20 years ago I gave Dries the domain Drupal.com for free to support open source.
I recently gave the domain MrBeast.org to Beast Philanthropy.
But more important than Open Source is Freedom. I recently acquired the domain antifascist.org to fight the rise of fascism. This will be a website to share information on protecting your loved ones - it will be open source in that everyone can contribute.
I welcome anyone that wants to help - send an email or use the contact form on the website.
I forgot to mention - I won the lottery!
I won the 2nd prize of the recent Powerball - $50,000 and I am donating it to the new AntiFascist foundation.
I am NOT rich. This money could have a significant impact on my life. But I wanted to help others and so I am showing my commitment to fight for Freedom.
I have run OpenDomain for 25 years and have contributed domains to Open Source worth millions all for Free. I am ending that project to fight the rise of fascism.
That sounds really great, but right now the site is still 80% template text/pages. I'll check back and make a donation once it's ready and lists the non-profit receiving the money.
The first two are effectively rituals. If we stopped the such rituals, should antifascism be considered successful?
The military is deployed inside the country, if only law enforcement officers were conducting the same work would antifascism think it was a job well done?
And therefore, exactly what do you consider fascism? Hence my question.
Yeah, no. Nothing of what you said is actually correct, starting with "The connotation for fascism" ending with "naturally fascist". It to an almost impressive degree semantically nonsensical as well as logically incoherent. But at least one can concluded that you don't like the term fascism for some reason, a term that has reasonably well defined and commonly agreed meaning (and nowhere near anything what you said), albeit with a tendency to be overused.
Well, first off: it's not my conclusion (I would likely have used some other and more precise term, like "modern authoritarianism", which has enough similarities to historical fascism to cause alarm). Secondly, "fascism is on the rise" is such an ambiguous statement that could mean anything from "the seeds on fascism is forming somewhere" to "the number of fully fledged fascist states are increasing", which just leads to thirdly: I could certainly continue to help you get out of your mental block where you can only see one absurd reason for fascism being on the rise, but I think we can agree that this really isn't necessary.
I agree that open source infrastructure needs to be funded. I think first there needs to be a mindset shift in who's responsible for open source.
Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?
Currently, companies treat open source code as someone else's, so they don't bother to audit, maintain it, or fund it.
Clearly, this is wrong, and reflected in the oss license, which states that code is solely consumer's responsibility.
> Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?
They are. I've never seen a single example of a company that was able to dodge legal liability for something bad that happened as a result of an open-source software package that they used.
The problem is that software companies generally aren't liable for anything that happens as a result of their software. If you store the code to a safe with $100k in OneDrive and Microsoft deletes that file by accident, they have zero legal liability - regardless of whether the fault was in Microsoft's proprietary code or some open-source library that they use.
That's the more fundamental problem that needs to be addressed first - that tech companies have extremely few responsibilities to their users, in a way that's unlike most other industries that have come before.
What are the penalties? Will they crack down on the buggy WiFi routers which often times have open source software that they never maintain?
Also I see this as a benefit for the major commercial Linux Distribution like Red Hat, Ubuntu and maybe SuSe because small companies can't provide that level of assurance.
"Failure to comply with vulnerability reporting, cyber incident reporting, or essential cybersecurity requirements could trigger administrative fines of up to €15 million or 2.5% of global turnover. Other obligations include €10 million or 2% of global turnover."
Apart from fines, "Beyond financial penalties, non-compliant products may also be prohibited or restricted from being made available on the EU market, or authorities may order their withdrawal or recall. This can lead to significant reputational damage and loss of market access."
I’ve given up on hopes of having funding on open source. My open source packages account for about 1.2% of all PHP code downloaded from Packagist (package manager) but unless there is a commercial effort behind it, I do not see it happening. A couple devs in highly hyped companies is able to generate a following big enough to solicit some non trivial amount of funding but the majority just doesn’t care enough about it to fund it. In the end, is open source maintainers are stupid enough to give our code away for free, so who’s really to blame for this. Perhaps it’s an overly pessimistic view, but not a view that has historically been disproven.
MIT is pumped to enable current ecosystem, precisely. Companies say "This my code when I need it, and it's your code when it breaks", and developers read the fine print very late, because they thought exposure is valuable.
GPL & AGPL is effective against that, but companies are afraid of it since it tells "code is a collaborative effort, and you have to share what you did with the code".
Because of this, I share most of the code I write for myself, and strictly use (A)GPLv3 as a license. I don't care what companies do or what riches I possibly ignore. My principles are not for sale.
Being responsible generates no value for the shareholders. Being able to be reckless and ignore everyone while making business is.
> Companies say "This my code when I need it, and it's your code when it breaks", and developers read the fine print very late, because they thought exposure is valuable.
I think that this is an accurate description of working relationship. But, the fine print (MIT license) explicitly says that the companies are responsible:
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED
That line allows shifting the blame upstream without any friction.
Exhibit A: Company X uses library Y by Mr. Z., which is used by another 100 or so companies. Mr. Z. is happy because he's quasi-famous because of all the exposure. A bug has been found in Y by users of Company X, which is not interested in fixing it.
- Users: Hey Company X, this feature provided by libY is broken.
- Company X: This makes us lose money, but it's complicated. Tell Mr. Z.
- Mr. Z: There's no warranty whatsoever.
- Company X: You either fix it, or we spread the word that you're irresponsible and everyone will inevitably migrate to libW.
- Mr. Z: OK. Lemme look at that.
Mr Z. drops everything, fixes problem, maybe gets a Thanks!, and might feel better. Company X and other hundred gets free labor for their problems, and one person burns out.
Why? Because nobody tried to understand how GPL works, and companies said MIT or no cookie points anyway.
So, another developer is bought with hope vapor. He gets nothing in the end, while the company is printing money in two ways by not buying an expensive library and selling its capabilities.
I don't claim to have first-hand experience, that was just a suggestion. But there is a recent study on how maintainers respond to bug bounties here: https://arxiv.org/abs/2409.07670 .
