275 points pabs3 | 15 comments
1. 3np ◴[] No.45147564[source]
Building the software you rely on from source by default is one way to reduce the impact these events have on you and shift the power dynamic. If you're installing binaries/images from a vendor (free or otherwise), transitioning to a fork may be an undertaking and a sweaty risk-assessment.

Switching your existing build-infra to sync sources from a new remote should be a snap.

Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.

replies(3): >>45147791 #>>45147874 #>>45148870 #
2. andersmurphy ◴[] No.45147791[source]
Not sure why this is getting down votes but I agree. Also building from source doesn't have to be hard (see sqlite).
replies(1): >>45149104 #
3. pjmlp ◴[] No.45147874[source]
Depends on the actual software licence. Many commercial vendors do provide source code; however, the licence doesn't allow you to do whatever you feel like with the code, even if it is technically possible to do so.

This happens a lot in commercial products where scripting languages are used, for example.

Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.

replies(3): >>45147931 #>>45148293 #>>45148606 #
4. anilgulecha ◴[] No.45147931[source]
IMO if you're a technical decision maker, you should ignore fair source/business source stuff with extreme prejudice. These are fundamentally incompatible with the goal of having autonomy for your systems.

Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.

5. MangoToupe ◴[] No.45148293[source]
It's hard to feel any sympathy for people who spend money and still bend over.
replies(1): >>45148349 #
6. pjmlp ◴[] No.45148349{3}[source]
For most people it is only business, there is zero FOSS ideology.

A hard lesson many have come to learn when there are bills to pay, and coffee-priced donations hardly make it.

replies(1): >>45150639 #
7. zozbot234 ◴[] No.45148606[source]
This whole discussion is about FLOSS projects where the right to "do whatever you feel like with code" is well established - even literally so, in the case of purely private/internal changes that are not distributed to or publicly performed for any third party.
replies(1): >>45149606 #
8. ryukafalz ◴[] No.45148870[source]
This is one of the reasons I like Guix so much: its packaging system treats source builds as the normal case, with binary packages available via caching. So if you go to install a package and there's no cached binary, Guix will happily build it for you on the spot, with bitwise reproducibility if it can. You still get the benefits of prebuilt packages, but you always have that escape hatch.

This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).

replies(2): >>45149278 #>>45150538 #
9. 3np ◴[] No.45149104[source]
> Not sure why this is getting down votes

Guessing unrelated to the comment itself, prolly got a minor downvote army on my back after a different recent comment on Gaza matters.

Downvotes are just a noisy signal in general and I wouldn't read that much into a few here and there, it comes with the territory.

Oh and yeah, this meta makes for tedious threads so site guidelines and all that.

10. hedora ◴[] No.45149278[source]
Debian has been like this in practice for at least 25 years (when I first switched to it).

The builds weren’t reproducible back then, but that never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)

replies(1): >>45154143 #
11. pjmlp ◴[] No.45149606{3}[source]
Apparently not, given how often people get surprised by what happens to their code.

Apparently the do whatever isn't do whatever when it happens to their little bonsai project.

12. Imustaskforhelp ◴[] No.45150538[source]
Isn't nix for the most part the same in that sense though, compared to guix?
replies(1): >>45151740 #
13. MangoToupe ◴[] No.45150639{4}[source]
It's not about ideology per se—the dark humor in my mind is that you're not just paying for software you run yourself, you're paying to not be able to modify it. There's a reason why that sort of arrangement is dying and SaaS is stronger than ever—paying to access a server at least makes more sense as a transaction, even if it is just about as economically inefficient.
14. ryukafalz ◴[] No.45151740{3}[source]
Probably! I just have more experience with Guix than Nix so I don't know what it feels like in practice on the latter.
15. r14c ◴[] No.45154143{3}[source]
Debian isn't source transparent in the same way tho. (I'm mostly nitpicking). That said, the contributions that Debian has made in terms of reproducible builds can't be understated. They built a wonderful foundation for the likes of nix and guix to build on.