Open Source is broken


Don Goodman-Wilson

In this session from DevRelCon London 2019, Don Goodman-Wilson invites us to think more deeply about the assumptions of the open source model and whether we should consider other models for building software collaboratively and creating inclusive communities.


Don: Wow, it’s really good to be on this stage. Yeah, so my name is Don Goodman-Wilson. I’m very deeply interested and concerned in the open source ecosystem. I’ve spent the last several years, working with the open source maintainers, especially with the Maintainerati Foundation where we’re very interested in understanding the nature of the open source ecosystem, the challenges that they face, the challenges that need to be overcome. And it’s kind of messed up. But I’m optimistic.

Real quick, hat tip to Sy Brand. Yeah. You got new images showing up in here. We did a little thing on Twitter. I’m like, “I’m making my slides. I don’t know what to put up here.” So I solicited some images and Sy and the Data Scientist Radio Show on Kapis FM in New York, have submitted images you will see today.

So I wanna talk about this. Open source won. Right? Like let’s hear it!

Audience: [Cheers]

Don: Yeah, there we go. Maybe this isn’t the talk for, we’re really gonna need a drink after this talk. So this is a narrative. It’s become quite popular lately. Open source has taken over. Many, many facets of what we do, almost everything that we touch as technologists, like it’s touching open source in some way. Like, raise your hand if you’re not using open source in some capacity, in your job? Right, like no hands. Because you’re all shy and introverted and tired. But I wanna ask some questions about this. Like, what did it win? And at what cost? And I wanna explore this narrative a little bit and deconstruct it and critically analyze it.

So part of the narrative is that, open source is inevitable. Actually, kind of, I can feel this. I can feel this in my bones. Like it’s been 20 years coming, but here it is. It’s an unstoppable force. It pervades everything that we do. And there’s no escaping it. And it’s inevitable because, it’s an unmitigated good. Unqualified. There’s no qualifications on it. It is the right thing for us to be doing. It is a good thing for us to be doing. It’s liberating. It’s democratizing.

But I wanna challenge this narrative. I don’t really think these things are true. And I want us to think carefully about the kinds of structures, the kinds of institutions, the kinds of programs, that we’re creating and make sure that what we’re doing, is really equitable and ethical. By the way, the first person to crack a tethics joke… We’re grown ups, right? I’ve gotten enough of this over the last few days.

So if you haven’t seen the dear GitHub 2.0 letter. I’ll have a slide at the end with links to everything. It’s a call from open source developers to GitHub, which I have strong feelings about, but this quote really jumped out at me. “At the core of the open source ethos is the idea of liberty. Open source is about inverting power structures and creating access and opportunities for everyone.” And I’m of two minds about this quote. On one hand, this is a beautiful thing. And I’d really like to think that this is what we’re working towards when we’re working on open source. It’s definitely aspirational. On the other hand, I don’t believe it. I don’t think that we are moving in that direction, that open source actually achieves these things. And I think we have a lot of evidence to the contrary that this is true. But this is, boy that’s just where I’d really like us to be.

So just to take a case example. How many people are familiar with the Hippocratic License? Is there anybody who’s not? Well, I don’t wanna embarrass anybody. So it’s an MIT style license, created by Coraline Ada Ehmke. But it’s got this interesting no harm clause up here, right? That you can’t use your software in any way that violates human rights, as defined by the U.N. So you would think, if the thing I said previously is true, if open source really does value democratization, the inversion of power structures, liberating people, that this is a very trivial addition, and it shouldn’t actually mean anything in any way that we’ve added this, except, you know, it’s more verbiage, because we’re already on the same page. Of course you shouldn’t use it for these sorts of things, because those run counter to the ethos that we’re trying to cultivate. Of course the reaction to this has been, uniformly negative.

“Licenses should not be political.” This is a direct quote. I’m very curious where the normative force of this “should” comes from. And I have an answer to that, actually, that we’ll talk about in a little bit. “It’s not open source.” As though that’s actually an answer to anything. But it’s a very telling response. Right, why is it not open source? Well it turns out the OSI themselves have an answer to this. On Twitter they said that it’s not open source. Here’s a very long quote, if you wanna photograph it. But again, links at the end. So, don’t worry about that. Yeah, the OSI doesn’t think it’s open source. Why don’t they think it’s open source? Because, open source is meant not to discriminate against people or fields of endeavor, of which apparently evil is a field of endeavor. This is from the open source definition FAQ published by the OSI. This is worth reading aloud. “Can I stop…”, quote unquote, I love the scare quotes here. “…evil people, from using my program?” “No. You cannot.”