The title of the linked HN story is "Microsoft offered FFmpeg small one-time payment instead of support contract".
So FFmpeg said that they need a contract for that, and they have given a couple thousand dollars as a one-time contribution.
I mean, "a few thousand dollars" for something underpinning Teams, is unacceptable. They probably charge 10x much for a small client for their yearly license.
My point is if that FFmpeg, tried to raise more awareness of the issue, say talk to news outlets, they could get much more funding from MSFT.
Furthermore, big companies like Google, Microsoft care a lot about security. So they could raise money for security engineering like fixing memory corruption issues.
Of course, FFmpeg could complain Google, Microsft doesn't care about all the
high severity vulnerabilities in FFmpeg.
That would be much more of an eye catcher.
Please see what Daniel has shared today. Link is in the comment you replied to.
Open Source software became so common that the tragedy of the commons applies to it. IOW, there'll be always someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring.
I did read that link before commenting, and there's nothing in there about users damaging Daniel's reputation after he declines to do free work for them?
> there'll be always someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring
Why is this, especially in the cases of being rich or not caring about compensation, a problem? I have done a lot of Open Source work for free, and a lot of Open Source work while paid by companies, and I don't feel like I've been exploited or otherwise mistreated in either case.
It's not a problem, it's just a fact. I personally don't care about the compensation either, but not everyone is motivated the same about developing software.
On the other hand, I believe requesting somebody's time for free is unethical, esp. if you are a company and wanting something from other parties at a certain quality at a certain time.
Somebody using your code and getting business done with it might not feel exploitative, and it might be true for you, and me. However, if they demand support from you, in X hours, at Y quality, and expecting you to "stop, drop and roll" for them, now that's exploitative. This is what I'm trying to say.
Many young people, who happened to write good code and their good code picked up by corporations are exploited like that. Not all of them know the better or have the gravitas to tell "go fix yourself", and this allows exploitation to continue.
I'm very grateful for people who write this code to enable this massive and wonderful ecosystem. I try to help them by filing high quality bug reports, submitting patches if I can and monetarily support a couple of them. I'm not against open source, but prefer Free Software more, because it's fairer towards the developers and the users. I don't like companies running away with someone's effort and come back and low-key threaten for free work.
Also, again talking about Microsoft, there's the WinGet/AppGet saga, which is ugly in its own right.
> Not all of them know the better or have the gravitas to tell "go fix yourself", and this allows exploitation to continue.
Agreed there, but then this is what I think we should be arguing for. Not "companies are wrong to use software without paying" but "companies are wrong to demand work from (and especially to make threats to) volunteers" and "volunteer maintainers should be well supported by the community (and anticipate such) when they decline to extend software".
> Agreed there, but then this is what I think we should be arguing for.
I mean, the original comment (by me) you replied to is intended to portray a scenario where the company threatens the developer for not fixing a bug which affects the company in short notice, for free.
Possibly I read more into your comment than you were trying to say, but I interpreted you as saying "and so we should shame companies for not paying" as opposed to "and so we should shame companies for threatening"?
You dove a little deeper than I intended. In short:
- Companies use Free or Open Source Software: That's great.
- Companies give feedback (bug reports, RFCs, developer time etc.) to said projects: That's awesome.
- Companies wait for the developer and have no hard feelings when their requests are done for free, or rejected because it doesn't fit developer's vision: That's the way it should be.
- Companies pressure/threaten developer for features, timeline, requests and expect the developer to do as they say for free: Hell no!.
If they see eye to eye and let the developer be, it can be done for free. If they try to treat said developer as their employer who works for internet cookie points, now we have a problem.
The GPL can't solve the FOSS funding situation, its relatively easy to comply with, and still not send any money (nor code) back upstream to maintainers.
As our resident GPL expert, you're right, but the reality differs a bit, with all the respect.
Companies doesn't like GPL because it mandates them to show hang their laundry outside. In turn, this creates a code quality pressure which companies doesn't want to pay for. Also, this visibility creates another, more psychological pressure on companies by exposing the external stuff they are using.
As a result, companies become more vulnerable to external pressure since somebody can point out what they are using without supporting and calling them out on it.
This can potentially send more money to developers, but this will not create value for the shareholders. Because having another yacht is more important than a pesky person's mental health and living conditions.
The GPL doesn't mandate public disclosure of code, just offering code to your users, who probably won't even know what source code is, let alone download it, tell anyone about it, modify it or redistribute it.
The EU CRA law is going to start creating the code quality pressure you mention too, with financial and other penalties. So they will have to do the right thing eventually. Hopefully that will make the GPL more acceptable to them.
The external pressure thing applies to the permissive licenses too, since companies have to provide attribution as part of the MIT/BSD/etc licenses, usually by having copies of their copyright notices in the system settings of their devices, for example curl is permissively licenced, all the car companies use it, none of them sponsor curl, and curl is now complaining about that. Of course, its extremely unlikely any of those companies care. The CRA might make them care though.
> The GPL doesn't mandate public disclosure of code, just offering code to your users...
That's the theory, and it's correct. We have discussed this with you before. However, a SaaS running AGPL code has to put it "out there", or mail to any user as soon as they register, so in this case it's moot.
Considering many GPL software is also distributed over the net, the code has to be "out there", again, in practice. Unless you are RedHat and selling the GPL software in question, which is perfectly fine.
> The external pressure thing applies to the permissive licenses too,...
Finding the copyright notices buried at the bottom of a text with the length of a Hollywood movie end-credits roll which is in turn buried 5 levels of menus is practically impossible if you don't try it. I can argue that GPL's condition is "in your face" when compared to permissive licenses.
Also, who will dig and find that I have used a specific library if I conveniently forgot to add its copyright line to this already long wall of text? "What will they do? Sue me from their mother's basement?" the companies think 99% of the time.
busybox has a tool to detect their inclusion in an embedded image, but that's GPL to begin with.
The GPL and BSD notices are usually in the same place, in the Settings -> About -> Legal notices dialog or similar.
