Open Source Infrastructure must be a publicly funded service (matrix.org)
58 points by thibaultamartin 9 months ago | hide | past | favorite | 44 comments



If it's publicly funded, it should be subject to standard public sector oversight.

I don't think open-source wants this.


Just a sidenote: some publicly funded code is produced as a side-effect of the government funding scientific research. The government is buying the research, not the code, so it should not have oversight on the coding process except inasmuch as it impacts the research. This could require open sourcing, but there ought not be an expectation that the code is particularly bulletproof.

IMO we should have an organization to produce publicly funded code (boring infrastructure stuff not R&D), but it should be neither achieved by co-opting existing community projects nor cannibalizing research projects. It should be a new thing.

Making an analogy to physical infrastructure: it would be crazy if we relied on groups of hobbyists to build a bridge, or if we just grabbed a bridge directly out of somebody’s PhD in civil engineering. (I mean the analogy looks ridiculous because the situation is!)


> Making an analogy to physical infrastructure: it would be crazy if we relied on groups of hobbyists to build a bridge, or if we just grabbed a bridge directly out of somebody’s PhD in civil engineering.

Except this is precisely what is happening… because it turns out the engineering hobbyists often build useful things. At which point, if the government goes and uses it as the foundations of a publicly constructed bridge, it might make sense for the government to invest a bit in ensuring the foundations are maintained.


If we required that government invested in open-source to use it, the only thing that would happen is that projects would be outsourced to the private sector (either explicitly by the government tendering, or implicitly by the government offering tax incentives to build the project), and the private sector wouldn't fund it.


> Except this is precisely what is happening…

So Arathorn, pray tell, when will you be fixing the well-documented, years old bugs in the matrix-bifrost?


As soon as we have any money to pay someone to work on it, hence the point of this whole post(!!)


Some issues:

- Why would we fund Matrix when XMPP and IRC already exist?

- Software developers earn way more than most public sector workers - is this justifiable?


> Why would we fund Matrix when XMPP and IRC already exist?

Because empirically Matrix is what governments appear to be using - e.g. https://tchap.beta.gouv.fr/ for France; https://messenger.bwi.de/bundesmessenger for Germany; Delta for Ukraine; equivalent for UK & US, etc.

Matrix also has a completely different featureset to XMPP or IRC: E2EE by default; conversation history as a first class citizen; HTTPS+JSON APIs by default; E2EE Group VoIP (almost) integrated; etc.

> Software developers earn way more than most public sector workers - is this justifiable?

This feels like a false dichotomy. The implication is that public sector software developers are paid less than average private sector software developers. This may well be the case in some places - but the answer there is SURELY to pay public sector software developers the average going rate, rather than conclude that funding private sector FOSS maintenance is not justifiable(!)


I don't think this is a competition, but to clarify: XMPP has long been used in the public sector (via suppliers such as Isode) since before Matrix was conceived, and continues to be still. I've spoken with multiple organizations for whom the Matrix data model was not a good fit. As you say, they are quite different and each has strengths and weaknesses.


Yup - XMPP clearly has a lot of public sector traction too (e.g. in NATO's Federated Mission Networking), and each protocol has its merits. I was just trying to explain that the current "how can Governments better fund Matrix" is borne out of a glut of Governmental Matrix deployments as a WhatsApp/Teams replacement.


No, it's born out of Element not funding Matrix, and Matrix being desperate for funding.


The OP is calling out the need for any large org that depends on a FOSS project to contribute to its maintenance.

Currently we don’t have good mechanisms to make this happen.

The post uses Matrix as an example but it applies equally to any project deemed as critical infrastructure which would of course include XMPP, IRC and plenty of others.

To solve this, FOSS projects must work together to advocate for practical funding mechanisms. This is not a zero sum game.


> Why would we fund Matrix when XMPP and IRC already exist?

A common sentiment I’ve come across, here and other corners of the internet, is dismay that more organizations have been adopting closed communication platforms such as Discord and Slack. These platforms (probably Discord more so) make it easier for online communities to be set up and offer relatively polished user experience compared to Matrix, IRC, or XMPP.

There was a post shared on HN a few weeks ago by a technical user and their onboarding experience with Matrix https://blog.koehntopp.info/2024/02/13/the-matrix-trashfire.... As someone who uses Matrix, I’m hoping they bridge the UX gap sooner than later.

XMPP and IRC are even further away from being viable alternatives.


Yup. No question that UX is critical for Matrix, and many clients are racing to fix that right now.


If we funded XMPP, we could fix the UX on XMPP, rather than reinventing the wheel with Matrix


I dunno; if an open source project wants to take public sector funding, then some kinds of public sector oversight (e.g. public sector requiring security audits, or SBOMs, etc which they pay for) could be very desirable indeed.

