larlet-fr-david-cache/cache/735087276fd57a6e3b9c2b71d7fa12c3/index.md

title: Corporations and OSS Do Not Mix
url: http://www.coglib.com/~icordasc/blog/2015/11/corporations-and-oss-do-not-mix.html
hash_url: 735087276fd57a6e3b9c2b71d7fa12c3

<p>I have been working on Open Source Software (in one way or another) since 2011
(just over 4 years since my first open source commit on a project). When I
started writing open source software it was for fun. I was not a Computer
Science/Engineering student. Programming was a hobby and open sourcing the
code was fun and exciting. Eventually, I started maintaining Flake8, then
Requests, then other things. Today, I'm a core developer of the following
projects:</p>

<p>And probably other projects that I've forgotten about. I've created
(and still develop) the following projects:</p>

<p>I'm was a core reviewer and driver for five projects in OpenStack (until
recently when <a class="reference external" href="http://lists.openstack.org/pipermail/openstack-dev/2015-October/077876.html">I removed myself from 4 of those projects</a>).
I am still a core reviewer for:</p>

<p>I also contribute (a fair amount) and am often pinged for reviews on <a class="reference external" href="https://github.com/shazow/urllib3">urllib3</a>.</p>
<p>Some of these projects are "owned" by one person and maintained by me (or me
and other persons). In other words, the "owner" is absentee. Think of a
landlord who does not collect the rent, or inspect the premises, or deal with
tenants, or really any work.</p>
<div class="section" id="working-on-projects-at-work">
<h2>Working on projects at work</h2>
<p>I've worked on a lot of projects. I continue to work on a lot of projects.
Over the course of two jobs, only one has given me the ability to work on Open
Source Software ... sometimes.</p>
<p>OpenStack's Compute service, Nova, needed to perform URI validation as part of
their JSON Schema validation but could not use the existing library because of
licensing. Only because this was something important to my team, I was allowed
to create <tt class="docutils literal">rfc3986</tt>. I continue to maintain that, but, in my free time.
OpenStack uses, heavily:</p>
<ul class="simple">
<li>requests (and as a consequence chardet and urllib3)</li>
<li>Flake8 (and transitively, pep8, pyflakes, and mccabe)</li>
<li>Twine</li>
<li>flake8-docstrings</li>
</ul>
<p>I've had opportunities to work on requests and Flake8 as a result of a few
show-stopping bugs, but otherwise I don't work on any of the above projects
during work. This isn't a break from what I'm used to, so I'm not trying to
complain or anything like that. Would it be nice to be able to improve the
software that powers our company and our product? Certainly, is there a
serious need to do that? Not at the moment.</p>
</div>
<div class="section" id="working-on-projects-for-companies-that-don-t-employ-me">
<h2>Working on projects for companies that don't employ me</h2>
<p>Some of these projects are used by the US Federal Government, those and others
are also used by some really large corporations (no I won't name names, I
don't see a point). I sometimes get a thank you from individual developers at
those companies, but those companies think nothing of just taking the software
(which is fine because I licensed it permissively). That said, when there's a
bug introduced in the package, those companies email me, ping me relentlessly
in IRC, create duplicate issues, and do everything they can to (perhaps
unintentionally) overload me. As soon as a bug affects them, they want it
fixed <strong>immediately</strong>. If you don't fix it in 24 hours (because maybe you have
a real life or a family or you're sick or any number of other very valid
reasons) then the threats start.</p>
<blockquote>
"Well if you're not going to take this seriously, we'll have to start
using another project."</blockquote>
<p>Not once has a company said to me:</p>
<blockquote>
"This bug is costing us $X per day. Can we pay you $Y to focus on it and
get a fix out as soon as possible?"</blockquote>
<p>I've also never demanded this. It would be nice, but it never happens. So,
what happens? Those bugs are fixed eventually. Sometimes those companies let
their engineers submit a fix that is incredibly poor but it took them an hour
and now they can whine at me for not merging it. Nevermind that it breaks the
continuous integration checks that ran 30 seconds after they sent the PR. This
is because the company wanted to invest as little time in the problem as
possible so the person couldn't fix the tests, write new ones, or write a real
fix. I don't blame the engineer, I blame their manager and their company. If
the project is that important to them, they should have let the engineer spend
a few hours, fix the bug the <em>right</em> way and follow the guidelines outlined in
the contributor's documentation.</p>
<p>Further, some of my projects (<tt class="docutils literal">github3.py</tt> in particular) tend to only ever
actively benefit corporations - the corporation using it and GitHub. Neither
ever tries to support me in its development. This is why I am also very
conflicted about finding other maintainers for this project. I would love to
find someone who could be paid by their employer to work on it, but I do the
majority of the work on the project so it's hard to even know who to ask about
that.</p>
<p>In short, the joy and enthusiasm that I had when I started working on open
source has been flattened. My attitude was naïve at best - this is fun and
maybe I'm helping some other people do good and have fun too. This is also how
a lot of my friends presently view their projects. Is it greedy of me to want
them to continue to be able to have that perspective?</p>
</div>
<div class="section" id="other-people-s-experiences">
<h2>Other people's experiences</h2>
<p>Ashe Dryden has written an invaluable post about <a class="reference external" href="http://www.ashedryden.com/blog/the-ethics-of-unpaid-labor-and-the-oss-community">The Ethics of Unpaid Labor
and the OSS Community</a>.
