Slashdot Mirror


Corporations and OSS Do Not Mix (coglib.com)

An anonymous reader writes: Ian Cordasco, a prolific open source developer, wrote a lengthy post about his experiences working on code that gets used by companies as part of their business. His basic thesis is that the open source development process is not particularly compatible with for-profit corporations, and having them involved frequently makes progress more difficult. "As soon as a bug affects them, they want it fixed immediately. If you don't fix it in 24 hours (because maybe you have a real life or a family or you're sick or any number of other very valid reasons) then the threats start." He adds, "When companies do 'contribute,' it's often not in the best interest of the community, it isn't enough, or it's thoroughly misguided." Cordasco is quick to note that there are exceptions, but he has an idea why the majority behave that way: "I don't have the complete answer, but one important point is that there is toxicity in the community, its leaders, and or its contributors, and the companies have learned their behavior from this toxicity." He provides a list of suggestions both for companies using open source software, and also some further reading on the subject from Ashe Dryden, David MacIver, and Cory Benfield.

30 of 213 comments

  1. Offer paid support? by ArmoredDragon · · Score: 4, Insightful

    If somebody wants a fix for software that they haven't paid anything for, and they want it now, why not offer paid support on that one issue at a rate of $416 per hour? A 24 hour fix would place a cool $10,000 in your pocket. And if they don't want to, then tell them to hire somebody else to do it.

    1. Re:Offer paid support? by Clived · · Score: 2

      Don't IBM and all the other big names who provide OSS products do this?

      --
      Clive DaSilva Email: clive.dasilva@gmail.com Ubuntu 18.10 Kernel 4.18
    2. Re:Offer paid support? by ArmoredDragon · · Score: 4, Informative

      I know RedHat does. If you don't have a contract with them, and you are a business, then they likely aren't going to bother with you. Now if you find a security vulnerability on the other hand, that's different, but if something doesn't work and you need it to work to fit a business need, they're going to want you to buy a contract.

    3. Re:Offer paid support? by Anonymous Coward · · Score: 4, Insightful

      I love this business model!
      1. Create OSS software that does something expensive commercial software does, include many subtle bugs. Release it free to the world.
      2. Wait for phone to start ringing from desperate suckers I mean cheap corporations.
      3. Offer to fix the bugs quickly for a fee.
      4. Go to bar, watch the big game with buddies.
      5. The next day, release the patch that you created at the same time you wrote the original, flawed code.
      6. Send invoice.
      7. Profit!!!!

    4. Re:Offer paid support? by jonnythan · · Score: 3, Informative

      Because the corporation is "contributing" to the project in some way, and they feel entitled to have such bugs fixed in a short period of time.

      No one cares if some random company using a piece of OSS demands a bug fix. That's not what this is about. This is about for-profit corporations getting involved somehow in a project, and then threatening to pull support if issues affecting them aren't resolved immediately.

    5. Re:Offer paid support? by mark-t · · Score: 3, Insightful

      Presumably, they have chosen OSS over alternative projects in the first place for a reason, so them switching to another product just because a bug isn't fixed as soon as they might like would be their own loss on that level.

    6. Re:Offer paid support? by ClickOnThis · · Score: 2

      Playing in the OSS world means others can see your code.

      And that means others can see the hey-nonny-nonny you're conducting.

      Best-case scenario: you're exposed as a profiteering scumbag, and your reputation is toast.

      --
      If it weren't for deadlines, nothing would be late.
    7. Re:Offer paid support? by hjf · · Score: 2

      Because it's really not the volunteers who develop Linux. It's paid people. And, by far, the highest contributor is - guess - Red Hat.

    8. Re:Offer paid support? by johnnys · · Score: 5, Insightful

      Because business NEEDS to have the illusion that they "have a neck to choke" when something goes wrong, so they need to have a "contract" with a "company". I've heard this from the C-suite for years. (That is what Red Hat is selling, and why they're successful!)

      It's nuts, really: Anyone who reads common software company contracts/EULAs knows that they have NO recourse if something goes wrong, but if they think they can somehow hang blame on a vendor if they have a problem, then that makes them feel safe.

      In truth, the OSS model means that if something goes wrong and the vendor tells you to f**k off or goes bankrupt, you can find someone else to help you. If a closed-source vendor can't/won't help or goes under, you're screwed much harder.

