Scott Hanselman

Open Source is a thankless job. We do it anyway.

April 13, '14 Comments [26] Posted in Open Source
Photo by Sweet Chili Arts, used under CC

Open Source is hard.

Security is hard

There have been lots of articles about the recent OpenSSL "Heartbleed" bug. You can spend a day reading all the technical analysis, but one headline that stood out to me was "OpenSSL shows big problem with open source; underfunded, understaffed." A fundamental part of the fabric of The Internet Itself is maintained mostly by just one person plus a bunch of volunteers.

"The fascinating, mind-boggling fact here is that you have this critical piece of network infrastructure that really runs a large part of the Internet, and there’s basically one guy working on it full time."

Moreover, we don't sing contributors' praises for their hard work and success while their software works; instead we wait until a single line (albeit one of the more important lines) fails to live up to expectations. Darn that free stuff, mostly working, and powering our connected global network.

Open Source is largely a thankless job. Sometimes in the Microsoft .NET community, it feels more futile because it's often hard to find volunteers. Many folks use the default stuff, or whatever ships with Visual Studio. With Rails or Node, while they have corporate backing, there's a sense that the projects are community driven. The reality is in-between, but with open source projects built on the Microsoft stack volunteers may say "we'll just use whatever they ship."

There's anger around past actions by Microsoft, but as I've said publicly before, they've come a LONG way. I will keep pushing open source at Microsoft until I think I'm done pushing and can push no more. There's a seismic shift going on inside. Mistakes get made, but it's moving in the right direction. Everyone is learning.

Visibility is hard

Jeremy Miller's team recently stopped active development on the "FubuMVC" open source .NET framework. In his exit blog post, the question of the viability of .NET open source comes up:

"Setting aside the very real question of whether or not OSS in .Net is a viable proposition (it's largely not, no matter how hoarse Scott Hanselman makes himself trying to say otherwise), FubuMVC failed because we — and probably mostly me because I had the most visibility by far — did not do enough to market ourselves and build community through blog posts, documentation, and conference speaking."

It's very true that in a large way visibility drives viability for many open source projects. Jeremy's retrospective is excellent and you should read it.

I think it's harder to bootstrap a large framework project that is an alternative to existing large frameworks, because for many, it's easier to use the default. Frameworks like FubuMVC, OpenRasta, ServiceStack, Nancy and others all "reimagine the default." They are large, opinionated (in the best way) frameworks that challenge the status quo. But it's much more difficult to cultivate support for a large framework than it is for a smaller library like Humanizer or JSON.NET.

Still, without these projects, we'd all still be using the defaults and wouldn't be exploring new ideas and pushing limits as a community like the FAKE F# build system, or Chocolatey, or Boxstarter.

Microsoft can better support OSS projects not just with licenses and money, but with visibility. I'd propose dedicated Open Source tracks at all Microsoft conferences, with speaking slots for open source community members. DotNetConf is a start, but we can go bigger.

Organizing is hard

OWIN is an example of a small but extremely important project in the .NET world that is struggling with organization. Getting it right is going to be important for the future. There's a small but influential group of community members that has been trying for months to find middle ground and build consensus around a technical issue.

ASP.NET Web API and SignalR both build on top of an open source project called OWIN (Open Web Interface in .NET) that aims to decouple servers, frameworks, and middleware from each other.

There's an issue open over on GitHub about what may seem like an obscure but important point about OWIN. The OWIN specification doesn't include an interface called IAppBuilder, but IAppBuilder is used by default in most Microsoft examples. Can the underlying OWIN framework remain neutral? The issue is a long one, and goes off on a few tangents. It's a complex problem that perhaps 20 people fully understand.

Scott Koon worked hard on a Governance document for OWIN and hasn't seen any forward motion. He vented his frustration on Twitter, rightfully so. Under the often-used "Lazy Consensus" technique, if folks are silent or don't reply in 72 hours, that is effectively consent and can change the direction of a project. Active involvement matters.

