pleroma.debian.social

i find the regulatory capture of the commons (so-called "supply chain security") to be frustrating

i've written a lot of software over my lifetime, and released the majority of it as free software, because i just wanted to be helpful.

there was no point in hoarding it, and releasing it as free software allowed for others to take it and do whatever they wanted with it. sometimes, they send their improvements back to me. great!

well, not so much with corporations. pkgconf, for example, is in basically *every* major corporation's toolchain.

to make pkgconf scale for these corporations, and their complex DAGs, we had to rewrite the solver. fine, i suppose. some of that work was even sponsored, which is nice.

but the reality is that there are a few utilities in this world that exist in the critical path of basically every corporation. tools like pkgconf, curl, etc. if these tools break because corporations use them in new ways, generally we don't get help with fixing them, but we are expected to.

this position is what leads to critical libraries like libxslt being abandoned, and the same maintainer adopting a laissez-faire security policy for libxml2.

@ariadne
"You don't pay me, get lost" is a perfectly valid response to anyone demanding that you "fix" your tools though?

so maintainers are starting to push back on these requests, and demands for free labor on a project that they give away for free, as if it were a commercial product.

in response, rather than the government scolding corporations for abusing the commons, these corporations have instead pushed for governments like the EU to adopt regulatory regimes such as the CRA which pressure maintainers to do even more free labor, in the name of security.

everyone likes security, right? as practitioners, we don't want to harm anyone's security posture. so there is pressure on maintainers to comply with these regulatory frameworks, in the name of security.

@ariadne nah the CRA requires any commercial company that uses free software to be responsible for its security. Nothing is required from original upstream maintainers. @bert_hubert probably has more accurate info about this.

@ariadne I’ve been throwing around (in my head) the idea of poison-pill license conditions, stuff that would *compel* such entities to make financial contributions, just to sort of see where it goes and how it’d have to be structured and what it would need to even work

and wow damn does a lot of the current state of industry and distribution suck for supporting open code/tech

and that’s before you get to the issues of getting money to developers... AML & related have made things a nightmare

can i tell some corporate employee who makes a burdensome request to get lost? sure, and i have before.

can i tell some corporate employee who makes a burdensome request required for compliance with a regulatory framework like the CRA that i won't do it and they have to do it themselves? sure.

note i ask "can i" here, and the answer is yes.

that's not the point though. the reality is more complicated. do maintainers *actually* have the psychological safety to reject these requests?

what is the actual psychological cost of saying no?

let's talk about pkgconf explicitly as an example here.

what, fundamentally, is the goal of pkgconf? to improve the usability and resilience of the pkg-config ecosystem.

or, in other words, to attain sufficient mindshare that pkgconf can drive necessary changes in the pkg-config ecosystem.

given that, what is the true cost of saying *no*?

we said *no* to windows support for years, because i do not develop software on windows. eventually, we begrudgingly merged one of the windows ports that were submitted over the years.

but, because of the lack of prioritization on windows, what was my reward?

a new competing implementation (u-config) which does not fully conform to the expected behavior of the pkg-config tool, maintained by somebody who *does not care about pkg-config* and actively spreads misinformation about pkg-config implementations, but the tool is good enough for people to be interested in it.

this detracts from pkgconf's primary goal of being able to drive effective change in the pkg-config ecosystem, because people will desire to author pkg-config files that are compatible with u-config.

had we prioritized windows support when folks asked for it, u-config simply would not exist.

so when people say maintainers have the right to say "no", that's true, but it may come at a cost.

@f4grx @ariadne @bert_hubert I agree and would add that the CRA is built to help maintainers make the case to manufacturers that they have to support either with money or with helping hands the projects that they rely on. I found the following talk helpful:

https://youtu.be/OTyz5J8YF4M

@mainec @f4grx @bert_hubert i'm not talking about legally imposed obligations, but how these frameworks harm the autonomy and psychological safety of maintainers.

@ariadne You highlight a subtle but important aspect of maintaining software.

@ariadne @mainec @bert_hubert I hope it does not, and maintainers are solid enough to tell companies to fuck off if they ask for free work related to the CRA.

@f4grx @mainec @bert_hubert the CRA is just an example. this post really has nothing to do with the CRA, except that it serves as an example of the power imbalance that leads to maintainers having reduced psychological safety.

@ariadne @mainec @bert_hubert ok. yes, that kind of pressure is terrible, and strongly depends on the maintainer mood. I see very well how it can end up with psychological damage. I am just the kind of person that can reject this pressure, but I know everyone is not like that.

@f4grx @mainec @bert_hubert downthread, i give an example (pkgconf and windows support), where being stubborn about not caring about windows actively harmed the project by causing new fragmentation in the pkg-config ecosystem.