      --
      Sometimes the "writing on the wall" is blood spatter...
    9. Re: Offer paid support? by maugle · · Score: 2

      Sadly, nearly all bugs fall into the category of "obscure, but simple to fix". Also, in my own experience, the bugs which have taken the longest to track down the root cause have also been the bugs whose fixes only required a couple keystrokes.

    10. Re:Offer paid support? by ebvwfbw · · Score: 2

      Institutionalized at Microsoft.

  2. Threats? by iTrawl · · Score: 4, Interesting

    What threats? (I didn't RTFA yet). Start with the warranty disclaimer that you attached to your licence in capital letters. Then, if they "contribute", tell them nicely to fork off (the technical term, not the innuendo) and, if their fork is actually any good, they should ask you to merge their changes, which you will if they're not bullshit.

    If they keep kicking and screaming like baby lawyers, submit for their review a support contract. Make sure your rate is in the "highly paid consultant" range - you might even get away with it, as at that point you'd be speaking _their_ language.

    --
    "Everybody's naked underneath" -- The Doctor
    1. Re:Threats? by TheRaven64 · · Score: 2

      > As an opensource developer, do you really see someone as choosing to use another project as a problem?

      Nope. Open source and proprietary alike care about contributors, not users. In off-the-shelf proprietary software, the (non-pirate) users are all contributors, because they all pay money. In open source, there are a lot of ways to contribute (code, testing, bug reports, documentation, artwork, and so on, as well as money), but users only matter inasmuch as they're real or potential contributors. Some users are negative contributors - they make a lot of demands, but give nothing back. The project is usually better off without them.

      If the company is providing a significant contribution, then they may well expect something in return. Often, it's just the continued survival of the project, but if they want more then you should make sure that both parties agree on what the contribution is buying. If they're going to throw money at you, then they might reasonably assume that they've paid for some of your time to be spent on issues that matter to them. If you don't want to accept these terms, then having them use another project is probably better for both of you.

      --
      I am TheRaven on Soylent News
    2. Re:Threats? by BarbaraHudson · · Score: 3, Informative

      The threat is to move to using another OSS project. Of course, that other project probably has maintainers working under the same constraints, so the problem won't go away magically. When someone threatens to do that, the proper response is "I'm good with that. Which one are you switching to?" They probably haven't done the research to evaluate other products, or, if they have, they haven't found something compelling enough to make the switch. Call their bluff. The only thing you have to lose is someone who thinks that making threats is the right way to ask someone a favor.

      They know it will cost them money to switch. That's part of the cost of being a dick.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. OSS is not compatible with businessmen. by IBitOBear · · Score: 4, Insightful

    The core problem isn't that OSS is incomparable with "business", it is only incomparable with the business of "selling software".

    OTOH, I spent several hours going round-and-round with my brother-in-law. He runs/owns a company that installs business solutions (computers and software) into other businesses. He was all "I could never make money on open source platforms" using Linux as the O.S. because it's free. But he readily admitted that installing Windows had a zero profit margin because of licensing.

    There is also the ready admission that having a Windows service contract (again sold at essentially zero markup because of the licenses) doesn't guarantee that Microsoft will issue you a patch if you complain about a problem. You are basically just paying up front for the chance to be told to work around a problem or the "opportunity" for an unsupported patch that you'll have to buy again if you upgrade.

    Businessmen have no idea how to deal with OSS because they tend to mimic others and very few have ever done it. The idea of having a line item for zero-dollars that already had zero markup when the line item was non-zero dollars, is mystifying.

    So here's this smart guy running a services business, but unable to see how he could charge to service OSS. But companies service OSS all the time.

    The true failure, deeper in, is the idea that every incremental correction and modification is precious and must be hoarded and monetized.

    And further in still is the complete failure to understand things like the up-front cost of a GPL project base is "disclosure", and that disclosure of those incremental changes is very cheap. Compare embedding Linux kernels in things to the up-front and per-unit costs of Wince or VxWorks. Then really _think_ about how non-money-value your fix to that one serial driver really is compared to the item you want to sell.

    Companies tend to forget which businesses they are _not_ in. Selling software is not sustainable, but selling experience (games) and experience (professional expertise) are. So is selling "devices".

    So it's a problem made up of compounded risk adversity multiplied by inherently unimaginative "business thinking".

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
    1. Re:OSS is not compatible with businessmen. by Anonymous Coward · · Score: 2, Insightful

      > The core problem isn't that OSS is incomparable with "business", it is only incomparable with the business of "selling software".

      ...

      Umm, Red Hat has a market cap of $14.81 BILLION dollars.

      But don't let reality get in the way of your rants.