The fun part of open source is the pull requests and writing code, but before the code building, there's the consensus building. Ownership is the most contentious part of this process. Ownership means control; control over direction. The key to finding control and working through ownership issues is by thoroughly understanding everyone's differing goals and finding a shared vision that the community can rally around, then move forward.

This sausage making process is tedious, messy, but necessary. These discussions are as much a part of OSS as the code is. It takes equal parts patience and pushing.

Getting involved is hard

I get dozens of emails every week that all ask "how can I get involved in open source?" Everyone assumes my answer will be "write code" or "send a pull request," or sometimes, "help write documentation."

In fact, that's not all you can do. What you can do is read. Absorb. Understand. Be welcoming, inclusive, and kind. Offer thoughtful analysis and ask questions. Avoid hyperbole and inflammatory language. Show code examples when commenting on issues. Be helpful.

Your blog posts are the engine of community; your open source commits, documentation, promotion, samples, talks, and gists are important. But getting involved in open source doesn't always mean "fork a project and send a giant pull request with your worldview." Sometimes it's the important but unglamorous work of writing a governance document, organizing a conference call, or thoroughly reading a giant GitHub issue thread before asking a question.

Why do we do this? It's not for the glamour or the money. It's because we are Builders. I encourage you all to get involved. There's lots to be done.



Sponsor: Big thanks to Novalys for sponsoring the blog feed this week! Check out their security solution that combines authentication and user permissions. Secure access to features and data in most applications & architectures (.NET, Java, C++, SaaS, Web SSO, Cloud...). Try Visual Guard for FREE.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

April 13, 2014 15:35:23 UTC
Yep, a fun set of challenges. The other tricky issue is the sense of entitlement. Meaning: if you *do* manage to get users, some will want some complicated but extreme minority feature, and don't seem to understand that this doesn't just happen overnight, or that any extra features just for them is a whole extra set of code that will need maintenance and regression testing forever. Or who will bemoan that there isn't an example document describing exactly their scenario, but who also don't want to help by... writing one. It can also be rewarding; but it has moments when it sucks.
April 13, 2014 15:47:39 UTC
Marc - Entitlement is a huge issue. Folks don't realize that changing something can "break the world." Also, I've seen large enterprises elect to NOT use an open source project because the college student that maintains it is moving on.
April 13, 2014 15:55:07 UTC
There's anger around past actions by Microsoft, but as I've said publicly before, they've come a LONG way. I will keep pushing open source at Microsoft until I think I'm done pushing and can push no more.


As someone who is generally pretty negative towards Microsoft, probably too often, I can honestly say MS has definitely come a long way over the last 2 years. Lots of great things have happened, and I hope it continues.

Thank you Scott and all those at Microsoft who have helped make these changes happen!
April 13, 2014 16:15:18 UTC
Because it is so hard to have an Open Source project work as expected, in all terms, there should be a new approach on how a project is funded. At my blog, I wrote: Had Heartbleed showed us a new business model for Open Source?.

I ask the reader to answer a question:

"if we, the IT industry, had put more investment into the OpenSSL development team, would the chances had been higher for the Heartbleed bug to be found?"

Which leads to a very simple question:

Should we consider a different business model for Open Source software? What about a model where a company (not individual) willing to use an Open Source software has to either:


  • pay for a license and/or subscription support;

  • provide resources (developers and/or QA) dedicated to the software itself;

What are your thoughts?
April 13, 2014 17:00:32 UTC
@Bruno There are already people out there doing this kind of thing. For example RRDTool, an open source time-series database and graphing suite (it might compete with commercial efforts from OSISoft - PI,AF etc) and corporate entities sponsor new feature development as well as open support contracts. So, it seems to work, but this greatly depends on the people in those corporate entities understanding open source software.

http://oss.oetiker.ch/rrdtool/sponsor.en.html



April 13, 2014 17:36:44 UTC
@Bruno Doing that just stops it being open source. There's already software out there you can pay for; you're just taking open source and making it not open. Allowing contribution of resources is just another way of paying for it.