> Also, who will dig and find that I have used a specific library if I conveniently forgot to add its copyright line to this already long wall of text?
People will still find out. The router I have violates both the BSD license, and the GPL. It simply has no copyright notices at all. The only indication it violates both is the web server 404 page links to the micro_httpd homepage, and the network filesystem feature uses the word samba. Thats probably more common than deliberately incomplete copyright notices. Even more common is wilful deliberate GPL violations.
More realistically, users are going to say "Hey Company X, this feature is broken." They won't know or care about libY. I would have replied with "There's no warranty whatsoever. Please submit a bug report and we will prioritize it accordingly. We do accept pull requests."
The bug might have low impact in most cases but doesn't work with how Company X is using libY, so it might not get fixed for a while. If this is hurting them, they can fix it themselves and submit a PR. Or they can work with them to prioritize their bug, which puts them on the other foot. If it's a huge problem that affects half the web, then Mr. Z will be working on it anyway.
If I were Mr. Z, I would know the problems Company X will have replacing libY with libW, and wish them the best of luck if they bring it up. No one's paying me, if they want to use something else, good riddance. Especially if they are threatening me. But I get it, people are different.
I'm sorry, but what kind of fantasy is this? Here's how it works in reality:
- Customers: Hey Company X, this feature provided by libY is broken.
- Company X: This makes us lose money, but it's complicated. Tell Mr. Z.
- Customers: We don't care who Mr. Z is or who is responsible. If your company does not fix the problem we are going to fucking murder you.
No paying customer will ever accept that a company tries to shift the blame to somebody else. So Mr. Z is free to ignore anything that company asks from him, reputation intact.
This I would strongly dispute. I’ve seen it first hand many times that developers who ignore such things are definitely finding the negative consequences of it. It takes very careful maneuvering not to get burned, either by reputation damage or to burn out.
So your "reputation" among a bunch of parasites takes a hit? Who cares about what they think? They're not giving you any money anyway. They're just using you.
It's like if a group of bums in the park think I'm a cool guy because I give them cigarettes when they ask. Great. And if I stop giving them free cigarettes then they say amongst themselves "man, that guy is a real jerk". Ok, should I care about what a bunch of free loading bums think?
Of course I understand that I will be down voted for this. Because people who love being victimized hates when people point out that they're being taken advantage of.
While you might see them as parasites, their community reputation may be very different. To fit into your scenario, you may need to get work from the other bums.
If people demand that you work for free for their monetary benefit and badmouth you if you don't, then that's not a "community". Those are people you want nothing to do with. Most businesses understand that they have to pay for every benefit or service they get from third parties.
Most professional developers aren't that stupid. The problem is
students, and the underemployed more broadly, write code to make a name
for themselves, which isn't entirely irrational.
I lead open source projects for the United Kingdom National Health Service, specifically for NHS Wales Digital Health and Care. The UK is investing significantly in open source and publishing widely about the importance of open source.
If you're technical and curious, I'm currently porting the UK NHS design system from Nunjucks to more implementations, including vanilla HTML CSS TypeScript, and my personal favorite Svelte Tailwind Daisy UI. Claude Code is churning on it right now.
TLDR "OpenUK is a UK not for profit organisation committed to develop and sustain UK leadership in Open Technology, being open source software, open source hardware and open data, across the UK. OpenUK promotes businesses, projects and people, who use Open and strives to collaborate across all existing organisations for Open by creating a clear and loud voice for the Open Communities in the UK; influencing UK Legal and Policy to make the UK a great place for Open business and by promoting education and learning in skills in Open Technology."
Yes with a twist: the French government design system is purposefully reserved for the use of French government websites. I believe that a great design system will be flexible and more akin to user principles first, then implementation interface components (e.g. we need 200 or so components for one of our medical apps), then skinning such as look and feel and themeing.
As one example I'm very keen on coding techniques such headless components as by Bits UI which provides headless components for Svelte. If anyone here wants paid work to code components like these by Bits UI, come work with us. <3
If you are looking for OSS support for things like libre office, graphics, bluetooth, WSI, upstreaming, kernel and more, Collabora is a UK based company that can help~
Good point. We do use the existing GOV.UK design system, because it's the basis for the NHS.UK design system. Broadly, there are medical-related design aspects that use specific system quality attributes processes such as clinical compliance and formal research to help guide the look and feel and accessbility.
The public barely want to fund public infrastructure, for the electricity they use, the water they drink. And especially not for the electricity and water that their neighbours, or people across town, or people somewhere else in the country need.
I think it is an illusion created by people rich enough to pay for things themselves. it is easy for those with the loudest voices to pass as "the public".
They are not to blame. Why should they care, when open source itself doesn't care about them? The benefits don't go to the public; they go to those who can use it to build a business.
I would be much more excited in finding ways to fund public infrastructure like Amazon does Prime rather than going the other way around. If anything, academic open source which is the closest alternative has not really produced much and the production open source that actually works is by and large corporate-sponsored.
P.S. The article also opens by contrasting open source consumption and contribution. In a certain sense, as the article acknowledges later, I care much much more about government consuming free software, as a neutral platform to avoid lock-in for themselves and the taxpayer, as well as providing an open foundation for integration and letting people use free software if they choose to (and not lock them to iOS and Android, for instance.) That alone is one of the biggest ways they can contribute. The actual code contribution will come naturally if they do that.
> That alone is one of the biggest ways they can contribute. The actual code contribution will come naturally if they do that.
The article claims that this is not happening:
> Procurement practices often make the problem worse. Contracts are typically awarded to the lowest bidder or to large, well-known IT vendors rather than those with deep Open Source expertise and a track record of contributing back. Companies that help maintain Open Source projects are often undercut by firms that give nothing in return. This creates a race to the bottom that ultimately weakens the Open Source projects governments rely on.
> The European Commission runs more than a hundred Drupal sites, France operates over a thousand Drupal sites, and Australia's government has standardized on Drupal as its national digital platform. Yet despite this widespread use, most of these institutions contribute little back to Drupal's development or maintenance.
