The Internet Relies on People Working for Free
But when software used by millions of people is maintained by a community of people, or a single person, all on a volunteer basis, sometimes things can go horribly wrong. The catastrophic Heartbleed bug of 2014, which compromised the security of hundreds of millions of sites, was caused by a problem in an open-source library called OpenSSL, which relied on a single full-time developer not making a mistake as they updated and changed that code, used by millions. Other times, developers grow bored and abandon their projects, which can be breached while they aren’t paying attention.
[…]
Survival of cURL is thanks to a set of sponsors who fund the project’s hosting and other costs — though Stenberg says no major company pitches in — and contributors like Stenberg that give their time away for free. Stenberg says he believes that it’s important that open source exists and that he has never regretted making cURL open source. What frustrates him is when companies demand his help when things go wrong.
Last year, a company overseas contacted him in a panic after they paused a firmware upgrade rollout to several million devices due to a cURL problem. “I had to explain that I couldn’t travel to them in another country on short notice to help them fix this […] because I work on cURL in my spare time and I have a full-time job,” Stenberg says.
[…]
When Stenberg asked the company that needed him to fly to a different country to troubleshoot their problem to pay for [a support contract], they refused.
Previously:
- Ending the “npm Install Funding” Experiment
- GitHub Sponsors
- Popular NPM Package Compromised
- curl Is C
- The OpenSSL Heartbleed Bug
Update (2020-01-30): See also: Igal Tabachnik.
Another example is Postfix, which is a critical piece of the Internet, and is maintained by a single person who doesn't even share its CVS repository.
Millions of people rely on it, and we don't even have the full code history available…
Sounds like Stenberg has an opportunity to turn cURL into his full-time job by charging for support, à la SQLite.
The tech companies worth billions of dollars who profit from OSS really should contribute more financially to keeping these projects going. I've never really understood why Apple doesn't do things like, I dunno, give $100,000 a year to the Homebrew project or whatever. That's so little money to Apple it's a .00001 rounding error, but it would mean a lot to the people who maintain this software that I use nearly every day.
One of my mutuals on Tw actually lives in a car in the bay area, and pushes commits to DNS and BIND. Another IRL friend who has maintained TCP/IP tools has lived on the street. It’s always been this way, and never talked about until... well, there’s a lot of glib talk, but never by lofty execs whose bonuses depend on this core tech.