If someone is putting constraints on their software; someone else will do the same software without the constraints. We're developers; that's what we do. We write code; regardless of whether someone's paying us for it. If the only software that does X is not free/OSS; then some dev that wants to code will fill that hole in the "market". How many pieces of strings-attached software can you think of that don't have an OSS alternative?

Personally; I don't think the quality of software is in any way related to whether it's OSS or not. Commercial software can be unloved, abandoned, badly managed and poorly reviewed/tested too. You could say commercial software is better because a company's business depends on it; but you could also say OSS is better because the developers are doing it for the love of building the product without financial motivation or constraints.

I don't think any amount of additional funding in OpenSSL would have ruled out a bug like Heartbleed; a bug is a bug; it would've been found with more testing or reviewing. More funding would probably just add more features; not verify the correctness of the old ones. People take OSS software and make assumptions about it without reviewing/testing it. This isn't the first widespread security bug, nor will it be the last.

If we want to improve the quality of open source software; we don't need to put funding into all of the projects, we need to do the same things to improve the quality of closed source software; and that is to improve tools, languages, etc. so that developers are better able to write and prove correct software.

Developers are starting to focus more and more on concurrent and parallel code; yet the languages and frameworks we use make it easy to write code full of race conditions. Putting funding into solving these problems will benefit both open source and closed source projects at a much larger scale than funding for individual projects.
April 13, 2014 17:53:02 UTC
"Open Source" software doesn't have to be free as in free beer. Obligating companies to pay for a project, either by giving money so the foundation can invest by hiring full-time developers, or by giving their own developers to work full-time on these Open Source projects would drastically increase the amount of people coding, improving, reviewing, testing, etc. People love to code, yes. But love isn't enough in the world we live in, sadly. Open Source should not be charity.

Charging for an Open Source project also does not remove the "Open Source" nature. It will continue to be open, but not 'free' for companies who profit from it; only individuals should be free to use it. If there is profit, there should be a trade. Unfortunately, as you might agree, the way a great part of the IT industry sees Open Source projects is just "Free" software to run for-profit business.

There should be a way to avoid that, while keeping freedom for individuals to use, contribute back, and be part of Open Source projects.
April 13, 2014 18:50:18 UTC
@Bruno But what you're suggesting is a barrier to using the software for several reasons, including:

1. Some companies simply won't be prepared to spend the money

2. The people that make the decision to use open source software/libraries currently (for example, developers) often cannot take the decision to a) pay or b) commit resources alone. Getting this "agreement" may be tough and/or take time. Many devs will simply take an alternative rather than embark on this "mission" because they're probably knee deep in solving a complex problem.

There will almost certainly always be someone willing to do it completely free. Some devs (myself included) would simply rather our software was used by as many people as possible. Adding barriers will be counter-productive to that goal.

I have no cares of being rewarded for anything done in my spare time, and I'm certainly not alone. Because of this, (really) free alternatives will almost always exist, and limit the use of not-quite-open-source software as described.

I'd go as far as saying that payment-required open source gets the worst of both worlds; it costs money and it doesn't have a solid business backing it. I'd rather have something free-and-on-my-head or paid-but-I-have-someone-to-kick-if-its-bad.

April 13, 2014 19:44:07 UTC
// 1. Some companies simply won't be prepared to spend the money
This will be a matter of price/negotiation. The foundation or the company behind an Open Source project will define the requirements. If it is too expensive, or requires too many developers working part/full-time to back the project, other foundations/companies will come up with alternative solutions, negotiable options. All I'm saying is that none should actually offer for free. Competition will continue to exist though.

If there are individuals willing to do completely free, fine. But businesses and those who want to run a business (get paid, or invest enough time/resources) on top of Open Source projects, these businesses should reconsider the business model.

Companies/foundations willing to run a serious Open Source project should stop the "please support us, please subscribe our support offer, please donate" stuff. It should be "pay, or give us paid developers; it will be for your own good".
April 14, 2014 0:06:17 UTC
Economists know this phenomenon well as the 'tragedy of the commons'.[1] OSS is a public good which everyone wants to use, but no one wants to pay for.

