Free or Open Source software, and the 100k lb gorillas in the room
A couple of days ago, I was listening to Coder Radio episode 448, and they mentioned the whole faker.js and colors.js fiasco that went down last week. Work's kept me quite busy this past week or so, so I missed the whole thing as it was unfolding.
Short recap:
The developer and creator of two widely used JavaScript libraries sabotaged both, in drastically different ways. In faker.js he removed the data, bumped the version to 6.6.6, and replaced the README with "What really happened with Aaron Swartz?". In colors.js he published a new release (1.4.44-liberty-2) that prints "LIBERTY LIBERTY LIBERTY" three times and then enters an infinite loop, dumping garbage into the console. npm reverted the package to the last good version, and his GitHub account was suspended (access was restored later). News articles from the likes of Forbes, and other people in online circles, resorted to calling him a terrorist for these actions.
These actions that he performed on his own code do not make him a terrorist.
FULL STOP.
He's done some things in his past that could classify him as a potential terrorist (if you want to learn what, that's on you to figure out; this is a story about a larger problem, not about one man's need for specialized help), but that does not make it right to label his current actions as such.
faker.js and colors.js were packages made by this person; he is technically within his rights to do whatever he wants with the code he hosts on GitHub and pushes to npm.
The issue, as I see it, is that companies like Amazon have used his projects both internally and as part of AWS development kits for prototyping things to run on Lambda. The cost rolls downhill to the creator, who starts to feel burned out on top of the other issues going on in his life.
I'm with him on this. If a project like this is so integral to how they, or their services, function, there should be compensation. I don't think a 6-figure contract is fair, but definitely more than the couple of thousand thrown their way (if anything at all).
The same thing could be said about the development effort behind Log4j. With the 0-day vulnerability that showed up back in December, thousands of companies and applications were made vulnerable. Even the main developer of that project had received little in donations before the 0-day: prior to its announcement there were no sponsors, and that slowly changed after the CVE (CVE-2021-44228) was published on the 10th of December. Now there are 74 individual sponsors, but that doesn't secure the future of an integral piece of code that thousands of companies use in their applications. About 6 companies support his efforts on the sponsor page, and that's not nearly enough. The team I was formerly on supported various development teams that used Log4j in their projects, and while I can't be sure, there's a good chance that nobody at the company, nor the company itself, has made a donation. Ralph Goers is employed as a Software Architect, but that should not diminish the fact that it takes time and effort to write and maintain software.
The faker.js creator shares a similar story: there were only 10-12 consistent sponsors before the incident on the 7th of January. There are 48 now, but none of the public sponsors are corporations.
What should you, as an individual, do?
If you can afford to, donate to any open-source developers or projects that are integral to your everyday workflow. Any large video-game streamer should seriously consider donating to the OBS Project on a regular basis. If you can't afford to, go out of your way to support the developer or project in any way you can. It could be as simple as a thank-you, helping fix a bug, or improving the documentation. Start being the change in the cycle.
What should corporations be doing?
Donating a lot more than they do now, and hiring the integral contributors and maintainers of the projects their company relies on. Some companies already do this: Facebook employs one of the developers of Btrfs, wolfSSL employs the sole founder and lead developer of cURL, and Amazon contributes back to the Rust language. Those are the ones I know off the top of my head.
As an individual inside a large company, you should push for a change in what kind of donations it makes. It won't be easy to change the norm.
The name Free and Open Source Software is a blessing and a curse at the same time. The model has allowed people like me to excel in their professional careers, learning on and off the job without being locked into one company's way of doing things. But it's also the bane of anyone who has written a popular piece of software, even one that isn't integral to a large corporation. Many open-source developers end up experiencing some form of burnout when their projects grow too large and users ask too much of them.
We, as users, should be more respectful of the time and effort these individuals put into their projects.