Interesting Links for 12-12-2021
Dec. 12th, 2021 12:00 pm
- This Digital Bank Is Designed for the LGBTQ+ Community
- (tags:LGBT banking finance usa )
- Covid pill being rolled out among vulnerable Britons could fuel dangerous mutations
- (tags:Pandemic medicine Doom mutation )
- The Prisoner Of War who escaped a Nazi camp in full naval uniform
- (tags:wwii impressive viaDanielDWilliam )
- The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable
- (tags:software opensource security )
- Britney Spears: Muppet murderer!
- (tags:BritneySpears Muppets )
- Here's a collection of good news from 2021
- (tags:GoodNews )
- "It's hard to overestimate the impact Moominland Midwinter had on me" (looking forward to reading these to Sophia)
- (tags:books children )
- A pictorial history of Santa Claus
- (tags:Christmas pictures history )
- McDonald's McRib NFT Project Links to Racial Slur Recorded on Blockchain
- (tags:funny McDonalds blockchain race food )
no subject
Date: 2021-12-12 02:31 pm (UTC)
The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable
I think I have as good a claim as anyone to be one of those people, so here are my thoughts.
I don't feel exploited, or undervalued, when my free software is used by companies without paying me. It's not some kind of accident that I made it possible for them to do that. It was on purpose, in the hope that they would.
Partly, that's because PuTTY in particular is a security project, and security is a special case. Security across the whole Internet is interconnected: the more sites are insecure, the more of them will be taken over by malicious people and { added to botnets to run DDoS attacks | used to participate in large-scale computational attacks like brute forcing passwords | have trust paths exploited to attack accounts on other machines | miscellaneous }, and the more of those attacks will reach as far as sites I personally care about.
So I benefit, selfishly, from helping to secure as many other machines on the Internet as I can manage – whether those machines' owners pay me in money or not¹. And part of that is making all the necessary security tools available free of charge, because the more money they cost, the more companies will take a cost-benefit decision not to bother with them, neglecting the externalised cost of those knock-on effects of their insecurity on everyone else.
Secondly, regardless of the project in question, it's just part of who I am. When I write code for my employer, I do believe in the usefulness of what I'm doing², but I also know that what I'm primarily working towards is my employer's bottom line, and that enabling people to get useful things done is a means to that end, and not in all cases the most efficient means, or the one management will settle on. Giving useful software³ away for free is what sends me to sleep at night believing that I really have enabled people to get useful stuff done, and that there wasn't some tradeoff in which the end user turned out not to be the beneficiary after all. If I don't do it for too long (which has happened, in years where I was exceptionally tired by other commitments), I start to develop a sense of long-term dissatisfaction, which I cure by going back to writing free software.
It is true, of course, that companies who depend on my software can behave in demanding and annoying ways. Often I feel as if some particular correspondent of mine has simply forgotten that I'm not a paid software vendor who has a multi-million-dollar contract with their employer, and hasn't quite figured out that as a consequence I have no incentive to drop everything and solve their particular problem.
(In fact, I'm pretty sure this is literally true in many cases – the most obvious examples being the mass mailings along the lines of "We are harmonising our relationships with all our vendors and require you to sign the following revised contract". I'm sure what happens there is that they have some giant spreadsheet⁴ of Software We Use; Employee A downloads PuTTY and conscientiously sticks my contact details in the spreadsheet; later, Employee B does a mailmerge from the whole thing, without stopping to think that not everyone it mentions is a paid vendor prepared to bend over backwards to keep their lucrative contract.)
But I've always been able to deal with this by pointedly reminding the most demanding people that I'm not at their beck and call. Most of those companies who mistake me for a contracted vendor are prepared to recognise their mistake once I point it out, and the more self-aware ones even apologise. I've not even found it necessary to be especially rude: a plain statement of the facts of life normally does the job. If one of them is rude to me, then the quintessentially British approach of a faint frown and a tone of mild reproof (or its email analogue) generally gets good results – probably a lot better than mouthing off like a sweary 13-year-old in return.