If your implication is that the government who's funding it might then try to leverage the project somehow (e.g. insert a backdoor or whatever), then we're back with the original problem of needing to protect FOSS projects from malicious actors wherever they come from.

I'd argue that the benefits of actually being funded massively outweigh the risks of the funder going rogue, given you can use the funding to build checks & balances to protect against malicious activity no matter the source.


IMO we should start an Office of Digital Infrastructure if we want things like software BOM and software oversight. If the government wants secure code they should write the code in a controlled environment. They can run it similarly to an open source project (take pull requests from the general public) but it should be clear that the responsibility lies 100% at their feet.

I don’t think most open source projects really inspect their dependencies that well. Lots of these projects are community/hobby things, they should be treated as such.


I found this post to be an interesting discussion on how a not-for-profit organisation could practically operate to support FOSS maintenance. It still has risks surrounding infiltration by bad actors, but mitigation is easier since staffers are paid. https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI


Making open source publicly funded will inevitably grant governments more influence over it. Considering all the things that happened in the past decade, it's hard to trust governments to be good stewards of open source.

First of all, the xz incident should be reason to want less government involvement, not more. All publicly available evidence right now points to state actors behind the incident.

Time and time again, we've seen governments abuse technology to subvert democracy and human rights. They engage in illegal mass surveillance. They backdoor encryption standards. They hoard zero days behind our backs. They target journalists and human rights advocates. They now even brazenly push for encryption bans and mandatory backdoors. All of these actions pose a serious threat to our society, and yet they're done with little to no oversight. Those responsible have faced no repercussions to date while those who exposed these things have faced retaliation.

Given our reliance on open source infrastructure, it's right that they're desperately in need of funding. However, exactly how we do that is a hard nut to crack.


While I can certainly understand why whatever organization published this wants free money to work on whatever they want to work on, the reality with all that other infrastructure they cite, bridges, roads, sea defense, is they aren't just publicly funded. They're publicly owned as well. This means the public also gets to say how they're run. The government doesn't just give unconditional money to someone who happened to build a bridge a while back and opened it to public use with no warranty (which presumably isn't even legal to do in most places).


Hey, this is my blog post. I wouldn't expect public money to be routed to Matrix (or Mastodon or similar projects) without the funder having input into the governance of the project, just as any other funder would. https://matrix.org/membership/ is how it works for Matrix.


If governments want to fund digital infrastructure, they should start projects to produce public domain digital infrastructure code. They could hire the maintainers of existing open source projects. But, it would be a new project made by government employees to produce a public good.

Open source projects generally don’t have an obligation to their users. Taking money will create that obligation.


While I share Mr. Hodgson’s concern about funding free software, I do not think that State funding is a good idea. My biggest concern is simply that the State does not have the ability to make good technical choices[0], and that its presence sucks all the air out of the room. Had the United States government decided on software funding in the 1990s, all public developers would probably be using Ada. How likely would IBM have been to fund Linux development with its investors’ dollars in the early 2000s, rather than just taking federal Ada money for a hypothetical ADA-OS 2000?

Even more frightening, if federal dollars were allocated today, we might all be stuck with Javascript for a century.

OTOH, the government does have a role to play in solving collective-action problems. Perhaps, like X11, it could focus on mechanism, not policy; perhaps free-software-development expenses could get extra, or earlier, tax deductions? Perhaps free software development could count as a charitable purpose (maybe it already does, I don’t know)?

0: Neither do private companies! Indeed, they make poor technical choices all the time. But with private companies, there is competition and at least a chance that the bad ones will fail. States are far more resistant to competition, and their failures are far more catastrophic than a corporate failure.


To be clear: in the blog post I wasn’t remotely proposing that governments should determine the technical details of the projects to be funded. But instead the projects which empirically support public infrastructure can apply for maintenance funding.

For instance “xz is used to compress packages for these ubiquitous OSes. please can I get $$K/y for security audits and to cover my time to work on PRs”.

So you would still have the competition for the best tech to get popular and become public infra. But you would be protected against the paradox that the more successful and ubiquitous FOSS projects get, the more they are taken for granted, and the less their maintenance is funded: “I didn’t have to pay for this thing to exist in the first place; why should I start paying for its maintenance now?”


I think the conversation around this would be much more advanced if the Commons Clause-like non-commercial clauses were accepted as legitimate open-source approaches.

A non-commercial clause basically guarantees that corporations can't hijack OSS projects or they can't pressure the maintainers to the point of burnout.

