Glorified network janitor. Perpetual blueteam botherer. Friendly neighborhood cyberman. Constantly regressing toward the mean. Slowly regarding silent things.

  • 0 Posts
  • 9 Comments
Joined 11 months ago
cake
Cake day: December 27th, 2023

help-circle







  • Thanks for the share.
    Obviously Perens is one of the FOSS OG figures and he makes a lot of good points. Lately the RHEL/IBM situation has shown a mere license text file isn’t going to keep megacorps from finding ways to circumvent the ideology and the purpose behind it. They have simply too many resources both in development and in legal departments and too many ways to work around the legalese of its intended purpose .

    Also there’s been an increasing trend where products (Elastic etc) start off with FOSS license and as soon as they gain critical mass, they split their product and switch to their own FOSS-light license and gimped “community edition” downloads. Again, all still legally above the board, but at the same time completely ignoring the intended purpose of the license in the first place.

    I think what Perens is proposing is too complicated. I understand that “contract” has far more binding legal fire power compared to a “license”, but as he also points out in the article, it complicates things to the point where it’s hard to adopt. The problem is of course far deeper than just licensing and has its roots deep somewhere in late-stage capitalism and deregulation of corporate entities and those are of course not problems that Perens or the free software community can easily solve. Unfortunately.

    It’s clear that something new is needed and I appreciate the work he is doing. I’m not sure it’s the right direction to take, but can’t say I have any rabbits I can pull out of my hat either, so I’ll follow this with interest.


  • I do security as my dayjob (more blue team stuff these days, but used to do pentesting in the past).

    Software development normally comes down to a holy trinity of Speed/Cost/Quality. You can only pick two.

    Commercial software has time/cost constraints so they often pick speed and cost over quality initially. FOSS software doesn’t need to “get to the market”, but also doesn’t have any money, so you often get cost/quality over speed.

    However - in larger enterprises there’s so much more, you get the whole SDL maturity thing going - money is invested into raising the quality of the whole development lifecycle and you get things like code reviews, architects, product planning, external security testing etc. Things that cost time, money and resources.

    FOSS software is generally going to be missing this, unless the project gets popular and picked up by some big megacorp that bankrolls the development (Google, IBM etc). Look at mission critical projects like OpenSSL that was (until Heartbleed) more or less one man project.

    Commercial software also needs to invest in licensing, support, documentation, certifications, training and potentially integration partners. It’s a whole different playing field. FOSS has easier time, because it’s generally just pointing at the code and saying “well send a PR”.

    Then you have the whole devops thing, where you might take FOSS software and build a whole commercial service around it.

    And all of this is just generalizing of course, because unless we’re just comparing small programs, there’s really no way to do objective comparisons between “commercial” and “free” without writing a full 50 page thesis.