931 points sohzm | 48 comments
1. tombert ◴[] No.44460923[source]
Things like this are why I have become disillusioned with Open Source, and why my latest projects have been closed source. The GPL is a good enough idea but it is basically impossible for anyone to realistically enforce. If a corporation is selling an optimized binary, then it can be almost impossible to prove that there was any violation of the GPL without viewing the source.
replies(4): >>44460940 #>>44461080 #>>44461183 #>>44462047 #
2. rfl890 ◴[] No.44460940[source]
Well, if you're writing open source because you want to write open source, then none of this matters. If you are worried about corporations stealing your work, that should drive you away from OSS. OSS should stay "hobbyist" for the individual developer.
replies(2): >>44460972 #>>44460997 #
3. tombert ◴[] No.44460972[source]
Sure but it sort of devalues labor.

If a corporation is stealing your OSS code (and violating a license) then that implies that they think your code has value, they might have paid a person to write that code but instead some hobbyist built it for free and a corporation steals it.

A few months ago, I made a pull request to LMAX Disruptor, which was merged. I was initially excited because even if my PR was simple it’s still a big project that I contributed to. But after a few minutes it occurred to me that I just did free labor for a for-profit trading company. If they merged in my code then they must have thought it had some value, and I decided to dedicate my time to saving this multi million dollar company some money.

My PR there was pretty simple and only took me like 30 minutes (if that), so I am not going to cry too hard over this, but it’s just something that made me realize that if a company is going to use my work, they should pay me. I don’t think it’s wrong or weird to want to be compensated for my labor.

I am still a hobbyist. Turns out you can still be a hobbyist without sharing everything you’ve ever done on GitHub.

replies(4): >>44460995 #>>44462035 #>>44462201 #>>44465292 #
4. nativeit ◴[] No.44460995{3}[source]
It only devalues labor if it's leveraged specifically to do so. You could make this argument about literally any volunteer activity, software related or otherwise. The real devaluation of labor comes from things like the "gig economy" where costs and compensation are abstracted such that companies can exploit the naivete of workers who, generally speaking, are not accustomed to things like amortization and accounting for external costs, thus significantly driving down their own labor, operational expenses, and risks by passing them directly to the workers. At least open source projects are up-front about what's to be expected, and tend not to engage in exploitative practices.
replies(1): >>44461056 #
5. AnotherGoodName ◴[] No.44460997[source]
There’s a million reasons to want to write open source. A lack of attribution in particular is a killer for motivation.
replies(1): >>44461093 #
6. tombert ◴[] No.44461056{4}[source]
I have had a bunch of jobs. When I have wanted to use open source libraries, I have been told “no” because the repo has no recent updates, because that suggests that whoever built it isn’t working on it anymore. Conversely, where there are lots of updates, the project is likely to be used.

Why am I telling this story? Because it suggests to me that companies will only use these libraries if there is a guarantee of ongoing free labor; presumably they could use an old appropriate library and pay people to fix any issues as they come up. Admittedly, I know that some companies do exactly that, and that’s great, but I do not think it’s the majority.

I don’t think the people doing Open Source are bad people at all, far from it, in fact. I think a lot of these people are very smart and hard workers, and I think they should be compensated for their work, even if they are just “hobby projects”. If my project is creating value for a company, then that company can afford to pay me.

I don’t like the gig economy either but I don’t think it’s relevant to my complaints.

replies(1): >>44461698 #
7. TheChaplain ◴[] No.44461080[source]
> The GPL is a good enough idea but it is basically impossible for anyone to realistically enforce.

Really? If you find a piece of proprietary software does basically the same thing as yours, and the binaries contain the same strings/artwork, then it's reasonable to make a legal case of it. You can even contact FSF and they'll take it further.

replies(1): >>44461134 #
8. sohzm ◴[] No.44461093{3}[source]
i love open source because it feels like a kind of donation i can't make financially, so in a way, i'm trying to make up for that

but yeah someone claiming it all falsely isn't good for the motivation

replies(1): >>44461141 #
9. tombert ◴[] No.44461134[source]
If you can directly prove a violation dead to rights (or have enough cause for a discovery request) and you have money for legal defense, sure.

A lot of open source stuff is libraries and utilities though that is pretty entrenched in the code. It is hard to even find out about a violation, let alone prove anything.