The Open Source Definition specifies “that open source licenses may not discriminate against persons or groups. Giving everyone freedom means giving evil people freedom, too.” Like… Uh, this is crazy. There’s a tension here, right? On one hand, like I do believe that open source software really is about creating opportunities for people and empowering those without power and on the other hand, we’ve got the very people defining what open source is, telling me I’m wrong. And I don’t know how exactly to resolve this tension.

But we can do a little bit of history. Maybe see where this tension came from. This is a small piece of a very large story. This is my telling of the story, from my perspective. I’ll get some details wrong, probably. Also, it’s really short, because we don’t have a lot of time. I encourage you to read up on the history of open source, even the Wikipedia articles, are pretty good, actually. But it all got started, when a very unpleasant man got into a fight with a broken printer. I’m not going to name this unpleasant man. He does not deserve it. His printer was broken. He did not have access to the source code and thus, he could not fix it, at least not to his own liking. And to be fair, this made him angry and he wrote a manifesto and went on to harass a lot of women. But this manifesto is actually a really key moment for open source software, because it was political. It said, “The power structures that exist in the software world are wrong. And we need to invert them.” This is where the sense that I get about the open source ethos comes from. It’s like we should put hands back in the power of the people and take them away from corporations who currently hold power over the rest of us, right? And thus was born the GPL.

Then about 10 years later, another unpleasant man wrote a book, called the Cathedral and the Bazaar. Which decided to take this idea a little further, and roll it back at the same time. His central thesis was that not only should the software be available to other people, but everybody who has access to that software, should also be working on it together, right? So he wanted to take things one step further, and create this notion of a collaborative, software development process. The basic idea was that, I’m sure you’ve heard this phrase before. “Many eyes make bugs shallow.” And it’s true, to a degree. And it was an interesting shift in the way that we think about software development.

But, there’s a subtext here. And that subtext was, we need to make, what came to be called open source software, politics free. We need to de-politicize it to make it palatable to businesses and we need to make a business case, for why businesses should be using it. If open source is going to win, this is what we need to do. “Many eyes making bugs shallow” can save on development costs. If you can get other people involved in your software project, you can save money on these sorts of things. And this really marks the beginning of the open movement.

So this culminates for me and my story, about a year ago. At Amazon Reinvent. This quote is worth reading too. This is from Adrian Cockcroft, the VP of Cloud Architecture Strategy at Amazon. “Open source business is using the developer community as a force multiplier for engineering. It means they don’t have to invest as much in engineering, as if they were doing 100% of this themselves, because the community is actually doing some of their engineering for them.” And the same thing with using their enthusiasm to be a marketing department.

Now all of us in this room, we can read this quote and we go, “Tell me something I don’t know.” Right, this is super boring. This is a narrative that we all know. We all play in. We all participate in, right? Many of us have open source communities that we work with. Many of us are building open source tools. But this is absurd. This is really absurd. If we can step outside of the box. Outside of the narrative that we’ve been living; what this man is saying is that we can get other people to do our work for free. And we can save money, by hiring a zero cost labor force. Like, there is so much wrong with this quote, it’s terrifying. And the fact that we can’t see that so easily. That’s even more terrifying because we’ve been indoctrinated. That’s us! So I think this is where the central tension comes from. This notion that we need to make a new development model accessible and friendly to business, in the name of reducing business costs, and that way we can legitimize it and we can propagate this practice.

But I wanna take a moment to look at the nature of this tension, as well. How many of you have heard of The Paradox of Tolerance? So I’m actually trained as a philosopher of science, rather than a philosopher of ethics. I’m married to an ethicist. Curiously, this was formulated by a philosopher of science. Karl Popper. And this is a quote from him. “Unlimited tolerance must lead to the disappearance of tolerance. If we extend unlimited tolerance, even to those who are intolerant, if we are not prepared to defend a tolerant society against the onslaught of the intolerant, then the tolerant will be destroyed and tolerance with them. We should therefore claim, in the name of tolerance, the right not to tolerate the intolerant.”