      They're hilarious.

    2. Re:OSS is not compatible with businessmen. by serviscope_minor · · Score: 5, Informative

      Well done for condescendingly making the parent's point while claiming he's wrong.

      RedHat sell expertise (i.e. support). If you just want the software, you can get it for free from CentOS.

      --
      SJW n. One who posts facts.
    3. Re:OSS is not compatible with businessmen. by phayes · · Score: 2

      Only an idiot would overlook that support which is to say services is precisely the thing TFA was pretending to complain about.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  4. Seems a bit overblown by Anonymous Coward · · Score: 5, Insightful

    Sounds like some bullshit. As someone who works in IT for a major corporation and has to deal with bugs that affect us in COTS software (such as MS Windows and MS Office), threatening people after 24 hours would be ridiculous. If the issue is currently unknown, expect a minimum of 2 weeks with a norm of more like 2 months for a fix - if the vendor will even agree to fix it. Why would a corporation threaten some OSS developer? It just doesn't scan and seems like BS.

    1. Re:Seems a bit overblown by mysidia · · Score: 3, Informative

      > Why would a corporation threaten some OSS developer?

      Because they're scared, and don't have the right expertise in their company to deal with the situation, also they don't have any consultant who can help them, and the bug is an unmitigatable remotely-exploitable 0Day in the web application framework used on their main e-commerce website with public exploit code but no patch, so that's an act of desperation and demonstration of internal management incompetence (not having competent staff or agreements in place to deal with the impact of a bug).

  5. This is the threat...? by StevenMaurer · · Score: 5, Insightful

    "Well if you're not going to take this seriously, we'll have to start using another project."

    I've never exactly gotten this. Why does anyone who is giving something away particularly care if someone who is getting it for free uses it or not?

    This guy clearly doesn't understand that Open Source means "Free to Use" not "Free Beer", and that most corporations (the executives, not the software engineers or managers) are plenty happy to pay for support from the subject matter experts in it, so long as it saves them overall money. In fact, many corporations' resistance to OSS is due to the lack of such support - because their customers aren't so understanding.

    This is the very business model that Red Hat uses. All this guy needs to do is put up a "priority payment" system for bug fixes, and post it publicly. Done and done.

  6. I suspect... by SwashbucklingCowboy · · Score: 3, Informative

    ... this is a case of the squeaky wheel gets noticed.

    I work in a large software company where we use thousands of open source projects in a couple of hundred projects and I'm intimately involved in the management of open source within the company. I've never had a team come to me and say "we need this bug fixed in the next day or two". And they damn sure don't go out threatening projects (that would be one of those "career limiting moves"). While I don't doubt that this guy has had people do that to him I gotta believe those are the people that he notices and remembers, not the silent majority.

    1. Re:I suspect... by Antique Geekmeister · · Score: 2

      > I've never had a team come to me and say "we need this bug fixed in the next day or two".

      Then you clearly don't work in IT. Problems with system capacity, critical hardware, authenticated access, and network connectivity all need to be fixed _now_. And not having the resources in place to deal with the shortages leads to people losing their jobs, and can cause the whole company to fail.

  7. So tell them to Bugger off. by Lumpy · · Score: 4, Insightful

    "As soon as a bug affects them, they want it fixed immediately."

    You respond with, "Feel free to hire a team of programmers to fix that. You have the source code."

    Honestly, you have to act like Linus if you run an OSS project.

    --
    Do not look at laser with remaining good eye.
    1. Re:So tell them to Bugger off. by simula67 · · Score: 2

      > But as an OSS developer, don't you have a responsibility to fix some problem in your code?

      No

      > You released code so someone would use it

      No, people can release the source code because they feel like it.

      > If you like releasing half-baked crap that is useless to someone after they've invested real time and money, don't release such software in the first place

      Just because a project is released, doesn't mean you have to use it. If you want to use something for no money, you have to do your research to make sure that you are using the right open source project.

    2. Re:So tell them to Bugger off. by serviscope_minor · · Score: 2

      > But as an OSS developer, don't you have a responsibility to fix some problem in your code?

      Nope. Just about every OSS license comes splattered with disclaimers. Personally, I have pride in some of my projects and so would fix bugs in a reasonably timely manner depending on the bug (problems with OSX or Windows are low down on my list since I have neither and no one who has had problems has ever offered to buy me a mac or a windows license).