This is a must read and it really hits home a bunch of very important points
about the way we treat Open Source Software and its developers (e.g.,
requiring that a developer have an active and colorful GitHub profile before
considering them for a job).</p>
<p>David MacIver recently decided they were <a class="reference external" href="http://www.drmaciver.com/2015/08/throwing-in-the-towel/">Throwing in the towel</a> for their project
<a class="reference external" href="http://hypothesis.readthedocs.org/en/latest/">Hypothesis</a>.</p>
<p>Eric Holscher, who co-founded <a class="reference external" href="https://readthedocs.org">Read the Docs</a> and
<a class="reference external" href="http://conf.writethedocs.org/">Write the Docs</a>, has recently been
<a class="reference external" href="https://twitter.com/ericholscher/status/658723665597456385">discussing</a> the
economics of companies using open source software and contributing absolutely
nothing back to the projects they use.</p>
<p>Dr. Russell Keith-Magee, the president of the <a class="reference external" href="https://www.djangoproject.com/foundation/">Django Software Foundation</a>, gave <a class="reference external" href="https://youtu.be/mY8B2lXIu6g">this talk</a> at PyCon Australia. His key argument in this
talk is that if open source projects had resources equivalent to closed source
products, open source software would exceed any other project in quality. This
talk is excellent and full of great examples.</p>
<p>Cory Benfield, my very close friend and colleague on several of the projects I
mentioned above, has <a class="reference external" href="https://lukasa.co.uk/2015/08/Funding_OSS/">also blogged on this topic</a>.</p>
<p>No one is asking companies to endure a significant financial burden in order
to contribute back. But all of these items are, predictably, ignored by the
companies who seriously need these projects to work and remain production
quality.</p>
</div>
<div class="section" id="when-companies-do-contribute">
<h2>When companies do "contribute"</h2>
<p>When companies do "contribute", it's often not in the best interest of the
community, it isn't enough, or it's thoroughly misguided.</p>
<div class="section" id="best-interest-of-the-community">
<h3>Best interest of the community</h3>
<p>OpenStack started as a collaboration between Rackspace and NASA; it was
originally very operator focused. The project was used by tiny cloud operators
and larger operators alike. All had a chance to voice grievances and work with
developers to make things better. Somewhere along the way, the community
became developers (who never deployed or operated OpenStack other than with
DevStack) employed by large corporations working solely to forward the goals
of those corporations. OpenStack isn't really something that was ever meant to
be consumed by developers. Sure, the APIs are technically something a
developer would use, but those are exactly how operators interact with the
projects too. The developers who work on OpenStack don't mean to be harming
the actual intended consumers, but if you keep an eye on discussions with
operators, we (yes, I'm one of those developers) cause more problems than not
out of sheer ignorance of the real users and how they <em>actually</em> use
OpenStack. (To be clear, the <em>community</em> are the people who operate and
maintain OpenStack clouds.)</p>
<p>Generally speaking, though, companies can have engineers become involved in a
project to scratch their own itch while also benefiting the community. These
are not mutually exclusive results; they're just exceedingly rare results.</p>
</div>
<div class="section" id="it-isn-t-enough">
<h3>It isn't enough</h3>
<p>A lot of projects use sites like <a class="reference external" href="https://www.bountysource.com/">BountySource</a> to get paid to work on a bug on an open
source project. <strong>Sometimes</strong>, companies will add a bounty to a bug. The
largest bounty I've seen for any project I work on that accepts bounties has
been $135 (USD). These values often do not reflect the true value to the
company nor to the person fixing the bug. That said, sometimes you find a
bounty <a class="reference external" href="https://www.bountysource.com/issues/25924774-add-ppc64le-port">like this one</a> where a
company has added a significant amount to a bug. Those seem to be the
exception rather than the rule, though.</p>
<p>Other times, companies give a developer an hour to "make it go" which results
in a situation like I described above. Allow me to expand: these will be
companies that file a bug with as little detail as possible and then a fix
that makes little sense and may appear to fix the bug but causes many others.
