Today I am going to talk about a topic that has been bothering me for a while, and what happened with xz and the exploit has only strengthened my opinion.
1 - What is open source?
Let's start with what open source is. By definition, open source means the source code is available to anyone who wants to inspect it, modify it, or even change it outright.
I'm not going to go into much more detail, because an open source community like the one we have today is great for development, but to sum it up: more eyes review any given piece of code, which means more people who can spot bugs or keep an eye on what is happening.
As a final note, the vast majority of this open code is not only free to use but also free of charge, and this is where the main problem lies.
2 - The Moq Case
A few months ago (August 2023), the famous Moq C# library, which we use to create test doubles in our C# tests, made a change that the community didn't like.
The change was as simple as adding a dependency on another library called SponsorLink, and while I don't think the way it was communicated (because it wasn't communicated) was the best, I don't completely disagree with what they did. This change would take the user's git email, hash it, and send it to the SponsorLink API with the sole purpose of showing a message thanking you for supporting the project, or asking you to support it if you weren't already.
The change was minimal and the drama it caused was massive. As I said, I don't agree with the approach but I do agree with the end goal: trying to make some money from software used by hundreds, if not thousands, of companies that generate hundreds of billions in profit.
In the end, the way SponsorLink works was changed and now it only sends the email if it's configured as such in the repo.
Note: I still use Moq.
3 - The xz Case
The xz case is much more recent (March/April 2024) and technically has nothing to do with the other, but the reason it happened is the same as the reason for the Moq change.
The xz case can be summed up as a malicious actor (a hacker) who inserted a backdoor into the code of the widely used xz compression library, which the SSH server ends up loading on many Linux distributions. To give you a sense of the scale, the xz library is used by distributions like Fedora, Debian, openSUSE, Kali Linux, and Arch, and by everyone who has installed the library manually.
I'm not going to go into too many technical details about what happened, but I recommend everyone read up on the case, as it is technically fascinating.
The reason this backdoor got as far as "production" is that it was heavily obfuscated, so the code wasn't readable at first glance, and the people maintaining xz are ordinary people like you and me who do this in their free time.
We were lucky that this backdoor hadn't yet shipped by default in the major Linux distributions: it was found in a preview version of Debian by a Microsoft developer who was working on another application's performance.
No one knows who the hacker is, but what we can say is that the software made it to production because the xz maintainers have regular jobs and dedicate their free time to this library for everyone's benefit. The hacker had spent years working with them and had earned the group's trust, which is what allowed them to install the backdoor.
4 - Open Source Sustainability
As you can see, both problems or scenarios stem from the same cause: developers have an 8-hour job like most people and contribute in their free time without compensation.
In the first case (Moq), it was to make some money, and in the second, it's because the maintainers are overstretched and can't do everything.
The cases discussed in this blog are two out of thousands we have in the Open Source world.
In my opinion, free open source is completely unsustainable. I experience it personally: every week people ask me to do X or Y because their company wants to implement it and they don't know how. When I tell them that's fine, I can do it but I will charge for the hours, they refuse. In open source, we have volunteers creating software that big companies use to enrich themselves, and not only do they not say thanks, they also put pressure on us.
Recently the author of FFmpeg, which is used by Microsoft Teams, also came out saying that Microsoft pressured him to fix a change or look into a certain feature because Teams had broken due to it.
While it's true that it's not a big deal and the Microsoft person was polite in their request, something is off: this person mentions that the bug is of the highest priority for the Teams team.
Well, if it's such a high priority, assign someone to read the code and fix the problem, or pay the author a monthly salary to work on what they themselves say is a key feature within Teams.
NOTE: Microsoft also has the .NET Foundation, which supports popular .NET libraries.
And in my opinion this is the main issue: doing open source is not sustainable.
Companies that make millions depend on and demand content from individuals who work just for the love of it, and that can't be.
If you are one of these companies and don't like the way things work, you can go and do it yourself. But no, it's easier to complain or make a fuss. The community's behaviour in the Moq case was shameful on that front.
4.1 - Licensing Changes
From my point of view, there's only one way to fix this problem: change the licenses. Don't get me wrong, the ideal solution would be for companies to donate money to the developers of the code they use, and some do, but they are the exception.
Then we have the case of companies that offer open source code and then provide support or sell related products, but this doesn't work for everyone, and for those who do, it's usually a secondary, not the main, source of income.
I'm usually more direct in my opinions: every creator of free code who has a popular library should change the license.
Something simple, something that forces any organization to pay for a license once it makes more than X amount of money. It could even be tiered.
Neither the author of Moq nor I nor anyone else wants to work for free, and expecting students or professional developers to pay your salary is unrealistic, but companies that earn more than, for example, 1 million euros can chip in 1,000 or 2,000 euros; yes, for each open source library they use. How much would it cost them to develop a similar library? And to maintain it? Exactly.
Yes, some companies will skip the license, but that’s still illegal, and most large companies are very careful with licensing issues.
If there is any problem, you can add a comment below or contact me through the website's contact form.