Much of the actual day to day work is. Typically graduate students, so they’ll be 22-26. That’s not a critique of their intelligence or potential. Students get progressively more experienced of course, but professors aren’t writing code most of the time.
A problem with academia in general is the lack of staff positions. Post docs finish their time then it’s either leave academia or become a professor. There’s few positions for those who want to just do research as a career, rather than pushing for a professorship. This means there isn’t a stable and experienced core of people.
Obviously slanted to certain areas (OSes and languages, rather than say word processors), relevant to research, but still.
It has not historically quite important.
Of course, it would be great to fund experienced people just to do this - and a better use of the money currently subsidising commercial R & D at the moment in many countries.
Yeah, most of it is. I got a look behind the curtain when when my son got a master's. His PI was wrote a huge Python program then left and he inherited it. The new PI is completely clueless. They all have other, more pressing things to do, instead of doing proper software engineering.
When I was at UCB in the 80's, a lot of incredible things happened (Berkeley UNIX), but they had a LOT of staff members that did a lot of the work. And that had PhD students (Bill Joy, Sam Leffler) who were insanely smart and spent most of their time doing proper engineering on their projects. And, btw, I was one of those staff members. I saw all aspects of it, because the project I was on was used by a lot of people in the CS dept.
I wasn't actually criticizing anyone. I think it's just the way it is.
Not sure why you think academic open source is the closest alternative. The article doesn't mention academia, but does explicitly name govt-run public goods like roads, fire departments, etc.
I think looking at those is much more instructive as to what govt-funded FOSS might be like.
Because we already have some government funded open source run by academics, so that is a grounded approximation of how well or poorly it could look like.
I don't know where you live, but I hope OpenSSL is not developed like the roads I drive on. That's not some grand aspiration.
I think the thing about academic open source is that the government is not "funding open source" -- they're funding research, and all the incentives and measurements and funding criteria are set up (give-or-take) to drive towards "better research". Any open source software produced is a by-product. A hypothetical "government funded open source" would hopefully have criteria and incentives that drive towards better software...
A capitalist institution, in this case Amazon, charges some basic tax for providing basic services, e.g. package delivery, that have overlap with traditionally public infrastructure, but executes at a higher quality.
One could imagine something like RedHat or a quasi-coop Apache Foundation that actually employs high-quality people and pays them to develop code and sells subscription/support.
Does anyone work with it these days? I haven’t heard of it for like a decade or two. Truly curious what’s up with it. As honestly, I thought php is long dead, but it looks like it isn’t. I remember WordPress as a much better alternative (in my humble opinion), but perhaps someone still uses it somewhere and can comment. Would really love to learn the state of Drupal in 2025.
There's precedent for this type of thing in the EU. They sponsor(ed?) the bug bounty program for VLC Media Player[0] for example, among a few other OSS projects.
Governments should do this, but as a but as a way to create value and do things that are strategic but not locally optimal. Not just because some lawyer writes in some extra funding for ffmpeg (or whatever).
Small teams making software to solve problems, and then gradually aiming to hire for end users to be able to code (this is a good way of achieving the "less people, higher salaries" dream)
If we treat it as infra then I fear slightly that we'd end up like the Victorian to modern transition where the idea of public infrastructure being run by the people who built lots of it in the first place is unimaginable i.e. Britain's railways and many roads were built to make money, but we are now (I'd argue) so risk adverse and allergic to prices being allowed to signal anything that we would never actually allow this to happen now.
Good article. Could come across a bit like an unintentional bait and switch from the other point of view though, these projects love to see adoption but then require funding to maintain? Maybe setting the project up more commercially that then self funds the open source platform like Laravel is a more sustainable model?
If it's anything like hs2, we'll hire thousands of consultants on huge day rates who have zero incentive to ever build anything. Not an ideal model for open source funding.
but what would be the deducted amount, in dollar value, when the work is voluntary? Do you get assigned a dollar value per line, per hour worked, or you just guestimate?
I’m kinda surprised we still don’t have publicly funded and run cloud yet and really only available in the academic settings if you’re affiliated with a university or research lab (and even then each of those have their own spins with lots of duplication).
Some of these decentralized and open source projects (eg gridcoin.us, or golem.network and akash.network) seem like interesting ideas that would benefit with a public/private incentive system too. Perhaps giving some finite compute to experiment with at little to no cost. Others can donate or are incentivized to provide unused compute.
There’s so much unused / underutilized resources out there that it would be a great boon to somehow make that available and further reduce barriers to entry. Aside from that it’s just a really interesting problem that intersects a lot of different areas.
Fairly comprehensive and good blog post. Possibly too new to make it in, a proposal to take the learnings of the German STF (mentioned in the post) and expand it to the EU level for the next budget cycle (2028-2035) https://eu-stf.openforumeurope.org/
Perhaps open source should update its license so that businesses profiting from it contribute a small portion of their earnings — say, 1% — to a global fund, whether allocated specifically to the open source maintainers and contributors or to the Decentralized Universal Kindness Income (DUKI /djuːki/) for all lives worldwide.
Still, most of these genius engineers likely don’t care much about such a small sum. They earn the honor and move on, while the charitable benefits flow to those who can monetize the software.
After reviewing the definition and interacting with an AI, I see that it does indeed exclude this type of use. However, I feel these definitions create unnecessary divisions and discrimination.
It seems unfair to projects with open source code under non-standard licenses, as they are prevented from using the term that aligns with how most people worldwide perceive it. The definition has also effectively made an enemy of money, which may be the root reason the author advocates for funding open source like public infrastructure.
Personally, I wish “Open Source” could simply reflect its literal meaning—the one that most people perceive: that the source is open for any purpose, provided the specified rules are met. In my view, as long as the rules set by the maintainers apply to everyone equally, they do not constitute discrimination. You just have to follow the rules of the game if you want to play.
> That wouldn’t comply with the Open Source Definition, which prohibits discrimination against any person, group, or field of endeavor.
If a DUKI-licensed project (similar to MIT, but requiring a business using it freely to “donate 1% of its net profits to a global fund”), how does this conflict with the Open Source Definition and prevent it from being called open source?