After they have a fix, they stop responding to questions for more detail so it
can be fixed appropriately. They often can't share a sample of how they're
encountering the bug or anything like that.</p>
</div>
<div class="section" id="thoroughly-misguided">
<h3>Thoroughly misguided</h3>
<p>Some companies don't even bother giving engineering time to a project, or
money to the developers working on the project. Instead they run well
intentioned campaigns to increase activity for those projects by offering
rewards to anyone for doing just about anything, regardless of value or merit.
These rewards can be anything.</p>
<p>One very recent such event promised a t-shirt if you sent 4 pull requests (via
GitHub of course, because obviously <em>real</em> open source software would
<strong>never</strong> be developed anywhere else) to open source projects. That was it.
The pull request didn't need be merged, or to stay open for very long. It
didn't need to contain any value at all. The event organizers contacted some
projects <em>owners</em> asking if they could feature the projects. Now harken back
to the paragraph where I explained that the owners of some of the projects I
maintain are absentee. One of those was featured. That wasn't the only project
I work on that that received hightened and lackluster attention from t-shirt
seekers, but it was easily the one that received the highest traffic. So what
happened was: the company contacted the owner who agreed but didn't tell me.
The company never considered the fact that others might actually be doing the
work of the project (and didn't think to check that with the API they're going
to use to decide who gets a t-shirt).  The company never talked to me in
advance to, at minimum, warn me. (To be clear, the owner isn't blameless in
this either, but I'm also not the only person who was in this position and
complained about it. Perhaps I'm just loudest or have the largest platform.)</p>
<p>Of all of the pull requests (on all the projects) that I received as a result
of this event, some of them were merely diffs that looked like this:</p>
<div class="highlight"><pre><span class="gh">diff --git a/ex.txt b/ex.txt.new</span>
<span class="gh">index 5fe5360..e98e6b5 100644</span>
<span class="gd">--- a/ex.txt</span>
<span class="gi">+++ b/ex.txt.new</span>
<span class="gu">@@ -1 +1 @@</span>
<span class="gd">-foo bar bogus. Biz baz boo</span>
<span class="gi">+foo bar bogus.. Biz baz boo</span>
</pre></div>
<p>No, really, I actually got a pull request that added a second period to the
end of a sentence. I love encouraging and helping new contributors work on a
project or otherwise aiding those new to open source in general, but how do
you help someone who sends that pull request? Their commit message was "Update
ex.txt".  How do you help that person who clearly only has a goal of padding
the number of PRs they sent for the month of October?  Closing that pull
request was a waste of my time, which is already stretched thin. I don't think
that particular person was "trolling" (which is such an overused word as to be
meaningless at this point), or otherwise behaving just in pursuit of their own
amusement, but they were being inconsiderate.</p>
<p>Further, let me reiterate that the company in question <strong>did</strong> contact
someone. That in no way exonerates their borderline reckless behaviour. I
actively mentor several people who are new to open source and their event
consumed (in aggregate) a few days of my time which did not leave me enough
time to work on real bugs in other projects or mentor those people as well as
I could have.</p>
</div>
<div class="section" id="exceptions-to-the-rule-s">
<h3>Exceptions to the rule(s)</h3>
<p>There are exceptions to the rules above sometimes. There's one particular team
at HP (actually they're now in HPE) that is entirely composed of some of the
best open source developers I know of working full time on their areas of
expertise. But, this is the only team I'm aware of at HPE that behaves like
this. Other teams (I'm thinking specifically of their teams working on
OpenStack and their former Helion product) are split between product work and
upstream work and most of the time don't have enough time to dedicate to being
upstream developers and reviewers.</p>
<p>I would argue that while these sponsorships are good for the larger community,
they're still a bit misguided. I trust each of these people to act in the best
interest of their respective communities on that team at HPE, but what happens
to them as soon as HPE decides funding that work is no longer beneficial or
valuable? I don't have an answer to this, but I hope the answer is <em>not</em> that
those developers are shown the door with a generous severance package. On a
similar note, what happens if that developer decides they wish to explore
other communities outside the reason they were hired? Is there room for growth
or are their responsibilities narrowly defined enough that they have to quit
to grow professionally?</p>
<p>I'm asking these questions in the context of this one team at HPE but there
are some similar teams at other companies and the same questions are valid for
those teams as well. If you want an example of what I'm afraid of, just look
for the TwitterOSS team (hint: their funding as a department was cut).</p>
</div>
</div>
<div class="section" id="when-companies-open-source-a-project">
<h2>When companies open source a project</h2>
<p>There's also a separate pattern in the larger community where a company that
