Open source and its extremely quiet crisis¶

The Patrician has observed that Ankh-Morpork’s infrastructure rests on sewers built by people whose names are lost to history, maintained by people nobody pays, and assumed to function indefinitely because it has functioned thus far. This is, he notes, also an accurate description of the software underlying most of the internet, and the reason he keeps a mental list of which engineers to visit first when the smell starts.

Open source software underpins essentially all of modern computing. Banks depend on it. Hospitals depend on it. Governments depend on it. It is maintained largely by volunteers who receive no payment, variable appreciation, and a steady supply of strangers explaining that their production deployment is broken and asking why the fix is not ready yet. The volunteers are under no legal obligation to help. This fact has not yet penetrated the technology industry with the force it deserves.

The economics of not paying people¶

The model is straightforward. A developer writes code to solve their own problem, publishes it freely, and ten years later a Fortune 500 company is depending on it for significant revenue while the developer answers support tickets in their evenings and is, apparently, grateful for the exposure.

The Patrician considers “exposure” adequate compensation for skilled labour in the same way he considers fresh air adequate compensation for the city’s night soil collectors. The collectors have, over the years, persuaded him otherwise.

Companies extract value. Maintainers provide it. No money changes hands. The industry calls this arrangement a “community,” which is a word that here means “an arrangement in which someone else’s goodwill subsidises your profit margins.”

The inevitable burnout¶

Success, for a volunteer software maintainer, means discovering that a project you wrote to scratch your own itch has become critical infrastructure for twelve thousand organisations, none of which have offered to pay you, several of which have opened issues demanding features by Thursday.

The demand scales with the project’s usage. The maintainer’s available evenings do not. At some point the maintainer, who is a person with a finite supply of patience and an alternative option of simply not doing this, stops.

The Patrician notes that this surprises the industry every single time, which is itself surprising.

The documentation at this point is inadequate. The succession is informal. The next organisation to discover this will do so in production on a Friday afternoon, which is the traditional hour for such discoveries.

The security implications¶

In 2021, a severe vulnerability was found in Log4j, a logging library used essentially everywhere. The global response required millions of hours of emergency patching across thousands of organisations. The people who fixed it were volunteers, who did so because they felt they had to, not because anyone was paying them to. Several large corporations issued blog posts about the importance of open source security, which is the corporate equivalent of watching your neighbour put out a house fire and then complimenting their form.

The Patrician observes that the interesting question is not how this happened. The interesting question is what exactly people expected to happen when they built critical infrastructure on code maintained by volunteers in their spare time, and whether the answer involves any word other than “this.”

Supply chain attacks are increasing because attackers have grasped what the industry has not: compromising one widely-used package produces thousands of victims for the effort of one attack. This is efficient. Someone should write it up as a case study in resource allocation.

The licensing debates¶

MongoDB and Elastic changed their licences when they noticed that cloud providers were offering their software as paid managed services and contributing, in return, essentially nothing. The cloud providers responded to this inconvenience with considerable indignation.

The Patrician notes that the parties most loudly insisting that open source must remain free to use commercially were, without exception, those extracting the most commercial value from it being free. This is a consistent historical pattern that predates software by several centuries and shows no signs of becoming less consistent.

The philosophical debate about what constitutes “real” open source has produced many words and few solutions. The underlying debate, which is about who should be compensated for labour that generates commercial value, has produced fewer words and equally few solutions, but at least it has the merit of asking the correct question.

The path forward (such as it is)¶

Sponsorship platforms allow users to support maintainers financially. Most maintainers receive modest sums. The ten thousand obscure-but-critical libraries beneath the ones anyone has heard of receive nothing, because nobody knows they exist until they fail.

Corporate funding programmes help specific projects when companies notice them. Companies notice them intermittently.

Government funding for critical open source infrastructure is being discussed in several jurisdictions. The discussions have not yet addressed how governments will identify which of the millions of packages are critical before rather than after the relevant package fails, but one appreciates the ambition.

The Patrician finds none of these approaches objectionable. He also finds none of them sufficient.

The Patrician’s assessment¶

The technology industry has built a civilisation on volunteer labour and named the arrangement after community values. The volunteers are not required to share these values indefinitely. The industry has chosen to regard continued volunteer goodwill as a permanent condition rather than a personal favour that could be withdrawn, which is optimistic in a way that experience does not support.

The Roman aqueducts eventually required imperial funding when volunteer maintenance proved inadequate. The internet’s plumbing will likely require something similar. The Patrician recommends not waiting for the dramatic discovery, as these are rarely convenient and, in his experience, tend to smell.

In the meantime, the infrastructure continues functioning because individuals maintain it out of some combination of obligation, stubbornness, and not yet having found sufficient reason to stop. This is not a plan. The industry has confused it with one. The Patrician finds this entirely consistent with how humans have always treated infrastructure they did not themselves build, and only moderately surprising given that the preceding several centuries contain ample evidence of where this approach leads.

He is watching the situation with interest. He is also watching the engineers.