This is the discriminatory part. If you made the fee requirement of everyone regardless of the type of organisation they are part of or not part of, then that might be OSD-compliant.
To support open source projects and developers, a GitHub-like platform managed by a nonprofit organization should be established, and it should issue its own token. Similarly, a fair system that distributes these tokens according to developers’ contributions would be much more appropriate.
Isn't this what the "Freemium" model is supposed to resolve? If a open source package is popular, people will build businesses around it and people who use it can then purchase support and get bonus features.
This allows the marketplace to determine which project get supported rather than bureaucratic decree.
It's usually the more user-facing products that can thrive on this freemium model (probably full web apps or a lot of code). For example, laravel might get a lot of funding from this.
However, the underlying infrastructure libraries, will not get any funding from this, even though they have much more users. For example, libxml2, xzutils, http parser ...
You can't build any product off of an infrastructure library, purchasing support doesn't make sense, and there are little bonus features to be made.
One way to remedy this, is to have well funded open source projects take ownership of its dependencies.
Careful what you wish for. Government funding almost always comes with strings attached. Once a project becomes dependent on government, they will call the shots. Do what they want or get your funds yanked! This could include stuff like coding back doors for the NSA or implementing spyware.
Isn't that how it works now too? Contributors are often contracted companies that develop features that they upstream. If you don't do what the company tells you, you won't be able to upstream any features on their dime
Like already mentioned, this is not in any way unique to open source software.
On the contrary, being open source adds the opportunity to understand what the software does on a deeper level, and you can always fork (Librewolf is one of many examples that comes to mind).
Do you have any examples where large entities taking over open source project having lead to the project's total demise? This sort of thing happens all the time the in the commercial space.
It of course also happens to some extent to open source projects, but usually that results in forks if the demand is high enough. For commercial software, you don't have many options - especially for subscription based licensing, which is pretty much the norm nowadays.
I was not suggesting that demands from those paying the bills does not happen in proprietary software or that big companies don't do the same for open source projects today.
The article was written as if there are no downsides to government supported open source projects. I just wanted to point one out.
Quite often the public infrastructure (at least in some EU countries) is funded in the way so that the investors give the funds and then a small fee is collected and used to pay for the loan and maintenance. Sometimes after the loan is fully paid the infra usage fees are waived.
In some places, funding public infrastructure like public infrastructure has barely proven to be successful and sustainable. Some places are underfunded, and it shows, and other places are well-funded but in crippling debt.
The average developer, whether of open source or otherwise, refuses to use even the bare minimum of engineering discipline in realizing their programs, thereby resulting in an explosion of bugs that the rest of us have to pay for with our time, effort, and sanity.... and they want taxpayer money for that? HOW ABOUT NO. And don't tell me things would be different if we paid them since commercial software developers are certainly incentivized to do things properly and they STILL refuse to use proper engineering practices.
I think those who believe a companies will pay to you for a random OSS is just a kids. Ask people who can use a sheets, they explain you why your product will die with this approach.
No one owes anything to any particular project or developer.
The thing to understand about discussions around funding FOSS projects is that it should be clear that society as a whole would benefit immensely from a strategic investment in commons-based software infrastructure.
sure. But companies believe that open source developers owe everything to the them (i.e. fixing bugs, contributing to feature requests, critical security releases ...).
A society would owe something to person picking up trash in their free time. But I am pretty sure society will never end up paying even minimum wage for that labour...
It is similar to open source... Something has value and is good for society, but society neither has willingness or ways to reward it.
Where I live in Seattle we fund keeping the streets in good condition. I see city staff roaming around during the day from time to time wearing hi-vis, doing stuff like picking up trash or removing graffiti.
If trash is lying around only getting picked up by generous citizens in their spare time, what that implies is that the city/county have chosen not to invest in maintaining the streets, and the citizens have elected to throw trash everywhere. I don't think we should take either of those conditions as a given. Better things are possible.
Quite interesting that I didn't mention money, but that seems to be the only language many people speak. Anyway, maybe go ask the Blender folks (and I'm quite sure others can provide some more examples)
Also, please read the HN guidelines [0]
> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
You don't know anything about me, including my age, nor my motivations or history.
but software is just not-a-base thing - it needs cpu's, computers. If you want
realy independence do base thing - computer hardware ! Make small hardware that just can run Linux, can display things and use keyboard and mouse... Do eg. Dennmark do this ? Or Bosh ? Or...
Computers just to connect to internet and send some messages via IRC or something... ;)
20 years ago I gave Dries the domain Drupal.com for free to support open source.
I recently gave the domain MrBeast.org to Beast Philanthropy.
But more important than Open Source is Freedom. I recently acquired the domain antifascist.org to fight the rise of fascism. This will be a website to share information on protecting your loved ones - it will be open source in that everyone can contribute.
I welcome anyone that wants to help - send an email or use the contact form on the website.
I am NOT rich. This money could have a significant impact on my life. But I wanted to help others and so I am showing my commitment to fight for Freedom.
I have run OpenDomain for 25 years and have contributed domains to Open Source worth millions all for Free. I am ending that project to fight the rise of fascism.
I welcome ANY help or criticism - https://Antifascist.org
We have registered as a non-profit as “AntiFascist Foundation” and should finalize our paperwork this week.
Please note that since the goal is social activism, we are a 501c4 and donations may not be tax deductible.
We also would love any help on the design or messaging - any help would be greatly appreciated. Contact me and you can be part of the project
Marches of masked men with flags bearing nazi symbols?
Perhaps you have heard of deployment of military inside the country used for oppression?
Seizing people without hapeas corpus? And then deporting citizens without any criminal record at all?
The military is deployed inside the country, if only law enforcement officers were conducting the same work would antifascism think it was a job well done?
And therefore, exactly what do you consider fascism? Hence my question.
Where?
Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?
Currently, companies treat open source code as someone else's, so they don't bother to audit, maintain it, or fund it. Clearly, this is wrong, and reflected in the oss license, which states that code is solely consumer's responsibility.
