The gift of it's your problem now (apenwarr.ca)
756 points by Tomte on Dec 30, 2021 | 293 comments



This was a long, thoughtful read. I really enjoyed it and mostly see things as the author does.

> So it is with free software. You literally cannot pay for it. If you do, it becomes something else.

This is really the crux. Everyone is mad there’s no money in writing free/os software, but if there was money it wouldn’t be free/os software. It would just be like what we do at our day jobs.

You can write the code someone else wants and get paid for it (aka a day job). You also have the option to write the code YOU want to write, but in this case you’ll need to figure out a plan for making money on your own.


I think the "dream" of writing FOSS for a living is that it's like a normal job except for all the non-fun parts like mandatory HR meetings, boring standups, performance reviews, having to deal with customers/PMs/etc who don't understand the technical constraints, etc etc etc. It is just writing code you want to write with zero other obligations but somehow you get paid for it.

When it's written out like that I think most people would recognize why it is not very realistic to get paid for something like that, but it is still a very tempting vision.


It's perfectly reasonable to want to be paid when your work has positive externalities. It doesn't matter whether you liked doing the work.


It is a reasonable desire, but not one very likely to be fulfilled.

Let's say I pick up some trash at the local park. Plenty of positive externalities there.

But if I then send the community a bill afterwards, I don't think it will go over very well. Even if they all appreciate the effort they might object, on any number of grounds:

- There are other trash pickers who are more efficient and can be hired more cheaply.

- There are other higher priority projects to which those funds should be allocated.

- That the quality of the trash picking was not in line with the bill.

- And on and on.

If I want to get paid for picking up trash I'll have to work it out with the community beforehand. And then there will be expectations, contracts, a supervisor, and all those things that come with jobs.


There is a lot to be said for the value society receives for paying a 10 cent bounty to pick up cans/bottles. How to implement a similar universal petty payment system for FOSS contributions is beyond me, but a minimal overhead method to funnel subsistence-level money to contributors feels like it would have net-positive societal benefits.


While not the reason for "Pfand" in Germany (originally it's to encourage reuse of bottles, now it's expanded to include recycling), this is a pretty good analogy. Including the points beyond which it fails: You get emptied trash cans because people tried to get at the Pfand... Which brings you back to the original point: People are far better at gaming a system than the system is at setting its rules.


But if the community reacts like this then you didn't really solve a problem for them. At least they didn't see it this way.

Perhaps a more apt analogy: you invent a better water filtering system and provide it to the world for free.

The community immediately starts using it as the benefits are undeniable, but now the community needs someone to do maintenance on their new filter system and you are the only one with the required expertise.

Should they "sponsor" you or is it fair of them to expect you to provide them support for free?


I don't necessarily think it is fair, but my guess is that even in your example, the inventor is unlikely to get paid very much by the community unless they had a maintenance agreement worked out in advance. They might be able to get some funding through something like the Nobel prize or Gates foundation.

Like the author of the article, I've observed that if you give a gift, it's very hard to charge for it after it’s been accepted. Whether this is innate to human psychology or caused by social constructs, I don't know, but it basically feels like a law of the universe.


But if there was already an established budget and way to decide how much the trash collection ought to be compensated there's no good reason why you shouldn't be. There probably needs to be a set contract between the community and "whoever wants to pick trash" up front though.


Right, but that last part of your statement is the required piece that changes everything. An agreement in advance that when you do something you’re gonna get money for it.

“Positive externalities” are irrelevant.


And some sort of new tax on everyone who uses FOSS, of course. Budgets don't appear out of nowhere.


A few years ago my housemate found out I was cleaning up trash around town and replied (with some disgust, I might add), "But we pay people for that!", to which I replied, "You mean the town owes me money? ;)"


What an excellent answer.


I wish there was an open source fairy that put money in my bank account every time someone used my software! Until then, it's reasonable to want to be paid without having to deal with the attendant hassles and responsibilities of participating in a business venture, but not reasonable to expect that to happen.


Starting around the renaissance, we kind of had “open source fairies” in the form of research grants, professorships and other forms of patronage. If you look at 19th century scientists, it seems like most of the famous ones weren’t paid to do specific research, but instead were given space to do whatever research they could.

This has gotten more and more restrictive: even in academia today, it seems rare for open ended grants to be given, and even when there are, there’s a lot more competition for those grants than we can sustain with current funding.

Open ended research doesn’t necessarily work in a pure market system. And most open ended research probably won’t provide any concrete monetary benefit to the person funding that research. Even Bell Labs wasn’t really self-funding despite having developed some of the underpinnings of our modern economy. This is an (if not totally compelling) argument for a basic income: anyone can focus on fundamental research without worrying about covering life’s fundamentals, so long as they’re OK living a bare bones life while they can’t get outside funding for it.


Edison (et al) especially early on, had to spend huge amounts of time raising capital. Our remembrance of history is often rosier than the reality.

Bell Labs in many ways was self-funding: 80% of the research the Labs did was unglamorous and wasn't basic research; it was things to directly further the business of AT&T. The Labs did product development and software development directly for Western Electric, which is what the BOCs paid a license for back to the Labs, and which funded the whole of the Labs' operations.

The occasionally glamorous high profile basic research that the Labs did was something AT&T did partially as a public good, and to avoid antitrust scrutiny as well as to develop new foundational innovations for its primary business.

Unless you have a deep knowledge of AT&T's pre-divestiture organizational structure, these facts are just not well or widely known.


The market can work, but I think we've been going through a particular centuries-long period where the capital-intensive projects are most celebrated since they bring together the best of industrialization. However, there are crowdfunding platforms of various kinds now that let you sustainably finance small projects or build a marketing story that can be taken to a larger investor. When you get some proof, the funding spigot can flood in rather suddenly.

I agree that open-ended research still isn't very rewarded since it goes too far from immediate wants. But I also suspect we are going to get a quality bump on "small stuff" in the coming decades, because so many of our technologies were rushed to market as soon as they were mature enough, and that was a causal factor in major quality issues like buggy/insecure software. Those issues are not cap-intensive to fix, and could subsist on crowdfunding solutions, but they need awareness.


I think that it’s less that people expect it to happen. But that it rudely points out the absurdism and structural inequality involved in building free software within capitalism.

Not just from the perspective of individual compensation but that billion dollar corporations can be completely exposed due to their reliance on people’s hobbies.


I agree, but there are two obstacles to actually getting paid:

- The amount you can be paid for any sort of work has a range. The ceiling of the range is the value you added, the floor of the range is how expensive it would be to get someone else to do it. Since in open source the competition costs zero, this sets a very low floor for how much you can charge.

- Wanting to be paid is indeed reasonable, but just wanting it is often not enough when it comes to companies. There will be contracts involved, minimum time commitments, purchasing processes if the company is big enough, etc. Navigating all that is what will turn open source back into a job, if you really make work of getting paid for it.


> Since in open source the competition costs zero, this sets a very low floor for how much you can charge.

The competition? Does that mean copying the same software without paying it is competing against paying for it? Like how movie piracy competes against DVDs, or not tipping competes against tipping?


I meant it more in the sense of "there are 5 different logging libraries for the language I use, will I use the one that charges money or one of the 4 that don't?".


> It doesn't matter whether you liked doing the work.

It matters hugely, a lot of the good FOSS is good because the people who wrote it were passionate about what they are doing. You cannot create this passion with money, which was one of the largest points the author is making.


Is being averse to having good things a prerequisite to passion?


I did not say that, I only said it matters that you like doing the work.

If anything, wanting good things and being dissatisfied with what you have is a pre-requisite to having the passion to creating something new. But none of what I am talking about are liquid, they are tangible - you can't have bad money, it's just money.


If you want to be paid for creating value, exchange value for money. If you want to change society, create value in exchange for conditions on its use and obligations of its users.


What do positive externalities have to do with it? The entire point of volunteer work is to do something with positive externalities where you don’t get paid.


Why should it be "volunteer work" though? It's question-begging.


Proper use of "begging the question"! I never expected to see it in the wild!


Are you asking why people volunteer?

If you’re asking why people choose an open source license when they expect to get paid instead, the answer is simple: they don’t understand open source.

This is no different than someone putting some literary work in the public domain and then getting mad when their work gets popular, criticized, all without pay.


No, I'm not asking why people volunteer.

I'm saying that you're _assuming_ that they are "volunteers" when that is precisely the question being asked.

Thus, "begging the question" -- begging means assuming. Begging us to take for granted an answer to the very question we are debating.

Probably there is a reason the phrase isn't found "in the wild"... people don't understand what it means.

> This is no different than someone putting some literary work in the public domain and then getting mad when their work gets popular, criticized, all without pay.

Federally-funded research is placed in the public domain. Emphasis on funded.

In the absence of funding, people may still perform. If they do, why wouldn't they be upset about the lack of funding?

(In fact, people can be, and are, upset about the lack of funding even if they don't perform. I am personally upset about the lack of funding for many works that are not my own.)

You seem to have a victim-blaming mentality. As if no complaint about the social environment or the treatment of the individual by society can be valid because "you should have known better." The mere fact that people can know about some aspect of society cannot ever justify that aspect of society.

And don't presume people didn't know. They probably knew. Either way, it doesn't invalidate the complaint which has to do with basic fairness considerations.


> I'm saying that you're _assuming_ that they are "volunteers" when that is precisely the question being asked.

It’s not being asked. The authors didn’t get confused and expect to be paid for their work. I don’t know of anyone in the open source community who expects payment for their work from the community. If you want to get paid by your users, open source is not for you. I say this as a long time open source contributor.

> Federally-funded research is placed in the public domain. Emphasis on funded.

Open source contributors get funded by corporations all of the time (see Red Hat, Canonical, Google, etc, etc). That’s not new or novel and is a well-known way to get paid to work on open source. That’s still not comparable to complaining that your users aren’t paying you.

> In the absence of funding, people may still perform. If they do, why wouldn't they be upset about the lack of funding?

Again, we’re not discussing lack of funding. Most of Linux contributions come from people who are paid by some party to work on Linux. The important point is that they aren’t trying to turn around and shake down people who use it under the auspice of being open source.

> You seem to have a victim-blaming mentality.

No, a victim blaming mentality would imply I’m blaming the victim of something. Who is it you think is the victim here and what are they victim of?

> Either way, it doesn't invalidate the complaint which has to do with basic fairness considerations.

“Basic fairness considerations” is a weasel phrase. What exactly is it you think is unfair about people publishing open source work and it being used under that license?


What I'm saying is that you're merely taking for granted that society will not compensate free software so that it will have to be done by volunteers.

Yet the question under consideration is exactly whether this state of affairs is acceptable or not.


It is certainly reasonable to want that. It is unfortunately not reasonable to expect it. Sorry.

I hope you like what you're doing.


I want there to be world peace and all dogs to be happy and I think that is reasonable, but I also understand that it is not likely to happen. To be honest I feel that is pretty similar.

If someone wants to get paid for something, it needs to be explicitly charged for. Can always set up a patreon or something and only give it to backers or whatever. If they give something away for free I think it is a stretch to expect to be paid for it just because someone else finds it useful.


It’s also perfectly reasonable for people to not pay you if they don’t have to. Which is what happens 95% of the time.


Would you like to live in a world where every behavior that could be construed as having benefits for you was expected to be compensated?


Sounds like you might like dath ilan.


I would :(


It reminds me of the joke "I thought I wanted to be a software developer but found out what I really wanted was just a paycheck."

The essay definitely resonates with me in so many ways, and the whole idea of foundations as a charity structure not a development/company structure was both new and quite profound. I expect charities that get "targeted" donations feel similarly about them as paying for free software. It is all about whose agency is it really?


To be fair you can greatly reduce the necessity of those other things you list if you take on a role of contributing to FOSS dependencies used by where you work. Because you can have a significant portion of your time devoted to that work & it won't involve those things. You also then gain a passive political advantage as feature requests to that dependency will fall under your responsibility as the contact point between the project & company.

Note that I may be totally wrong, as I've never found myself in too bureaucratic a team, so have generally found myself able to do whatever I want (within reason ofc, but I try to be reasonable).


That model works OK for the music industry. If you write code and people go 'wow, super useful' you ought to be able to make something off it. I mean, it's not so hard to figure out if a free software product is widely used or not. A lot of problematic situations you outlined had to do with expectations of either payment or performance. But if there's hundreds of thousands of people using A Thing that sort of speaks for itself.


If you singlehandedly write TensorFlow, and I singlehandedly write a left-pad library which has more deployments, should I be paid more than you?


When I make a suggestion involving heavily qualified generalities, that's a signal that it's not offered as a fully defined proposal ready for deployment. It's an invitation to explore the concept rather than just throw rocks at it. Of course I think a big project like TensorFlow or Pandas involves a lot more effort than some little helper function and should be rewarded proportionately, though not necessarily in purely linear fashion.


This. Money and accountability are directly related. So are accountability and processes/controls, the "boring" part.

I think the developer dream isn't really FOSS, but something along the lines of "very popular, stable API in an API marketplace made by a single person".


> "very popular, stable API in an API marketplace made by a single person".

Could you explain this a bit please? Or give a few examples? It's getting late here and I can't wrap my head around this. :) Thanks!


Imagine you're the first one to automate something many developers need, like converting IPs to locations or converting between two specific data formats. You can offer your API and make money from it. Check out this example:

https://rapidapi.com/spoonacular/api/recipe-food-nutrition/

There are many other APIs with freemium models at this API marketplace, and there are other marketplaces as well.


I work at AWS on opensearch.org, literally to do this as described.


I always wonder how much of the most popular open source projects are written by people who are actually being paid for the work by their employers.

Many of my open source contributions came from fixing bugs or adding features because I needed them for my job. Many of the biggest open source projects I use come from big companies that have full-time engineers working on them.

I’ve also worked at two separate companies that have hired developers of very popular open-source projects. It didn’t work out in either case because the company wanted them to prioritize work related to the company, but they wanted to continue focusing on the community as before.

On a micro level, it’s surprisingly difficult to arrange to pay someone outside of a company to work on a project for you. The amount of overhead that goes into arranging the contracting agreement, communicating the issue, setting up the contractor with your environment, and managing it all can quickly snowball into a massive commitment for even small work. The exception is hiring contractors or contracting companies who have made a business out of working in that exact domain and are already up to speed on the project and have good relationships with upstream maintainers, but those are rare.


Conversely, on the receiving end, if you aren't somebody who's made a business out of being a contractor then taking some company's money to do a specific piece of work also seems like too much hassle and overhead to be worth it...


JM Keynes said: “A ‘sound’ banker, alas, is not one who sees danger and avoids it, but one who, when he is ruined, is ruined in a conventional and orthodox way along with his fellows, so that no one can really blame him.” and same applies to software managers.

We've had lots of nasty security breaches lately. These breaches overall have nothing directly to do with free software but it's pretty easy to see what they have in common.

Security breaches grow like hardy weeds on the ground of "I don't have to face the consequences of bad security, my customers do". The Solar Winds and Log4j breach/hole came from wildly different software types but each had the quality of paying for security at the rate that it might harm you, not at the rate it might do harm in general. And comes because security is inherently expensive - since "security is a process, not feature", done right costs the entire organization time and money rather than simply involving a purchase.

Which is to say: "Everyone is mad there’s no money in writing free/os software, but if there was money it wouldn’t be free/os software. It would just be like what we do at our day jobs." seems totally incorrect.

Qt makes money selling open source software. Red Hat makes money selling open source soft. If there was a market for tightly secure, verified open source software, people would be working writing (and especially testing) that. But companies whatever crap onto their machines, whether barely maintained java or dubious closed source stuff.


I see what you're saying, but just to be clear I'm using "free" here in the very idiosyncratic way the article does.

Things like Red Hat, GitLab, or MongoDB from a license perspective are free/open source. But these types of projects are a totally different beast than "real" (for lack of a better word) open source projects like the linux kernel, emacs, ruby on rails, or lucene.


1) Most people doing open source don't share the author's definition so this discussion winds up not being about their

2) Tremendous effort and money goes into making the Linux Kernel secure. The fact that you fail to draw a good line between paid open source and "real" open source is an indication that this idiosyncratic definition is fallacious and disingenuous.

3) Which brings me back to what I think the real, reasonable line is. The line is between cheap software, software that involves the minimal effort to squeeze out a feature and a full, carefully secured software process. Open source is virtually irrelevant. If some people didn't volunteer to produce free apps that got duplicated everywhere, you'd have a low-paid schmuck doing it somewhere, probably producing worse quality. Oppositely, highly secure software should be open source or source-available - the more eyes the better. Linux, notably, benefits from many, many people testing it and that benefits the very heavy users of Linux who do employ people developing it.

good quality software where people pay for the quality.


I think your points are fine, just orthogonal to the article.


That is very much not true. I get paid to write free software. Linux, arguably the most successful piece of free software, is almost entirely written by people who are paid to do it.

You don't pay for the software, but that doesn't mean "there is no money" or that it is very different from "what we do at our day jobs".


I think the point is, like the gift analogy in the post, that once you're doing it for money it's no longer free.

Not free as in beer or free as in speech, but free as in choice (or free as in time). :D


Well that's not what FOSS software means, but even if you creatively change what it means to fit, that's still not true. I'm also paid to work on free software. I work on what I like and choose to at my job. That is why I chose to take a job where I am. If I didn't have a job I'd be doing this anyway as I was when I started getting into it as an unpaid hobby for several years. If my employer decided they wanted me to work on something I don't want to, I would choose to quit and look for something else.


That's not true. You are paid to do it, but it can very much be grabbed by anyone for free (as in free beer).


I think the question can be a little more subtle than that. I'm involved with an organization that does a lot of Free software. But sometimes money is involved.

For instance, we have collected some money and funneled it to developers to give them time to do what would otherwise either take many years of nights and weekends, or just be too hard to get done without time to focus on it alone. This software is still Free, though.


> Everyone is mad there’s no money in writing free/os software, but if there was money it wouldn’t be free/os software.

This doesn't hold up for me. I develop GPL'd software and I get paid for it. I probably wouldn't develop this particular GPL'd software if I wasn't getting paid to do it. The issues of payment and license seem related, but orthogonal.


Right, so this is why the article tries to make the subtle distinction around "free" vs "open," not in the sense of the license, but in the spirit of the project.

Different licenses, but working at GitLab or working at GitHub probably feels pretty similar; you have a boss, there are probably sprints, you build features, fix bugs, and so on.

This is fundamentally different than working on a rust port of a GNU utility. This is the sense in which the article is using the word "free." This is idiosyncratic and doesn't align with either of free's typical usages (free as in beer or free as in FOSS), but there really isn't a perfect word for what the article is talking about.


Self-directed programmers. Autonomous programming. Independent programming. Volunteer programming.


I think there's an important distinction, though. You're not getting paid for the GPL'd software as a product; some company is (presumably, apologies if I've mischaracterized your work) paying you to write some software that also happens to be released to the public under the terms of the GPL. Presumably this company would also pay you to build the same thing, in house, and not open-source it at all.

I read the "everyone is mad there's no money in writing free/os software" as meaning that people are upset that you can't really sell GPL'd software to other parties. Sure, you can dual-license, and require payment for the non-GPL version, but then it's not really "free/os software" anymore, at least not for the part you're getting paid for. You can also sell support and consulting services around the GPL'd software, but, again, that's not really getting paid for selling the software, at least not directly. And if you're writing software for a company that wants to use it directly, and decides to also GPL it, you're not really getting paid to sell GPL'd software, you're just getting paid to write it for someone else, and the license is incidental.

I agree that sometimes people's motivation for working on (or not working on) some piece of software can be tied both to the license it ends up getting released under, and whether or not they get paid for working on it. But I also agree that's orthogonal to the point being made.

It's still true that getting paid to write free software is harder than getting paid to write proprietary software. Companies that would pay you just to write some piece of software are more likely to keep the source closed than open it. If you write something yourself, selling it directly to others is hard enough if it's proprietary, but even more difficult if the code is available under a permissive license. Selling support or consulting services around the software might be viable sometimes, but can also be very difficult, and requires a different skill set from writing the software in the first place.


> I read the "everyone is mad there's no money in writing free/os software" as meaning that people are upset that you can't really sell GPL'd software to other parties.

Perhaps I'm being too literal/granular, but my point is that there definitely is money in writing open source software. There isn't (often) money in selling it once it's been written, no, but I find that to be a more ethical arrangement for everyone involved, so I think of it as a good thing. In my opinion it is better for people to be paid to do work, than for having done work.


I think of platonic ideal FOSS as liberal art in the ancient definition: you do it because you can afford it.

Having said that, this does not imply FOSS developers shouldn't have the "product mindset". Quite the opposite, in fact.


> Having said that, this does not imply FOSS developers shouldn't have the "product mindset". Quite the opposite, in fact.

Disagree. FOSS developers should have whatever mindset they feel like having. Motivations run the entire gamut. Some FOSS developers really do want to build a polished "product" that others will want to buy (or whatever the non-paying equivalent might be). Others just want to scratch their itch and share what they've made. Telling either of those people (or any of the people in between) that they're "doing it wrong" is incorrect by definition.


I write code somebody else wants and get paid for it as my day job. It happens to be open source. Some people write the code they want to write, but keep it closed-source. So I don't think your contrast quite works.

I think some of the "no money in open source software" unease isn't because people would like to get paid to write whatever code they feel like, but a desire to retain the benefits of having a massive amount of open source code out there (less reinvention of the wheel by multiple companies, low-cost low-friction way to bootstrap whatever actually interesting/novel software your company is doing, etc) but put it on a more sustainable footing where money is directed reliably enough at the people keeping it together that we can avoid the xkcd "one person in Nebraska" failure mode.


IMHO the underlying problem is value based pricing. Roughly that means you take how much money your software generates for your clients and try to capture as much of that as you can. That leads to huge incentive for companies to not depend on commercial software since as soon as that happens the vendor will take them to pound town in contract negotiations.

That fear makes it nearly impossible for something like Log4J to charge anything. Even if it's a penny per year per server you don't want to build on it because they can come back next year and make it $10 a year. And what are you going to do about it?

FOSS removes that threat but it also makes the path of least resistance to not pay anything. The ideal solution is something like "You have to pay a little bit but it's guaranteed that it will never be more than a little bit". But I don't see how to do something like that.


> That fear makes it nearly impossible for something like Log4J to charge anything. Even if it's a penny per year per server you don't want to build on it because they can come back next year and make it $10 a year.

I see it more as a function of scarcity. If it was really difficult to write a logging framework, and no one wanted to do it without getting paid for use, then anyone writing a logging framework would release it under a license that requires they get paid for use. But if there is just one logging framework that exists that meets people's needs and is free (as in beer), then you end up with the situation you describe. Then all the other logging frameworks either need to find some sort of big differentiator that is hard to duplicate and that people will pay for, or they just stop charging.

And since we're talking about a logging framework, something that isn't very hard to build yourself if you confine yourself to the likely very small number of features you need... sure, no, of course the idea of paying for one is just silly.


FOSS eliminates more uncertainty than price “supply” uncertainty. Since it’s free, you don’t have to know the “demand” value it provides to make a good purchase. Furthermore, you can always add features you need.

All of this uncertainty is easy to deal with if you have a nice API. Swapping out databases, for example, is (in theory) near-zero cost. If the database vendor tells you they are charging more, it’s somewhat simple to switch (unlike, say, ad-hoc logging).


It is, isn’t it. The article talks about “open source is communism” but not authoritarianism, real communism. Which made me daydream about if the various licenses for FOSS required profit making companies to pay 100$ per year for all you can eat FOSS. And then it got distributed on some usage based basis. Would things be better? Not practical though.


Seems practical enough to me, but our government/society wouldn't go for it.


One of the problems is that if your target market is other devs, there is a knee jerk demand that your software should be foss and free (as in beer).

I hope that we'll see a move away from foss licensing to source available licenses over the next few years and an increased acceptance of this model in more areas.

Dropping the non discrimination clauses in open source licenses while giving licensees the right to view and modify the source and integrate it with their own software, but not the right to redistribute, is to me a good middle ground for a lot of projects. This would allow developers to charge different rates (or not charge) depending on the licensee and ensure that they can capture more of the value from their work if they need to do so in the future, or if their project becomes popular. It works for Epic with Unreal Engine and more generally in the game industry where it is common to have source available licenses.

While free software has its place in certain areas (academia, government, hobby projects), and I agree you should be able to audit and fix the software that runs on your own devices, it also has downsides and I don't think foss licensing should always, or even usually, be the default outside of these cases.


"...giving licensees the right to view and modify the source and integrate it with their own software, but not the right to redistribute, is to me a good middle ground for a lot of projects."

Licensees have that right with (most) free software licenses.

The downside of this is that, if the owner, Epic say, is not interested in changes you need, then you cannot distribute those changes no matter how valuable they are to you or anyone else. Further, you will have to maintain those changes in the face of whatever architectural differences the owner decides to introduce.[1] You are in the same position as the good old days of proprietary software (Believe me, you could absolutely pay IBM to make changes to its OS's. If you were, say, Ford.) except that you get to see the source. Yay.

[1] Yes, you should be expected to maintain your own changes if the original maintainers don't want to. However, that's significantly more difficult if the owner is uninterested in your features or is actively trying to break you. (Microsoft waves in the distance.)


> One of the problems is that if your target market is other devs, there is a knee jerk demand that your software should be foss and free (as in beer).

The problem with source-available COSS licenses like SSPLv1, BSLv1, Perimeter etc is that it, almost to the point of insulting developers who care about FOSS, wants to have its cake and eat it too: That is, the benefits of both, open and proprietary software. That's a hard sell, and it remains to be seen if they'd be as successful as FOSS for developer tools: http://dtrace.org/blogs/bmc/2018/12/14/open-source-confronts... and https://steveklabnik.com/writing/the-culture-war-at-the-hear...

Another popular strategy is to open source just enough bits, but not all of it: Previously named "open-core", pioneered by Elastic (who have since moved to SSPLv1) and GitLab, but is now accepted as open-source, anyway. Tailscale falls in this category. https://www.heavybit.com/library/video/commercial-open-sourc...

> I hope that we'll see a move away from foss licensing to source available licenses over the next few years and an increased acceptance of this model in more areas.

Nouveau open source strategy is to have a stranglehold on the software itself (think Chrome / Android) by keeping the development tightly guarded along with the business interests of the original sponsor. Typically, these projects are open sourced to commoditise competitor's advantages (Symbian/Blackberry in the case of Android, IE in the case of Chrome): https://www.joelonsoftware.com/2002/06/12/strategy-letter-v/

The traditional way of being in a F/OSS business was through associate services like deployments and consulting ala RedHat for Linux / Acquia for Drupal: http://dtrace.org/blogs/bmc/2004/08/28/the-economics-of-soft...

Open source, in particular FOSS (free-as-in-beer), in itself is a business strategy (but not a business model) if one knows how to use it to their advantage (as the author points out, many startups doing so these days): https://a16z.com/2019/01/22/what-comes-after-open-source/


Most money made by open source developers comes in the form of donations. Those have no obligation attached by definition.

If a developer doesn't do what the community wants, the donations could stop coming. Or not. If they don't do what an employer wants, the paychecks will definitely stop coming.


> You literally cannot pay for it

Sure you can. You can hire someone to fix it to your liking.

As an example, I'm pretty sure that's RedHat's M.O. Pay them to fix whatever you want them to fix.


If you want to make money off your library it kind of has to be complicated. Something that could be written in 500 lines should clock in at around 10k. And create a slick needlessly complicated marketing + docs site that conveniently glosses over the ugly warts of the library. Make sure to support react native, it's something very few will care about but adds to the perceived impenetrable fortress of pristine functionality. Make sure to tell your readers-- Don't roll _this_ at home!


In an ideal socialist economy, I could imagine engineers being sponsored by the state to work on FOSS, similarly to what happened in USSR with the Artists' union or in Tito's Yugoslavia.


> I read a book once which argued that the problem with modern political discourse is it pits the "I don't want things taken from me" (liberty!) people against the "XYZ is a human right" (entitlement!) people. And that a better way to frame the cultural argument is "XYZ is my responsibility to society."

I don’t know if it’s the book he’s talking about, but Simone Weil makes this argument in the beginning of The Need for Roots[+]—that the correct way to think about our relationship to society isn’t “rights” (someone else’s problem) but obligations (our problem).

[+] https://antilogicalism.com/wp-content/uploads/2019/04/need-r...


I don't recall which of Simone Weil's works this is from, but in terms of suggesting the ineffectiveness of rights, she presented this dialog of one person pleading with a much more powerful one:

Pleading: But sir, you must respect my rights.

Reply: I do not see the necessity of that.


There aren't any fundamental rights which require someone else to provide them to you. For example, your right to free speech does not oblige others to provide a platform for you.

Now, "rights" can be created by law, but those are a different meaning of the word. A more apt word would be one of "privilege", "license", "obligation" or "power".

For example, it is often said that the President has the right to veto legislation. No, he doesn't. He has the power to veto legislation.

The words right, privilege, license, obligation, and power are probably the most misused words in the English language.


What I've noticed on this topic as a staunch proponent of individual rights from their enlightenment and renaissance roots is that far too many people pontificating on this subject don't even know the difference between a negative right and a positive right, nor do they understand the perils and antithetical nature of collective rights.


The right to be ignorant is a negative right - which might be why it is so well spread and used :)


> There aren't any fundamental rights which require someone else to provide them to you.

But don’t all of the fundamental rights require someone else to protect them for you? Otherwise they aren’t rights, they are just observations of the state of the world.

In the end, what is the difference between protecting a right and defending a right? They both require action and resources, and are both an obligation.


Good question.

We empower the government to guarantee our rights.

They are rights whether the government exists or not, and whether the government enforces peoples' rights or not.

For example, slavery violates peoples' fundamental right to liberty, whether the government legalizes slavery or not. Rights do not flow from government action. Rights are a fundamental consequence of human nature.


> Rights are a fundamental consequence of human nature.

What does that mean? If someone stronger forces you to do work for them and beats you if you refuse, that seems like a “fundamental consequence of human nature” a lot more than saying that they shouldn’t.

To me, the “natural state” is that you can do whatever you can get away with. Any limitation we place on that is our attempt to impose our conception of humanity on nature.

To put it another way, what about the state of nature would imply that we have ANY of the fundamental rights people speak of as being such? The natural rights I see are what animals have; the right to try to survive as best you can, by doing whatever you can.

Now, I am in no way arguing for anarchy or anything, just that there is nothing ‘natural’ about our concepts of rights.


As soon as people get together, they tend to form rules, a leader, and a means for dealing with someone who breaks those rules.

How we find out what the rules should be is by observation of the results. A very large number of societies have been created, with every set of rules imaginable, multiple times.

By correlating rules with success or failure of the societies, we can begin to tease out what the best set of rules are. Clearly, some sets of rules work a lot better than others.

The best outcomes come from rules that guarantee a set of rights, best exemplified by the Declaration of Independence, the inalienable rights to life, liberty, and the pursuit of happiness, and later by the Bill of Rights.

Some rules work out very badly, like Marxism. No amount of wishing Marxism would work made it work, and no amount of coercion made it work, either.

This strongly implies that rights are natural, innate characteristics of being human.


> By correlating rules with success or failure of the societies, we can begin to tease out what the best set of rules are

This is not how we decide what should be considered fundamental human rights. Plenty of rules work out fine (i.e. effectively maintain social order and persist for long stretches of time) for “society” while being disastrous for the disempowered living under them.

> best outcomes come from rules that guarantee a set of rights, best exemplified by the Declaration of Independence

This is entirely circular reasoning. You have pre-determined that outcomes similar to your personal experience should be considered “good”, and then are declaring your society to be best because it led to your experience as an outcome. But you have neither clearly articulated what you mean by “best outcomes”, nor considered the outcomes for the less fortunate in your society. The argument more or less boils down to “Life worked out for me personally, and if it didn’t work out for you in my society, tough luck. If it didn’t work out for you in a different society, well mine is better.”

For example, I might for the sake of argument point out that Cuba clearly provides dramatically better healthcare and education outcomes than America (an astounding accomplishment considering its limited resources), and therefore conclude that Cuban society must be better structured and do a better job guaranteeing basic rights than American society.


> I might for the sake of argument point out that Cuba clearly provides dramatically better healthcare and education outcomes than America

How many Cubans want to leave and come to America? How many Americans want to live in Cuba? Venezuela? N. Korea?

Therein lies the answer to your argument.

It's interesting you chose to compare health care and education. Public education in the US is a gigantic socialist system. So is health care. You're not comparing a socialist system with a market based system. You're comparing a socialist system with a socialist system - which says nothing about what a market system could do.

And lastly, who collects those astounding statistics on Cuba? The Soviet Union was famous for celebrating astounding statistics on food production, while the people starved. Why should we believe statistics collected by another communist, totalitarian outfit?


> Therein lies the answer to your argument.

Their argument wasn't the specifics of the hypothetical. You're actually supposed to believe that Cuba isn't unilaterally better than America for the example to work.

You're in the middle of a discussion about Rights, why would you think this is suddenly a debate about Cuba?


> why would you think this is suddenly a debate about Cuba?

You should ask the person I replied to, as he brought up Cuba.


As a rhetorical example, not an invitation to debate the finer points of Cuban policy.


You've missed the point: that your argument depends on ends - a metric - which you've arbitrarily selected.


> By correlating rules with success or failure of the societies, we can begin to tease out what the best set of rules are. Clearly, some sets of rules work a lot better than others.

How do you measure success or failure? Whoever lasts the longest is the most successful? Because by that measure, the longest lived societies were empires ruled by monarchs.. they did not guarantee rights.


> How do you measure success or failure?

A great question!

Here's one way. Does a country build walls to keep people in, or keep people out?

How about that terrible video of people clinging to a jet leaving Afghanistan and falling off of it to their deaths? Were they fleeing a Taliban golden age in Afghanistan?

I personally know several people who fled the USSR. Ask them about the golden age they risked their lives to leave.


> Here's one way. Does a country build walls to keep people in, or keep people out?

Ok, so this basically amounts to using average life satisfaction as your measurement for success of a country. You could easily use any other measure, though, if you have a different goal... for example, my first thought was that "continued existence" was the measure of success, and whichever nation lasted the longest would be considered the most successful (a sort of Darwinian measure)...

Look, I personally agree with your measure of success. I am a child of the enlightenment, and I do believe that state authority rests with the will of the people. However, that is not an a priori fact... not everyone agrees with that as the criteria you judge a civilization, and it is not some natural fact that everyone is equal and deserves liberty, etc. Natural law is "whoever survives survives".


> Here's one way. Does a country build walls to keep people in, or keep people out?

Can you make this into an actual measurable statistic or does this require us to just guess at the motivations of wall builders?


I'm wondering what you think the purpose of the wall along the Rio Grande is for. It was in all the papers for the last 6 years.

Or why the Soviet Union built a wall across Europe.


So, nothing quantifiable?

I guess if we ask the people who built those walls they'll give us whatever answers they think are convenient for their propaganda purposes in the moment.


If human rights are fundamental consequences of human nature, is there some way to list them?

It seems to me the whole notion is a valuable but entirely human construction, ripe for debate about what counts and what does not.


> is there some way to list them?

Over time, by observation, we discover what they are.

For example, do you have a right to not be a slave? If so, why do you think you have that right?

Do you have a right to not have someone clonk you on the head with a pipe and steal your wallet? If so, why do you think you have that right?


I think it's important to note that these rights are there regardless of who you are or what you have done. And that differs from "natural" human tendencies to strip wrongdoers of their rights. We have collectively agreed that a wrongdoer can have some rights revoked (prison) and yet continue to preserve more fundamental rights. Yet many people today still feel that someone that commits a terrible crime should be stripped of all their rights, including in some cases their most fundamental right to be alive.


Yes, at least in the US I have both of those rights, but neither is a "fundamental consequence of human nature".

I have the right to not be enslaved because the government and broadly society deems that valid. But that's a consequence of government force preventing people from enslaving others. Without government intervention, slavery emerges. It even still happens today, in the US in particular cases (prison, as one legal example). I don't see how something can be considered a fundamental consequence of our nature if, when left without supervision, it disappears.

I don't think that you can provide a clear list of such "natural" rights. If "liberty" is one, why isn't "health"? Improving my health improves my liberty, but (in the US) we don't culturally consider healthcare a "right", although it is considered such in some other countries.


> I have the right to not be enslaved because the government and broadly society deems that valid. But that's a consequence of government force preventing people from enslaving others. Without government intervention, slavery emerges.

That's one way of looking at it. Another is that you do have the right not to be enslaved, just by dint of being a human being, but that sometimes, someplace, because there are no laws or government to enforce your right, you might be enslaved anyway.

In this second perspective, you have the right not to be enslaved even if you happen to actually be a slave; it's just that your right is being violated.

That is, I think, what is meant by a "natural" -- or, if you are American, in a perhaps more familiar term, "inalienable" -- human right. You always have it; it cannot be taken away (or "alienated") from you.

Yeah, I'm also a bit confused as to why the "Founding Fathers" left out healthcare. But maybe they didn't -- I mean, can you really be "happy" if you're ill...? So maybe they meant for it to be included under "the pursuit of happiness". (Hey, in their day medicine was less advanced -- you couldn't be as almost-certain of a beneficial result from medical care as we can today, so that, too, was more of just a "pursuit".)


I fully accept the idea that rights may be natural, and slavery violates an inherent natural right.

But then how do we decide which rights those are? GGP suggested we do so by analyzing society, but that fails when rights are being violated, so...


A: By navel-gazing.

I jest, but not completely: It'll probably have to be by philosophical introspection. You'll have to look at society -- societies, all over the world and throughout history -- and decide for yourself which of their traits are expressions and which violations of human rights. Figuring out from that which of those rights are "natural" and which not is... Not easy, so I'll leave it as an exercise for the reader.


> Without government intervention, slavery emerges

A closer examination of history shows that slavery tends to fail when in competition with free labor. The emergence of free labor destroyed slavery the world over. The Civil War was the last gasp of slavery in the US attempting to protect itself from free labor. Slavery had already died out in the northern colonies due to it being uneconomic.

Free labor caused the collapse of the USSR. Free labor destroyed Nazi Europe.

> we don't culturally consider healthcare a "right"

Sure we do. >50% of health care in the US is provided by the government, and the rest is heavily controlled by the government. Emergency rooms are required to treat people who cannot pay for free.

The government has so thoroughly regulated, overseen, subsidized, distorted, etc., every aspect of health care, that in no way can it be described as free market.

Let's try something that is free market - the software business. Software in the US is completely unregulated. What's the result? Incredible progress, world leadership, and plenty of very high quality FREE software.

It's amazing, unpredicted, and unbelievable. But it's true.


"A closer examination of history shows that slavery tends to fail when in competition with free labor"

"Free labor destroyed Nazi Europe."

I cannot even comprehend what this means - how were slaves a major part of Nazi war effort or economy?

In your mind, did they lose a trade war and the 100+ million dead soldiers were a side show?


> how were slaves a major part of Nazi war effort or economy?

The Nazis employed slave labor on a massive scale. Their slaves were Jewish prisoners, political prisoners, and POWs.

The US free labor produced plenty of war material for two major wars, and enough left over to supply Britain and the Soviet Union. US troops were well fed, with plenty of gas, bullets, airplanes, ships, aircraft carriers, medical supplies, trucks, everything, and also managed to ship it all to the war zones.

The Nazis and the Japanese never had a chance once the US got going. They had critical shortages of everything.

For example, what did the Nazis do when the battleship Bismarck was sunk? Game over for the Kriegsmarine except for the U-boots. What did the US do when the Japanese wrecked the US aircraft carriers? Built lots more! What did the Japanese do when their carriers were sunk? Game over for naval aviation.

Also, the Wehrmacht in WW2 was still very much a horse driven army. The German propaganda newsreels, shown endlessly in WW2 documentaries, avoided showing the horses and loved showing the mechanized troops. I don't think the US used any horses at all.

Free labor also sunk the Confederacy. The Confederacy was never able to properly supply their troops with guns, cannons, powder, food, uniforms, or even shoes. They were largely barefoot.


> The US free labor produced plenty of war material for two major wars, and enough left over to supply Britain and the Soviet Union. US troops were well fed, with plenty of gas, bullets, airplanes, ships, aircraft carriers, medical supplies, trucks, everything, and also managed to ship it all to the war zones.

A more realistic explanation of course is that the Allied powers had around 3x the population of the Axis, and that America's production infrastructure was never negatively impacted, while German and Japanese infrastructure was routinely bombed.

The UK, for example, despite not using slave labor, wouldn't have been able to win the war without US assistance, and you failed to mention the USSR at all, which beat Germany just as much as the US did, but doesn't fit the market based and slave labor free image you're trying to project.

The better explanation is that when you are already losing a war you need to eke out more production from what you have, and you're willing to sacrifice long-term things for it. Slave labor, in the short term is more efficient for some things, especially when you need the people who would normally be working in the free market to be elsewhere manning the guns. Employing slave labor didn't cause the nazis to lose WWII, at best it was coincidental, and at worst it was a response to the fact that they were already losing.


The Soviet Union was heavily supplied by the US.

The German and Japanese homelands were not bombed until they were already losing the war.

The Nazi prosperity before WW2 was fairly limited, as the Nazis couldn't resist endless meddling with it. The suppression of the Jews surely must have had bad consequences for the economy, though I know of nobody who has attempted an accounting of it. The living standard did not approach that of the US.

> manning the guns

Don't forget that the US pressed into military service all the fit men 18-36. Didn't resort to slave labor.

(Footnote: FDR proposed forced labor in his 1945 State of the Union Address. Don't believe me? Look it up! Fortunately, that went nowhere.)


>Don't forget that the US pressed into military service all the fit men 18-36. Didn't resort to slave labor.

The irony here being, of course, that while the US courts ultimately disagreed, forcing people to join the military is arguably itself a form of slave labor. It is certainly a form of involuntary servitude.

> The German and Japanese homelands were not bombed until they were already losing the war.

The Allies had begun bombing Berlin before the US entered the war. So if your contention here was that the Nazis were losing from day one, sure. Otherwise you're not correct.

> The Nazi prosperity before WW2 was fairly limited

The German prosperity before the Nazis took power was fairly limited. That was in fact one of the primary reasons the Nazis took power in the first place.


> forcing people to join the military is arguably itself a form of slave labor

Indeed it is. But the soldiers were taken out of production in the economy, which is the point I was responding to.

> The Allies had begun bombing Berlin before the US entered the war.

Yes, the British bombed Berlin early in the war as a propaganda stunt. The US Doolittle raid on Japan was also for propaganda. They were ineffectual from a military perspective. It doesn't alter my point at all.

> The German prosperity before the Nazis took power was fairly limited. That was in fact one of the primary reasons the Nazis took power in the first place.

We both know that. The Nazis were in power from 1933-1939. There wasn't much prosperity.


> Indeed it is. But the soldiers were taken out of production in the economy, which is the point I was responding to.

Right, but the allies had more people, so there's nothing relevant about slave labor. Like I said: slave labor is a tool of last resort, when the market fails. The US had to use that tool to get enough labor in the fighting force, but still had enough humans that market systems (and propaganda) worked in the economy.

> We both know that. The Nazis were in power from 1933-1939. There wasn't much prosperity.

Then I have no clue what your point is. My point was, and continues to be, that Nazi use of slave labor was a consequence of the already relatively weaker economy. You seem to be arguing that slave labor caused the weak economy. My point is that it started weaker and remained weaker, and to try and keep up, they had to force more people to do things.


Help me understand your train of thought, so if the Nazis had 'free labor' they would never have shortages of oil and natural rubber? Would it just magically appear? And without the shortages they would have won the war, right?

That must be the point you are making, because if they would have lost anyway then your argument makes no sense?

And what about USSR, their 'free but not free' labor caused them to win and lose simultaneously?


If the Nazis had free labor, they would have done better, but they still would have lost because the US was bigger.

The USSR likely would not have prevailed against the Nazis if the US didn't supply them. Or at least it would have been far more difficult for them.

Synthetic rubber - "Production of synthetic rubber in the United States expanded greatly during World War II since the Axis powers controlled nearly all the world's limited supplies of natural rubber by mid-1942"

https://en.wikipedia.org/wiki/Synthetic_rubber#World_War_II

Synthetic fuel - "During World War II (1939-1945), Germany used synthetic-oil manufacturing (German: Kohleverflüssigung) to produce substitute (Ersatz) oil products by using the Bergius process (from coal), the Fischer–Tropsch process (water gas), and other methods (Zeitz used the TTH and MTH processes)."

https://en.wikipedia.org/wiki/Synthetic_fuel#History

The V2's were fueled by alcohol from potatoes.


Your arguments really sound like “just-so stories” (https://en.wikipedia.org/wiki/Just-so_story)

You are picking examples that fit your idea of what natural rights should be, and are ignoring the countless counter examples. If a free society is fundamentally better, why is China so successful? Countless empires have been built on the backs of slaves, conquered people, and oppression. Yes, most eventually collapsed, but so have all democracies except the ones that are currently around… and there is no reason to believe the ones around are the “end state” of the evolution and not just a snapshot of civilizations that will eventually collapse like all those that came before. Democracies have fallen, to be replaced by dictatorships… dictatorships still exist, and many are successful members of the international community… Saudi Arabia is a strong ally of the US, and doesn’t seem close to collapse.


The rise in the standard of living in China is directly correlated with their adoption of a free market and dispensing with collectivism.

> Saudi Arabia is a strong ally of the US, and doesn’t seem close to collapse.

Why not tour Saudi Arabia and come back with a report about how people there live?


I wasn't making any claim about the lives of people in Saudi Arabia... my only claim is that it is an absolute monarchy, it is still around and not close to collapse, and is an ally of the US. All of those things are objectively true. It isn't only democratic countries that have survived.


I didn't make an argument about longevity.


>Software in the US is completely unregulated.

Banks, the healthcare industry, the aviation industry and NASA would like a word with you, as well as US import and export control regulators.

Not all software in the US is the vomiting of code cowboys into NPM and Github, by a long shot.

>Incredible progress, world leadership, and plenty of very high quality FREE software.

Sorry, what potentially world-crippling bug are we on this week, I've lost count. Or was it a million dollar company that got hacked and exposed PII because their database layer was written by an intern using open source code written by a high-schooler who thinks writing SQL statements with printf is elegant?

No... the unregulated wild west of software is turning out to be a nightmare. The regulated part, at least, holds bad actors accountable and doesn't depend on "all eyes making bugs shallow" and just hope quality emerges from the aether.


If I sell medical software, yes, it would have to pass the FDA. Same for software going into aviation systems (the FAA). Same for NASA.

> Not all

Not a single byte of software on any of my computers now or since the 1970s has been regulated at all.

> the unregulated wild west of software is turning out to be a nightmare

How much have you paid for the software you're using right now? How much have you paid to use HackerNews? You're free to go use software written in the 80s, 90s, 00s, etc., if you like. I bet you aren't.

Software these days is far less buggy than it used to be. It may appear more buggy to you, but that is the result of a large increase in the number and efforts of sophisticated (and well-funded) engineers attempting to subvert it.


You didn't use strong encryption that was not allowed to be shared outside the US? I remember early versions of software (PGP, I think?) in the 90s had some warnings to this effect.


> A closer examination of history shows that slavery tends to fail when in competition with free labor. The emergence of free labor destroyed slavery the world over. The Civil War was the last gasp of slavery in the US attempting to protect itself from free labor. Slavery had already died out in the northern colonies due to it being uneconomic.

I don't mean as an economic system. Chattel slavery is one particular example of macro-scale slavery, but macro-scale slavery isn't what I was referring to.

Put another way, our markets are not perfectly efficient, and there exists enough slack to allow niches where inefficient cruelty can exist. Even though slavery was inefficient and had died out in the north, the South did all it could to keep it around. It still took laws and war to get rid of it. If the government stopped enforcing all laws today, how long would it take for some people to be kidnapped and enslaved? A week?

> The government has so thoroughly regulated, overseen, subsidized, distorted, etc., every aspect of health care, that in no way can it be described as free market.

Something being not a free market doesn't make it a right, nor does the government providing it as a service to some people. You might be able to get away with the argument that emergency medical care is considered a right in the US, but emergency medical care is only a small part of healthcare.


Take a look at what goes on in the healthcare system. It's all the result of unintended side effects of well-intentioned regulation.

For another example, the AMA deliberately restricts the number of seats in medical universities. They are empowered to by law. This keeps the number of doctors down, and increases their pay.


This has nothing to do with whether or not something is a "right".

I'll remind you, the initial statement you made was "Rights are a fundamental consequence of human nature.", but you're now saying somewhat ahistorical things about slave labor and market economies. Even if what you were saying was accurate, it has nothing to do with how we define rights.


You can (and people do) invent and define rights all the time. People have also tried to legislate that pi=3. Almost daily, legislatures try to repeal the Law of Supply and Demand.

That doesn't make them rights, and it never works.


What makes something a right, then? You keep talking around it, and saying things which you believe are rights, but have never said explicitly what makes your set of rights somehow objectively rights where others aren't.


I did say, multiple times in this thread.


"The law of supply and demand" isn't a right.

> You can (and people do) invent and define rights all the time.[...] That doesn't make them rights

Huh?


"The law of supply and demand" isn't a right.

I didn't say it was. Neither did I say that pi=3 is a right. Please read what I wrote again.


Yes, I and others have asked you to list out what the natural rights are, and you've waxed about free markets. I have no idea what you're trying to say, since you seem to be contradicting yourself. Hence my request for clarification. You're doing such a bad job of communicating here that the only reason I don't think I'm being trolled is that I know you wouldn't do that.

My best guess is that you're trying to make the point that market economies are natural and that the rights we have under them are therefore natural, but this is basically an argument from status quo and it goes directly against what you said elsewhere about healthcare being a right due to government regulations.

And from that you seem to be saying that healthcare is a right due to government regulation, but here you're saying that government decree doesn't make something a right. So like I said, I'm lost.


"Now, "rights" can be created by law, but those are a different meaning of the word."

I read a few of your posts, and it felt like reading the old testament - full of self contradictions, the only constant is you don't like 'government'.

You seem to have little regard for the fact that your countrymen have laid down their lives for your rights. The only reason we don't have 'Divine right of Kings' is because we cut off their heads, and we don't have slavery because those that support it have been shot or convinced at gunpoint. Women have the right to vote because they invented the letter bomb and burned down houses of MPs that voted against them.

Every right you enjoy, from a fair trial to your very freedom, has been won in blood and while you pontificate about 'unexpected, marvelous free market' (which existed for thousands of years, Kongō Gumi was incorporated in 578 CE) society becomes more polarized and likelihood we will resort to good old ways of settling differences increases.


> you don't like 'government'

You evidently missed when I wrote that the function of government is to be the guarantor of rights.

> You seem to have little regard for the fact that your countrymen have laid down their lives for your rights

You would be very, very wrong about that. I have many family members who fought in American wars, all the way back to the American Revolution. I know what they fought for, and it wasn't socialism.

> Every right you enjoy, from a fair trial to your very freedom, has been won in blood

You're right, and I enjoy those rights and thank our American soldiers for fighting for them. You are very, very wrong about my feelings about GIs. My own father volunteered to fight the Nazis at the sharp end of the spear, and volunteered again for the Korean War at the sharp end. He also served in a support role during the Vietnam War. I take American freedom very, very seriously.

I am grateful for all American servicemen and women who risked their lives for American freedom.


Your post isn't really an argument. It's just contradiction.

The whole point of calling rights "ineffective" is to say that this idea of fundamental rights that other people aren't obligated to provide to you has no utility. Your definition doesn't really contain any evidence to the contrary.


> The whole point of calling rights "ineffective"

I never wrote that. I welcome you addressing what I did write.


No, you didn’t write that. It was a9h74j, that you replied to, who wrote that. And Simone Weil, originally.


> There aren't any fundamental rights which require someone else to provide them to you.

I mean, people have a fundamental right to food, water and shelter. So it certainly seems like we have to provide people with those or those rights cannot be satisfied.


> There aren't any fundamental rights which require someone else to provide them to you.

This is, of course, totally false. From the moment of birth your parents have to provide sustenance and safety, or you'll die. Similarly, someone must teach you a native language, if only indirectly, or you'll be unable to communicate or acquire skills. If a parent neglects a child and fails to provide them "services" (or whatever), the state will absolutely take the child away and punish the parents.

As an adult, you have the right to a system of justice that allows you to argue grievances and petition for redress against others. You have the right to police and fire fighters. Those are all services provided to you.

I used to think that everything was a transaction when I was a hardcore libertarian, but I'm not anymore. There are bazillions of things that we take for granted that are just table stakes in a modern society, like the rule of law, an educational system, clean air and water, and yes, healthcare. A hospital can't refuse you emergency care if you can't pay, and that's absolutely a right established in the social contract.

Rights are a mix of inherent and acquired capabilities as well as courtesies granted by a social contract. Until you start paying back every person from whom you've learned a word in the English language, yeah, you are getting tons and tons of things for free without realizing it.


Bluntly claiming someone's post is false is rather rude, isn't it? Particularly on a subjective philosophical topic.

Governments are never "givers" they are just different systems of trade-offs, which can also be in terms of services and freedoms. For example, you have a right to justice if you are wronged. Society can either step aside and let you seek it yourself, or, if that behavior (vigilantism) is outlawed, then they are obligated to instead provide you with a system to seek justice within. Or they could come up with some alternative to allow you to protect your right. From this perspective, your right is not an entitlement and you don't have to postulate a new entitlement every time the govt creates a new program for (ostensibly) helping people achieve their rights better.


> This is, of course, totally false.

Your example is one of the state punishing you, not an example of a fundamental right. Services provided to you are not a right simply because the government provides them.

The proper role of government is as guarantor of fundamental rights.

> you are getting tons and tons of things for free without realizing it.

This is confusing rights with getting things for free. Nothing about fundamental rights prevents you from providing free stuff to others. In fact, you have a fundamental right to choose to give your stuff to others for free. Heck, I work on D every day, and give it away for free. My salary as CEO of the D Language Foundation is $0. There's nothing non-libertarian about that, since I freely choose to do it.

As for children, as a hardcore libertarian you should be aware that the notions of fundamental rights apply only to legally consenting adults. Children enjoy only a subset of those rights.


> Your example is one of the state punishing you, not an example of a fundamental right. Services provided to you is not a right simply because the government provides them.

I'm not sure which example you are referring to; I gave several. But if you're referring to the state punishing you (by taking away your kids for not feeding them), keep in mind the state will by default become the ward of orphaned children and it will indeed pay foster parents to take care of the children.

The broader point that we clearly don't agree on is that rights are in fact negotiated in a social contract. They are an agreed upon set. In man's state of nature before civilization, there are no rights and no authority but power: violence and threats of violence. Even in proto-societies that develop in groups of primates, the rules are set by convention and agreement. Almost any statement that either you or I could come up with that starts off with "well clearly the inherent rights include X and Y and Z" is false on its face. We can really only talk about rights in the context of them being respected. By whom? The members of society and particularly its governing bodies.

Again, I gave several examples. Providing for children, even if the state does it, is clearly not in dispute, and that alone refutes your rather bold statement. Emergency medicine is another; that's something that applies to adults. In any modern society it's accepted that my human rights "force" EMTs to render emergency help, regardless of my ability to pay[1].

[1] I can't think of many countries besides America where emergency bills can be astronomical, but even there, regardless, a hospital must make every reasonable effort to save your life and eat the cost if you cannot pay.


How is an "obligation" not the exact same thing as a "right", just from the other person's perspective?

Pleading: But, sir, you must fulfill your obligations.

Reply: I do not see the necessity of that.


You didn't flip the dialogue, you just substituted different words.

Replier: I should fulfill my obligations to society.

Pleader: le suffering

Replier: Ya..I should really do that now. It's my duty.

That's the difference, the perspective. You aren't asking someone to fulfill their obligations, people are taking it upon themselves because the mindset has shifted. It's now upon you to do the right thing, not hand-wave say "you have rights..but it's someone else's job to realize them"


That's not inherent to the word "obligation" any more than saying "I must do this, it is your right". It's fine as a concept, but saying "instead of talking about rights, we should talk about obligations" doesn't clarify anything, because my right is simultaneously your obligation.


Right, but in so doing you're also switching the grammatical subject. The original statement assumes the same subject, moving from rights -> obligations implies a different meaning. I.e., when speaking of myself, "my rights" vs "my obligations" are very different things. Likewise when speaking of society, "our rights" vs "our obligations" also lead to a different dialog. The onus is on what we owe to others, rather than what we are owed, even though such a contract necessarily implies both.


That's exactly my point: Changing the word that's used doesn't matter, what matters is getting people to think of others instead of themselves.


Yeah, that makes sense in egalitarian societies, but in real world societies, it means the slaves aren't allowed a voice.


I think the whole point is that it is from the other perspective (they are "jural correlative"?)[1].

Example: https://en.wikipedia.org/wiki/Noblesse_oblige

[1]: https://en.wikipedia.org/wiki/Corelative


Doesn't that cut both ways?

Pleading: But sir, you must respect my laws.

Reply: I do not see the necessity of that.


Exactly, people are missing that rights and laws are an agreed upon arrangement to find a set of compromises for everyone to live together happily, which results in stability and often overall growth in economy, invention, social enjoyment and entertainment, etc.

You can't just tell someone they're not allowed to take food from your plate, while simultaneously not providing anything for them to eat.

There is no longer any plot of land anywhere that is not owned by someone else. Think of those plots of land as plates. One who doesn't own any of it is hungry, you tell them to get their own food, but they can't take from any of the plates of anyone else, so you can't use any land to try and get your food from. Now this person tells those who have all the food, hey I have the right to food as well, and people say, I don't think that's a necessity, well why is your right to your land and your plates of food a necessity as well? You can't have it both ways. If you want to have the right to own the plates of food, you must also provide food to others somehow, because you've taken up all of the abilities to get food from others.


> You can't just tell someone they're not allowed to take food from your plate, while simultaneously not providing anything for them to eat.

You can, and a lot of people do say this. And it was said many times in history, and ... people were maimed for it regularly. (And every day we get the reports, pictures, videos about people inside a fence saying that those who are outside should just go and try their luck somewhere else.)

The whole point is that wordgames are not going to get us the desired utopistic society where people feel that obligation to act to uphold others' rights in accordance to their power/ability for doing so.

It needs a culture that cherishes this, enforces this, perpetuates this.

In essence we need a control loop that keeps society on track, and this system has to be aware of all the usual problems (the optimal set-point of intolerance of intolerance, top-down systems tend to consolidate power, bottom-up systems can easily oppress minorities, political arbitrage of resources for favors is an ever present problem, and so on).


Seems like we're in agreement, unless I'm misreading something.

Obviously, you can say that, but the people you say it to now also lose their reasons to uphold your words. If you tell me I can't have food from you, and I also have no other way to get food, I'm going to have to disregard your right to property you were hoping to have and force my way into your plate of food.

And now we're back at the typical human power struggles and infighting.

I think your point is that simply asking for food when you don't have it doesn't magically solve the problem. And I agree, but if you think about who you're asking it makes more sense. You're asking those who have all the food or means of producing food to give you some, or to do something about your lack of food. They were handed ownership of food and food production, now there's people who feel they don't have the food they need. They're complaining to those who own the food and its production, which to me makes sense, since they are the best positioned to solve the problem as the owner of the food and food production. And those who don't own food or food production have little ability to do anything about it. That's what I was trying to convey, there's nowhere else to try my luck, everything is already fenced up.

This is kind of just a debate on equal opportunity and equity I guess. Everyone should have equal opportunity, and those who haven't in the past might need equitable retribution to make up for it.

Asking for that I think is very different than asking to be handed things without effort. I think most people simply ask for justice, if you had land and couldn't make food with it, so be it. Most people might accept their fate. Now it would be nice to also deal with those unlucky in their attempts, but now it's a different debate. If you never had land to begin with, had your land taken, etc., that's another story.

I'm also 100% in agreement with the following:

> It needs a culture that cherishes this, enforces this, perpetuates this.

Even though I'm not so sure how best to nurture such a culture.


> food production analogy

Yes, with the added twist that the people who don't have enough vastly outnumber those who have a lot. The real problem is not Elon and Bezos and the other token billionaires. After all their net worth is in their companies, most of it is unrealized capital gains.

The real problem is with the folks making over 150-200K but still think they are living "paycheck to paycheck"

https://mobile.twitter.com/ne0liberal/status/147776715594083...

So in reality it's not as simple as farmers telling homeless people to go somewhere else, but there's no more land left. It's more like the have-lots telling the have-a-bits to watch out for have-nots, and this works perfectly. Conservative populist rhetoric is very effective in suburbia.

> equal opportunity and equity

Yep. The big problem with this is that many people consider one time help as now take this and we're even "equal opportunity". Of course what's needed is a strong social safety net that helps people back on their feet. Shelter, healthcare (mental hygiene too!), education.

Again it's not cheap. And even though the economy is not zero-sum over long term, yearly budgets are. Hence the fight about how much on what to spend.

> culture

I think simply (ah yes, simply! :} ) going incrementally, starting with the best cost-benefit programs and areas. Focusing on cities where there's enough like-minded people to enact the policies, learn from the consequences, course correct, while not losing sight of the goals.


> rights and laws are an agreed upon arrangement

I don't know why people say this.

It's just a fairy tale. Laws aren't agreed upon; they're initiated by conquest and continue through the establishment of institutions that preserve an occupation over generations.

There may be some kind of "democratic" process for public participation in law-making, but that's not the same thing as laws being "agreed upon."

There may be some kind of cultural process for raising children to accept the laws that existed and were put in place by adults before them, but even that's not the same thing as laws being "agreed upon."


That seems like a bad example. In modern society rights are generally enforced by the support of the population via some judicial (or extra-judicial) system.


From the post's author, the mentioned book is:

> The Future of Capitalism by Paul Collier. There are a lot of insights in there but beware that the writing is kinda problematic in some ways, so it doesn’t get my full endorsement.

https://twitter.com/apenwarr/status/1476590932619567104


I like this:

> Sometimes liberty is differentiated from freedom by using the word "freedom" primarily, if not exclusively, to mean the ability to do as one wills and what one has the power to do; and using the word "liberty" to mean the absence of arbitrary restraints, taking into account the rights of all involved

It's from Wikipedia, and it implies this is the modern take of the definition. I think it's how I think of it as well. So it is neither of the two you mentioned, but a combination of them with the focus being the balance between them.

Liberty would assume all have rights they are entitled to, and that none shall arbitrarily restrict one's ability to do as they please, where non-arbitrary is defined as not restricting of others' rights.

I don't think it really puts people against each other. Some people simply disagree with liberty and favor freedom instead. Which would mean, some people want to be free to do whatever their power allows them to. You can think of it as whatever I can get away with because I'm more powerful. It would mean if I'm stronger I can strongman my way into doing more things, same if I'm richer, more influence, etc.

Fundamentally it's a disagreement with your objective. If you don't accept that the less powerful still deserve certain rights, or that power should not dictate rights and restraints, there's no amount of discourse to be had, you will be optimizing for different outcomes.

I also find the framing of rights as someone else's problem misleading. It is not someone else's problem, oftentimes it is because of restraints society imposes, the other person's problem is due to their restraint on other people's rights. For example, that I can't just walk in your house and sleep in your empty bedrooms as I please, and eat the food sitting idle in your fridge, or build myself a cabin using wood from your trees and on your land, those are all restraints society is imposing on me. So if I'm now homeless and without a job, I cannot just do these things to provide for myself shelter and food. But if you believe everyone has the right to shelter and food, and you are restraining my ability to get them as such, you need to offer an alternative, it isn't entitlement, it's the trade for accepting the restraints being pushed on me.

For me, it's the fundamental agreement, you accept the restraints from laws in exchange for rights. If the rights don't come, you're not getting your side of the deal. Now of course people can impose restraints with power instead, and that's almost always what used to happen and still to a large extent does today, but at least we seem to try harder today to be just.


> the correct way to think about our relationship to society

This right here is the problem. I'm very familiar with Simone Weil's ideas, and also the criticisms. Her entire philosophy can be reduced to "Ubuntu": We are who we are, because of who we all are.

The problem is that this doesn't follow with a free society. Or individual liberties. It's basically that the "individual freedom" is reduced to the lowest common denominator of what the society will comfortably tolerate. And that, by definition, is tyranny.


That’s pretty lazy thinking. Those are the same things. Your “rights” are everyone’s “obligations”.


What other gifts continue to be the responsibility of the giver after they're given?

If I give you a puppy, and it gets sick, should the vet bill me?

If I gave you a car, and the wheels fall off two years later, is that my problem?

In this instance people have been using this Java package for years I gather without problems. Why is the responsibility for changing the package anyone but theirs, the people using it; now that they've decided they have stricter requirements for that need?

Even the entertainment industry's notion of "ownership" isn't so endless. They'd like to be paid every time we use their product, but have settled for "licensed media" ... but that license doesn't extend to replacing the media when it wears out.


I think it could be both a user and an industry issue.

Lately I’ve been experimenting with treating many libraries as a starting point in some of my projects. Meaning I read and use the code, often removing things I don’t need.

So I fork and maintain my own lesser / crippled version (and hope authors don’t take this as passive aggressive criticism!). This helps me lower attack surface and better understand what’s going on.

This doesn’t work for everything obviously. I’m not forking an OS or database, so there are still lots of black boxes, but for some stuff I’m liking this approach.

Now if another dev inherits my code I doubt they’ll see it my way. The industry wisdom points at simply assembling libraries and only writing your specific business logic. So what if you use a library to do one thing that just happens to do 100 other things (thus having a much larger attack surface and bug potential)?

I don’t know yet if I’m being foolish or if I’ve stumbled on some ancient programmer wisdom I simply failed to grasp earlier. At least I’ll probably never run into a leftpad issue.


> So what if you use a library to do one thing that just happens to do 100 other things (this having a much larger attack surface and bug potential)?

I’ve wondered about this for a while, and one idea that’s crossed my mind is whether compiler stages could be introduced to do this. For example, you add a dependency, you use a few methods and structures. You compile it, the compiler goes through your code, looks at what traits, implementations, etc that you do and don’t use, it grabs just the code required to satisfy these, and proceeds as normal. At the end it spits out a little report for you telling you what specific things it included/excluded from your binary/library. Like tree-shaking in JS but better.

Maybe this already happens during dead-code-elimination passes, or during some other compiler step, maybe most of our libraries are far too interconnected/non-modular to be able to do this without ending up with the whole dependency anyway, maybe it’s computationally infeasible due to some result in Computer Science, I don’t know - and wouldn’t really know where to look to find out - but if it could be done, and if we could go even further to embed this metadata into the resulting binary itself, we’d at least have a provable way of saying “my application is safe from x because it does not include <vulnerable part of lib y>”.

I imagine to do this, you’d need to operate on source code - unless there’s some magic way to do it with precompiled binaries - and runtime dynamism would make things extra difficult, but it’s an interesting idea.


This is pretty normal for compiled languages like C, C++, and Rust; the linker will throw out functions and classes that aren't used. In Java it's a bit different, because the compiler doesn't know if some code is using reflection to talk to some other code, so it can't safely throw away stuff that isn't directly referenced. Even then, tools like ProGuard can help you trim out code you don't use, but I don't think they're used all that often outside of mobile.

But the log4j thing really isn't in the same class because it's not really "code that wasn't used". It's code that probably users didn't expect was there, and if they knew would probably not want used, but it's there, and the proper functioning of the library included that code path that allowed for JNDI interpolation. Whether or not that code is really "needed" is not something the compiler can really figure out, at least not without teaching the compiler that very very very specific thing (which would be madness). And even then, let's say you bizarrely wanted to be able to do things very much like what the log4j exploits do, there's no way the compiler (or even some kind of specific purpose-built code scanner) can know whether or not some string that might be supplied by a user in the future is going to trigger this JNDI interpolation code.
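
The distinction drawn in the comment above (unused code a linker can drop versus a feature that is reached through data) can be shown with a toy logger. This is an added illustration, not part of the thread and not log4j's code; it is written in Python so it runs stand-alone, and the `${scheme:key}` syntax, the lookup table, the function names and the sample strings are all constructed for the example.

```python
import re
import types

# Constructed lookup syntax, loosely modelled on "${scheme:key}" interpolation.
LOOKUP = re.compile(r"\$\{(\w+):([^}]*)\}")

# Constructed stand-in for whatever a real lookup backend would return.
FAKE_DIRECTORY = {"env:HOME": "/home/app", "dir:motd": "value-fetched-by-lookup"}


def resolve(match, trace):
    """Resolve one ${scheme:key} token and record that a lookup happened."""
    key = f"{match.group(1)}:{match.group(2)}"
    trace.append(key)
    return FAKE_DIRECTORY.get(key, "")


def expand(text, trace):
    """Replace every lookup token in text; the result is not rescanned."""
    return LOOKUP.sub(lambda m: resolve(m, trace), text)


def interleave(literals, args):
    """Join template literals with stringified arguments, in order."""
    if len(literals) - 1 != len(args):
        raise ValueError("placeholder count does not match argument count")
    out = [literals[0]]
    for arg, literal in zip(args, literals[1:]):
        out.append(str(arg))
        out.append(literal)
    return "".join(out)


def log_weak(template, *args):
    """Expand lookups AFTER substituting arguments: data can trigger lookups."""
    trace = []
    line = expand(interleave(template.split("{}"), args), trace)
    return line, trace


def log_hardened(template, *args):
    """Expand lookups only in the developer-written template literals."""
    trace = []
    literals = [expand(part, trace) for part in template.split("{}")]
    return interleave(literals, args), trace


def referenced_names(code):
    """Global/attribute names used by a code object, including nested ones."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= referenced_names(const)
    return names


def reachable_functions(root):
    """Crude static call graph: module functions reachable from root."""
    namespace = root.__globals__
    seen, stack = set(), [root]
    while stack:
        fn = stack.pop()
        if fn.__name__ in seen:
            continue
        seen.add(fn.__name__)
        for name in referenced_names(fn.__code__):
            target = namespace.get(name)
            if isinstance(target, types.FunctionType):
                stack.append(target)
    return seen


if __name__ == "__main__":
    untrusted = "${dir:motd}"  # constructed value standing in for user input
    for logger in (log_weak, log_hardened):
        line, trace = logger("login failed for {}", untrusted)
        kept = "resolve" in reachable_functions(logger)
        print(f"{logger.__name__}: {line!r} lookups={trace} resolve_kept={kept}")
```

Both loggers reach `resolve`, so a dead-code pass keeps it in either build; only the order of substitution and expansion decides whether logged data can trigger it.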


I've been thinking about this too. Most of my JVM projects use slf4j and logback, but the same concept applies as for log4j. I probably use less than 10% of the features provided.

I log strings at different logging levels, and want to be able to set the level globally at which log lines actually get emitted. My use of interpolation is dirt-simple: I just expect the logging framework to call ".toString()" on the things I pass. I log exceptions, and expect the framework to emit a stack trace in addition to the exception message. I log to stdout, and use pretty much the same log-line format for everything. I like the loggers to be named, and occasionally use the ability to change the log level on a per-logger basis.

I could build this set of features in... I dunno, a day? Sure, it would take me a lot longer to build the entirety of slf4j+logback, or log4j, but I don't need 90% of their features. So, yeah, I'll continue to just use slf4j+logback (hell, maybe I should use slf4j-simple); the idea of writing my own simple logging library doesn't really interest me all that much, even if it wouldn't be too hard to do so. But I'm still carrying around all this extra attack surface, and that's unfortunate.


Yes I generally use a similar strategy of avoiding dependencies and writing my own small library that does what I need. I also appreciate learning exactly what’s going on.

> Now if another dev inherits my code I doubt they’ll see it my way. . . . I don’t know yet if I’m being foolish or if I’ve stumbled on some ancient programmer wisdom

I have the same fear here. Lately I’ve been trying to keep a similar api to popular libraries so it would be easy to swap in the real library if ever needed.

But yes “at least I’ll probably never run into a leftpad issue.”


This cultural expectation follows naturally from the nature of software. Software (especially of the networked variety) isn't something you can just deploy and be done. It has to be maintained to continue running over time as the ecosystem changes. The cost of this maintenance is lowest when amortized across the largest set of users, hence the success of open source software, and the desire to avoid forks. The people who are most qualified to maintain software are the original creators, so that is the path of least resistance.

Of course no one is obligated to maintain anything, open source maintainers abandon stuff all the time without any repercussions beyond passive internet rage.


Yep. The puppy analogy falls apart when you've given the same puppy to 10,000 people. All of them could pay the vet bill separately, but we instinctively recoil from that as being horribly inefficient (and personally inconvenient) when it's possible for just the one puppy-giver to pay it.


> Why is the responsibility for changing the package anyone but theirs, the people using it; now that they're decided they have stricter requirements for that need?

It isn't. Every open source consumer is ultimately responsible for the use of the code. That's baked into every open source license I'm aware of. Even the "share and enjoy" mantra is a tongue-in-cheek reference to a rhyme that ends with recommending what porcine orifices you can put your head on if you don't like the software.

... But there's more to be gained by the original authors, in glory and internet points, by publishing a fix for the problem than in washing their hands of the whole affair. Some people want their code correct as a point of professional pride alone.


> Even the "share and enjoy" mantra is a tongue-in-cheek reference to a rhyme

I don't know of any rhyme, but I always assumed that this was a reference to the Hitchhiker's Guide and Sirius Cybernetics Corporation. Which, yes, does involve a pig: https://www.goodreads.com/quotes/95859-share-and-enjoy-is-th...

Sirius Cybernetics Corporation was best known for having created Marvin, the depressed android, and doors with cheerful personalities:

> “All the doors in this spaceship have a cheerful and sunny disposition. It is their pleasure to open for you, and their satisfaction to close again with the knowledge of a job well done.”

So yes, "Share and enjoy" was originally deeply drenched in irony, and it functioned as a warning to proceed at the user's own risk.


It's not just internet points, it's what makes the whole thing practically viable.

If you don't give any guarantees beside "it's a hobby project", you can't expect anyone else to use your software beyond hobby projects either.


> If you don't give any guarantees beside "it's a hobby project", you can't expect anyone else to use your software beyond hobby projects either.

I am happy to provide consulting services and support guarantees through my LLC, and have done so in the past.

Non-paying users who ask nicely might get fixes. Or they might not! Unfortunately, those fixes might also arrive a year or two after they stopped caring, I'm sad to say.

But a project which doesn't bring me any revenue, and which doesn't function as valuable advertising, is only going to receive support when I have the time and the inclination.

Realistically, commercial adoption is only interesting to me if there's some upside for me. This isn't to say that companies should never use my libraries or tools. Just that if they want timely support, they should be prepared to either pay me, or use the "Fork" button.


Or it's the opposite. I've had people base their business operations on my clearly marked hobby project. And then they started being nasty when I stopped updating it.


> If you don't give any guarantees beside "it's a hobby project", you can't expect anyone else to use your software beyond hobby projects either.

Can't speak for log4j, but I don't expect anyone to use my SW beyond hobby projects. If they do, I expect them to be responsible for how they use it.


> If you don't give any guarantees beside "it's a hobby project", you can't expect anyone else to use your software beyond hobby projects either.

That's a good thing. The companies shouldn't be expecting free code and free support. If they want something for a commercial product, pay for a commercial library with a support contract.


Reviewing code is (should be) significantly less work than reimplementing it yourself, if you were able to do it in the first place.


> If I give you a puppy, and it gets sick, should the vet bill me?

> If I gave you a car, and the wheels fall off two years later, is that my problem?

So in Western culture there's this notion that a gift creates no further obligations. The recipient should just be happy he got what he got and not expect anything more. As if to say, at least you didn't get nothing, you can still get nothing, you want nothing?

I would say with the puppy if it gets sick and the recipient can't afford it, you should accept paying the bill. Before it was the "giftee's" puppy, it was your puppy for some small amount of time after you got it and before you gave it. Surely when you gave me a puppy you expected me to be able to keep it alive, right? And as for the car, it's not right to give someone a car whose maintenance they can't afford. The puppy and the car are two excellent examples of gifts that cannot be given without forming a relationship between the giver and the receiver.

On the other hand a gift you can give and split and that's it is food or money. Just handing money to a beggar, he might ask for more, and you can walk.

In some African cultures it's more like, if you do me a favor, do me another favor, and then we're true blue and you can rely on me to help you in return, but never in a tit-for-tat manner. It's in the book Debt: The First 5000 Years.


The software library in question wasn’t gifted. It was made open/available for re-use from a library.

The person who chose to put it into _their_ code took ownership of its ongoing maintenance in their instance of its usage (presumably because they felt that would be less work than entirely diy).

There is no puppy here.


It's prudent to decline a gift if one doesn't really have the circumstance to accept it responsibly. As in the case of a puppy. Or an offered position. (Eg. if someone shows up at your doorstep and gifts you a military rank and accepting that would make people expect you to go and lead them in battle.)

But a car is not a liability. They can sell it. It won't "go bad like a puppy" if it just sits in a garage.


A car is a liability. And it does go bad if it sits in the garage, the tires, the battery dies...Plus the space it takes up. Maybe if you didn't have that car in your garage you could do something interesting with that garage, like form Hewlett-Packard or Apple? I expect there wasn't a car in those garages. So it takes up space, about the same as what you need to house someone, and if you want to sell it you I suppose have to drive it...no I guess you're right in that regard, you can show it to people until you sell it. But it's better to regift it, so you're not responsible for harm that could come from bad condition, in fact come to think if there's no trust it might itself be a regift. Yeah, it's a liability.


Worst case scenario, you can throw the car away. You had no car before receiving it as a gift, you'll be no worse off if you throw it away. The dog is a little worse because you may become attached and in general, you can't really treat animals like objects in our society.


Throw the car away how? What type of garbage do you put it with, recycling or compost?


You can get it towed to a junkyard and they will even pay you a little bit for it, probably enough to at least pay for the towing costs. Otherwise, I’m sure you can arrange something with your council.


Is that true? I would expect that most junkyards would charge you both for towing and scrapping the car.

(Granted, nowadays, due to the supply chain issues and component shortages, people will pay an arm and a leg for a car that even barely runs, so there's that.)


They won't tow it for you. But they will usually pay for your car if it's in any reasonable condition, though not a lot. Maybe it's different in different countries


You can still sell the parts years and years later. No garage necessary. No driver's license required. If someone gives you a car unless it's a total junk you can easily convert it to money, and the time pressure is completely different compared to a pet.

The moment you accept the pet you have to think about everything in your future for years. You accept a car? Okay, you might not even see it, maybe you just get a paper and a key fob and an address. And you don't have to do anything for years. Nothing happens morally.


The examples are a bit one sided.

If I give you covid, is that my responsibility?

If I give you a piece of software with a backdoor in it, is that my problem?

In reality, all actions carry various kinds of responsibilities. And well designed backdoors look exactly like oversights, so the difference isn't all that clear cut in practice.


I mean, it depends?

If you give me covid, and you did so intentionally or negligently (as in, you knew you had it and yet did not isolate or at least tell me you have it so I can decide not to meet with you), then yes, that absolutely is your responsibility. But if you contracted covid from a trip to the grocery store, were asymptomatic, had no idea you had it, and I got it from you, I certainly wouldn't hold you responsible.

The software-with-backdoor bit is similar. Did you put the backdoor there, and then give me the software with the intent to later use the backdoor against me? That may not be your "problem", but it's certainly your responsibility. Or did a contributor sneak a backdoor into the software, but, despite your best efforts, you missed it? I'd be upset, and might trust your technical judgment less, but I would hold the contributor responsible, not you.

> In reality, all actions carry various kinds of responsibilities.

Yeah. Going back to the covid example, I could imagine an intermediate situation where you didn't know you were infected, but for the past months you'd been engaging in all sorts of risky behaviors: not getting vaccinated, no social distancing, no masking in crowded indoor places, hanging out with unvaccinated people in close quarters, etc., then I'm probably not going to react as severely as if you deliberately gave it to me, or knew you had it and didn't warn me, but I'm certainly not going to hold you blameless either.


So... this is essentially a cultural question, so I think the best way to look at it is empirically.

Not exactly your question, but there's an anthropological pattern whereby gift exchange between individuals of disparate class or power (eg peasant & lord) automatically creates a tradition. If a boss gives his employees a turkey for Christmas, Christmas turkeys become a permanent expectation. If a lord gives his king 20 camels for spring equinox, this can easily escalate into a permanent tax.


I know a former software developer who is very open about going to therapy. He once commented on this fact, saying that he knew someone who also talked openly about therapy, and that he never would have gone if they hadn't known this person. Essentially he's hoping to be 'that guy' for somebody else.

Computer science, to people who are picking college degrees, seems like a safe, sterile environment of pure logic. But the only jobs are in software development, which is organic as hell. It's messy, it often smells, sometimes it rots. And sometimes it's just scary. A lot of people seem to be in denial about this for a long time.

Software is full of social capital and emotions, and we often try to conceal both behind a mask of objective thought. I can tell you ten logical reasons we shouldn't write the code this way but the real problem is that I think your solution is going to leave me stressed out of my comfort zone and/or missing life events because I either can't trust that you'll clean up your own mess, or that the business won't let you because you can't do it fast or robust enough. So I'm gonna argue with you about getting anywhere near that cliff edge, but we're not going to talk about the proverbial agoraphobia because that's too hard.

And if my logical, objective, sterile reasons for saying 'no' are deflected, odds are very good I'm going to acquiesce instead of actually agree, and I'll be secretly stressed, possibly grumpy, possibly even ready with an 'I told you so.' All while we're trying to keep hard things 'professional'.

Your solution is nerve wracking. This one is not. We should use this one, because we have better things to stress about. You're goddamned right we're going to trade a little more stress for you now for less stress for the entire company three months from now. It's a fair trade.


Did you respond to the wrong comment? Not sure where you're going with this comment.


???

Must be a sibling comment. Shoot.


> In this instance people have been using this Java package for years I gather without problems. Why is the responsibility for changing the package anyone but theirs, the people using it; now that they're decided they have stricter requirements for that need?

Because for a long time, libraries have been advertised as building blocks that you can quickly integrate into your own application without having to understand in detail how the library works. This assumption has been pretty crucial in the cost/benefits calculation for using libraries vs writing functionality yourself.

Now that internet security is becoming an ever more serious topic, this assumption might be less and less viable to hold. We've walked back on it to an extent already with the current best practice of "you don't have to understand how it works, but at least update frequently".

However, it might as well happen that this is not enough to keep security issues from happening. Things are already moving in a direction where it's absolutely expected that a developer understands and takes responsibility for every line of code that is included in their product, whether they wrote it themself or not. But if that happens, it will fundamentally change the way we deal with libraries and how software ecosystems work.

Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead.

> now that they're decided they have stricter requirements for that need?

I think what made the log4j vulnerability so dangerous wasn't the ability to load arbitrary code via JNDI on its own (even though that was certainly a horribly overengineered and dangerous feature). The main vulnerability was that log4j was accepting substitution patterns in the "parameters" section of a logging command, the main purpose of which is to accept untrusted input. There has been at least one other CVE which exploits this without needing JNDI at all.

"Don't trust user input" has been a fundamental rule of security for a long time, and it was reasonable to assume the log4j authors were aware of it. So the current situation is not that requirements have suddenly become stricter, it's simply that log4j broke a fundamental assumption about its API.

(I'm also pretty sure that while the JNDI thing was an unfortunate feature and was "working as intended", the "substitutions in untrusted input" part was likely an honest bug and never intended like that)
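The ordering problem this comment describes, as an added sketch that is not part of the thread and not log4j's code: a toy logger that resolves `${...}` lookups after formatting, beside one that resolves them only in the developer-written template. The lookup table, its keys and all function names are constructed for illustration.

```python
import re

# Constructed lookup table standing in for a logging library's lookups.
# Keys and values are hypothetical and exist only for this example.
LOOKUPS = {
    "env:DB_PASSWORD": "constructed-secret-123",
    "sys:user": "svc-app",
}

LOOKUP_RE = re.compile(r"\$\{([^${}]+)\}")   # matches ${key}
PLACEHOLDER_RE = re.compile(r"\{\}")         # matches the {} parameter slot


def resolve_lookups(text):
    """Replace ${key} with its lookup value; unknown keys stay as written."""
    return LOOKUP_RE.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)


def fill(template, params):
    """Fill {} slots left to right; inserted text is never rescanned."""
    remaining = iter(params)
    return PLACEHOLDER_RE.sub(
        lambda m: str(next(remaining, m.group(0))), template
    )


def log_interpreting_params(template, params):
    """Flawed ordering: format first, then resolve lookups over the whole
    message, so text that arrived as a parameter is interpreted as well."""
    return resolve_lookups(fill(template, params))


def log_params_as_data(template, params):
    """Safer ordering: resolve lookups only in the developer-written
    template, then insert the parameters verbatim."""
    return fill(resolve_lookups(template), params)


def params_with_lookup_syntax(params):
    """Detection helper: return the parameters that carry ${...} syntax,
    which a reviewer or alerting rule may want to flag."""
    return [p for p in params if LOOKUP_RE.search(str(p))]


# Constructed sample call: the first parameter is untrusted request data.
TEMPLATE = "${sys:user}: login failed for {} from {}"
PARAMS = ["${env:DB_PASSWORD}", "203.0.113.7"]

if __name__ == "__main__":
    print("interpreting params:", log_interpreting_params(TEMPLATE, PARAMS))
    print("params as data:     ", log_params_as_data(TEMPLATE, PARAMS))
    print("flagged parameters: ", params_with_lookup_syntax(PARAMS))
```

In the first ordering the untrusted parameter pulls a configured secret into the log line; in the second it is logged as the literal text the caller sent.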


""Don't trust user input" has been a fundamental rule of security for a long time, and it was reasonable to assume the log4j authors were aware of it. So the current situation is not that requirements have suddenly become stricter, it's simply that log4j broke a fundamental assumption about its API."

Once you see it this way, the whole "open source is broken" debate goes out the window. It was just a bug. A bad one, but not anything that hasn't happened before and won't happen again, open source or not.

"Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead."

Free software devs have to smugly repeat "no guarantees about anything" in the same way that non-free software development has to do it: Otherwise all software development would be mostly dead.


>Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead.

I don't think they have to smugly reply, it's included in the licence[1] of the software that folks chose to use. See sections 7 and 8.

1: https://logging.apache.org/log4j/2.x/license.html


There is social context to licenses.

My employment contract states that I am an at-will employee, so my boss could technically fire me because they didn't like my haircut. If they were to _actually_ do this, I would certainly be slighted by this, probably post about it publicly and forewarn others against working for them, although they would not have violated the letter of the contract nor my understanding of its literal meaning.


> There is social context to licenses.

What is the social context in terms of open source software and licences?

> so my boss could technically fire me because they didn't like my haircut. If they were to _actually_ do this, I would certainly be slighted by this

If we translate this to the log4j scenario: log4j says there is no support or warranty provided in their licence, however if they _actually_ do not provide support or warranty, you would be slighted by this.

To me this does not sound fair at all. Your boss at least pays you for your time as part of your contract. What do the log4j developers get for their time? Absolutely nothing. Yet it is expected they should provide support even when the licence says they won't? That just comes off as entitled.

Drew DeVault has a blog post that covers this better than I can: https://drewdevault.com/2021/06/14/Provided-as-is-without-wa...


Right, and I disagree with that post in this sense: there is a social expectation of fitness for a purpose that cannot be disclaimed with a license.

Many projects under licenses providing no warranty are nevertheless of high quality and well-maintained. Making the category in question precise is difficult, but it includes log4j. Projects by organizations such as Apache and eminent individuals like Bellard or Valsorda fall in this category. There is therefore an expectation that if you are such a project, yet unwilling to hold yourself to that standard of quality, you should make it clear for your users. Using a license with a no-warranty clause does not achieve it because it is not a distinguishing factor. The license, of course, protects from legal liability and so on, but no one is talking about legal matters here -- only about whether we should be collectively unhappy with the log4j maintainers.

The reason for this unhappiness would not be that they aren't willing to donate more of their time, but that their stewardship of the project is poor. Vulnerabilities are found in FOSS all the time; this instance was special because the misfeature in question was an egregious inclusion in the first place. It appears to be not a case of lack of time for review, but a lack of sense to say, "no, interpreting strings after formatting is insane and will never be part of this library." Obviously, they are entitled to include whatever code they want in their project, but some code is incompatible with it being useful -- if they do not aim to clear that bar, they should make it clear, because others in their position do.

I would say that something like opening your README with "this is not a serious project, you should not use this in prod" would be reasonable. This warning needs to be front and center and explicit, not merely stating "we are unpaid volunteers" or similar. There is precedent for this. Yes, some ignore such warnings and complain -- as long as this verbiage creates a useful distinction, such people are wrong and we should ridicule them. This warning would stand in contrast with the great many projects which aim to be fit for a purpose in practice, such as Postgres, Linux, Blender, etc. Obviously, such projects are usually better funded than log4j -- making it clear that you're not funded well enough to dedicate much time to the project is an important part of this warning's content.

To continue the workplace analogy, I would be the unreasonable one to complain if the company specifically warned that they were significantly more trigger-happy than the normal company hiring at-will.


There is no such context. The licence specifies clearly and completely the terms of use. You cannot handwave an unwritten "social context" into existence, that adds an obligation to the creators that their licence explicitly refused to accept. What you get, of course, is the actual source code.

It's understandable that you would assume such a spurious obligation, human history is full of references to such obligations, up until the age of Big Data, which is when we realized that most of these assumptions were false. It's been a painful time for all of us.

In fact, the actual obligation is yours, if you decided to use this logging library. Seems there was a severe vulnerability in the code. It also seems that the people who responsibly forked the code, ran their own security audit, discovered the vulnerability and then patched decided not to make their contributions known to the general community of users of the software. They, if they exist, seem to be acting as if no obligations exist with respect to the code they acquired.

Speaking of assumptions, your proposed actions regarding your employment assume that your boss was obligated to tell you the reason your contract was terminated. Again, no such obligation exists. They can't fire you out of disgust for your Satanism, or because of your Inuit heritage, or because there are ambiguities regarding your gender. Luckily for them, at-will employees can be terminated, well, at-will, so there is no need for them to specify that it was not, in fact, because of your quite stylish haircut. Your public postings might in fact earn you a letter from the legal department, since you have no way of knowing the real reason was that you downloaded logging code on to mission critical servers, and lacked either the inclination or capacity to verify this internet code, and then when asked about your decision to do this thing, you quoted an imaginary "social context," an unwritten, unknown construct, that in this case silently tacks on the term "users of this library will receive free, unpaid support in perpetuity" that functioned exactly like Adam Keynes "invisible hand," that is, some rationalization to absolve you of the responsibility for explaining problematic aspects of the mental model used in your decision making. This was a vast surprise to the administrators of your company, who, understandably, know very little about logging libraries, which is why they hired someone to provide the required functionality.


This is what happens as things move more into mainstream from a few technical users using this as intended in sort of a small walled garden so to speak and then as it grows you get non technical users and bad actors. Look how smtp started, open for anyone where open relays were expected, to what we have today - still a large spam problem, compromised accounts with security on top of it. There are lots of rewrites and different smtp programs as things like smail and sendmail were replaced by exim, postfix and qmail (qmail which is free software, but really unmaintained and could be anyone's problem if they wanted).

I'd argue if there is an application that is being built on libraries without a full understanding of keeping them maintained over the years you will get a massive cluster fuck with code rot. These are things that are learned with experience, as a dev starts they take short cuts and learn from the mistakes. It is not a bad system when you are learning from your mistakes. There are simple solutions like using an operating system that is maintained. Log4j and java packages exist for example in operating systems that get security updates - and continue to do so for the life of the operating system.


Yeah, my guess is also that long-term, software development will involve less libraries and more "reinventing the wheel" for those reasons.

> Log4j and java packages exist for example in operating systems that get security updates - and continue to do so for the life of the operating system.

But how does an updated OS help if the packages themselves are not updated?


> But how does an updated OS help if the packages themselves are not updated?

Package maintainers apply patches and roll a new package version (e.g., +deb11u1).

At some point the package maintainers themselves may not want to babysit things anymore and deprecate the package. But most packaging systems that I'm aware of have mechanisms for applying patches.

In many cases even if the software itself is still maintained, the package maintainers may only apply a specific patch to ensure maximum compatibility.

It's why many of us prefer 'slow moving' distros with "old" packages: minimal change for a given version and then only when 'necessary'.


> Yeah, my guess is also that long-term, software development will involve less libraries and more "reinventing the wheel" for those reasons.

I very much hope not.

I would greatly prefer to see some certification bodies arise that can vet libraries for exploits like this and give a certificate of some sort saying "This library is safe to use".

Of course, that requires them to have some extremely good exploit-finders.


It's also a competitive problem.

Log4j commoditized log formatting, appending, and rolling for Java. If all my competitors use it and I don't, then I'm behind them in the market. I spent engineering resources creating my own, and add another layer to the NIH snowball which will eventually start rolling all on its own if I don't constantly invest a small amount of my limited attention into stopping it.

I only win if my competitors don't get away with it. Whole empires have been built in the time between log4j being 'production ready' and the discovery of this RCE bug. I'm reasonably sure that the majority of software companies that have ever existed, existed during this period, and any of them who used Java got away with it, and trillions of dollars to go with 'it'.


> However, it might as well happen that this is not enough to keep security issues from happening. Things are already moving in a direction where it's absolutely expected that a developer understands and takes responsibility for every line of code that is included in their product, whether they wrote it themself or not. But if that happens, it will fundamentally change the way we deal with libraries and how software ecosystems work.

That's one of the differences between coders and engineers.

Coders just import libraries to avoid re-inventing the wheel. Engineers consider each import as a dependency they'll have to maintain, buy support for or replace. Log4j just highlighted this difference, with some knowing exactly what to patch and others frantically trying to determine if one of the thousands of dependencies they imported into their app actually used it.

> Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead.

There's a simple alternative: hire the devs.


I have zero sympathy for the library users who got burned by this security defect. It's fine to use free software for critical systems, but only as long as you have developers who can maintain it internally or a paid support contract with a vendor who can do that for you. Those options cost money. If you fail to account for that in your software bill of materials then you deserve the consequences.


Back a few decades ago, companies (at least ones I worked at) did not often use open source libraries in products. Sometimes you'd go through months of lawyer meetings to get some special case approved, but that was rare. So when you needed a library you couldn't write internally, you'd buy it from a vendor. That came with maintenance and a support contract.

As a developer that was a bit of a pain since you had to get purchase approval instead of just adding a dependency to a build file.

But, I'm feeling that is actually the better model the industry should go back to. It meant that developing libraries was actually a viable business. Today companies just leech off the open source everything, externalizing all their costs and dumping the maintenance burden on unpaid volunteers.


"As a developer that was a bit of a pain since you had to get purchase approval instead of just adding a dependency to a build file."

How much of a pain was it when the vendor refused to fix your bug because it, or you, weren't important enough? When the vendor went out of business, or was bought by a company uninterested in the product you were using?

Oh, and when you consider writing a library internally, keep in mind that patents are a thing.

"It meant that developing libraries was actually a viable business."

Yeah, I remember that. I remember when there were a million billion little companies producing C++ libraries. Then C++ started to get really popular, and those companies' customers went from a small group of experts to a large group of, uh, non-experts. Then they discovered that support was hard and all went out of business.

I really wonder what would have happened if HP hadn't open-sourced the STL...


How do you 'leech' off of something intended to be used for the common good? That perspective just doesn't make sense.


> Because for a long time, libraries have been advertised as building blocks that you can quickly integrate into your own application without having to understand in detail how the library works.

Libraries in general have been advertised this way, but it's not true for any given library, unless the library maintainers make that claim. In fact, it's quite common for people to release libraries with the exact opposite claim: They are not liable for anything that goes wrong, and they don't promise any support.

It is a bit offensive to have expectations from someone when the person makes it unambiguous how their SW can be used, and where their responsibility lies.

Now yes, it is true that many major, popular open source libraries do make a show of their libraries being reliable, and do provide support. And those that do tend to have more adoption. But even a number of those do say "Hey, we're putting in this effort, but are not promising bad things won't happen."

> Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead.

This is transforming a continuum into a fairly worthless binary scenario. You're not going to have every library say "We won't provide support" just as you won't have every library say "We'll follow best security practices" - so why bring it up? It's trivial to show the latter would have likely killed the free SW movement too.

The reality is a continuum. And that is how the free software movement succeeds.


Hmm, re:

> how startups tend to go bankrupt and their tech dies with them

I have this mental model, which may not be entirely accurate, that the original Iridium corporation successfully launched satellites into orbit, erased the multi-billion dollar costs of the launch using bankruptcy, and then handed over control to a successor corporation who inherited control of the constellation but none of the startup costs.

Do I have the story right? Is there any other example like this where a failed company manages to leave us with something useful while its immense costs were just … evaporated?


>Is there any other example like this where a failed company manages to leave us with something useful while its immense costs were just … evaporated?

Blender's original investors' capital did not totally evaporate, but the $100k buyout to release it as open source was a small fraction of their $4.5 million:

https://docs.blender.org/manual/en/latest/getting_started/ab...


That's roughly true, but it's sort of a special case; as I recall it, the US Department of Defense had come to depend on Iridium and didn't want to lose service, so they facilitated the orderly bankruptcy and re-emergence of the company, in part by offering an enormous multi-year contract to the successor company.


Do things like Tumblr and Skype count?

Where a legacy Internet behemoth mistakenly clicks "Buy It Now" on a startup for eleventy billion dollars during some drug-and-drink fueled bender and then wakes up the next day and offloads it to some rando on Twitter for whatever they have lying around in their PayPal balance.


It's funny, I think Yahoo has done this twice now: once with Tumblr and once with Delicious (although the chain of ownership for Delicious is much longer).


Yes, I forgot about Delicious. Yahoo destroyed both of those companies. Unbelievably all the Delicious data is still available. Delicious was one of the only accounts I could log into after eight years in jail. It was amazing to see that 99% of my bookmarks were dead links.


I liked the book Eccentric Orbits about Iridium


They didn't give me anything, they gave to the companies that bought the satellites for next to nothing.


The company didn't "fail" -- it ripped off creditors.


Motorola developed and launched Iridium. They may have lost their $X investment, but they also went out and sold mobile network infrastructure equipment in the developing world for $(X * Y).


In case I forget when I'm done - I'm half a dozen paragraphs in and I want to say how much I love this style of writing.


You're not the only one: https://news.ycombinator.com/item?id=2320966 (2011)


> Miraculously the Internet Consensus is always the same both before and after these kinds of events. In engineering we call this a "non-causal system" because the outputs are produced before the inputs.

So funny.


I can't help but think so much of this could be solved if we simply had real and effective product liability rules and consequences for things that use software.

You give it away for free, no guarantees and such? Great, we appreciate it.

You sold something to someone? Okay, well, like with food and buildings and cars and airplane rides, we understand that if it's done wrong it can be really harmful, so we have real legal consequences for getting it wrong. Where you sourced your inputs is not my problem when it does -- whether that input was "free software" or "rotten ingredients" or "faulty concrete."


Software is everywhere. A 5 USD gadget dies because the software is shit? Nobody cares. (The ewaste is bad still.) A 1 USD app has bugs? Meh.

We have liability regulations for the actual things that use software. (And in some cases too much and in some cases too little. See healthcare, medical devices, FDA on one end, and Boeing and the MCAS fuckup on the other end.)

One reason Amazon got sooo big is that they do have a consumer protection regulation. (The return everything no questions asked policy. Of course they also have a fucking big problem with scams, and they are too hostile with merchants, because they are a fucking de facto monopoly, and are not forced to work much on those problems or "metrics".)


> if we simply had real and effective product liability rules...

Isn't there a risk software would become as ineffective as healthcare?

It seems to me that private enterprises aren't good at handling huge uncertainties (like liability). So businesses would aggressively minimize liabilities. Sure we would get better software, but we might get less competition, higher barriers to entry, more expensive products, and less capable products.

Suing companies for doing the wrong thing is an expensive mechanism. Gradually regulating supply-chain documentation is probably cheaper.


I literally believe we would likely get the opposite of every possible negative thing you mentioned; mostly because I think the cause of most software problems (or more specifically, the difficulty of discovering and fixing them) comes directly from the monopoly and monopoly-like players that currently exist.

I'm aware that a world in which e.g. Microsoft was actually sued to the extent of the damage it has caused is hard to envision, but I can't help but think breaking that sort of thing up by whatever means gets you more visibility, more localism, more shallow bugs, etc.


> When you try to pay for gifts, it turns the whole gift process into a transaction. It stops being a gift. It becomes an inefficient, misdesigned, awkward market.

This resonated with me. When open source involves money, incentives become misaligned... And all the bad parts of a SaaS product become important, vendor lock-in, upselling etc...


Thanks for that gift of an article!


If you liked it so much, why don't you give a donation :)


I will read it for free


Fred tosses and turns, unable to sleep. Wilma sits up. “Fred, what’s the problem? Why are you tossing and turning?”

Fred comes clean: “I owe Barney $10,000 and I promised to pay it tomorrow. And I know he needs it, because he bought a new set of golf clubs to use at the company golf tournament this weekend on credit, and if he doesn’t pay, he’ll have to take the clubs back.”

Wilma picks up the phone. “Betty? Sorry to call you so late, but would you give Barney a message? Tell him that Fred doesn’t have the $10,000 he promised. Yes, that’s all. Good night!”

Fred stares at Wilma, aghast. “What did you do THAT for?”

Wilma smiles. “It’s Barney’s problem now. Let him toss and turn, we can go to sleep!”


‘You literally cannot pay for it. If you do, it becomes something else.’ This is not true and imho misleading. You can pay for GPL software. Many people do pay a lot for FOSS software. You can pay devs that develop GPL software. And it will still be FOSS. Payments do not change whether software is FOSS or not.


In that case (using the article's analogies), you are receiving a gift (GPL/FOSS software), and choosing to give them a gift as well (money). Both transactions are 100% no strings attached.


I bought qcad a few years ago (used it for a hobby project), I paid for it because compiling from source would have been a hassle.

Note. qcad is open source.

But yes, there is a limit for what you can charge and how far you can scale that model :)


>Many people do pay a lot for FOSS software.

A few. Most people leech.


Somewhat related to the points about authoritarianism, a book review of "The Conquest of Bread" that had some discussion about a month back: https://news.ycombinator.com/item?id=29349688


> Paying for gifts... does not work. When the context is friends/family exchanging gifts, I agree. But, given the context of the author's argument (open-source software), I disagree. When I pay for (sponsor) open-source software, I'm doing so because I want to encourage the relevant author(s) to continue applying their talents for the betterment of both myself and the world at large. I'm not paying for something I requested of them, nor am I telling them what to build going forward. If I knew a person who spent some of their free time helping relieve homelessness in some way, I'd be inclined to sponsor them in the same fashion.


>a person whose name is now unpopular was at a university, where they had a printer, and the printer firmware was buggy.

Is this not a quote from Stallman? Is he really so badly in the internet's doghouse that we can't even say his name?


I think the author is missing (or perhaps just discounting) the fact that not all developers have the same level of competency. Just because someone releases code as free software or open source doesn't mean they have done the work that a more skilled practitioner of the art would do prior to public release. It's not just money that determines code quality, but there are cases in which it can help. Taste in selecting which code and features are accepted by a maintainer will have a huge impact on the resulting security track record of a project.


Wow, the "Authoritarianism" section is the essay I wish I had written, but better than I would have written it! Thank you!


There is a book, called 'The Gift: How the Creative Spirit Transforms the World' that is popular in author circles. It's about the gift economy and how it's different than capitalism and how creative endeavours are really part of the gift economy, not the cash economy proper.

I honestly got a bit bored of reading it and stopped, but the idea stays with me. This essay captures some of that idea - why you can't pay for a gift, how gifts work differently. They are a form of capital in that gift givers get social credit or something, but it's a very different system, a more traditional one than capitalism.


Does the book talk about one among the dangling questions the author posed but didn't answer: how simultaneously, whole promising branches of the "gift economy" structure have never been explored?


You might have more fun reading Marcel Mauss' classic, also called The Gift, on the structure and function of gift exchange across various societies.


"gift economy" is also the model underpinning Free Software.


It's also the model underpinning bribery. It's multi-purpose.


I expounded on the gift-giving theme as well, some years ago, and am glad to see I was not alone: http://paul-m-jones.com/post/2018/12/11/open-source-and-sque...


I have only one question: is his blog a gift?


apenwarr's posts on (software engineering x startups) are even more lit. As someone who works on FOSS full-time, I wish they wrote about the questions posed in the epilogue section of that post.


I don't like hair trimmers. I have no use for them and they only occupy space and eventually I return them when I get them as gifts. And yet, every 2 or 3 years I get one as a gift.

His blog is a hair trimmer, now I have to kill the memory it occupied in my brain (return the gift).


The hair trimmers are not a gift. They are a pointed commentary on your grooming, or so I would assume.


Considering I have a hair salon I go and do said grooming every 2 or 3 months, it's not a pointed commentary but a poor gift from people who don't really know me. You see, it's fashionable in my country to do such a gift to men, except in my case I get it from people who don't really know me but they enter my life one way or another. Trust me, they learn and next gift is usually perfume or shaving water. Those gifts are always welcome, no matter how many come.


I appreciate that this is just some over dramatic roast, but claiming that some parts of open source are suboptimal wrt security is a "non causal observation" means you're ignoring the difference between 'warning' and 'example'.


>"Internet access is a human right," is just a sneaky way of saying "someone should give people free Internet."

This isn't correct. It does not mean someone should pay your ISP bill. Human rights are standards of living that are protected by laws.


From log4j to Communism vs Authoritarianism in less than 400 words. Gotta admit, that is impressive even for internet standards.


What’s more is that the author is wrong. Free Software is libertarianism, not communism.

“Free” refers to the freedom to modify the software, the liberty of one person to (legally) do whatever they want with the thing they own. Common ownership, or community control of means of production has nothing to do with Free Software. Nobody owns free software and nobody controls it.


More precisely anarchism. The ethos of Stallman is completely at odds with that of libertarians.


Could you expand on how the ethos of Stallman is at odds with libertarianism a bit more?


I think the parent refers to different cultural understandings of "libertarianism". In most of the world, libertarian ideology is anarcho-communism whereas in the USA (and in the startup world globally) libertarian designates so-called "anarcho-capitalism".

There is some ideological overlap as both branches advocate against centralized powers. The key difference is in regards to private property: the idea that something can be owned by someone who does not make use of it (i.e. not a personal possession such as your residence) is denounced by anarchists as a way to deprive people/communities from their resources for the profits of a few ("property is theft") whereas libertarians consider that a "natural right".

Still, as Noam Chomsky (and others) pointed out, the anarcho-capitalist clique from Silicon Valley always relied on major grants from the State and how you would prevent the people from accessing the resources they produced because they're "owned" by someone else without central powers remains a mystery. Libertarians are well-known for dreaming of employing people to work for them and amassing wealth, but i have yet to meet a libertarian who wants to be the lowly exploited worker.

Meanwhile in the anarchist world, we abide by the principles of "from each according to their capabilities, to each according to their needs". Gathering consent and sharing tasks is notably easier when we're doing it for ourselves and not for the profit of someone else.


Actually, cryptocurrencies and DAOs were supposed to be socialism. The network was going to be owned by the people. The natural way to monetize open source.

Well, minus the whole one person one vote part, but still better than the surveillance capitalism of Big Tech companies funded by VCs buying shares, propping up their “free to lockin” model and dumping them on the public, who then made them extract rents forever to satisfy wall street earnings.

In my opinion, cryptos were seduced by the dark side of profit, and buyers failed to care that the emperor (blockchain) has no clothes (scalability).

I am focused on micropayments and local currencies with actual utility, and moving past blockchain. I am going to link to something — and historically this link was immediately knee-jerk perceived as “shilling a coin” but if you read, there is no coin, it’s just talking about how to ACTUALLY monetize open source projects and journalism and other online content on the WEB using WEB technology instead of government enforcers: https://qbix.com/token


That's an interesting perspective. I've had this debate before with people, but i personally believe the way to build socialism (or anarchy, or communism or whatever you'd like to call it) is to abolish money and private property. Trying to game the system using its own axioms is not going to bring any major change, as history has shown.

Only by fundamentally changing the nature of relationships can we fundamentally change society overall.


Without money / currency, how do we reward people for their contributions to a project? How do you quantify the needs in "to each according to his need"? If one day a person wants to throw a party, how will they obtain the materials? But if they try to throw a party every single day, someone has to account for this, no?

As for private property, I have written about this before -- I believe that private property, like government, is an institution that relies on threats of force to be enforced, and restricts people... but that on small levels, it's good and as the level gets larger (owning 900 houses vs 9 houses) the courts should simply enforce it with less and less force: https://magarshak.com/blog/?p=208


> Without money / currency, how do we reward people for their contributions to a project?

Do you find that most of your actions and interactions are "rewarded" with money? Even in your family or between friends? David Graeber had an interesting take on this topic [0]. Most of what we need to do is a reward in itself, or the reward is helping out other people, or scratching an itch.

The exceptions are tasks which nobody wants to do (eg. garbage collection -- on the streets obviously), in which case fairly sharing the task load sounds like the happiest path for all: it's easy not to care what kind of a dirty mess you create if you're not responsible for cleaning it up. It's also worth noting that such necessary tasks which nobody wants to do are the most precarious jobs in capitalist society: if you insist on money to reward people for their contribution to society, i would argue the hardest/dirtiest jobs should be the most well paid.

> If one day a person wants to throw a party, how will they obtain the materials?

That's not an easy question because there's many parameters involved. First, does throwing a party require an abundance of materials? I've sometimes had amazing parties that mostly revolved around herbal teas and some music. If you insist on psychoactive substances, making your own alcohol isn't complex (but requires huge amounts of grains) and some other substances are even easier to accommodate (eg. weed/psilos). Baking your own pies and making fries out of whatever vegetables you have is arguably also very easy, especially when a lot of people who want to take part help out.

Now if you're not going full DIY, there's different ways to explore as a commune. Could be quotas such as if we're producing a certain amount, everybody gets a fair share to either use themselves or give away. Could be a participatory system: if you'd like some beer, just come every now and then help in the field and/or in the distillery and you'll be "rewarded" with whatever you've helped produce. Or it could be free access, which i think is a good strategy for most goods but a terrible choice for addictive substances.

I'm not claiming i have a definitive answer, but i'm concerned our wasteful capitalist economy resides in the least efficient timeline i can think of (if only, in terms of climate change and unequal access to resources), and i'm 100% certain we collectively have the capacity to find decent answers to all our troubles.

> on small levels, it's good and as the level gets larger (owning 900 houses vs 9 houses) the courts should simply enforce it with less and less force

Do you consider owning 9 houses to be reasonable? Owning one is fine, so is sharing other dwellings for spending vacation time. But owning more than one? In the name of what could you own a place in which you don't reside? Of course a person hopping from city to city would be an exception, but then you don't need to "own" anything beyond a room in a shared dwelling.

I found your article interesting, although in some different cultural contexts like from France the State does have an actual monopoly on violence and municipalities can't have their own armed forces (unless when run by a fascist like in Béziers but that's a different argument to have). I also don't think we have the same understanding of what a coop is (it means workers coop to me); i understand you mean some sort of homeowner coop? In any case, most coops i know of don't actually have a board and everyone is equally responsible for taking decisions. The exceptions are usually coops just in the name, as they've been coopted by the capitalist system as part of their "social economy" which is just feel-good capitalism.

I think in the end a key question is that of consent. If i don't consent how a commune is run, it's rather straightforward to be on my way to somewhere else (barring economic limitations due to the capitalist system). If i don't consent how a State is run, finding a new place and/or learning a new language can be a much higher barrier. Nothing prevents a federation from building consent from the bottom up, although federal governments (eg. Germany/USA) are just as tyrannical in their current forms.

I liked your article on education [1] and agree with some points. But i don't think tech is key to making a better education, and i'm certain putting locked-down devices in the hands of children is the wrong way to go about education: if the device was easily repairable and had the entire source code and datasheets published, it would be more suitable for educational purposes, including IT/electronics education. The issue that would remain is that of material waste and climate change, which is why i would personally argue we need less electronics around us (more lowtech approaches).

Thanks for sharing!

[0] https://theanarchistlibrary.org/library/david-graeber-are-yo...

[1] https://magarshak.com/blog/?p=158


> Trying to game the system using its own axioms is not going to bring any major change, as history has shown.

The Free Software movement (and its offspring Open Source) has wrought rather major change by "gaming" the copyright / licensing system using its own axioms.


> Authoritarianism is about taking things from me. Communism, in its noncorporeal theoretical form, is about giving things away

That seems slightly wrong to me. I feel like this is comparing apples to oranges. Authoritarianism is a ruling arrangement, but communism is an economic arrangement.

In a way, democracy is to the right to rule as what communism is to the right to wealth.

In a democracy, all citizens have an equal right to rule, everyone gets one vote. In communism, all citizens have an equal right to wealth, everyone gets the same amount of ownership into the sum total wealth of the country. (in practice, just like there are false democracies where fraud is rampant and not everyone truly gets an equal vote, communism in practice till now seems to not have truly given equal wealth to all)

Why has there never been a democratic communist country is a good question, but there are quite a few social democracies and those have worked quite well till now... like most western countries except the US (and even the US has quite a lot of socialism built in and is really a social democracy even if maybe more libertarian than others).

I'm not saying that communism would work better, but I do find it annoying when people restrict the search space into alternative economic arrangements by pointing out the correlation between communism and authoritarianism.

I see communism as more of giving me things, than giving things away. It only seems to give things away if you start with the assumption you own more things to begin with. But the current distribution is that communism should in theory give more people more things, while only taking away from a small percentage which currently disproportionately own most wealth.

The counterpoint being the size of the pie. If we all own an equal share of a small pie, you might still have less pie than if you were to own the smallest slice of a much bigger pie. This is the best argument I've heard for capitalism. And with a little sprinkle of socialism, you can regulate capitalism so that there are limits on how small a slice can be, giving people a reasonable living baseline and growing the overall size of the pie at the same time.

The weaker part of this argument is establishing a proof that there are no other ways that would also yield a bigger pie while also having a more even distribution of it.


The gift economy part was good, the poorly read philosophy on communism lacking in class consciousness was yawn. Points for recognizing authoritarianism from capitalism. Negative points for assuming the US government was designed to secure liberty for all rather than the landed classes.


“Everything I don’t like is communism!”


That isn't even close to what the author wrote. The "quote" reflects nothing of substance from the article.


> As a result, they started a nonprofit organization to rewrite all of Unix, which the printer did not run and which therefore would not solve any of the original problem, but was a pretty cool project nonetheless and was much more fun than the original problem, and the rest was history.

That is an incredibly bad retelling of the GNU story


I interpreted this bit as intentionally reductive for the sake of humor. And I thought it was funny!


Okay, after reading it a few times I can see how it could be considered tongue in cheek, I'll give it that


As with most legends, it left out the details but got the crux of the situation right.


The crux of the situation was that RMS started GNU because he realized that not having access to the printer's source code put whoever had access to it in a position of power over his use of the printer and the implications that has when extended to other aspects where software is concerned and will be concerned with as computer use increases.

This was not mentioned at all in the blog post.


He doesn't mention the power dynamic in the story (https://www.fsf.org/blogs/community/201cthe-printer-story201...).

You can infer it mattered, but you can also infer he was pissed he couldn't make the machine do what he wanted. These are both valid interpretations of the same story... Which is the "crux" is up to the teller.


The entire point of Free Software is about users being in control of their programs, so of course it is about the power dynamic. But of course even if it was about him being pissed - and he was pissed, which is something he did mention - it was because he was denied that control.

There isn't really any other interpretation than that.

Also the story you linked to is not RMS' story, but a different and more recent story which is also about a printer that sounds similar to RMS'. The RMS story is linked in the page you gave, though it is a transcript and kinda big. Here are the relevant bits:

> And then I heard that somebody at Carnegie Mellon University had a copy of that software. So I was visiting there later, so I went to his office and I said, "Hi, I'm from MIT. Could I have a copy of the printer source code?" And he said "No, I promised not to give you a copy." [Laughter] I was stunned. I was so -- I was angry, and I had no idea how I could do justice to it. All I could think of was to turn around on my heel and walk out of his room. Maybe I slammed the door. [Laughter] And I thought about it later on, because I realized that I was seeing not just an isolated jerk, but a social phenomenon that was important and affected a lot of people.

Emphasis on the last bit: "And I thought about it later on, because I realized that I was seeing not just an isolated jerk, but a social phenomenon that was important and affected a lot of people."

And after all he made the Free Software Foundation, not Working Printers Foundation.


That's a good story about being pissed you can't make the software do what you want.


That's not what the story is about though.


did it get the crux right? To me this reads like Stallman got mad a company said no to him and because of that decided to rewrite UNIX because idk


That happens sometimes. Knuth got mad there wasn't any good typesetting software for his book and wrote TeX.

Stallman wanted an ecosystem he could control. Did it work? Sort of.


This article was not about retelling the GNU story. Think of that sentence as a cultural reference, not an explanatory history.


okay but even then it botches it


It's just a natural outcome of the fact that most programmers are talkers, not doers. Naturally, they go online to talk about how they wouldn't have written the bug and haven't ever. But the truth is that's because they've never done anything worthwhile.

It's like the whole OpenSSL thing again.


> If you wanted to pay someone to fix some software, you didn't want a gift. You wanted a company.

> But if there is no company and someone gave you something anyway? Say thanks.

This is what grinds my gears. There is no market for a company that tries to provide a better version of the gift. The author completely glosses over the social contracts involved in gift giving. Contracts that software developers seem to be particularly immune to.

I think the party analogy is closer to the crux of it, because we all have a story about someone who threw an awful party or bought one pizza for people who helped them move and then retorts with something tone deaf like "you didn't have to come you know."

I didn't have to come, but I had other options that day, which I turned down to come to your stupid party. There was an opportunity cost associated with your gift. I'm not some dilettante who is going to crucify you for throwing a boring party. If that's the sort of people you attract then you've done yourself a favor by filtering them out. But an awful party is going to cost the group something.

(Also I wish the author had mentioned "Free as in Puppy" which is part of the situation they are describing.)


Free software isn’t a gift to its recipients, it’s a gift to the commons. It’s an open house, not an embossed invite. The other side has some agency in selecting and evaluating the gift they receive, not least because every package disclaims the lack of warranty, fitness for purpose, etc.

Does one have an obligation not to impose a bad party on their friends? Sure. Should one, seeing lights and music and sign saying ‘all are welcome’, feel a loss if they don’t enjoy what they find inside? I don’t think so.


I don’t think this analogy really holds. Whereas one person or a closed group usually organizes a party, open source is, well, open!

We could re-imagine this as a potluck I suppose. If you decide to bring nothing, you can’t really complain if the food is awful.


I was in a club (full of adults) in high school that I only realized how amazing the leadership was after the then-president had passed away due to health issues. Which is a shame because adult me definitely would have found him and said thank you, and also fuck all those people who tried to vote you out, and then didn't do as well.

They ran a fund raiser event (not unlike a fun run) twice a year and it was eye opening how many hands it took to make a good idea into one people invited their friends to next year. I volunteered a couple years at a couple of events and I know I worked harder those two days than I did when I participated, and not on the tasks I expected to be challenging. High school movie parties fall apart because it's all anarchy, and no self control. There's a lot that goes into making a soiree a success instead of a disaster.

My partner years ago stopped hosting parties because we were both ragged by the time people arrived, and there was always something we worked hard on that went unnoticed. Sometimes necessary, other times just a bad call on our part. Now we farm out the work a bit more, but even a potluck has key dishes and can fail if everyone guesses wrong. But if you pay close enough attention to a potluck, for many families grandma's dishes are the keystone that holds it together. She's seen some shit. She knows what's what.

I used to bring an Igloo water dispenser to a volunteer group because the group I was in in high school worried a lot about people injuring themselves in the heat. They had meetings every year before the events to refresh people. Heat exhaustion is scary, even dangerous, but heat stroke is life-altering. For the volunteer group, I think maybe five of us cared enough to bring fluids, and while my extra didn't always get used, I'm absolutely sure that one of us saved somebody. And if one of the other five had been sick, or had a wedding, then mine wouldn't have been backup. It's not hard to bring water, but someone has to do it. Unfailingly.

The rest of the group would of course care if someone got sick, but only to prevent it happening a second time. When you do something right the first time, nobody appreciates how hard it was.


I think it does hold: the cost of learning to use an open source project is not zero. It's the same as not asking the party planner about every detail even when they're perfectly willing to answer.

Gift giving inherently involves trust from the recipient. And there's no transaction, so it's inherently consequentialist.


It doesn't hold at all. Open source licences usually clearly state that there are no guarantees. The contract is clear and log4j (or any other) authors don't owe anything to anyone. If you want guarantees, pay for it.


This is the same blame the victim line of thinking that cigarette companies perfected to get out of any responsibility for killing millions of people. It’s a Dark Pattern and we need to stop repeating it.

This notion that people don’t “have to use OSS” is demonstrably false. As is the “build a better mousetrap” aphorism that was so common during the dot com bubble. It can be true when there is one OSS tool in a space, but every tool eventually becomes a monopoly, or part of an oligarchy. There is not space in a grocery store for an infinite variety of soda (though by god do they try). There are many you will never have heard of because the noise ratio has climbed too high. Every. Single. Solution is an opportunity cost.

Same as if all of my friends try to throw a party in the same week. Nobody is going to all of them, and most people are only going to one. Some might not go to any for fear of picking wrong, and just opt out and do their own thing. If they go to the worst one then they missed out on a good time. That is partially on the host, yes. I don’t owe you an amazing time, but I owe you a not awful one.

I can’t sell a tool that minifies JavaScript files. That is a commoditized space. If all the tools suck? I’m entitled to be a little upset about it, and who are you to tell me otherwise? DevEx matters and many people still don’t try, at all.


No one in this thread mentioned licensing or legal issues.

As an edge case, consider a CLI that solves a trivial problem but also turns the computer into a space heater via an always-on service. It will rightfully damage the author's reputation with the users and they'll avoid using that person's code again, but they won't sue of course.


> The author completely glosses over the social contracts involved in gift giving.

First, social contracts with gift giving vary widely across the world. It's a good reason they should be ignored here.

Second, as made very clear in the book Influence by Cialdini, the common social contract with giving gifts is reciprocity - and it holds even when the gift is crappy and/or unwanted.

So if you're going to invoke social contracts, do address all aspects of that contract.

You will also find significant disagreement on what the actual gift here is. For many, the gift is the code, not the capability. I'm giving the world this code. I provide some information about it. Whoever chooses to take it is expected to evaluate it and see if it fits their purposes.

Finally, regarding the potluck/party scenario, a more comparable example is a community potluck where everyone in the city is invited and can bring dishes, with no constraints whatsoever. People will show up, and happily tell everyone what's in their dish and how they made it. Most of them will openly say "I really can't claim this won't harm you" and "I'm not sure what entails proper cooking." You listen to each one and decide if you want to eat it.

Obviously, no one would ever run a potluck that way. You are using that fact to bash the developers, when you're not realizing the obvious: Potlucks/parties are a very poor analogy! Indeed, if you want to stick to the potluck analogy, then as an organizer, you definitely would put some rules in place - rules that would (and should) preclude most open source SW from being used in your product.


You can refuse a puppy


I can, yes, but if you think you have that much control over your environment, outside of a solo project, then you're in for some hard lessons ahead. Most of the time we end up living not just with our own bad decisions, but everyone else's too. Thinking you can stop everything bad from happening will just make you crazy, and cost you friends.

I can't refuse a puppy when I come home from work and find that my aunt dropped one off that morning and the kids have been playing with it all day and already named it. I have to get other things done. I can't wait by the door in case someone shows up with a box that is making noises.



