@ashwinvis @strypey It's better not to need trust. With Windows, you have to trust that the closed code is doing what you want. With Linux, you can't inspect all the code and you have to trust that others are auditing competently.

@strypey @ashwinvis Recall that #openSSL had a quite serious bug around ~10 yrs ago. After it was discovered, it was realized that no one spotted the bug for several years.

@aktivismoEstasMiaLuo OpenSSL was a very different case to the Linux kernel, which has dozens of paid devs plus volunteers. It's worth noting that if OpenSSL was proprietary, the bug would probably not have been found at all, and would still be unpatched.

@ashwinvis

@strypey @aktivismoEstasMiaLuo @ashwinvis

The problem with OpenSSL was the same as GnuPG or many other popular open-source software. Everyone is using them and everyone expects they will be maintained and developed in accordance with best practices but... nobody supports them.

This applies equally to large companies who monetize every dollar from open-source but donate nothing, just as well as regular users who *could* easily donate $1 per month but won't because they expect "someone else"...

@kravietz yup, it's the Snowdrift Dilemma:
wiki.snowdrift.coop/about/snow

But there's software this definitely doesn't apply to, eg the Linux kernel.

@aktivismoEstasMiaLuo @ashwinvis

@strypey @aktivismoEstasMiaLuo @ashwinvis

From personal experience I can however tell that if you're working for a large company their procurement process is usually so fucked up that it's easier to get $100k for some crap commercial half-baked product than $10 per month to donate to an open-source project... This is stupid and short-sighted.

@kravietz @ashwinvis @strypey A big part of that is accountability. Managers want to offload accountability which is why they love to buy COTS (since a company stands behind it, it gives the illusion of having a warranty even though it doesn't). But w/ #freesoftware managers are afraid they can't point the finger when something goes wrong.

@strypey @ashwinvis @kravietz the fix in this situation is to actually have a 3rd party for-profit support company who develops and gives tech support for the free software.

@aktivismoEstasMiaLuo that was the theory in the late 1990s of how open source was going to be funded, with Red Hat as the poster child for this model. As the data from the last 20 years indicates, it works for some things, but not for second and third tier common infrastructure like OpenSSL. This is the stuff funding projects like Snowdrift.coop and Tidelift are trying to find ways to fund properly.

@ashwinvis @kravietz


@strypey @aktivismoEstasMiaLuo @ashwinvis

Precisely. Consulting only works if the software does *not* do what the commercial customer does 😂 and they require some extra customizations etc.

If it just does its job, nobody will bother to come up with "take my money" because why would they (unless they think strategically).

The free vs premium model is an evolution of this idea and makes a lot of sense, but still you can't do this for OpenSSL...


@kravietz @ashwinvis @strypey I've worked on projects that relied on #freesoftware compilers and tools like emacs. We paid a high (but reasonable) b2b price. We opened tickets for any kind of anomaly or screwy behavior, which would either get fixed or they would respond with instructions on how to overcome the issue. So we got bug fixes & training from the contract. We also filed enhancement requests.

@strypey @ashwinvis @kravietz It was a flat annual price, with no per bug or per hour pricing. Seemed to work well for everyone and the support was quite good. But I could only see this model working for software that's close to our daily operations. Infrastructure types of code like OpenSSL would indeed present the snowdrift problem.

@kravietz @ashwinvis @strypey It was nice that there was no restriction on the kind of tickets we could open. So users would open a ticket just to ask how to do something that's not well documented. It was much better than my experience with support on proprietary products.

@aktivismoEstasMiaLuo the Tidelift model is that companies pay for one support contract, and Tidelift strategically deploy the collected funds to developers, right down the tech stack.
@ashwinvis @kravietz