They are. I've never seen a single example of a company that was able to dodge legal liability for something bad that happened as a result of an open-source software package that they used.
The problem is that software companies generally aren't liable for anything that happens as a result of their software. If you store the code to a safe with $100k in OneDrive and Microsoft deletes that file by accident, they have zero legal liability - regardless of whether the fault was in Microsoft's proprietary code or some open-source library that they use.
That's the more fundamental problem that needs to be addressed first - that tech companies have extremely few responsibilities to their users, in a way that's unlike most other industries that have come before.
Also I see this as a benefit for the major commercial Linux Distribution like Red Hat, Ubuntu and maybe SuSe because small companies can't provide that level of assurance.
"Failure to comply with vulnerability reporting, cyber incident reporting, or essential cybersecurity requirements could trigger administrative fines of up to €15 million or 2.5% of global turnover. Other obligations include €10 million or 2% of global turnover."
https://www.windriver.com/resource/eu-cyber-resilience-act-f...
Also more details in this one:
https://codific.com/cra-fines/
Apart from fines, "Beyond financial penalties, non-compliant products may also be prohibited or restricted from being made available on the EU market, or authorities may order their withdrawal or recall. This can lead to significant reputational damage and loss of market access."
https://openssf.org/blog/2025/02/20/does-the-eu-cra-affect-m... https://www.cra-guide.com/2025/06/09/cras-impact-on-small-an...
GPL & AGPL is effective against that, but companies are afraid of it since it tells "code is a collaborative effort, and you have to share what you did with the code".
Because of this, I share most of the code I write for myself, and strictly use (A)GPLv3 as a license. I don't care what companies do or what riches I possibly ignore. My principles are not for sale.
Being responsible generates no value for the shareholders. Being able to be reckless and ignore everyone while making business is.
Don't get distracted. It's about monies.
I think that this is an accurate description of working relationship. But, the fine print (MIT license) explicitly says that the companies are responsible:
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED
Exhibit A: Company X uses library Y by Mr. Z., which is used by another 100 or so companies. Mr. Z. is happy because he's quasi-famous because of all the exposure. A bug has been found in Y by users of Company X, which is not interested in fixing it.
Mr Z. drops everything, fixes problem, maybe gets a Thanks!, and might feel better. Company X and other hundred gets free labor for their problems, and one person burns out.Why? Because nobody tried to understand how GPL works, and companies said MIT or no cookie points anyway.
So, another developer is bought with hope vapor. He gets nothing in the end, while the company is printing money in two ways by not buying an expensive library and selling its capabilities.
Edit: One Daniel Stenberg of curl:// has dropped this: https://mastodon.social/@bagder/115025727082593712
Another (good) write up from LinkedIn: https://www.linkedin.com/posts/troed_how-many-open-source-pr...
- Mr. Z: There's no warranty whatsoever. However, I might fix it for a small consulting fee.
- Company X: You either fix it, or we spread the word that you're irresponsible and everyone will inevitably migrate to libW.
- Mr. Z: Ok, and I'll spread the word that you are a cheapskate.
So there's some more words from the mouth of the people inside this.
So FFmpeg said that they need a contract for that, and they have given a couple thousand dollars as a one-time contribution.
I mean, "a few thousand dollars" for something underpinning Teams, is unacceptable. They probably charge 10x much for a small client for their yearly license.
C'mon now. This is not even satire.
My point is if that FFmpeg, tried to raise more awareness of the issue, say talk to news outlets, they could get much more funding from MSFT.
Furthermore, big companies like Google, Microsoft care a lot about security. So they could raise money for security engineering like fixing memory corruption issues. Of course, FFmpeg could complain Google, Microsft doesn't care about all the high severity vulnerabilities in FFmpeg. That would be much more of an eye catcher.
Z should ignore or publicize the threat, not give in to it.
(If someone tried this approach with software I maintain I would absolutely not fix their problem.)
Open Source software became so common that the tragedy of the commons applies to it. IOW, there'll be always someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring.
> there'll be always someone who will accept exposure as a valid form of payment either being very rich or being desperate or not caring
Why is this, especially in the cases of being rich or not caring about compensation, a problem? I have done a lot of Open Source work for free, and a lot of Open Source work while paid by companies, and I don't feel like I've been exploited or otherwise mistreated in either case.
On the other hand, I believe requesting somebody's time for free is unethical, esp. if you are a company and wanting something from other parties at a certain quality at a certain time.
Somebody using your code and getting business done with it might not feel exploitative, and it might be true for you, and me. However, if they demand support from you, in X hours, at Y quality, and expecting you to "stop, drop and roll" for them, now that's exploitative. This is what I'm trying to say.
Many young people, who happened to write good code and their good code picked up by corporations are exploited like that. Not all of them know the better or have the gravitas to tell "go fix yourself", and this allows exploitation to continue.
I'm very grateful for people who write this code to enable this massive and wonderful ecosystem. I try to help them by filing high quality bug reports, submitting patches if I can and monetarily support a couple of them. I'm not against open source, but prefer Free Software more, because it's fairer towards the developers and the users. I don't like companies running away with someone's effort and come back and low-key threaten for free work.
Also, again talking about Microsoft, there's the WinGet/AppGet saga, which is ugly in its own right.
Agreed there, but then this is what I think we should be arguing for. Not "companies are wrong to use software without paying" but "companies are wrong to demand work from (and especially to make threats to) volunteers" and "volunteer maintainers should be well supported by the community (and anticipate such) when they decline to extend software".
I mean, the original comment (by me) you replied to is intended to portray a scenario where the company threatens the developer for not fixing a bug which affects the company in short notice, for free.
Or, did I word it wrong?
The GPL can't solve the FOSS funding situation, its relatively easy to comply with, and still not send any money (nor code) back upstream to maintainers.
Companies doesn't like GPL because it mandates them to show hang their laundry outside. In turn, this creates a code quality pressure which companies doesn't want to pay for. Also, this visibility creates another, more psychological pressure on companies by exposing the external stuff they are using.