[1] http://en.wikipedia.org/wiki/Tragedy_of_the_commons
April 14, 2014 1:17:27 UTC
I think it's harder to bootstrap a large framework project that is an alternative to existing large frameworks because for many, it's easier to use the default.

Definitely agree with that one. I worked on one site where we used the Spark view engine with ASP.NET MVC, but that's probably the only occasion of using a piece of open source that just flat-out replaced a significant piece of the "default" ASP.NET stack.

It's tough to push something like that in a business environment because you are making it more difficult for new people on the team in the future, it is the path of least resistance to use the default components (especially given that, imho, they really are very good).

But add-on components, I don't see any shortage of them getting used. Everyone is using their ELMAHs and NLogs and what-have-yous.
April 14, 2014 1:24:42 UTC
What you guys are debating shows there are down sides to both models, but the reason I give the edge to open source, despite all of the pitfalls that Scott talks about, is that it does move us forward and generally improves the .NET developer scene. I've had maybe three kudos from people who use POP Forums over the last year, but I do it because it's the closest thing I can do to contribute to the other projects it depends on.

And I think that might be one of the issues, and it's not unique to .NET: Everyone hopes their project will become a phenomenon. Honestly I think there are too many people trying to write frameworks that cure cancer, or take a slightly different approach on a problem that's already pretty well covered. There's nothing wrong with maintaining something that is a bit of a niche or has a small audience.

I for one am excited by all of the projects out there, and this robustness is what makes it fun to code on this stack.
April 14, 2014 2:08:28 UTC
The problem with the "Open Source is Secure" paradigm is that it assumes that every line of code is being properly peer-reviewed by the community. It's not. Code reviews are tedious and boring. The only reason it gets done in commercial software is because people pay us money to do it.

As developers, we *hate* QA. We *hate* code reviews. We want to be writing code, not checking over someone elses. Open Source shows a strong propensity towards lots of developers writing software but then easily glossing over the QA/review processes because A) lack of manpower and B) lack of will.

I don't see how this problem can be easily overcome.
John Michalzak
April 14, 2014 7:08:45 UTC
On the desktop-side, it's hard to get motivated to start a project. Silverlight - gone. WPF - on its way. I've held off any Windows Store projects/libraries because my money is on it being relegated to the dust-heap as well (with Sinofsky).
Dave
April 14, 2014 8:19:51 UTC
What is more shocking, that a one-man-band library had a security hole in it, or that massive multi-national, professional institutions didn't contribute anything back?

That linked article pointing out the "problem" with open source is extremely narrow-minded and is, in my view, actually perpetuating what the true problems are: perception: people wanting something for nothing; people pulling in updates without code review; people not patching mistakes even though they use the software; and finally, blaming the author's opinion on how to run the library he started!

What scares me the most is this library existing in many a large company's testing framework and going through security analysis only to be deemed safe. They missed this security hole for two years too! Don't blame the guy who started this, he has no sole responsibility over where it is used, how and by whom - everybody who uses it does.
April 14, 2014 8:29:19 UTC
If an open source .NET community is what you want, then you need to build around an open source runtime implementation.

Why aren't more people switching to Mono? Miguel has said himself that he would like to see it used server side (not just as a unifying mobile language tool). I've experimented with a few projects using Mono on Linux and have found it to show great promise.

That said, some of the existing open source .NET projects are either painfully disorganised (OWIN) or have absolute trolls at their helm and are impossible to reason with when trying to suggest improvements (Nancy).

The community does want to exist. I can see it trying to come to life. There are just a few fundamental pieces that have yet to fall into place. I wasn't nothing more than to write C# on Linux... For a living if possible ;)
April 14, 2014 8:55:52 UTC
*want
April 14, 2014 10:29:42 UTC
For the average person who knows nothing about open source or even the concept of community, he will be doomed to such pity surprise as "what? only one person, not even paid, is behind Open SSL" (And imagine when I explain that the creator of bitcoin is not even known and used the pseudo of Satoshi)

The developer community knows more about the reason, and understands that such a bug might occur even with 100 persons reviewing the code. Our software fails, that's a fact of life we understand, and we know it will not be the last time. We can decrease the probability with some practice but never suppress it.

