Frequent disastrous incidents involving Open Source libraries and software have spurred debates about the sustainability of Open Source. In the most recent installment, a developer named Marak knowingly introduced malicious commits into two of his packages, colors.js and faker.js, which broke thousands of other projects that relied on these libraries. The “liberty” commit to colors.js has become quite famous, attracting many commentators who expressed solidarity or reacted with cynicism.
I argue that we had this coming, and that Marak’s actions – which are pretty understandable, given the right context – represent one end of a spectrum whose opposite end is occupied by other incidents such as the Heartbleed bug and the recent log4j cataclysm.
It’s always about money
Open Source is stuck in a sustainability crisis. This crisis mainly unfolds along one single dimension, and that is money. The lowest common denominator of Open Source is that it’s publicly available and free to use. Open Source software is promoted by several groups, the biggest of which are the Open Source movement (focusing on the cheapness of using it) and the Free Software movement (focusing on its liberating aspects).
However, we live under capitalism, so if you do something for free there are exactly three things that can happen: (a) you do it as a hobby and it benefits nobody but yourself; (b) you share it with the world and everyone – individuals and multi-billion dollar corporations alike – can benefit from it; or (c) you monetize it quickly enough to profit off of it. No matter how you turn it, it will always be about money.
Open Source development is – in principle – fine, but it becomes nasty once you realize that large corporations with a lot of money profit off your work without paying a single dime for your time. This happened to Marak in June 2021, when he realized that a multi-million dollar corporation was using his Open Source library to build a service they could sell for profit. He emailed them and asked whether he could simply sell his library to them. They never responded.
Between Depression and Frustration
So what is the spectrum I’m talking about? It’s about the effects the Open Source sustainability crisis can have. On the one end, you have exhausted, burned-out developers who accidentally introduce larger bugs into their software, bugs which can then end up shutting down large parts of the internet. After these bugs become public, those developers collect all their remaining energy and fix them over the holidays – again, without any pay. In effect, when they have to close critical security holes, they are explicitly working for free.
The developers of OpenSSL worked hard to close the Heartbleed bug in 2014 so that large corporations such as Apple, Microsoft, Google, and Facebook could return to business as usual and continue to capture large shares of the software market profits. Nobody sent any money to the OpenSSL developers. The very same thing then happened with log4j seven years later. And again the same aftermath ensued. The developers never saw any money.
Marak’s actions now show the other side of the spectrum of what can happen: Exhausted developers who rightfully feel betrayed for their time fly into a rage and try to hurt these corporations, oftentimes also hurting fellow developers in the process. It’s a course of action where no one can win, except the corporations, who will just copy the source code and maintain it for themselves. The most those corporations will do is shrug and then continue as they were.
Who owns your code?
But the incident with Marak shows another dimension of Open Source: Software developers are at the mercy of the digital-industrial complex. Once enough packages broke down, GitHub apparently blocked his account, so he couldn’t access his own code. Presumably they did so in order to prevent him from doing more harm, but their action is not justifiable. Marak did not violate the terms of service, but this shows that no open source developer who hosts their code on GitHub actually owns their code. In fact, once your code becomes a critical dependency of modern infrastructure, as highlighted in the legendary XKCD comic, you effectively have two alternatives left: Either you continue to maintain that code for free for the world to use, or you are dispossessed of it.
This shows that the labor of developers is being expropriated by corporate capitalism; a modern form of what Karl Marx called “primitive accumulation” (Capital I, Part VIII, chapter 26 ff.) almost 200 years ago. He argued that the first properties were created because people simply built fences around pastures and locked other people out.
Arguably, we have a similar situation today, except that everyone fears the symbolism of fences and thus refrains from building them, as long as the developers of free software don’t do anything that could hurt business. Once they do, however, corporate capitalism is quick to rip that piece of software out of their hands and put it into a cage.
Is Open Source dead?
A few months ago, Melody Horn wrote that “FOSS is dead.” They raise some important points. The Free Software movement failed because of its political utopianism. The Open Source movement won because of its capitalist, libertarian values, which pair nicely with exploitative structures. And every day we get more evidence that this holds true.
But I think Open Source is not dead. Rather, it suffers from a sustainability crisis. The ideals of the Free Software movement still hold true: Open Source does enable developers and users alike to escape vendor lock-in. It does enable people to benefit from the technological revolution regardless of their socio-economic status. And it does have an emancipatory aspect to it. All of this holds true despite our still living under capitalism. As some other smart German dude once said, there is no right life within the wrong one.
As such, even though corporate capitalism won’t simply back down just because some people demand it, the beneficial aspects of Open Source still remain. It’s still not right, but how could it be, given that we live the wrong life?
Discussions on licenses are a red herring
Horn spends a lot of time discussing and, ultimately, rejecting many of the licensing models for Open Source, as if they formed the core of the crisis. GNU GPL, AGPL, or just MIT – Horn rejects existing licenses on the grounds that corporations will always find a loophole to profit off of your free work.
While that is not completely untrue, this discussion is a red herring – it does not address the real problem. Instead, it is a typical rhetorical tool that leaves you with two mutually exclusive extreme alternatives: either burn everything down or give up altogether.
Marak has licensed his work under the MIT license, which in effect states “Do whatever you want with this code.” Naturally, this is an invitation to companies to use your code without paying you. And it honestly puzzles me why so many developers still do that. I mean, I am by no means an expert on licenses, but one thing I do know is that some licenses, such as the GPL 3.0 (which I use exclusively), require consumers of my code to also open source their code.
Naturally, some people will treat a license more like a “recommendation” than a legal document, and if these people work for big companies, there is no way of winning that legal battle. So discussing licenses will not solve the deeper problem of Open Source. Choosing a good license is still important, however, as the German debate about the “Luca” app has shown.1
Making Open Source sustainable through funding
What would be much more effective in helping Open Source developers, however, is to set up institutional funds to actually pay those people. If a developer who maintains a critical part of today’s infrastructure had secure funding and could work full-time on their software, this alone would offset a lot of the aches that ail today’s software landscape. Bugs would get fixed – not in someone’s free time but during work hours – and the chances of burnout would decrease.
This is something Horn sadly misses. I can only speculate about the reasons, but if Open Source developers actually had secure funding, people like Marak might never come to the conclusion that the only way out is to deliberately break their own code. And indeed there are first signs of this happening. For instance, Germany’s Federal Ministry of Education and Research (BMBF) has set up the so-called Prototype Fund. Using this instrument, the German government is funneling a lot of money to developers of public software.
While a good start, this is still insufficient. Many more developers cannot benefit from these funds and have to rely on volatile individual donations via Patreon or OpenCollective, which may sustain a life as an Open Source developer but can just as easily burn away in an instant.
More countries need to set up such institutional funds so that developers are not required to rely on these volatile sources of income. Furthermore, every person already donates – that is called taxes. And we can use these taxes to give back to the developers who maintain the software each and every one of us uses every day. We need to take the principle of “Public Money – Public Code” and extend it to every piece of software that is freely available.
Until that happens, Open Source will remain unsustainable, even if it is “too big to fail.”
1. Unfortunately, I couldn't find English coverage of the case, but basically the situation was as follows: When Covid hit, the neXenio GmbH created a for-profit contact tracing app called “Luca,” and they used Open Source libraries to do so. Some of the software they used, however, was licensed under a GPL license, which requires the app itself to be open sourced. However, the developers did not do so until a public debate ensued and the first developers began threatening lawsuits. ↩