On the other side: No. When you provide software that is widely used and that people rely on, you automatically created a community where fixing bugs is an obligation. Your software has become a corner stone in other people’s software stack/life and so those people and their issues with your software have become your problem, too. If you want it or not.
Hiding behind open source and not fixing bugs has become a deal breaker so many times over the last few decades, that I stopped counting. Not everybody knows the language needed to fix a bug and not everybody understands the dependencies within a project to being able to fix a bug. So “fixing” one bug can create ten new ones and make things much worse.
Not to mention what happens when you attempt to fix the bug but the source is not accepted upstream because it’s bad, which is understandable, but still leaves you with an upstream version of the software and your patched version that fixes said bug.
The actual advantage of open source is that you actually have access to the code, create a fork and maintain it yourself if things go south.
And btw: If using open source software is only an option when I know all the languages needed to write all the stuff myself, then the whole thing just lost its meaning.
I must ask, do you use Linux?
(Linus, notably: can be hard on maintainers, very respectful of userspace)
No, you don't. Some open source producers might choose to take on that extra burden, but giving your software away for free cannot automatically create such a burden, no matter how many people use it. The only recourse you have as a user if you don't like that deal is to not use the software. You don't have the right to demand more free work from someone who already provided you with free work.
Yes, he is. But that's not because he has a duty to do so. It's because he chooses to, and because he can afford to so choose. If he stops doing it tomorrow, sure, a lot of people will have to scramble, but it's still up to him.
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
It's not even as if this was buried under mountains of legalese. OSS licenses are usually quite simple. You have absolutely no excuse for not understanding that the software provider has zero obligation to you. All you had to do was read a few paragraphs.
What you're saying here is that "give them an inch and they'll take a mile" is not just a description of an unfortunate reality, it's a moral imperative. Give them an inch and they have a right to that mile.
Do you not see how totally destructive this moral framework is? If giving away free work instantly entitles anyone who benefits from that free work to an arbitrary amount of additional free work, the only rational move for a would-be contributor is not to play the game at all. Is that really the world you want to live in?
No, absolutely not. What I write and release comes with no warranty, and no guarantees that any of it is fit for purpose. If people want to use it and find it useful, that's great. If they don't, that's fine too. If they use it and have problems, I'm happy to receive bug reports, but I don't work for them, and have no obligation to them. I will work on bugs and improvements because I want to, because it's fun, and because I care about my work. But when it's not fun or I don't care, I may not work on it, and that's 100% my prerogative.
> Not everybody knows the language needed to fix a bug and not everybody understands the dependencies within a project to being able to fix a bug.
That's tough luck, then. Let's reframe a bit. Let's say you've decided to pay Oracle for their proprietary database. And then you find a bug in it. What are you entitled to? At best, I'd say you're entitled to a refund. Oracle actually has no obligation to fix that bug for you. But Oracle likely will want to fix that bug, because they maybe want to keep you as a customer, and develop and maintain a reputation that their software is worth the money people pay for it.
Certainly some open source developers often have reputations they want to maintain. And sometimes doing the grunt work to do thankless jobs and fix annoying bugs and add features they don't care about... well, sometimes that's necessary to maintain the reputation they want to maintain. And that's fine, if that's the choice they've made.
But it's also fine if someone just wants to build stuff for fun, share it with others, and continue only doing things with it that they find fun. You might look down on people like that, or be frustrated with them, or choose not to use their software, but you are not entitled to any work out of them, and they are not obligated to provide you with anything at all.
As noted in VERY LARGE PRINT at the top of almost every open source license for the last thirty years or so, the person taking the free stuff is responsible for whatever happens when they do. That's why it's free!
If you can support it yourself, great. If you can't, then you might need to hire someone to do so. If those options don't appeal to you, then you should probably buy an alternative that does not explicitly tell you that you're on your own.
Open source software exists so that the community of reasonable, responsible people can share work with each other without being caught in a rats nest of finger pointing, liability, and defensive practices like hiding source code or preventing alteration.
It is a two-sided contract, and the user's side of the contract is very explicitly to take responsiblity for what they choose to do with what they take.
a) open source developers are obligated to provide their users with fixes to any bugs they run into, or
b) open source developers will never ever do anything for their users, so anyone who uses open source needs to be competent at maintaining and modifying all the open source software they use.
I hope you don't truly believe that, and assuming you don't, I hope you aren't arguing this way in bad faith.
Because neither of those things are true. Open source developers will often want to fix bugs in their software, and add new features that people find useful. A user need not assume they'll have to take ownership of everything they use and maintain it themselves. But an open source user has no right to demand anything from the developers. Sometimes the user will have to do their own work if they're having a problem, because sometimes those problems won't get addressed (either ever, or on a time scale that the user needs). And anyone who makes use of open source software should go into it with that understanding.
I've done that myself: I've adopted open source libraries at work (and for personal projects), have found issues with them, fixed the issues, and sent PRs to the maintainers (and maintained and used my own forks until those PRs were merged and new releases made). On occasion when bugs I've found seemed like they'd require too much deep understanding of the code, I've filed issues and provided as much information as I could to help the maintainer reproduce the issues. Sometimes those bugs got fixed, and that's great. But sometimes they didn't. That's frustrating, to be sure, but those maintainers had no obligation to me. From there, I had three options: a) dive in and take the time to learn the software well enough so I could fix the bugs myself, b) live with the bugs being present and decide that that will be ok, or c) drop that software and find or write something else that met my needs.
And all that above is what you sign up for if you decide to depend on someone else's open source work. If you don't like that, then you have two choices: a) write everything that you need yourself, or b) pay someone else for their work. That's it. You have no right to demand anything from any open source developer.