Imagine I came up with a new algorithm to do Fourier Transforms 10% faster than FFTW (or whatever the current market leader is) and make a library and I release it as GPL. A company could fairly easily just import it to whatever project they’re doing, and it would be extremely difficult for me to prove anything, especially if I don’t have any obvious things like strings in there.

That’s not even taking into account that it would be relatively easy for a corporation to just pay a junior engineer to do a direct “port” of the library to another language and pretend it’s their own independent work.

replies(2): >>44461737 #>>44462102 #
10. tombert ◴[] No.44461141{4}[source]
Wouldn’t this still be accomplished with a freeware model? That way hobbyists could still get your stuff for free but a corporation would have a slightly more difficult time directly stealing it.
replies(2): >>44461578 #>>44467146 #
11. qwertyuiop12 ◴[] No.44461183[source]
In general, I try to add a fingerprint into the output.

For example, in a project which generates images I usually set a specific set of pixels.

replies(1): >>44461195 #
12. tombert ◴[] No.44461195[source]
Sure, but if they have access to your code then a company could pay a junior engineer to look for any kinds of explicit fingerprints and remove them.
replies(1): >>44461556 #
13. ValentineC ◴[] No.44461556{3}[source]
Some companies that steal open source code are likely to cheap out on even this.
14. sohzm ◴[] No.44461578{5}[source]
when i started using a computer i jumped to linux ecosystem in a month, and have been using it primarily until very recently

i personally don't feel good using things that are not open source, yeah i use closed source software but i try to limit them

replies(1): >>44464837 #
15. bruce511 ◴[] No.44461698{5}[source]
There are different actors in play here, and each one has a different perspective. That's OK, there's enough room in the world for different perspectives.

For the company, making use of Open Source code is free labor. That's good for them. You are free to offer that labor or not.

For some developers, it's cool to write code that's used by zillions. That's reward enough.

Other developers release the code for free, but build an ecosystem around it. They get paid for related work etc.

New developers use it to flex their skills, and demonstrate ability (and then get upset when someone else turns it into something profitable, but that's another story).

Personally I write code, and ship as source, but it's under a commercial license (cause I like to eat.) Other companies have business models around whatever they do.

You are free to act as you wish. Which is great. We live in an economy that allows each his preferred path.

You're right. Many startups open source their products specifically to get free labor, free marketing, or whatever. As payment they release the code they write to you. Whether you think that deal is right for you or not is up to you.

If you believe you can add value to a company then reach out to them. It's not like they're "making" you work for free.

replies(1): >>44463673 #
16. bruce511 ◴[] No.44461737{3}[source]
All completely true. And something you can clearly take into account when you decide what to do with your code.

You may decide it's worth people using it, reading it, learning from it, exploiting it, or you may not. It's your choice.

Of course your work may be used outside of the license terms. That's pretty much impossible to enforce. That's true for most-all software, commercial or open or free. If that's your main objection to writing code then I recommend a different career. All good code is pirated. That's just how it is.

replies(1): >>44463767 #
17. bigfatkitten ◴[] No.44462035{3}[source]
I submitted a PR to fix a bug in cloud-init a while ago.

It was in my interest to do so, because it means I benefit from fixed packages in the Linux distributions I use. This saves me a ton of time in not having to maintain my own packages with my fix included.

If it helps Canonical make money, then it’s no skin off my nose because I still got the benefit I wanted.

I’m not going around fixing bugs that don’t affect me, or adding features I don’t need.

replies(1): >>44464813 #
18. bawolff ◴[] No.44462047[source]
> If a corporation is selling an optimized binary, then it can be almost impossible to prove that there was any violation of the GPL without viewing the source.

I think you can notice that output looks similar, error messages are similar, etc. If the program is non-trivial it's usually pretty obvious if it's a copy or a reimplementation.

If it sounds plausible, presumably you could sue and read the source in discovery (ianal, not sure precisely how that works)

replies(2): >>44462205 #>>44465553 #
19. bawolff ◴[] No.44462102{3}[source]
> Imagine I came up with a new algorithm to do Fourier Transforms 10% faster than FFTW (or whatever the current market leader is) and make a library and I release it as GPL. A company could fairly easily just import it to whatever project they’re doing, and it would be extremely difficult for me to prove anything, especially if I don’t have any obvious things like strings in there.

