I don't think open-source wants this.
IMO we should have an organization to produce publicly funded code (boring infrastructure stuff not R&D), but it should be neither achieved by co-opting existing community projects nor cannibalizing research projects. It should be a new thing.
Making an analogy to physical infrastructure: it would be crazy if we relied on groups of hobbyists to build a bridge, or if we just grabbed a bridge directly out of somebody’s PhD in civil engineering. (I mean the analogy looks ridiculous because the situation is!)
Except this is precisely what is happening… because it turns out the engineering hobbyists often build useful things. At which point, if the government goes and uses it as the foundations of a publicly constructed bridge, it might make sense for the government to invest a bit in ensuring the foundations are maintained.
- Why would we fund Matrix when XMPP and IRC already exist?
- Software developers earn way more than most public sector workers - is this justifiable?
Because empirically Matrix is what governments appear to be using - e.g. https://tchap.beta.gouv.fr/ for France; https://messenger.bwi.de/bundesmessenger for Germany; Delta for Ukraine; equivalent for UK & US, etc.
Matrix also has a completely different featureset to XMPP or IRC: E2EE by default; conversation history as a first class citizen; HTTPS+JSON APIs by default; E2EE Group VoIP (almost) integrated; etc.
> Software developers earn way more than most public sector workers - is this justifiable?
This feels like a false dichotomy. The implication is that public sector software developers are paid less than average private sector software developers. This may well be the case in some places - but the answer there is SURELY to pay public sector software developers the average going rate, rather than conclude that funding private sector FOSS maintenance is not justifiable(!)
A common sentiment I’ve come across, here and other corners of the internet, is dismay that more organizations have been adopting closed communication platforms such as Discord and Slack. These platforms (probably Discord more so) make it easier for online communities to be set up and offer relatively polished user experience compared to Matrix, IRC, or XMPP.
There was a post shared on HN a few weeks ago by a technical user and their onboarding experience with Matrix https://blog.koehntopp.info/2024/02/13/the-matrix-trashfire.... As someone who uses Matrix, I’m hoping they bridge the UX gap sooner than later.
XMPP and IRC are even further away from being viable alternatives.
If your implication is that the government who's funding it might then try to leverage the project somehow (e.g. insert a backdoor or whatever), then we're back with the original problem of needing to protect FOSS projects from malicious actors wherever they come from.
I'd argue that the benefits of actually being funded massively outweigh the risks of the funder going rogue, given you can use the funding to build checks & balances to protect against malicious activity no matter the source.
I don’t think most open source projects really inspect their dependencies that well. Lots of these projects are community/hobby things, they should be treated as such.
e: To the downvoters, do you seriously believe that Tesla, Apple, MSFT, Amazon, etc require MORE government assistance?
I do realize that living without uber eats/electronic banking/social media for a few days is, unfortunately, untenable for the vast majority of the population.
This is just throwing the baby out with the bathwater. Just because big tech companies happen to build on FOSS projects doesn't mean that the FOSS maintenance shouldn't be borne by everyone, given they benefit everyone (including the governments themselves). And in fact, if the Big Tech companies paid their tax, they'd contribute as much (if not more!) as everyone.
Even more frightening, if federal dollars were allocated today, we might all be stuck with Javascript for a century.
OTOH, the government does have a role to play in solving collective-action problems. Perhaps, like X11, it could focus on mechanism, not policy; perhaps free-software-development expenses could get extra, or earlier, tax deductions? Perhaps free software development could count as a charitable purpose (maybe it already does, I don’t know)?
0: Neither do private companies! Indeed, they make poor technical choices all the time. But with private companies, there is competition and at least a chance that the bad ones will fail. States are far more resistant to competition, and their failures are far more catastrophic than a corporate failure.
For instance “xz is used to compress packages for these ubiquitous OSes. please can I get $$K/y for security audits and to cover my time to work on PRs”.
So you would still have the competition for the best tech to get popular and become public infra. But you would be protected against the paradox that the more successful and ubiquitous FOSS projects get, the more they are taken for granted, and the less their maintenance is funded: “I didn’t have to pay for this thing to exist in the first place; why should I start paying for its maintenance now?”
A non-commercial clause basically guarantees that corporations can't hijack OSS projects or pressure the maintainers to the point of burnout.
And similarly, OSS projects that explicitly allow commercial usage could point to their licence and require financial support before fixing issues/merging PRs from interested companies.
For that matter, why should e.g. Warren Buffet personally get to use non-commercial software for free, while the bakery down the street must pay for it? That doesn’t seem desirable.
I think the biggest issue is that the companies charging for open source are not turning around and funding everyone they rely on, just a few key projects. If they tried to distribute a little bit to everyone, I think that would go a long way.
The issue I see is figuring out what deserves funding. Is GNU/Linux the thing that we're trying to serve? Who gets to decide what's critical to the operating system? Initially you'll see projects jockeying for position, which is going to be a mess. Then you'll see consolidation around projects that can get the funding. Do people contribute to those projects more in hopes of getting paid, at the expense of others?
Honestly just having a decent list of contributors to pick from and knowing who they are personally before handing over maintainership might help.
And of course, there's always the magic word when someone wants you to provide extraordinary support for software that you made for free: "No."
Over time it became clear that it does work to some extent. I became rather fond of FOSS and even embraced the quasi-anarcho-communist aspects of it. In some ways, we can meet each others' needs with even less bureaucracy than with a paid product, just as a paid service tends to have less bureaucracy than a government service. Broad brush, granted.
But it has an interesting relationship with the cash market, in that it does get funded sometimes, despite being non-excludable. There is also a sort of "marketplace of ideas" or perhaps an attention market, that makes certain projects more popular than others and thus get more attention from developers.
Then again, important things like xz have a tendency to fall through the cracks more than in the traditional economy. GnuPG being underfunded was another example. Price signals don't flow as clearly. Also, incentives to fund something crucial that you use aren't there if you're one of many businesses that use the software.
So this is all to say, one could take the argument against government funding in general (picking winners and losers) and apply it here. The reason we're talking about government funding is that perhaps it's better suited toward finding the weak spots like xz. My hope is that (given the alarm bells) the concentrated interests in the market will be able to come in and fill in the gaps themselves. Or, a clever funding method could still arise. My personal idea was insurance policies with stipulations on which software is used, which would give the insurance companies the incentive to find and fix the weak spots.
First of all, the xz incident should be reason to want less government involvement, not more. All publicly available evidence right now points to state actors behind the incident.
Time and time again, we've seen governments abuse technology to subvert democracy and human rights. They engage in illegal mass surveillance. They backdoor encryption standards. They hoard zero days behind our backs. They target journalists and human rights advocates. They now even brazenly push for encryption bans and mandatory backdoors. All of these actions pose a serious threat to our society, and yet they're done with little to no oversight. Those responsible have faced no repercussions to date while those who exposed these things have faced retaliation.
Given our reliance on open source infrastructure, it's right that they're desperately in need of funding. However, exactly how we do that is a hard nut to crack.
Open source projects generally don’t have an obligation to their users. Taking money will create that obligation.
If people instead want the government to forcibly limit options, that would be stupid.