We should educate the mass by telling them their internet provider is not the one that created the internet and that the internet is a gigantic piece of garbage turned masterpiece fueled more by the passion of the builders than money. (This is not so easy to understand, since our work is one of the only ones that can be done freely at home, without any formal education and graduation)

We don't care about the reaction of the mass though, open ssl is used by IT people that understand that, and while there is no viable economic alternative, the negative remarks are nothing but cheap words.
Nicolas D.
April 14, 2014 13:16:04 UTC
Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance.
-Kurt Vonnegut
FrustratedConsumer
April 14, 2014 13:35:50 UTC
Sometimes in the Microsoft .NET community, it feels more futile because it's often hard to find volunteers


My understanding of things may be outdated, but I think that's because .NET itself and the main tool to author .NET code, Visual Studio, are not really cross-platform and are also meant to run on a commercial platform (that will probably never be open source).

Sure, you can open-source anything you want and welcome contributions, however the fact that in order to do that, you:

  • Must buy and use Windows

  • Must buy and use Visual Studio

  • Probably need to pay extra for a Windows hosting

Really impedes things here. Please correct me if I'm wrong.
April 14, 2014 15:01:44 UTC
Dmitry,

That really hasn't been true since Monodevelop. I've worked on several projects where Windows users were in the minority, but we were all using Mono and Monodevelop to allow for cross-platform development.

Both Unity and Xamarin have leveraged this to offer their own flavors of mono-develop as their default development platform and offer Visual Studio as a paid for or alternate option.
April 14, 2014 15:46:39 UTC
Must buy and use Windows

Must buy and use Visual Studio

Probably need to pay extra for a Windows hosting


Actually the majority of .NET OSS projects I've seen on GitHub have instructions for building/developing with VS as well as with Mono/SharpDevelop/InsertOtherToolOrPlatformHere. I've seen people who only write their C# code in SublimeText.

As for the hosting in Windows, that part is largely still true today if you're doing an ASP.NET app, but that's part of the point of OWIN - the decoupling from the IIS/Windows world.

Really, you can work pretty much any way you want - but as Scott points out, the issue is that it isn't as simple as it would be if you just run VS on Windows and use the defaults.
April 14, 2014 16:44:22 UTC
Dmitry,

Windows hosting does tend to cost a little more. Arvixe, for example, provides Linux and Windows hosting, and entry level Windows hosting costs $1 more per month than the equivalent entry level Linux plan. Paying an extra $12 per year to be able to use the tools I'm most familiar with is worth it for me.
Jeremy Cook
April 14, 2014 19:14:27 UTC
What could be considered the central rally point for open source .NET? Is it ohloh? What about news?

When I worked with Drupal I found that I felt part of a community and I think that feeling, at least in part, could be attributed to having a drupal.org login and being able to change and contribute to pretty much anything on that site.

I don't know where to go for that with .NET. There's Github, StackOverflow, CodePlex, NuGet and ASP.NET, but none of them gives me that holistic "I'm part of the .NET open source ecosystem" feeling.
Jeremy Cook
April 14, 2014 20:44:18 UTC
Hey guys, anyone know any .NET project for OpenFlow?
April 14, 2014 21:19:23 UTC
@JeremyCook what's sad is that I think CodePlex, Nuget and even Chocolatey are supposed to provide that community, but they fall short. And I don't think it's their fault. I think it's mostly the software and licensing when dealing with the Microsoft stack. Getting up and running requires you to install so many things - Windows, .NET, VS, service packs - and 2 of those cost a significant amount of money. Why develop open source software when you can't acquire the tools for free?

No matter what Microsoft is trying to do with the .NET Foundation the fact is .NET is still their software and everyone has to play by their rules. Open source implementations like Mono will never be in the forefront because of this - they're forced to follow.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.