So this is a very important part of political discourse in the United States right now, is we’re having what some have dubbed the culture wars. I’m not especially fond of that term. It’s not a war. We’re seeing people expressing opinions that are, oppressive, that advocate for oppression. And, they continue to make these claims, under the guise of free expression, right? Everybody should be able to express the way that they feel. The problem is that, when you begin to express, or allow all these kinds of expressions, you actually end up building communities of intolerance, within a larger community of tolerance. And the nature in communities of intolerance is that they will eventually eat the community of tolerance. And they will become the dominant community in the end.

We see something very, very similar with open source. Substitute openness for tolerance and you can sort of get there, a little bit. The problem with extreme openness is we’re open to lots of things. We’re open to evil uses of our software, right? On the other hand though, if we want to create a world through openness, that maximizes a liberty, that creates power for the unempowered, right? Then we actually have to think carefully about the kinds of openness that we do allow for precisely the same reason. And there’s a curious paradox here and the open source community in general, has not been very willing to embrace that there is a paradox here. But I think that we need to take this very seriously. And I think this is the source of the tension between the two claims, that open source on one hand, inverts power structures and creates democracy, but on the other hand, has to be available to evil people, as well. It’s the same with free speech, right? Free speech creates opportunities and democratizes populations. But at the same time, you know, if you take it too far, it also creates opportunities through oppressors, to rise out of the population as well. We don’t want that to happen, which means we need to bracket our tolerance. We need to bracket our toleration of openness.

So what do we tolerate in the name of openness? I’ve been speaking a little abstractedly here. First of all, open source exacerbates existing injustices. Open source is a playground for the privileged. How many of you find that you don’t have time to participate in open source? Like that’s me, I have a family. I don’t have time to do this, right? So I’m not really a member of this community, as a contributor, as a maintainer, because I don’t have free time to do it. Now imagine that you’re poor, right? You have to work two jobs. You have a family to take care of on the weekend, because maybe you’re a single parent, right? Just on time alone, these people are already excluded from participating in the open source community. Likewise, it takes money and it takes time to participate in this community. You need to learn how to code software. You need to learn what GitHub is and where GitHub, how things work there. Right, you have to learn Git. These things take time, they take money, they take education. And a lot of the world does not have access to these things. Who does have access to these things? People like us in the room, who live relatively privileged lives. We’ve been trained in some way or other in using computers. We have, some of us, have the spare time.

This isn’t a judgment, right? It’s just a fact. Which by itself is not really sufficient, but then, who do we hire? We hire people who have interesting GitHub pages, right? We hire people who are known contributors, right? We’re gonna take somebody who’s a maintainer of a very popular project, over somebody who’s not a maintainer of a popular project, all other things being equal. Thus, those with the privilege to participate in open source get more opportunities to continue participating in open source. And those who don’t are shut out of the system. Open source prioritizes the wants of the consumers over the needs of the creators. This one’s a little more difficult to articulate.

So thinking back to the Hippocratic License, for example. The idea of adopting this license is to express your need as a creator that your creation not be used for evil, broadly speaking, right? And this is a valid desire on your part if this is something that you’re doing. This is a valid desire to limit the use of your creation to not do bad things, to not increase injustice in the world. That’s not something that you should be asked to give up, right? And the options in front of you right now are “well if you don’t wanna do that, don’t participate in open source” which is not a great response to this. And again, the reason it does it, harkens back to the Cathedral and the Bazaar and the desire to make open source more palatable to businesses.

If businesses have de-politicized licenses to software that they can use without worrying about the legal repercussions, the legal ramifications, then they’re more likely to adopt it. Once you start putting clauses into a license that limit their use to non-evil cases, whatever that means, then these businesses are not likely to adopt your open source software because their lawyers are gonna go a little nuts and justifiably so. Because it may be difficult to unpack exactly what these things mean. But, is that the way it should be? Like why should we put the needs and desires of corporate lawyers, over our own desires to reduce the amount of evil in the world? That seems kind of a weird trade off to me. Nevertheless, it’s a trade off we’re being asked to make.

