Open Source Considered Harmful
Header photo by Julius Drost on Unsplash.

"Meritocratic hubris is the tendency of winners to inhale too deeply of their success, to forget the luck and good fortune that helped them on their way." - Michael Sandel

Those who profit from open source have inhaled too deeply of their own success and forgotten the millions of volunteers who helped them on their way. Now we all run the risk of losing ourselves to an unfinished and deeply privileged ideology that saw the world not as it is or even how it could be, but as it would be were we all Richard Stallman. It is time to rethink the foundations of open source.

--

In December 2021, a serious vulnerability was discovered in a Java logging library called Log4j. It put a significant portion of the online infrastructure we rely on for the functioning of modern society at risk. Government agencies reached out to the developers to get it fixed, only to discover Log4j, like most open source software, is developed and maintained by unpaid contributors.

In response, the White House did the only thing they could do: Reach out to large software companies to find someone they could hold accountable for fixing the problem.

Per White House national security adviser Jake Sullivan: open-source software is widely used but is maintained by volunteers, making it "a key national security concern." 

In other words, the White House considers open source potentially harmful. Let that sink in.

Then on January 9, 2022, a developer deliberately corrupted two major open source JavaScript libraries called "colors" and "faker," affecting thousands of applications.

These corruptions were a political move by a developer to draw attention to the fact that most open source developers volunteer their time and skill to build and maintain software others earn billions of dollars from. Per Wired.com: "A massive number of websites, software, and apps rely on open-source developers to create essential tools and components — all for free. It’s the same issue that results in unpaid developers working tirelessly to fix the security issues in their open-source software."

Saying the quiet parts out loud

I've worked in open source for 17 years. I believe in open source, and I believe the online world we live in today would never have been built without open source. I also believe the open source ideology has become harmful, to individuals and to the community, and we - the open source community - need to rethink some of our core ideals and values and accept some hard truths.

Let me say the quiet parts out loud:

  • Most of the online services we rely on for everything from social media to banking to healthcare depend on software written by unpaid volunteers, and when something goes wrong with that software, the responsibility for fixing those issues falls on those same unpaid volunteers.
  • The world runs on open source, but with a few exceptions there are no meaningful governance structures in place to ensure oversight or accountability within the open source community.
  • Open source software is a multi-billion dollar industry, yet the vast majority of open source developers and contributors never get paid a cent for their work. Meanwhile, corporations built on top of open source software have billion dollar valuations.
  • Nobody speaks for open source, so when businesses, organizations, governments and world leaders need to talk to someone about open source, they have no choice but to turn for advice to venture capitalists and large corporations whose financial success hinges on being able to steer open source projects in directions that are profitable to them.
  • Most open source projects are governed and controlled by a so-called "Benevolent Dictator For Life" or BDFL - typically a relatively young, relatively white man who either started the project or took control over the project early on - whose power is absolute and unchallenged.
  • In many open source projects, that BDFL runs a corporate entity, built on the open source software, that for the average user is indistinguishable from the open source project itself (often going as far as sharing its name) and that siphons enormous wealth from the project without distributing that wealth back to the volunteer contributors. In open source speak: They build cathedrals to look like the bazaar, in the middle of the bazaar, and reserve the exclusive right to advertise their cathedral as the bazaar.

Harm to contributors

In my years working in open source I've seen the real harms of this culture on contributors. Doing unpaid work while others profit off that work is harmful. Being told this is the way it's supposed to work, that if you just work hard enough somehow you'll end up being paid, is harmful. Shifting the responsibility of finding funding for mission critical infrastructure work to the individual contributor while large corporations lean on them to immediately fix issues and move the project in directions beneficial to them is harmful. Believing this culture of exploiting unpaid labor is healthy is harmful.

Power in open source projects is distributed based on a meritocratic "decisions are made by those who show up" model, meaning that if you have something important to say, or a vested interest in the project, you need to invest significant time and effort into the project to be heard. This gives power to corporate interests and people in positions of privilege, while the majority of contributors are left to fend for themselves. Why? Because for the vast majority of contributors, this means volunteering their time so other people can make money off their work.

Most people - in particular women, people belonging to historically excluded and oppressed groups, and people with disabilities - do not have the privilege of time and money to volunteer "enough" to be recognized in these meritocratic systems. As a result, decisions in these projects are made by an unrepresentative group of people who typically fall in the categories young, white, male, North American, abled, and in lockstep with the ideologies of the BDFL.

When the leaders of open source projects are asked why wealth is so unevenly distributed - why some corporations can earn millions of dollars from the work of unpaid contributors while the contributors themselves are chided for suggesting they deserve to be paid for their work - the answer is always the same: "Open source is volunteer contribution. If you want to get paid, go work in proprietary software."

If you're looking for a textbook example of gaslighting, there it is.

Not paying open source contributors for their work is a political decision based on the ideology established in the GNU Manifesto from 1985, from which the popular GNU GPL license originates. In it, Richard Stallman puts forth a utopian fever dream in which open source software wins the battle for software supremacy, corporations that rely on open source pay a form of tax to the open source community, and contributors magically get paid because of course people who do good work get paid. Think I'm being hyperbolic or unfair in my description? Read for yourself:

"In the long run, making programs free is a step toward the postscarcity world, where nobody will have to work very hard just to make a living. People will be free to devote themselves to activities that are fun, such as programming, after spending the necessary ten hours a week on required tasks such as legislation, family counseling, robot repair and asteroid prospecting. There will be no need to be able to make a living from programming." - GNU Manifesto by Richard Stallman

37 years later and corporations make ever-increasing profits on the unpaid labor of volunteer open source contributors. Open source won the battle of software supremacy, on the backs of millions of unpaid workers.