For any project that I maintain... anyone who comes in believing I'm obligated to do whatever unpaid work they want from me immediately gets banned from whatever communication channel they're using to make those demands.
The chances of the Linux kernel suddenly becoming completely unmaintained are so close to nil that it's not really worth considering.
But yes, if you're running something on top of Linux, and run into a kernel bug, you're of course free to report it, but the only guarantee is if you find and fix the bug yourself. None of those kernel developers are obligated to help you. In practice, many will want to help you! But that's not something anyone is entitled to.
I've worked at shops where there were people (myself included) who were capable of and occasionally had to dive into the kernel to fix issues. Often these were kernels coming from BSPs from some random chipset manufacturer, where the kernel was a year out of date and no Linux developer would want to touch it anyway. But even if we were running the absolute latest kernel version, we'd still probably dive in to investigate while reporting the issue upstream.
I mean usually you have to promote software and by promoting you create an obligation - no one is going to use it if you drop some piece of code on GH and in reader you will write „I don’t care about it take it or leave it”.
You have to actively promote and show that you care to create „widely used software”. Promoting by showing that you care creates the obligation. Of course obligation is not entitling people to tell you what to do - but to keep level of decency like fixing glaring security flaws.
Second, even where a developer puts some legwork into letting the world know what they've shared, that effort is within the context of the project's license terms which almost universally make it explicit and clear that they profer no such obligation.
Tweeting "I made this thing, check it out!" does not soemhow absolve the user from reading the license on that thing and understanding that no promises are made.
if you measure the solubilities of some salts and publish them, and your data is widely used and people rely on it, do you therefore have an obligation to repeat your experiments to make them more precise and correct erroneous measurements, and to extend them to more salts? i think not; i do think you have some ethical obligations, but they are limited to admitting that you were wrong, and not taking credit for others' work
if the users of your work start talking to each other and helping each other, they might become a community, but that still doesn't impose an obligation on you to do more work for them. to my way of thinking, you're the person in that situation with the least ethical obligations
FWIW, here’s my actual view on this: there’s a great episode of the Oxide and Friends podcast where Brian & co. talk to Kelsey Hightower about Hashicorp changing the Terraform license to exclude a lot of companies in the TF ecosystem—the ultimate “we’re the maintainers we can do what we want” move. Kelsey has maintained many open source projects and understands the importance of maintainers having freedom to focus their energy where they see fit regardless of what the peanut gallery thinks.
His view, which I agree with, is that what is ultimately needed is upfront clarity from maintainers about how they’re going to govern the project. If you want to have complete control over your project and ignore bugs and pull requests as you see fit, and users need to accept the software as it is, that is fine and good, but put it in the README so that prospective users know what they’re getting into. If you want to have a community-driven governance structure where people have a path to getting involved and steering the project, like Kubernetes, that’s good too and you should lay all that out for users too. What Terraform did, where they cultivated community engagement in order to have this plugin ecosystem and then rug pulled those plugin authors by changing the license, “poisoned the well of open source” (his words) by giving the impression that OSS is inherently fickle and serious teams should be hesitant to use it because maintainers can and will break things carelessly. I worry that comments like the OP’s reinforce this impression.
Professionally, I am one of the developers of Pachyderm, which is an open-source version control and data pipelining tool.
If project members don't welcome that in an actively developed project, that they use themselves too, sometimes in fairly critical scenarios, then that's a bit incomprehensible.
I've found fairly serious crasher bug due to misuse of OpenSSL API in multiprocess context with shared memory and a race condition leading to use of unexpected pointer values in one SIP proxy project, that recently even commissioned a code audit, which lead me to thinking they care about quality of the code.
I provided analysis and a suggested fixes for both issues. More than month into this, no response from anyone related to the project. Thus:
1) It's fine, purely technically... I can apply my own patches, debug the project and fix issues.
2) It's concerning, because it makes the project less trustworthy to me. What other people's serious bug fixes just went into oblivion due to "issue autoclose" bot they use on github and are lingering in the codebase for no reason other than the fix author not wanting to prop up the issue by commenting on it every 7 days?
3) How many such devs just keep crasher and security fixes for themselves, because they realized the project owners are not very responsive, and expanding 2x the effort to describe the issue to someone else, rather than just fixing it for themselves and moving on, is not worth the additional effort.
No, just no.
It is then the same as Microsoft/Google or any other for profit company - you also get "software as is" and even if Excel blows up all your data MSFT is not liable for it. But still there is expectation that they will fix bugs that blow up someones data.
The thing is I pay for for Excel so I expect and demand them to fix their bugs! If I use an open source library for free I have no right to demand them anything, I can hope they will fix their bugs, I can contribute and fix the bugs myself if I can, but I have no right to the developers time or attention.
Maybe you believe they have a moral obligation, but under the most popular open source licenses, they have no legal obligation to fix bugs or be held responsible for the damages caused by their bugs, regardless of whether people rely on their software for critical software.
From the MIT license:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
From the GPL license:
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If you rely on open source software, you do so at your own risk, as the authors have no obligations to those who use the software they made, and it's written out explicitly all the time; people just skip past it.
Promoting by promising to fulfill a particular obligation creates the obligation. I'm not sure "showing that you care" is specific enough.
In any case, you are shifting your ground. Before you said that just making the software available and having enough people use it creates an obligation. Now you are saying that "promoting" it does. When "promoting" is properly unpacked, you will end up agreeing with my position: either the software author has made an explicit promise to provide support, or they haven't. If they have, they have an obligation; if not, they don't.