@ariadne @mainec @bert_hubert I am reading it right now.

in practice, we got really lucky with u-config. it exists, but for the most part, nobody cares. it appears in some distributions, but it is not the default anywhere other than the u-config author's personal windows development toolchain distribution.

but at the same time, it is now an area of risk that now has to be mitigated to protect pkgconf's mindshare.

in the general sense, this also holds. let's talk about the recent Xlibre fork as an example.

freedesktop.org clearly does not care about X anymore for the most part, because they have used their position of mindshare dominance to drive a mostly-successful transition to Wayland.

but now Xlibre is a competitive threat to their transition plan.

it's the same with these software supply-chain security regulatory frameworks: if you *don't* do the work, then somebody else can come along and fork your project and do the work, taking mindshare away from your project.

maybe that matters, maybe it doesn't. it depends on what the end goal of the project is.

and so even though maintainers can *technically* say no to burdensome requests, the cost of doing so may negatively impact the project's ability to meet its end goal.

back to the original point for a moment: big tech's abuse of the commons.

as established, i can (and sometimes do) say no to these companies when they request improvements.

but the risk of saying no is that big tech decides to just write their own version and try to trample you.

which brings us back to pkgconf for a minute, because i have another example!

in the past year or so, the CMake people created a new thing called the "common package specification," which they refer to as CPS (this is a very bad name).

but pkgconf's maintainer (me) is entirely disinterested in windows, and i find windows-specific bugs uninteresting to work on.

another cost of my apathy toward windows? bloomberg contributed heavily to a tool called cps-config, which is a pkgconf clone which supports querying both pkg-config data and CPS data. this is after bloomberg also contributed patches to the original freedesktop pkg-config to improve its performance to be competitive to pkgconf.

why did bloomberg do these things? because they are a windows shop and historically my answer to the windows question was "i'm not interested in supporting windows."

so now i get questions like "why bother improving pkg-config, when we should standardize on CPS instead"?

and don't get me wrong -- CPS is a major improvement over what CMake used to do, and also a major improvement over the pkg-config format for a number of reasons.

however, since it is based on JSON, it takes away from one of the main advantages of pkg-config: the fact that pkg-config files are simple text documents.

our plan to deal with the CPS question is to support CPS, thus making the need for cps-config obsolete.

i could go on and on, but the point is that when presented with "fuck you, pay me" these companies are likely to take actions that are detrimental to your goals, because the reality is that they don't care about you or your project or your goals. they just want things for free.

again, we got lucky with cps-config too, because they need and want the extensions pkgconf has brought to the pkg-config format, at least some of them.

but if pkgconf simply supported windows from the beginning? cps-config also would never have existed.

my point here is: saying no to corporations carries its own risks.

maybe those risks are acceptable, and known up front, but equally those risks may be unknown

@ariadne Hmm, what about the answer "I'll be glad to work on this if you pay me for it"? Given bloomberg had to spend engineer time on their alternative, they would probably have been able to give out some money?

@Sobex sometimes that works, sometimes that doesn't. sometimes the ask (windows support) requires engineering capabilities i don't have (such as knowledge about windows development).

@wouter the existence of u-config in debian (which honestly makes no sense to me but whatever) is an example of why telling people to get lost is not necessarily a correct strategy

@ariadne maybe, in the name of security, we stop using the "secure" internet

@f4grx @ariadne @bert_hubert I grew up within the ASF ecosystem at a time when it was normal to push back on pressure with an invitation to scratch your own itch and send welcome patches. There were publicly posted articles explaining to pushy users how only demanding change hurts projects. I believe we need more of a support network also for open source projects outside of the larger foundations.

@f4grx @ariadne @bert_hubert plus we need more voices making it very clear that the CRA is not an excuse for downstream users to demand more from projects, but the opposite - another very good reason to help and support.

@mainec @f4grx @bert_hubert to be super clear, i am just using the CRA as an example here.

@ariadne @f4grx @bert_hubert 👍

Do you think, cra or no aside, having more support along the lines of "yes, this happens, yes, pushback is ok, no you don't have to do this" would help maintainers?

What about more voices talking about a need for more helping hands to keep that vital supply chain alive?

@ariadne you can always just ghost them if threatening to send an invoice doesn't work

@Sobex @ariadne worth also noting that for big companies it can be an incredibly difficult and time consuming process to make arrangements to pay a solo dev or other small oss project. And that's after they've gotten approval to pay out. Often, it is easier (process-wise) for a big company to use their internal engineering resources than to get approval to spend money. So it's not always a conscious choice to actively screw over an OSS project. I'm not defending this; I've just been on both sides of this a couple of times over the years.

@wez @Sobex @ariadne
Hmm so if instead of "pay me", the response they got was "send patches", that'd be easier for the company (but more difficult for the maintainer)?

@ariadne

I'd say it's a failure of education.
Learning to say no without it bearing any psychological cost is a basic skill that is taught to children in healthy societies.
It's absolutely not about being selfish, on the opposite it allows to help others freely.