If you're doing something algorithmically different and unique, presumably that would show up in the assembly.

> That’s not even taking into account that it would be relatively easy for a corporation to just pay a junior engineer to do a direct “port” of the library to another language and pretend it’s their own independent work.

Important to keep in mind that copyright is not patents. If they are just stealing the "idea" of your algorithmic improvement, that probably isn't even a GPL violation. (This isn't fully right as they would probably have to use a clean-room design to avoid copyright infringement. My point is more that such a situation is pretty muddy and might actually be allowed)

replies(1): >>44463728 #
20. bawolff ◴[] No.44462201{3}[source]
> But after a few minutes it occurred to me that I just did free labor for a for-profit trading company. If they merged in my code then they must have thought it had some value, and I decided to dedicate my time to saving this multi million dollar company some money.

If you're not ok with that possibility then you probably shouldn't be participating in open source.

And to be clear, there is nothing wrong with that. It's up to each individual to decide how they want to spend their time. There are pros and cons to open source, and you have to weigh how you feel about them yourself.

However, it's not like this is some secret trick. It's the central tenet of Open Source (esp. when using that name instead of Free software). It should be very clear that this is happening. It's the entire point.

It kind of feels a bit like someone who doesn't like oranges, eats oranges, and then is surprised that they taste like oranges. By all means if you don't like oranges don't eat them, but if you knew you didn't like them why did you eat it in the first place?

replies(1): >>44463646 #
21. crystaln ◴[] No.44462205[source]
Being obvious to a developer poking at a product is quite disparate from successfully bringing a lawsuit involving source discovery.
22. tombert ◴[] No.44463646{4}[source]
It’s just why I have become disillusioned with it. I think companies exploit well-meaning people that should be paid for their work. I have used Linux and open source tools for roughly the last twenty years, a part of me loves open source, but I think that big corporations take advantage of this love and it devalues labor.

Which is why I have stopped participating in it. If I am doing work that provides value to a company then they should pay me for it.

replies(1): >>44463824 #
23. tombert ◴[] No.44463673{6}[source]
Of course they’re not “making” me do anything, but I think they have weaponized well-meaning people to do work for them for free and masking it under some vague notion of “charity”.

You’re obviously free to disagree, but it’s why I have become disillusioned with it. I think it’s an exploitative relationship.

replies(1): >>44464471 #
24. tombert ◴[] No.44463728{4}[source]
> If you're doing something algorithmically different and unique, presumably that would show up in the assembly.

I don’t think it is realistic to expect a developer to load every executable that might use their software into Ghidra or something and try and find a smoking gun about how their code might be used, and then hire an attorney to put together a case on that. In the case of my example, Fourier transforms are used everywhere in a wide variety of applications, and if my implementation is only like 10% faster it wouldn’t be very clear to an outside observer.

> Important to keep in mind that copyright is not patents. If they are just stealing the "idea" of your algorithmic improvement, that probably isn't even a GPL violation.

I am not saying it’s legal or not, I have no idea, just that that is why I have become disillusioned with the idea of open source, and I am not convinced that a well-meaning license like GPL is a realistic safeguard against corporate exploitation.

25. tombert ◴[] No.44463767{4}[source]
Because I think people should be properly compensated for their labor instead of directly donating it to a mega corporation I should choose a “different career”? Do you realize how utterly insane that sounds?

You’re free to do what you want. I just find a lot of the entire FOSS process kind of exploitative and why I have become disillusioned with it.

ETA:

To be clear, I have a fairly active GitHub and I still post stuff on there fairly often, and even a few non-trivial things. I just have stopped compulsively putting every line of code I write in public repositories.

replies(1): >>44464445 #
26. baobun ◴[] No.44463824{5}[source]
Here's what I figured: Company misallocates fund. On the other hand, many engineers are overpaid from the same perspective (most of us here are, have been, or will be at some point, if we step out of the bubble and stop gawking at the acquihire next door). So I'm happy to shift my side of the scale a tad bit by donating a few k here and there. We can do the reallocation ourselves and the more who do, the more difference it can start to make.

Which reminds me, it's about that time.

27. bruce511 ◴[] No.44464445{5}[source]
Oh, I think people should be properly compensated for their labor. And I'm still programming.