As a result, companies become more vulnerable to external pressure since somebody can point out what they are using without supporting and calling them out on it.
This can potentially send more money to developers, but this will not create value for the shareholders. Because having another yacht is more important than a pesky person's mental health and living conditions.
The EU CRA law is going to start creating the code quality pressure you mention too, with financial and other penalties. So they will have to do the right thing eventually. Hopefully that will make the GPL more acceptable to them.
The external pressure thing applies to the permissive licenses too, since companies have to provide attribution as part of the MIT/BSD/etc licenses, usually by having copies of their copyright notices in the system settings of their devices, for example curl is permissively licenced, all the car companies use it, none of them sponsor curl, and curl is now complaining about that. Of course, its extremely unlikely any of those companies care. The CRA might make them care though.
https://mastodon.social/@bagder/115025727082593712
That's the theory, and it's correct. We have discussed this with you before. However, a SaaS running AGPL code has to put it "out there", or mail to any user as soon as they register, so in this case it's moot.
Considering many GPL software is also distributed over the net, the code has to be "out there", again, in practice. Unless you are RedHat and selling the GPL software in question, which is perfectly fine.
> The external pressure thing applies to the permissive licenses too,...
Finding the copyright notices buried at the bottom of a text with the length of a Hollywood movie end-credits roll which is in turn buried 5 levels of menus is practically impossible if you don't try it. I can argue that GPL's condition is "in your face" when compared to permissive licenses.
Also, who will dig and find that I have used a specific library if I conveniently forgot to add its copyright line to this already long wall of text? "What will they do? Sue me from their mother's basement?" the companies think 99% of the time.
busybox has a tool to detect their inclusion in an embedded image, but that's GPL to begin with.
The GPL and BSD notices are usually in the same place, in the Settings -> About -> Legal notices dialog or similar.
> Also, who will dig and find that I have used a specific library if I conveniently forgot to add its copyright line to this already long wall of text?
People will still find out. The router I have violates both the BSD license, and the GPL. It simply has no copyright notices at all. The only indication it violates both is the web server 404 page links to the micro_httpd homepage, and the network filesystem feature uses the word samba. Thats probably more common than deliberately incomplete copyright notices. Even more common is wilful deliberate GPL violations.
The bug might have low impact in most cases but doesn't work with how Company X is using libY, so it might not get fixed for a while. If this is hurting them, they can fix it themselves and submit a PR. Or they can work with them to prioritize their bug, which puts them on the other foot. If it's a huge problem that affects half the web, then Mr. Z will be working on it anyway.
If I were Mr. Z, I would know the problems Company X will have replacing libY with libW, and wish them the best of luck if they bring it up. No one's paying me, if they want to use something else, good riddance. Especially if they are threatening me. But I get it, people are different.
It's like if a group of bums in the park think I'm a cool guy because I give them cigarettes when they ask. Great. And if I stop giving them free cigarettes then they say amongst themselves "man, that guy is a real jerk". Ok, should I care about what a bunch of free loading bums think?
Of course I understand that I will be down voted for this. Because people who love being victimized hates when people point out that they're being taken advantage of.
Most professional developers aren't that stupid. The problem is students, and the underemployed more broadly, write code to make a name for themselves, which isn't entirely irrational.
https://www.england.nhs.uk/digitaltechnology/open-source/
If you're technical and curious, I'm currently porting the UK NHS design system from Nunjucks to more implementations, including vanilla HTML CSS TypeScript, and my personal favorite Svelte Tailwind Daisy UI. Claude Code is churning on it right now.
https://github.com/joelparkerhenderson/public-good-design-sy...
AMA. And we're hiring. Feel free to message me.
https://www.sovereign.tech/ https://nlnet.nl/
TLDR "OpenUK is a UK not for profit organisation committed to develop and sustain UK leadership in Open Technology, being open source software, open source hardware and open data, across the UK. OpenUK promotes businesses, projects and people, who use Open and strives to collaborate across all existing organisations for Open by creating a clear and loud voice for the Open Communities in the UK; influencing UK Legal and Policy to make the UK a great place for Open business and by promoting education and learning in skills in Open Technology."
React implementation : https://github.com/codegouvfr/react-dsfr
Main website : https://www.systeme-de-design.gouv.fr/version-courante/fr
As one example I'm very keen on coding techniques such headless components as by Bits UI which provides headless components for Svelte. If anyone here wants paid work to code components like these by Bits UI, come work with us. <3
https://github.com/fossjobs/fossjobs/wiki/resources
Most people like working societies and a huge part of that is reliable infrastructure.
My guess is that real rich people love public funded stuff as it's basically free for them.
P.S. The article also opens by contrasting open source consumption and contribution. In a certain sense, as the article acknowledges later, I care much much more about government consuming free software, as a neutral platform to avoid lock-in for themselves and the taxpayer, as well as providing an open foundation for integration and letting people use free software if they choose to (and not lock them to iOS and Android, for instance.) That alone is one of the biggest ways they can contribute. The actual code contribution will come naturally if they do that.
The article claims that this is not happening:
> Procurement practices often make the problem worse. Contracts are typically awarded to the lowest bidder or to large, well-known IT vendors rather than those with deep Open Source expertise and a track record of contributing back. Companies that help maintain Open Source projects are often undercut by firms that give nothing in return. This creates a race to the bottom that ultimately weakens the Open Source projects governments rely on.
> The European Commission runs more than a hundred Drupal sites, France operates over a thousand Drupal sites, and Australia's government has standardized on Drupal as its national digital platform. Yet despite this widespread use, most of these institutions contribute little back to Drupal's development or maintenance.
If it was a primary function and was staffed independently of educational programs, it could work and be a great teaching tool for actual students.
A problem with academia in general is the lack of staff positions. Post docs finish their time then it’s either leave academia or become a professor. There’s few positions for those who want to just do research as a career, rather than pushing for a professorship. This means there isn’t a stable and experienced core of people.