Here's the thing:

There is no good reason why open source contributors can't get paid by the project for their work.

There is no good reason open source projects can't set up foundations that collect money from investors and those who rely on the software and pay it to contributors based on need. There are models for this already in organizations like the OpenJS Foundation and the newly founded PHP Foundation. The reason this is not happening, in my opinion, is that setting up such structures would shift the center of power from the BDFLs and their teams to the community itself. That should be the goal of any open source project, but it would financially impact the people currently in power. Which is why BDFLs and their supporters vehemently oppose any attempt at introducing meaningful governance into open source projects.

As a result, open source projects rarely if ever have any coherent policies, guidelines, or tools for accountability beyond protecting the open source nature of the project. Which is why when an open source project is approached by government because of its effects on society, instead of sending representatives from the open source project to talk to government, unelected and unappointed corporations with a financial interest in the project speak on the project's behalf.

Harm to the community

"Part of the issue, of course, is the overreliance by for-profit businesses on open source, free software developed and maintained by a small, overstretched team of volunteers." - Wired.com

Open source won the war for software supremacy. Now comes the hard part: Taking responsibility for our work by creating a healthy sustainable ecosystem where the people who build the infrastructure of the web can live meaningful lives while doing meaningful work.

The lack of proper governance, funding, and oversight in open source is causing real harm to individual contributors, to the open source community, and to the wider internet community relying on our work. We are acting as if these are still little hobby projects we're hacking away at in our parents' basements. In reality, they are mission-critical, often at government levels, and what got us here is no longer sufficient to get us anywhere but chaos.

Here's what's happening in the real world: Governments and large corporations are waking up to the reality that our online infrastructure is built on software maintained by unpaid volunteers without any meaningful governance or accountability. To protect themselves, governments and corporations are doing the only thing they can do: Work together to solve the problem. What do you think that solution will be? I know what it definitely will not be: More volunteer contribution.

More likely, government will ask the big corporations to either lean very hard on the open source projects to fix their issues, or more likely inject their own staff into the projects to take over. And while the open source community keeps saying this is an impossibility, it really is not. Open source has largely been taken over by corporations already, both from the inside and from the outside. Just follow the money. And when push comes to shove and governments start getting involved, shareholders and investors will quickly pivot from "let these kids do their magic" to "let's take control over this mess to protect our profits!"

If we don't do the hard work of creating proper open source governance, open source policy, and functional funding of open source contributors, the dream of open source will die in our hands and we won't even notice.

It is time we rebuild open source ideology to be based on equity, inclusion, and sustainability. We built the modern world. Now we need to take care of it and of ourselves.

--

Morten Rand-Hendriksen is a Senior Staff Instructor at LinkedIn Learning (formerly Lynda.com) focusing on front-end web development and the next generation of the web platform. He has worked with and contributed to open source projects large and small for the past 17 years and is a firm believer in ethical open source as the path forward for us all.

Originally posted on mor10.com.

Maybe it goes without saying, but I think a lot of people contribute to OSS because (a) it’s fun and intrinsically rewarding and (b) it helps professionals build reputation and credibility. A strong OSS presence tells employers more than a degree or work history ever could. Not that it should be a necessary qualification. Like you said, it is unpaid work time and not everyone has the luxury of time to contribute. However, I would like to point out that incidents like the Log4J thing are extremely rare and open source components are generally considered much more secure than proprietary ones, if only because their correctness in terms of security is subject to public scrutiny.

Tom Atkinson

Engineer at Tomachi Corporation

2y

It sure is a brave new world, I agree there. I created and open-sourced the AminoSee DNA visualisation so I could build a public history of "commits", mainly to show I can use git and know how to write code (for my job search) and to ease hosting and distributed working and increase the chances it would get run on super-computer hardware one day. Maybe I will monetise it later - "Upload your own DNA and convert it into images for $xyz". For now, it's wide open. I did put in place code to record in ~/.config the number of bytes processed over time, and the odd encouragement to whack some coin into my bitcoin address. The governance is automatic - it is the ability to alter the code combined with the responsibility to save the upgraded code with all (I used a copy-left license called GPL). If the original maintainer won't merge your changes (urgent security updates?), you can fork the old code into a repo you control, then ask the original to do a pull and merge your work at some stage. The creators are motivated by the hope that one day they would be employed to work on the same code one worked on for fun before. If you want to make money, one can take their project closed again into proprietary software; the community will then fork the older code and go on from there. If a corporation or government has issues, then yes, they can, should and will put staff towards working on the source.

Amy Schellenberg

Freelance Project Coordinator; Affiliate Member of Workplace Bullying Institute; Educator & Trainer; Engagement Specialist; Effectiveness Guru; Efficiency Master; Problem Solver; Accountability Partner

2y

This is incredibly interesting. Thank you for sharing. In your opinion, what is the first step in creating proper open-source governance and policy? How does that process begin and who are the players?

Paul Lewis

Senior EPM Support at Liberty Global (HFM/FDMEE/HFP/Essbase)

2y

I am not involved in open source projects myself so may miss the mark here, but it seems there needs to be a model that can identify and record contribution to projects, both historic and ongoing. This can then be used to help guide the project's direction going forward and to a degree assign some responsibility, but also apportion any potential compensation accordingly. For compensation cases it could be that organisations pay a nominal license fee (hopefully the benefit here will be that the product will be better managed) or perhaps be willing to fund enhancements they specifically want. A method could be similar to how crypto currency works, but instead of getting currency for mining you get it based on a contribution made. The portion of the Contribution Currency you have in a project determines the say you have in the direction or how much of the compensation you may receive.