But lots of programmers don't get properly compensated. Some by choice, some by external factors.

I'm saying that's a reality. How you feel about other programmers and the choices they make for themselves is up to you.

Clearly there's no obligation to post anything to public repositories, and the vast majority of programmers never do.

replies(1): >>44464758 #
28. bruce511 ◴[] No.44464471{7}[source]
I agree it's often exploiting.

But presumably people who choose to participate in that relationship are getting something out of it, or they'd stop.

replies(1): >>44464900 #
29. tombert ◴[] No.44464758{6}[source]
I can’t tell other programmers what to do, nor would I even if I could.

I am merely explaining why I choose not to partake in FOSS when I think it’s exploitive. People are free to disagree, or not care, and that’s obviously fine, but I choose to not directly contribute to it.

30. tombert ◴[] No.44464813{4}[source]
That’s why I made the patch to Disruptor as well, because I needed the change and I didn’t want to maintain it. I’m not saying that that’s valueless but I still think programmers should not be giving free labor to corporations.

Canonical is at least a little better since they’re a much more FOSS-first company as opposed to a trading corporation, but my opinion still is the same with them.

Also, completely unrelated, if anyone at Canonical is reading this, your hiring process is terrible. Making people write nine-page essays about how smart they were in high school and then forcing them to take some absurd pop-psychology IQ tests and then multiple dedicated projects is insane. Whoever designed the interview process there should genuinely be ashamed of themselves and consider literally any other career.

replies(2): >>44470242 #>>44471258 #
31. tombert ◴[] No.44464837{6}[source]
I don’t have a problem with using open source software, I run NixOS with Sway and tmux and Vim and Typst and a million other FOSS things.

I just don’t feel like directly contributing to helping a corporation make money without being paid. I have a finite amount of time on this planet, I don’t need to provide unpaid labor to make Mark Zuckerberg richer.

32. tombert ◴[] No.44464900{8}[source]
People might not be fully aware of harm.

Plenty of people stay in violent abusive relationships when they really should leave, presumably because they feel like they’re getting something out of the relationship. That doesn’t give a free pass to the abuser.

I am not saying that companies using open source software are anywhere near as bad as a physically violent husband, I’m just saying that just because the contributor to OSS feels like they’re getting something from the relationship doesn’t absolve the corporation of its sins.

The current FOSS ecosystem feels like the tech equivalent of the “working for exposure” scam.

33. rfl890 ◴[] No.44465292{3}[source]
That's the caveat, the contract you sign when you start an open source project. You have to have the mindset of simply not giving a fuck about who does what with your code and how much they make from it. Then you can be at peace. If you don't want to (or can't) adopt that mindset for a particular project or at all, that's completely fine and normal. OSS is not for you. As soon as you want compensation for your work, things start to go south. See the whole core-js situation and what went down for an example.
replies(2): >>44465507 #>>44472844 #
34. tombert ◴[] No.44465507{4}[source]
That’s exactly my point though, it’s exploitative. Companies will abuse the fact that you “don’t give a fuck” and make money from it without compensating you for your labor.

I am not trying to really convince anyone of anything, do whatever you want. I am just explaining why I have become disillusioned with FOSS.

35. tombert ◴[] No.44465553[source]
There are plenty of things that won’t make a noticeable difference in the output, especially in libraries.

Let’s suppose I make a slightly more efficient implementation of green threads, for example. I do not see how that would affect the output in a way that would be obvious, even if the library is non-trivial. Even if I slapped it with a GPL, I don’t see how I would realistically be able to check if they broke the license without first auditing the code, which I couldn’t do without a discovery request, which I likely wouldn’t have grounds for even if I could afford the lawyers for a lawsuit.

36. Pannoniae ◴[] No.44467146{5}[source]
yeah, 100%. although there's strong propaganda to specifically make it open source (capital O and capital S)... the conspiracy-minded part of my brain thinks that it's probably because they can then use it.

But yeah, I've pretty much come to the same conclusion myself too - ship source, but ship it under ARR.

I think there's another innovation which hasn't really been explored yet - an "anti-copyright" cartel-style licencing, where you only have permission to use the product to make something dependent on the original product itself, and whatever you make can freely be used by the original creators and all the other participants in the cartel.