And if someone keeps pestering in spite of every clue you try to impart, well, there's always the 'just stop replying' option.
When it comes to companies depending on my stuff, I take the same no-nonsense attitude, because in every free software licence agreement (even the maximally permissive MIT, my usual choice) is that all-important "NO WARRANTY" clause, and it's there for exactly this reason, and I'm happy to push back if people try to ignore that. If your company is going to come crashing down if some particular bug in my stuff is not fixed – then you can fix it! I even provided all the source code to make it easy for you! With your whole company at stake you can afford to spend a programmer or two's time on that. And if you don't have any programmers on staff, you must at least have money, so try hiring one. You don't get to tell me that it's simultaneously too vital for you to survive without the fix and too footling for you to spend any of your own resources on. Pick one.
(That said, of course, I do take security holes very seriously. It's hard to think of a security bug you could report to me that I wouldn't immediately drop everything to fix in a timely manner. Perhaps the only exception would be if the bug is really in a shared thing like the SSH protocol, where it actually can't be fixed unilaterally without all the other implementors cooperating to deploy a revised version of the protocol in coordination. Or something so huge that it would require rearchitecting everything from the ground up.)
Perhaps this means that a wise company would avoid getting into a position where they depend on my stuff in the first place, if they can't fix bugs downstream of me. That's fine too! Nobody has to use it – the flip side of me not being a commercial software vendor is that I'm also not an evil lock-in merchant. When I define my own data formats I provide conversions to well-known alternatives, so you are always free to walk away and use something else. If your reason for using something else is not that you think my software is bad but simply that you'd rather have someone on call you can scream at to drop everything and help you with this week's emergency, then it's best for both of us that you do exactly that. Good luck, and have fun.
¹ On the other hand, of course, if people do feel like paying me, I'm not about to turn it down! I'd never claim to dislike money :-)
² Well, at least I believe in the ultimate effects of it. When you get into one of those problems everyone must have from time to time where you find yourself pratting about in the organisation's internal CI infrastructure at five removes from any code an end user will see, it starts to require some cognitive effort to remind yourself that anything useful is going on at all :-)
³ Or fun software. I'm often amused that people compliment me on things like PuTTY by telling me how much of their time it saved, whereas people compliment me on my puzzle game collection by telling me how much of their time it wasted. I always think that when I come up before the Great Project Manager In The Sky to be judged on my lifetime contribution to global productivity, I'll probably end up finding out I more or less broke even :-)
⁴ Obviously it should be a database, but I'm sure that in most cases it's a shonky, poorly change-controlled spreadsheet :-)
no subject
Date: 2021-12-12 03:17 pm (UTC)
That all seems very sensible. Have you ever had any company actually pay you?
no subject
Date: 2021-12-12 03:57 pm (UTC)
no subject
Date: 2021-12-12 04:08 pm (UTC)
no subject
Date: 2021-12-12 05:28 pm (UTC)
no subject
Date: 2021-12-12 06:15 pm (UTC)
It wouldn't be enough money to live on, by a long way. But I'm not sure I don't prefer it this way – a labour of love becomes a chore if you can't temporarily put it down when you're running low on love.
no subject
Date: 2021-12-12 06:17 pm (UTC)
no subject
Date: 2021-12-12 06:05 pm (UTC)
no subject
Date: 2021-12-12 06:19 pm (UTC)
no subject
Date: 2021-12-12 07:57 pm (UTC)
You got a lot of nice comments though.
https://news.ycombinator.com/item?id=29530260
Well said!
