path: root/published/open-source-insider-01.txt
blob: 4986154800fb48f3eb37ae4f6b3e3d5658e1beed (plain)
Open source software rarely receives the kind of attention that the press lavishes on the latest hot new thing blessed by Silicon Valley venture capitalists. Yet these projects are the foundations of the web world.

Without open source there would be no Slack, no Medium, no Github. Nor would there be Google, Facebook, or much of anything else. Without open source projects like Apache, Nginx, OpenSSL, OpenSSH and others (to say nothing of GNU/Linux, which does get some attention), the latest hot new thing would likely not exist. More fundamentally, the web as we know it would not exist.

There is a kind of myth that has grown around this lack of attention. It's the myth of the lone developer creating powerful magic. It's a myth the open source community likes to tell itself: that open source software is created by individuals working on labors of love in their spare time. This isn't always a myth; indeed, it's often surprising how little support key open source projects get, considering how many companies would cease to exist without them.

All myths have an element of truth to them. However, the myth of the lone developer completely ignores the fact that much of the money going into open source software comes from corporations, directly and indirectly (in the form of employing developers who contribute to open source projects).

There's a tension in open source between individuals building projects out of love or frustration or other personal motivations and corporations pouring time and money into projects that further their bottom line.

Occasionally the web gets a wake-up call about this tension between individual developers and the corporations building fortunes atop their code.

The recent kerfuffle at NPM, which is currently the default package manager for the very popular Node.js project, nicely illustrates exactly this tension. It's a somewhat convoluted story (see The Register's <a href="http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/">early coverage</a> for full details), but the short version is that NPM bowed to legal pressure and renamed developer Azer Koçulu's kik package without asking him. This angered Koçulu, so he deleted all of his code on NPM, one piece of which happened to be very widely used; after it went missing, all the code built on it broke.

There's a lesson here for everyone -- consider your dependencies carefully -- but there's also a wake-up call here for both developers and corporations.
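"Consider your dependencies carefully" is easy to say and hard to audit by eye once a project has a few dozen packages. The script below is an added example, not part of the column, that reads a package.json and flags every dependency whose version is not pinned to an exact release or that is pulled from somewhere other than the registry. The package.json it reads is constructed inline for this example and its package names (other than left-pad) are illustrative. Pinning does not bring back a package that has been unpublished, so a project that cannot tolerate a disappearing dependency also needs a private mirror or a vendored copy; what the check does show is where a fresh install would silently resolve to whatever the registry serves that day, including a fork that replaced the original.

```javascript
// Added example (not from the column): audit a package.json for dependencies
// that are not pinned to an exact version. A floating range such as "^1.0.0"
// means a fresh install resolves to whatever the registry currently serves, so
// a package that is renamed, unpublished or replaced upstream changes the build
// without any change to this project's own code.
//
// The package.json below is constructed for this example; apart from left-pad,
// the package names are illustrative.
const samplePackageJson = JSON.stringify({
  name: 'example-app',
  dependencies: {
    'left-pad': '^1.0.0',                  // caret range: floats to newest 1.x
    'some-lib': '~2.3.1',                  // tilde range: floats to newest 2.3.x
    'exact-lib': '3.2.1',                  // pinned to one release
    'git-lib': 'github:someuser/somerepo', // not a registry version at all
    'any-lib': '*'                         // accepts anything
  },
  devDependencies: {
    'test-tool': '4.0.0'                   // pinned
  }
});

// A range counts as pinned only when it is a bare semver triple, optionally
// with a prerelease or build suffix (e.g. "1.2.3" or "1.2.3-beta.1").
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return EXACT_SEMVER.test(String(range).trim());
}

// Walk every dependency section and collect the entries that float.
// Returns an array of { name, range, section }.
function findUnpinnedDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ['dependencies', 'devDependencies',
                    'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    const deps = pkg[section] || {};
    for (const [name, range] of Object.entries(deps)) {
      if (!isPinned(range)) findings.push({ name, range, section });
    }
  }
  return findings;
}

// Explain why a given range floats, for a readable report.
function classifyRange(range) {
  const r = String(range).trim();
  if (r === '*' || r === '' || r === 'latest') return 'accepts any version';
  if (r.startsWith('^')) return 'caret range (any compatible minor/patch)';
  if (r.startsWith('~')) return 'tilde range (any patch)';
  if (/^(github:|git\+|https?:|file:)/.test(r) || /^[^/@]+\/[^/]+$/.test(r)) {
    return 'non-registry source';
  }
  return 'other floating range';
}

// One line per finding, e.g. "dependencies: left-pad@^1.0.0 -> caret range ...".
function report(packageJsonText) {
  return findUnpinnedDependencies(packageJsonText)
    .map(f => `${f.section}: ${f.name}@${f.range} -> ${classifyRange(f.range)}`);
}

const lines = report(samplePackageJson);
console.log(lines.length ? lines.join('\n') : 'all dependencies pinned');
```

Run with Node.js; to audit a real project, replace samplePackageJson with the contents of its package.json. The classification is deliberately conservative: anything that is not an exact semver version is reported, so a human still decides which floating ranges are acceptable.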

Developers like Koçulu got a little reminder that the NPM project is ultimately corporate-controlled. It will make decisions in its own best interest, which may not be in every developer's best interest. It's a not-so-subtle reminder for Koçulu and other NPM developers that they serve at the pleasure of the king, in this case NPM Inc. For his part, Koçulu clearly got the message: he referred to deleting his code as "<a href="https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.tqxmtpeko">liberating</a>" it. It's now hosted on GitHub. Another large corporation.

On the other side of the coin, NPM <a href="http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm">learned</a> that it's vulnerable to the whims of individual developers contributing (and un-contributing) code. Anyone who relies on NPM is similarly vulnerable. The NPM community quickly stepped forward and, because Koçulu's code is open source, forks were soon put up in NPM's repositories.

There's really nothing new about this story; it happens all the time. It's part of the tension that seems inherent in software development at this stage. It's so common, in fact, that open source software has a simple mechanism for handling this situation -- the fork. Don't like where a project is headed or who's in charge of it? Great, go make your own. It happens with small projects like Koçulu's and big ones like the MariaDB fork of MySQL.

So while the short version of the NPM story has a happy ending -- Koçulu's code is now free of NPM, and NPM has forks of it available for developers who depend on it -- the longer story remains undecided. As software developer Dave Winer <a href="http://scripting.com/liveblog/users/davewiner/2016/03/24/1139.html">writes</a> in reference to replacing NPM, "we need a framework, legal and social, for projects that are not 'owned' but are just there".

In fact there are quite a few frameworks out there, albeit none that's a perfect fit. But part of the reason the code underlying the web continues to be developed despite having no large corporate backing is that non-profit foundations like the Apache Foundation, the Free Software Foundation, the Python Software Foundation and dozens of others sit behind the code, quietly raising money, keeping the lights on and the web humming.

The NPM community and the larger Node.js community might want to think about setting up something similar. Similarly, anyone hosting code on GitHub might want to think about what the transition away from GitHub would look like for their project. As Winer notes about GitHub, "the VCs are going to want an exit... then what happens?" What indeed. Most likely developers will get another reminder of the tension between open source developers and corporations.