The effect would basically be creating a "closed" ecosystem encouraging innovation inside it but protecting it from people stealing shit from the outside...

replies(1): >>44469028 #
37. tombert ◴[] No.44469028{6}[source]
I'm just not convinced that these licenses are realistically enforceable. A lot of binaries aren't going to show obvious signs in the output. I would have to reverse engineer every binary that might be using my code and look for a sign that they are violating the license so that I might be able to get a discovery request and sue them.

As of right now, I just feel like the best thing to do is not put my code out there, and just binaries. If a company likes what they see then they can pay me for the code.

replies(1): >>44507007 #
38. tptacek ◴[] No.44470242{5}[source]
Does Canonical really make candidates take IQ tests?
replies(1): >>44473161 #
39. bigfatkitten ◴[] No.44471258{5}[source]
I almost applied for a job at Canonical once. As soon as I saw the first question about high school (which I finished almost 30 years ago), I closed that browser tab.
replies(1): >>44473179 #
40. immibis ◴[] No.44472844{4}[source]
Or use AGPL.

There's a reason some people call permissive licenses "cuck licenses".

replies(1): >>44473208 #
41. tombert ◴[] No.44473161{6}[source]
They make you take the Thomas General Intelligence Assessment. It's not strictly "IQ" but it's still an "intelligence" metric.

The entire process is absurd. I wasn't joking when I said that the application required me to write a 9 page essay to even move forward. It took me two hours, and then I'm told I have to do some pop-psychology horseshit to prove my "intelligence" to these assholes.

I don't really like insulting people if there's any chance of the person actually seeing it, but I genuinely have to question the competence of anyone who thinks that this is a good use of the company's or candidates' time. I genuinely think that the world would be better if they chose a different career.

replies(2): >>44474661 #>>44477317 #
42. tombert ◴[] No.44473179{6}[source]
I was pretty annoyed that I had to try and find my old high school scores and try to sell myself about why I was really smart in high school. I graduated high school in 2009, sixteen years ago, I have attended multiple universities and graduate schools, what could they really glean from shit I did as a teenager?

I'm sure some middle manager read some article about the best way to hire candidates and implemented that, and maybe it really is the absolute best way of hiring, but it certainly rubbed me the wrong way.

43. tombert ◴[] No.44473208{5}[source]
I am arguing that even if the language of the license is perfect by any criteria we define, enforcing them is unrealistic, especially for smaller projects.

I know there's been cases of big projects successfully suing companies that break the license (e.g. BusyBox), but if I just make some small utility on GitHub, even if it's licensed with AGPL, I don't have a ton of recourse. I don't have the ability to audit every project that might be violating it, and even if I did I don't have the capital to pay an attorney to sue for every possible violation.

If you're working for a company and that company is paying you to work on a project that they decide to FOSS later, great, you're being compensated for your work and I have no objection to that. Hobby projects are generally not compensated and as such I think it's better to keep them closed source.

44. kiitos ◴[] No.44474661{7}[source]
I have worked with a statistically significant number of ex-Canonical engineers and have not come away with a positive impression of that organization.
replies(1): >>44475513 #
45. tombert ◴[] No.44475513{8}[source]
I was pretty disappointed by their entire process, and I guess if their goal was to weed out candidates who don't want to spend days indulging them in pop-psychology bullshit and writing multiple projects after writing nine pages of answers to questions, then they achieved their goal.

I would have loved to be paid to work on FOSS stuff, but this interview process was too stupid.

46. bigfatkitten ◴[] No.44477317{7}[source]
Some of the smartest and most capable people I’ve ever worked with came from government agencies where you send in your CV, write a max 700-800 word spiel about why you’d be a good fit for the role, and then do a 30-60 minute interview if you look good enough on paper to be shortlisted.

It’s a surprisingly efficient and low-bullshit process.

replies(1): >>44477429 #
47. tombert ◴[] No.44477429{8}[source]
Yeah, I have never worked for the federal government, but I have family that does and they said the interview process wasn’t too bad at all.
48. Pannoniae ◴[] No.44507007{7}[source]
fair point... probably easier to detect with bytecode languages.

But even if you put binaries out, they can steal them, it's just harder... I guess, making it harder is the point as a form of deterrence. Dunno, these things are hard questions :)