Open source incentivizes exploiting a volunteer labor force. I mentioned this a little bit earlier, with the quote from Amazon. But one of the consistent complaints that I receive, at Maintainerati events from open source maintainers, is that they don’t have access to the resources that they need, to continue maintaining and developing that open source software. One very famous example, is a project called, EventStream. Some of you may be familiar with this. Did anybody know the story of EventStream and Dominic Tarr? So EventStream was, a very small piece of code created by Dominic Tarr, in New Zealand. He just, he needed it. He had an itch to scratch and he’s like, “Well you know, I’ll make it open source because why not?” It turns out other people had a need for it too and that was great and this small community started to grow up around it and then Dominic no longer needed it. He’d moved on to a different job. This piece of software’s no longer relevant to him. Nevertheless, the issues continued to pour in. “Hey here’s a bug.” And he wanted to offboard himself because he didn’t have the time, he didn’t have the incentives to continue working on this sort of thing. And so what happened was, he made a call for volunteers to help take it over. Somebody responded. He’s like, “Hallelujah. Here you go. Keys to the kingdom.” Two weeks later, malware had been injected into EventPad, sorry, not EventPad, EventStream. I’m confusing Left-pad and EventStream. Left-pad’s a different story. It was a cryptocurrency miner that targeted a particular downstream user of the software. And it took a few weeks to discover.

It was really ugly. It was really bad. It could’ve been a lot worse. It could’ve been, catastrophic. Left-pad was almost catastrophic, but that’s a story for another time. Why was it almost catastrophic? Because nobody’s paying the guy. He doesn’t have the time to do this. Nobody’s offering him the support that he needed. He no longer needs it. That he needed to ensure that what had become a critical piece of infrastructure for other people, was being maintained properly. But why should he be paid? It’s available for free. The license said so. I don’t even know that I’m using it, because it’s actually a dependency, of a dependency, of a dependency, right? We often don’t have insight into the dependencies that we use. And we frequently just don’t pay for them, because there’s no incentive for us to do that.

So now we’ve got a volunteer labor force out there. Building software for us, which is fantastic, but it is a house of cards. It’s a house of cards that could fall down at any moment and it’s gonna be our fault when it does. It’s not gonna be the maintainer’s fault. So, let’s de-normalize this behavior. If we wanna make forward progress and create an ethical, collaborative software development program, let’s work on de-normalizing this behavior, right? So, what do we do? We need to stop asking the wrong questions, first and foremost, right?

So don’t ask is it open source? I mean, that’s demeaning for one thing. But it’s just a way of reinforcing the status quo. It’s a way of excluding anything that’s threatening to the status quo. It’s a way of excluding potential explorations into other things. Like, is the Hippocratic License open source? “Moo” I only ask the question. Completely irrelevant. I don’t care. The better question is, can we use it as a foundation for creating ethical software development processes? I don’t know what the answer to that question is. I’d like to think is yes, but there may be other ways. We need to explore and experiment and when we ask this question, we’re cutting off that kind of experimentation.

We need to stop asking if something is politics free. I think most of us in this room are pretty good about that. But a lot of the people that we deal with on a daily basis are not. What does it mean to ask if something is free of politics? It’s just another way of saying, “Is this a safe place for cis-het white men to be comfortable and talk about men’s rights and white supremacy?” It’s a way of establishing the status quo is the default way to be. And that anything that’s not the status quo is political. This is not a very valuable question and again, I don’t think we’re asking that, but people are asking that, broadly speaking.

Right now, a lot of the experimentation in this space, is with software licenses and the big question is, is it enforceable? Bruce Perens just published an essay, actually probably about a month ago now, on the Hippocratic License and other similar licenses where he just rants on about, “Oh, it’s not enforceable.” It’s not actually the point. Maybe it isn’t enforceable. Maybe that’s okay. Maybe it’s a political statement. Maybe it’s a rallying cry. Maybe it’s a way of starting a conversation about what’s possible, even if we’re not there yet. People had the same questions about the GPL. It didn’t stop them, right? People had the same questions about other open source licenses. It didn’t stop them either, right? This is a question again, meant to reinforce the status quo and cut off any further conversation about things that are not open source. So don’t buy into that one. ‘So what questions should we be asking?’ I hear you say, I heard somebody back there say it. “What should we be asking?” This is a really good one to start with. As a philosopher, I have no answers. My role is to help you figure out, the difference between a good question and a bad question, and that’s a really good one.