Obviously slanted to certain areas (OSes and languages, rather than say word processors), relevant to research, but still.
It has not historically quite important.
Of course, it would be great to fund experienced people just to do this - and a better use of the money currently subsidising commercial R & D at the moment in many countries.
When I was at UCB in the 80's, a lot of incredible things happened (Berkeley UNIX), but they had a LOT of staff members that did a lot of the work. And that had PhD students (Bill Joy, Sam Leffler) who were insanely smart and spent most of their time doing proper engineering on their projects. And, btw, I was one of those staff members. I saw all aspects of it, because the project I was on was used by a lot of people in the CS dept.
I wasn't actually criticizing anyone. I think it's just the way it is.
I think looking at those is much more instructive as to what govt-funded FOSS might be like.
I don't know where you live, but I hope OpenSSL is not developed like the roads I drive on. That's not some grand aspiration.
I’m not sure I understand what you mean by this?
One could imagine something like RedHat or a quasi-coop Apache Foundation that actually employs high-quality people and pays them to develop code and sells subscription/support.
But more importantly, tell me more about the scandals, I love good gossip :)
[0] - https://portswigger.net/daily-swig/vlc-patches-critical-flaw...
Small teams making software to solve problems, and then gradually aiming to hire for end users to be able to code (this is a good way of achieving the "less people, higher salaries" dream)
If we treat it as infra then I fear slightly that we'd end up like the Victorian to modern transition where the idea of public infrastructure being run by the people who built lots of it in the first place is unimaginable i.e. Britain's railways and many roads were built to make money, but we are now (I'd argue) so risk adverse and allergic to prices being allowed to signal anything that we would never actually allow this to happen now.
Some of these decentralized and open source projects (eg gridcoin.us, or golem.network and akash.network) seem like interesting ideas that would benefit with a public/private incentive system too. Perhaps giving some finite compute to experiment with at little to no cost. Others can donate or are incentivized to provide unused compute.
There’s so much unused / underutilized resources out there that it would be a great boon to somehow make that available and further reduce barriers to entry. Aside from that it’s just a really interesting problem that intersects a lot of different areas.
Open source can use ways to encourage donations and participation: one good way is adding some form of excitability. This could mean:
- increased access or influence over the project management and/or timeline
- increased access to the core team for troubleshooting, debugging, etc
- co-branding
- white labeling (maybe?)
- and so on
Still, most of these genius engineers likely don’t care much about such a small sum. They earn the honor and move on, while the charitable benefits flow to those who can monetize the software.
https://opensourcedefinition.org/
After reviewing the definition and interacting with an AI, I see that it does indeed exclude this type of use. However, I feel these definitions create unnecessary divisions and discrimination.
It seems unfair to projects with open source code under non-standard licenses, as they are prevented from using the term that aligns with how most people worldwide perceive it. The definition has also effectively made an enemy of money, which may be the root reason the author advocates for funding open source like public infrastructure.
Personally, I wish “Open Source” could simply reflect its literal meaning—the one that most people perceive: that the source is open for any purpose, provided the specified rules are met. In my view, as long as the rules set by the maintainers apply to everyone equally, they do not constitute discrimination. You just have to follow the rules of the game if you want to play.
If a DUKI-licensed project (similar to MIT, but requiring a business using it freely to “donate 1% of its net profits to a global fund”), how does this conflict with the Open Source Definition and prevent it from being called open source?
This is the discriminatory part. If you made the fee requirement of everyone regardless of the type of organisation they are part of or not part of, then that might be OSD-compliant.
I have so much respect for the selfless 5%
This allows the marketplace to determine which project get supported rather than bureaucratic decree.
However, the underlying infrastructure libraries, will not get any funding from this, even though they have much more users. For example, libxml2, xzutils, http parser ...
You can't build any product off of an infrastructure library, purchasing support doesn't make sense, and there are little bonus features to be made.
One way to remedy this, is to have well funded open source projects take ownership of its dependencies.
On the contrary, being open source adds the opportunity to understand what the software does on a deeper level, and you can always fork (Librewolf is one of many examples that comes to mind).
Do you have any examples where large entities taking over open source project having lead to the project's total demise? This sort of thing happens all the time the in the commercial space.
It of course also happens to some extent to open source projects, but usually that results in forks if the demand is high enough. For commercial software, you don't have many options - especially for subscription based licensing, which is pretty much the norm nowadays.
The article was written as if there are no downsides to government supported open source projects. I just wanted to point one out.
This is something like commercial open source
https://github.com/fossjobs/fossjobs/wiki/resources
Contribution to existing projects lacks behind, but it's getting better.
I believe, once in deep future, an open source developers will grown and stop repeating this sectarian mantra.
No one owes you anything. If you do opensource and you need in money - use your open source as marketing tool to promote services you sell.
It's simple as 2+2, I've mention it in my blog post https://vitonsky.net/blog/2025/06/24/open-source/
I think those who believe a companies will pay to you for a random OSS is just a kids. Ask people who can use a sheets, they explain you why your product will die with this approach.
The thing to understand about discussions around funding FOSS projects is that it should be clear that society as a whole would benefit immensely from a strategic investment in commons-based software infrastructure.
It is similar to open source... Something has value and is good for society, but society neither has willingness or ways to reward it.
If trash is lying around only getting picked up by generous citizens in their spare time, what that implies is that the city/county have chosen not to invest in maintaining the streets, and the citizens have elected to throw trash everywhere. I don't think we should take either of those conditions as a given. Better things are possible.
Currently it sounds you just a kid who want to be paid. Is there anything more except "you all owe to me" in this claim?
Also, please read the HN guidelines [0]
> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
You don't know anything about me, including my age, nor my motivations or history.
[0] https://news.ycombinator.com/newsguidelines.html
but software is just not-a-base thing - it needs cpu's, computers. If you want realy independence do base thing - computer hardware ! Make small hardware that just can run Linux, can display things and use keyboard and mouse... Do eg. Dennmark do this ? Or Bosh ? Or...
Computers just to connect to internet and send some messages via IRC or something... ;)