I'm flabbergasted when I read about people who don't have this basic skill.

(and yes, I understand that an educational failure is not the responsibility of the one who was failed)

@ariadne I think there's an important distinction between

the goal of someone just releasing their code as FOSS in hope it'd be useful (it might be "I need this to work on my computer, and it'd be a nice bonus if it helps sb else")

and the goals you described later, like "I want other people to move to Wayland" or "I want pkg-config ecosystem to improve".

The latter are political goals - goals about changing other people's behaviour.
1/

@ariadne the CRA had massive corporate opposition. Where do you see burdens on you as a maintainer from the CRA? It doesn't apply to you.

@ariadne really interesting thread - thank you 🙏🙂

@ariadne
So while I agree people who just release software that they wrote for themselves have the right to be left alone by corporations, for projects with political goals I think the best we can hope for is that people know what they're signing up for.

@ariadne

I have already sent a couple of answers that simply amounted to "I'm not getting paid to sort this out, you are."

@ariadne wow so many replies missing the point

@ariadne

At the point of attaining "sufficient mindshare that pkgconf can drive necessary changes in the pkg-config ecosystem" we've left the much more narrow scope of "releasing it as free software allowed for others to take it and do whatever they wanted with it", haven't we?

I can understand your frustrations, but I can't help but wonder if this is eventually bound to happen even without corporations, as shown by the xlibre example.

@ariadne this is why it is so important to be very loud and up front about expectations, and stop bailing them out.

"But so-and-so is broken! Our business depends on it!"

You were told: things get done as I have time and feel like it.
I am not in any way obligated to nor am I going to interrupt my life and develop an ulcer again so you can make line go up. I don't care how critical it is to your chain. You were told clearly. If it's that important, *PAY*.
I am not your [free|slave] labor.

@wolf480pl @ariadne i think distributing source code with your work and inviting contributions is, in and of itself, a political act. it's just one you're familiar with enough it does not seem political to you

@wolf480pl @wez @Sobex @ariadne Yes. And if it is regulatory pressure, THEY are also on the hook for support and maintenance and liable, so them building up the required capabilities inhouse (or outsourcing them) is unavoidable.

@ariadne How mean!

They contribute by creating sTeErinG cOuNciLs to tell you what do to!!!

@ariadne What's the cost of saying yes?!

@ariadne
Yes, that is your trade-off. But if you are okay with that risk, and if your project's success does not depend on getting a lot of mind share, then saying no is perfectly valid.

@whitequark @ariadne
hm....

how do we define politics?

And assuming non-political things exist,
can one incidentally commit political acts while pursuing non-political goals, without care for the political effects?

@wolf480pl @ariadne even just going by your own definition it counts: "encouraging contributions of labor without compensation" and "normalizing exchange of complex works for free" both relate to changing other people's behavior

(both the free software movement and the open source movement are political, for the same reasons and more)

@whitequark @ariadne
Right.

But if I can succeed at my goal even if my acts do not sufficiently encourage contribution or labour without compensation, and don't sufficiently normalize the free exchange of complex works

then it's easier to say "no".

you didn't ask, but to me the word "political" is tautological.
Pol means people
so political is anything that involves people
which when applied to people, is everything
@wolf480pl

@wolf480pl @ariadne sure. i just don't think the distinction you're talking about exists as a bright line. open source software doesn't exist in a vacuum, you're able to achieve these goals--to some extent, even _conceptualize_ them--because thousands before you pursued these other ones

@whitequark @ariadne
Is it political for a state to set limits on emissions of particular pollutants into the atmosphere? Hell yeah.

But is it political for me to breathe that air?

@wolf480pl @ariadne i don't think this is a reasonable comparison. one is an involuntary function that you literally cannot survive without. another is something you go out of your way to do with your free time, entirely unrelated to your survival

@p I thought it was derived from "polis", the city-state, and thus "political" in the strictest sense would mean "relating to what the state should do".

I think that'd be a very narrow definition, but at least it'd be useful as it doesn't encompass everything

there is no state without people
I'm not against distinctions, but sometimes they're just superfluous
@wolf480pl

@p yeah but if everything is political then the word is useless

yeah, so I avoid it, similarly with the "populism/ist" as it's been bastardised
@wolf480pl

@wolf480pl @ariadne you opt into participating in a complex global web exchanging their labor and ideas, every one of them making a purposeful decision to do so; on top of that you use their infrastructure, which would not exist without fragile political alliances (your website is hosted by github!)

@p remember when words used to mean stuff instead of just being a banner to rally your supporters?

funny you should say that, I was literally in the middle of typing out this

:> I think there's lots of word games out there people use as distractions to ward off any usurpation/competition

@wolf480pl

kinda feels like a tower of babel type situation

lots of people shouting at each other in the same language, but no one actually communicating

@wolf480pl

@p people letting their traumas speak

quickly

make someone else remember theirs

they can't hurt you when they're triggered