased collateral costs. Money talks. But getting Management and the Customer to add lines to a contract to explicitly fund OSS support is always a Sisyphean effort.

    The final battle is convincing the company to be a "Good OSS Citizen" by publicly sharing code that's useful to us, but not core to our products, yet would almost certainly be of general benefit. I try to make the point that, even if we can't release core code, we can at least attempt to strike a balance by releasing other code instead. I have never succeeded in getting an employer to create public repos. Not even for little things, like some scripts used to help our use of cmake be faster (better cache management), easier (automated reminders and sanity-checks) and more reliable (isolated cmake testing).

    If you look at each of the above as chokepoints, then the next realization is the existence of a large "impedance mismatch" between OSS projects and their use by most commercial entities.

    Are there ways to improve this situation? I'm no Manager or Corporate Officer, so I won't make remarks in those domains. I do believe the best solutions lie in evolution both in corporate structure and regulatory structures (to "level the playing field"), but am unsure what such changes would look like or how they would be implemented.

    In the short term, however, we must be pragmatic, and at least try to learn about improving OSS participation by actually doing it, while ensuring minimal risk if over-disclosure occurs. From an engineering perspective, the I have suggested we ensure our software is useless without our bespoke hardware, and to make it extremely difficult to reverse-engineer our hardware. This can be done by implementing key algorithms in FPGAs rather than as executable source code, and storing the FPGA blobs in encrypted memory. Then start with limited increases in OSS participation, staying far, far, far away from OSHW, at least for the moment.

    Not an ideal approach, to be sure, but it is, at least, a way to crack the door open, if only slightly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021