Open source isn't broken. The software will continue to get built regardless of funding levels, clearly. But when vulnerabilities like this are found, no one -- especially corporate users -- gets to complain. Any complainers should be immediately told to fund the software they use, or shut their entitled mouths.
Open source is fine. The culture of companies -- nearly all of them, including the one I work for -- that freeload off this work is what's broken. If you are equating this state of affairs with "open source", I think that does everyone involved a disservice.
I work on and release some things under open source licenses. I've been doing this on and off for nearly 20 years. None of it these days is remotely as popular as something like log4j (the only popular thing I worked on for a while was Xfce, during the 00s). But that's the thing: I don't care (and kinda don't want) that kind of popularity. And if there's a critical bug in my stuff that lingers for a few weeks -- even if it's a security bug -- that's just life. If people want something with faster bug fixes or to-the-minute security responses, they submit patches, or they can pay me. Or, better yet, use an alternative that is already better supported, because I don't want to be paid for this stuff, and take on the burden of the added expectations.
An aside:
> Now let's turn our eyes to log4j2. This project is effectively in the standard library for Java users.
Is that really true? All my (professional and hobby) JVM projects use slf4j+logback. If I depend on anything that pulls in log4j (most of which pulls in v1, not the vulnerable v2), I exclude that and add the log4j-over-slf4j library, which replaces log4j with simple classes that delegate to slf4j.
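The exclude-and-bridge setup this comment describes, written out as a Gradle (Groovy DSL) build fragment. This is an added example, not code from the thread or from any of the projects mentioned: the artifact coordinates are the real Maven Central ones, but the version numbers are assumptions and should be pinned to whatever your project tracks. It also goes one step beyond the comment by bridging the log4j 2 API (log4j-to-slf4j) and excluding log4j-core, so that a transitive dependency compiled against either log4j generation ends up logging through slf4j and logback rather than through a log4j implementation.

```groovy
// Added example (not from the thread): keep log4j implementations off the
// runtime classpath and route both the log4j 1.x and log4j 2 APIs into slf4j.
// Versions below are assumptions; pin them to your project's current releases.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

configurations.all {
    // Drop the log4j 1.x artifact wherever a transitive dependency pulls it in.
    exclude group: 'log4j', module: 'log4j'
    // Drop the log4j 2 implementation (the part that does the actual logging,
    // including the JNDI lookup behaviour) so only the API can remain.
    exclude group: 'org.apache.logging.log4j', module: 'log4j-core'
    // log4j-slf4j-impl routes slf4j INTO log4j 2; it must not coexist with the
    // log4j-to-slf4j bridge below or the two form a loop.
    exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j-impl'
}

dependencies {
    // slf4j is the facade the application code logs against; logback is the
    // single real backend on the classpath.
    implementation 'org.slf4j:slf4j-api:1.7.36'
    runtimeOnly 'ch.qos.logback:logback-classic:1.2.11'

    // Bridge for libraries compiled against log4j 1.x: provides replacement
    // org.apache.log4j.* classes that delegate to slf4j.
    runtimeOnly 'org.slf4j:log4j-over-slf4j:1.7.36'

    // Bridge for libraries compiled against the log4j 2 API
    // (org.apache.logging.log4j.*): delegates to slf4j instead of log4j-core.
    runtimeOnly 'org.apache.logging.log4j:log4j-to-slf4j:2.17.1'
}
```

After changing the build, confirm nothing sneaked back in with `./gradlew dependencies --configuration runtimeClasspath` and look for `log4j:log4j` or `log4j-core` in the resolved tree; a global `configurations.all { exclude ... }` is used rather than a per-dependency `exclude` so that a newly added library cannot reintroduce the implementation unnoticed.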
> The culture of companies -- nearly all of them, including the one I work for -- that freeload off this work is what's broken.
Absolutely. Originally, we had free as in freedom software. Then businesses did their best to redefine it as free as in free labor software. That's the entirety of the anti-GPL movement. The thing about the GPL is that you can dual-license your software for companies that don't like the GPL. It works marvelously as a way to monetize your open source work. Releasing under one of their preferred licenses guarantees there's no way to monetize your work beyond charity. That's what businesses want, so many open source developers fall into the trap of donating their labor.
The companies are paying exactly what the price tag says it is worth: $0. What is so surprising about that? If you want companies to not “freeload” then change the price tag for companies.
For the record, that's exactly what I'm saying. Don't use a license that allows freeloading, because if you do, that's what you'll attract.
I disagree with "exactly what the price tag says it is worth: $0". That's not what the price tag says it's worth. They wouldn't be using it unless it was worth a lot more than $0.
I think you are confusing "marketplace value" (what they are willing to pay for it) and "intrinsic value" (your perception of what the "real" value is). Intrinsic value is in the eye of the beholder. Marketplace value is decided in the marketplace. I am only talking about marketplace value, which is also what FOSS developers are complaining about: how the market doesn't put market $ value on their work.
I regret my use of the word "freeload" because of all the baggage it drags with it. I think companies are perfectly legally and ethically fine paying $0 for something that explicitly comes at no cost. But it's also rare that I see a company think about how critical a piece of open source is to their business, and realize that paying in some way (if possible) can be a good way to mitigate business risk. I think most companies don't really consider that risk in the first place.
I completely agree with you. Having worked for a few very large companies, I can tell you that any thinking beyond the crisis of the hour is very rare indeed.
> no one -- especially corporate users -- gets to complain
Do corporate users of open source really do all that much complaining without contributing? IME the people with the biggest complaint/contribution ratio in open source projects are individual devs (or trolls) who are not participating as a representative of any company.
In the case of core-js the issue isn't that "nobody is contributing", the issue is that there is one guy with commit authority and he's an asshole who reportedly spends most of his days rejecting PRs from people he doesn't like.
IBM, Oracle, Apple, Microsoft could submit all the PRs in the world and it won't do any good if he says "I don't like your coding style" or "this takes core-js in a direction I don't like."
But...and bear with me as I'm no JS guy and am unfamiliar with that library...how hard is it for the community to fork it and go on from there?
Literally every time I find an esoteric library on Github, the first thing I do before forking it or adding it to my dependencies is immediately pull up the "network" tab to see if there's an active branch downstream I should follow.
Perhaps Github can do a better job of highlighting hidden downstream forks to direct people to find more updated and supported dependencies?
Can't the governance structure of NPM remove and reassign the NPMish "ownership" and authoritative repo to a new fork in circumstances like the maintainer abandoning it, going to jail, being a dumbass or whatever? If NPM is the authority, it's their own rules that would allow/disallow it, right?
(note: I'm unfamiliar with this project, so seriously I'm asking if/why this is an issue)
Why does that make him an asshole? It's his project, he's free to do as he pleases with it. Even my very modest open source projects sometimes get people demanding I fix or change something. It's ridiculous. It's like there's this unspoken expectation that all available software rise to meet all needs.
I've never run into an issue with open source that couldn't be solved by throwing a trivial amount of money at it. Relicensing, bug fixes, feature requests.
> The culture of companies -- nearly all of them, including the one I work for -- that freeload off this work is what's broken.
Capitalism will always try to extract work at the lowest possible cost. If it’s possible to use your work without paying for it, companies will do it. They’ll fund work when funding the work can gain them influence or political dividends.
My two open-source projects, a font and pip-chill, are, respectively, a work of love and something that solves a problem for me. I enjoy working on them. In the past I have worked on other projects, but always to solve issues I had.
Yup, absolutely. I get why this is the case, but when things like this log4j vuln happen, and people at work start complaining the fix isn't released quickly enough, or in a particular way, all I can think is "you get what you pay for, and you were thrilled to pay zero, so here we are".