      > If you like releasing half-baked crap that is useless to someone after they've invested real time and money, don't release such software in the first place

      Ah you're one of those people who gets off on telling others what they should do for fun or how they should run their hobbies. Even though it's clearly a hobby of yours, I'm going to ironically tell you to stop doing it.

      > Bottom line, OSS projects need to specify the time it will take to resolve any issue right on their product description page.

      So people doing stuff for free on their own time should put time and effort into boring, uninteresting stuff so that companies can profit from their work without ever having to contribute a cent? Uh... how about no.

      --
      SJW n. One who posts facts.
  8. Re:Toxicity, of course. by quantaman · · Score: 3, Insightful

    > Yeah, when you start throwing around suppositions that reveal a bias against the OSS leadership for being "toxic", I don't see much credibility in your opinion. Why not blame cosmic rays while you're at it? It's one thing to suggest "we can do better", but quite another to just pretend that it's the fault of people you clearly don't like. You and everyone else are relying on their work to a staggering degree, and now you talk like a usurper who wants to blame the software creators instead of the monied interests who don't have an incentive to contribute back, because some alleged asshole is doing it for free already.

    I think toxicity does exist but it's not really a fault of the developers as much as the medium.

    If you work in an office and are able to talk to your co-workers directly it's pretty easy to have good relationships. There's a lot of opportunity to talk about pleasant non-work stuff, the proximity incentivizes you to keep things civil, and when you do disagree you have body language and tone to help get your point across.

    If you turn to an email only relationship all of these things are gone. There's not a lot of opportunity to bond over non-work items, the fact you never see the other person physically means it doesn't matter much if you piss them off, and if you need to communicate something you need to be very blunt.

    Online communications will invariably have a much stronger bias towards assholery.

    --
    I stole this Sig
  9. Offer them support by im_thatoneguy · · Score: 2

    I've seen all of this with my freely available code or tools. And I always say the same thing "Thanks for bringing the bug to my attention..." and then if I'm currently busy with other things or I don't care that much about the code anymore I follow up with "I'm currently busy with other projects, my hourly rate is $xxx if you need it fixed ASAP I would be happy to provide an estimate and invoice for the work. Otherwise it probably won't be fixed for a few weeks if ever."

    Everyone so far has been very understanding and a number of them have paid for the addition or fix. I'll even list the sponsoring party in the changelog.

    --Fixed crash from XYZ. Fix sponsored by AnimationCorp LLC.

    I get paid to work on a free tool that I use too, they get something they need, I get some minor self promotion for the tool being used by more people and they get some minor promotion in the changelog/release notes.

  10. Reasons listed in TFA are TOTALLY wrong by Kartu · · Score: 2

    Based on my experience, I'm working for one of the big multi-nationals for years.

    Bugs fixed quicker in commercial software, are you kidding me?
    Fucking, seriously???
    It's not only that most of the times you have to find workarounds/fixes yourself, it's that since it's commercial and not OSS code, what you'll likely face won't even be decompiled code, it will be bloody OBFUSCATED decompiled code with things like a.b.c.d1() all over the place!!!

    At least for the corp I work for (and I'm pretty sure for most corporations out there) the main reason to go for commercial over OSS is: LEGAL.
    Some motherfucker patents "using (some ancient thingy that everyone on the planet uses) to quickly iterate over tree" and kaboom, with OSS (no protection whatsoever) you need to pay either them directly or lawyers to fend them off.

    With commercial software that's seller's problem.
    As easy as that.

    There are, of course, libs that are too widely used and would seriously harm IT projects if not used, e.g. apache commons libs. Well, for that there is a short whitelist of items that "have been reviewed" along with "mitigation strategies".

    Every manager is aware of this, so when you have a choice over "ShareIt" or "ShareThis", one is free, one is not, decision is made instantly, "of course we want the non-free one".

  11. Re:Toxicity, of course. by serviscope_minor · · Score: 2

    > They wrongly (for almost all projects) expect OSS software to have the same support mechanisms and turnaround times in place as the proprietary systems they're used to,

    Unless you pay OUTRAGEOUS amounts of money for support contracts on proprietary software, then you get turnaround times somewhere between days and never. That includes things with trivial fixes like "you sent me the wrong fucking license key AGAIN".

    They're not used to magical fast proprietary turnaround times unless they are Very Large Companies paying for Very Expensive Software across the board. They're just being entitled dicks.

    > Chances are most of this would go away if the OSS software in question had an explicit disclaimer of warranty and fitness for purpose.

    Just about every OSS license has one of those.

    --
    SJW n. One who posts facts.