Two deeper questions that I wanna ask are, what are the forces that have led us to this moment in time? I talked a little bit about the history of open source, that describes some of the forces in play. We have the Free Software Foundation. We have the Open Source Initiative. We have a few other foundations in place, that are invested in the status quo. Related question, what forces do we need to create if we want to see change in the world? What do they look like? What do the institutions need to be, in order to support and sustain growth in this field of inquiry? The question I really like though is, what do we owe to each other as people? If you saw my talk last year, I spent a lot of time on this question. And if you haven’t seen my talk from last year, it’s on YouTube, you should go see it. The basic premise behind this is that people are more important than code. We write code in the service of other people, whether we recognize that or not. And in so far as we’re working in the service of other people, we need to make sure we have those other people’s interests in mind. We need to understand who those other people are, right? If it turns out those other people are ICE. Like maybe this question is not very interesting. We don’t owe them anything. But maybe we should re-evaluate the software that we’re writing, if it turns out it’s going to be really useful for separating children from their families at the border. So this just means, be thoughtful about the fact that software that you write, is always for other people.

What does this mean for us in the room? Let’s bring this home. Let’s talk this in DevRel terms. You know, many of us are responsible for hiring. Many of us are responsible for managing sponsorships. Many of us manage open source programs. There’s a lot that we can do. There’s a lot that we can change. First of all, don’t be exploitative. Yeah, I spelled that right. Exploitative. So your community deserves more than just an open call for PRs. If you’re running an open source program, make sure the software is genuinely useful to your community. It isn’t just self serving, right? That you just want other people to collaborate with you. One, they’re gonna be less interested in participating, if that’s the case. And they’re gonna be more interested in participating if there’s something really in it for them. I mean that’s just Community Building 101, right? But we still run a lot of our open source communities as though they’re just like human resources to be mined. And to the extent that you can, pay your developers, right? If you’ve got this one person who’s really turning out some high quality PRs in their spare time, like hire them. Pay them for their work. Don’t be duplicitous. Don’t lie about what your code is for. If you’re building an open source project that crowd sources facial recognition models, maybe you owe it to your community an explanation of why you need that and also, what’s this contract with the Chinese government. Like, there are stories, people are gonna find out about. They’re gonna ask questions about. They’re gonna feel exploited if they discover that they had been lied to. Don’t be duplicitous with your developer community.

Imagine worst case scenarios and act on that knowledge. I have some friends who work in forum moderation and they can foresee things long, long before I can, because they do exactly this. They’re like, “If we build this feature, it becomes an abuse vector”. They can just see this, because they’re really good at imagining worst case scenarios. So when you’re building software, deploying software, encouraging people to participate in a software community, think about this. Think about the worst case scenarios. Can the software be used to oppress people? And then act on it. Right, don’t develop the software. Or, adjust a set of features, so that they’re not abuse vectors, right? Think about it very carefully. A big part of this is bringing diverse voices to the table, right? As a white man, there’s a lot of things I don’t see and I need sometimes, other people to help me see these things. Especially when it comes to building tools of oppression, intentional or not. And I encourage you and again, I think this is a good room for this, to bring diverse voices to your table, to help you understand what the worst case scenarios look like, to help you understand the impact that they could have on communities that you’re not a part of. And that you don’t understand so well. To fill the gaps in your knowledge. Don’t over index on OSS contributions when hiring. Again, it’s a simple privilege problem that I mentioned earlier. Not everybody has the time or the ability to commit to open source. Don’t over index on that. Find other ways to evaluate candidates beyond that. They’re a good coder, it’s gonna show up in lots of different ways.

Never forget that all code is political. To deny that code is political, again, is to reaffirm that the status quo is the default and is the correct thing to be. And is also to deny that the code that we write, is for the use of other people and for the benefit of other people. And that also is false.

So, we’re not in this alone. That’s the good news. That’s the lovely thing about ethics, is when you’re thinking about other people, it reminds you that you’re not in this alone. That we can work together, really and truly, to do something fantastic. And we have an opportunity in front of us, indeed, a moral responsibility in front of us, to do better. I thank you for your time. Here are the links. The QR code this morning, that was brilliant. I copied that. It’s also a GitHub repo, so, if you have more links that you want to add, I’m gonna put the slides up there afterwards, like let’s collaborate. I’m building a set of resources that we can all use. Oh yeah, and GitHub, drop ICE. Thank you.