Date: 2021-12-12 09:21 pm (UTC)
no subject
Date: 2021-12-12 09:35 pm (UTC)
no subject
Date: 2021-12-12 11:31 pm (UTC)
That makes sense. But I also can't help thinking, there are lots of worthwhile rewarding things that get done because someone decided to give it a go, but when they become load bearing for society, it usually becomes necessary to make them someone's job somehow because we start to need the level of commitment it's usually not reasonable or possible to get from someone working voluntarily. I'm thinking of examples like, something that might be done by a charity or by a government welfare program. But it's always an awkward balance because choosing to do it as opposed to no-one doing it really IS worthwhile; but that typically comes with not wanting to just walk away if it becomes too much. You found a good balance with good boundaries, but I think it's often really hard to have clear boundaries if you haven't thought in advance of "what is too much" (and it seems common to struggle with that, especially when there's no clear dividing line between "supporting people using it this much" and "supporting people as much as they actually need which is now more than one person can do").
no subject
Date: 2021-12-13 07:41 am (UTC)
I hear you – but there might be an unsolved problem hiding under that "somehow"!
Continuing to use myself as an example, supposing somebody did want to make PuTTY into somebody's job. How would they go about it?
One thing they might try is to make me an offer of full-time paid work maintaining it (plus, presumably, hiring and training some equally full-time co-maintainers to ensure ongoing stability). Nobody has ever actually tried this, but off the top of my head, if they did, I'd at the very least have to think very hard about whether I wanted to take it, because it would seem equally plausible that the reason for the offer was so they'd gain control of the project's direction – quite possibly in order to change it in ways I might not approve of if I knew in advance. So I'd start off suspicious.
The second option is to make a fork, and try to persuade people to switch over to it. That has been tried: there have been a lot of forks, some equally free (or 'more' free, if your philosophy prefers GPL-class licences to MIT), some commercial. Has everyone switched over to one of them that isn't PuTTY itself? Not that I've noticed. (Perhaps I might not notice for a while – surely most people who do switch to some other fork wouldn't go out of their way to notify the maintainers of their previous choice – but surely if the majority of users were now using SomeOtherPuTTY then sooner or later I'd be seeing comments on news sites saying so.)
In fact, the most recent commercial fork caused us to get a worried email or two – the company's publicity made at least some users worry that the PuTTY team might have been subjected to one of those "buyout and radical change of project direction" scenarios I mention above, and they weren't happy about the idea. When I said no, original PuTTY is still right where it's always been and nobody is stopping you carrying on using it in preference to the new thing, they were greatly relieved.
In other words, the biggest problem with making a fork is persuading people to switch to it, because you have to build reputation and trust in yourself as a maintainer from scratch – you don't inherit that for free with the codebase.
The third option, of course, is to say, never mind PuTTY in particular, all that's really needed is an SSH implementation that people can rely on having available, and it doesn't especially matter which one it is as long as it works. You could plausibly argue that that's the direction MS have been heading in recently, by setting up an actually working Windows port of OpenSSH and making it ubiquitous on Windows.
That attempt might be working, because I have begun to see comments on news sites saying things like "PuTTY is obsolete, it stopped being necessary when you could just run ssh.exe in your Windows command prompt".
Of course, I don't think PuTTY is obsolete, or else I wouldn't still be working hard on features for the next release. And I know there are still plenty of users who don't think so either. But, on the other hand, Windows's bundled SSH solution now does exist, and if what you want is something a large company is making sure of, then that is an option you might decide you prefer.
(Though, of course, that does raise the same question about OpenSSH. Windows's port of that is still just a downstream as far as I know, doing Windows-related porting work but still making use of the ongoing general-purpose development, security fixes etc done by the upstream OpenSSH team. Is anyone making their part of this somebody's job? I have no idea. Is MS fully prepared to pick up that part of the work if they should happen to drop it? Likewise no idea.)
no subject
Date: 2021-12-13 07:00 pm (UTC)
Someone wrote a good comment I can't find now, suggesting funding not projects but developers, imagining them working on different things according to what they thought was needed.
In the much longer term, I sadly suspect the answer is, when security becomes something everyone needs to have (like, say, buildings that meet a fire safety standard), the government or some other body will mandate a minimum and there'll be a lot of crappy versions of that, but if they end up needing something that isn't available, market forces will make something. I don't know what form that would take for something like SSH on Windows: it might be a set of best practices that says "use putty or ssh", or an organisation that provides a version of putty with warranties, or some less good but more certified program...
no subject
Date: 2021-12-13 07:41 pm (UTC)