And similarly, OSS projects who explicitly allow commercial usage could point to their licence and require financial support before fixing issues/merging PRs from interested companies.


Non-commercial clauses violate Freedom 0, the freedom to run software for any purpose. It’s the single most foundational freedom. A non-commercial clause basically guarantees that a piece of software will not be used.

For that matter, why should e.g. Warren Buffett personally get to use non-commercial software personally for free, while the bakery down the street must pay for it? That doesn’t seem desirable.

I think the biggest issue is that the companies charging for open source are not turning around and funding everyone they rely on, just a few key projects. If they tried to distribute a little bit to everyone, I think that would go a long way.


I'd imagine some of it already is.

The issue I see is figuring out what deserves funding. Is GNU/Linux the thing that we're trying to serve? Who gets to decide what's critical to the operating system? Initially you'll see projects jockeying for position, which is going to be a mess. Then you'll see consolidation around projects that can get the funding. Do people contribute to those projects more in hopes of getting paid, at the expense of others?

Honestly just having a decent list of contributors to pick from and knowing who they are personally before handing over maintainership might help.

And of course, there's always the magic word when someone wants you to provide extraordinary support for software that you made for free: "No."


Governments in Europe are funding OSS that they use. For example a bunch of government agencies use Matrix instead of Slack or Teams so they are funding it to remain sustainable.


The xz attacker was most probably publicly funded.


Almost certainly. Which is why it's crazy to not be publicly funded to protect against that sort of thing.


So is the military of Russia and North Korea and China.


The great thing about open source is that governments can make or contribute to a competitive offering and if it's good enough, it will get used. That sounds worth a try.

If people instead want the government to forcibly limit options, that would be stupid.


Open source is an interesting creature economically speaking. Being a broadly pro-market guy, when I was in college and I heard about what sounded like a communist software development model, I thought "there's no way this is going to work".

Over time it became clear that it does work to some extent. I became rather fond of FOSS and even embraced the quasi-anarcho-communist aspects of it. In some ways, we can meet each others' needs with even less bureaucracy than with a paid product, just as a paid service tends to have less bureaucracy than a government service. Broad brush, granted.

But it has an interesting relationship with the cash market, in that it does get funded sometimes, despite being non-excludable. There is also a sort of "marketplace of ideas" or perhaps an attention market, that makes certain projects more popular than others and thus get more attention from developers.

Then again, important things like xz have a tendency to fall through the cracks more than in the traditional economy. GnuPG being underfunded was another example. Price signals don't flow as clearly. Also, incentives to fund something crucial that you use aren't there if you're one of many businesses that use the software.

So this is all to say, one could take the argument against government funding in general (picking winners and losers) and apply it here. The reason we're talking about government funding is that perhaps it's better suited toward finding the weak spots like xz. My hope is that (given the alarm bells) the concentrated interests in the market will be able to come in and fill in the gaps themselves. Or, a clever funding method could still arise. My personal idea was insurance policies with stipulations on which software is used, which would give the insurance companies the incentive to find and fix the weak spots.


I think of open source more as communists using the market power moat that the government gave private enterprise (copyright/patent) and inadvertently used it to enforce a brutally laissez faire hypercompetitive market with perfectly known information.




Isn't the (economic) problem of maintaining software an issue, independently of it being open source or closed?


No. As a taxpayer, my money is already going to 1230987587123 government frivolities. I don't need to be funding infrastructure for bigcorps any more than I already am.

e: To the downvoters, do you seriously believe that Tesla, Apple, MSFT, Amazon, etc require MORE government assistance?


We could try taxing corporations again. Just a thought.


Or just let the critically undersupported infra fail. The world will not end, and the money will magically appear out of thin air, guaranteed, and the public wouldn't even have to pay for it.

I do realize that living without uber eats/electronic banking/social media for a few days is, unfortunately, untenable for the vast majority of the population.


We do tax corporations in America, at a rate which is in the middle of the pack worldwide.


Corporate taxes are passed on to consumers. It will still be individual citizens paying for it.


> e: To the downvoters, do you seriously believe that Tesla, Apple, MSFT, Amazon, etc require MORE government assistance?

This is just throwing the baby out with the bathwater. Just because big tech companies happen to build on FOSS projects doesn't mean that the FOSS maintenance shouldn't be borne by everyone, given they benefit everyone (including the governments themselves). And in fact, if the Big Tech companies paid their tax, they'd contribute as much (if not more!) as everyone.


How do you qualify this as "throwing the baby out with the bathwater" and not the suggestion of yielding government control of OSS? That is the disproportionate reaction, and I urge anyone pushing for more government control/spending to catch up on history.


They don't benefit everyone, and even among those who benefit, not everybody benefits equally.