already has some reputation in the community decides to open source a project
that was previously just something they had initially developed for internal
use. If these companies dedicate resources to the upkeep of the project and
development of a community there tend to be two possible outcomes:</p>
<ol class="arabic simple">
<li>The company refuses to expand the core development team with non-employees</li>
<li>The company abandons the project and allows non-employees to take over the
entirety of the maintenance burden while continuing to reap the PR benefits
and failing to credit those people or support them in any manner.</li>
</ol>
<p>There are also rarer cases where people who contribute heavily to those
projects are offered jobs to continue their work as an employee, but those
seem to be fairly rare.</p>
</div>
<div class="section" id="why-do-companies-behave-this-way">
<h2>Why do companies behave this way?</h2>
<p>I have heard a myriad of reasons companies behave this way. I don't have the
complete answer, but one important point is that there is toxicity in the
community, its leaders, and or its contributors, and the companies have
learned their behavior from this toxicity.</p>
<div class="section" id="open-source-software-is-full-of-toxic-people">
<h3>Open source software is full of toxic people</h3>
<p>This certainly shouldn't be a surprise at this point. I would guess that it is
safe to say that pretty much every person (including myself, I'm certainly not
exempt from this) has had bad days and reacted poorly when dealing with the
community, contributors, colleagues, etc. These are not excuses and these
events can (and often do) shape the behaviours of the community and those
observing it.</p>
<p>A close friend of mine, Paul Tagliamonte, was involved in the discussion about
Debian's switch to systemd. He received <strong>at least</strong> 3 death threats due to
his participation. In what world is this acceptable behaviour for a community?
What about developers who have their addresses and the information of their
loved ones posted on 4chan and other "forums"? Why don't we fight this more?</p>
<p>Any company that has involved itself (or its employees) with Linux Kernel
development has probably come away with a very intensely sour taste in their
mouth and a jaded view of how to effectively contribute to an open source
project. In fact, I wouldn't be surprised to learn that these companies
witnessed significant churn in the engineering teams working with that
community.</p>
<p>They're also certainly not the only community struggling with this. Companies
need to be involved, but just like other contributors, they need to be assured
that they will be taken seriously and treated equally. Some projects work to
actively alienate corporations trying to contribute because of ideology. This
is not the path that will lead us to sustainable open source software
development and companies that can contribute responsibly.</p>
</div>
</div>
<div class="section" id="what-needs-to-change">
<h2>What needs to change</h2>
<p>Too much for me to clearly or effectively enumerate without missing things. So
let me give a high level list of things that I see as being incredibly
problematic and maybe I'll expound on them (or a subset) if I still have the
emotional energy to do so.</p>
<ol class="arabic simple">
<li>Companies need to do more for the projects they use (financially, by
engineers who can contribute to the project appropriately during their
normal working hours, donating services, or some other way)</li>
<li>Companies that already contribute resources in one way or another need to
check that what they're doing is not only in their best interest (or
perhaps not in their best interest at all). No, really, the good of <em>the
project</em> should be the focus of any contribution. If your goal is to
improve something <em>only</em> for the company, then that isn't a contribution in
good faith.</li>
<li>Companies looking for publicity and events that they can tout as their
support of open source software, need to actually employ open source
developers who know the pain that those events will inflict. Not a single
maintainer has ever said "I don't care about the quality, just give me a
flood of new contributions that I need to code review, give feedback, and
hope that person actually acts on the feedback." Not once. I was linked to
<a class="reference external" href="http://awkwardzombie.com/index.php?page=0&amp;comic=013111">this webcomic</a>
recently and it aptly describes this approach.</li>
<li>If a company has an engineer test a fancy new feature for a project, that
engineer needs to test more than just their own use cases to give effective
or valuable review. (See also the following tweets from Jeff Forcier:
<a class="reference external" href="https://twitter.com/bitprophet/status/660943465547599872">https://twitter.com/bitprophet/status/660943465547599872</a>,
<a class="reference external" href="https://twitter.com/bitprophet/status/660943804250263552">https://twitter.com/bitprophet/status/660943804250263552</a>,
<a class="reference external" href="https://twitter.com/bitprophet/status/660943975738556416">https://twitter.com/bitprophet/status/660943975738556416</a>,
<a class="reference external" href="https://twitter.com/bitprophet/status/660944140641763328">https://twitter.com/bitprophet/status/660944140641763328</a> in which he relays
a story of an important PR that people claimed worked without really deeply
testing it.)</li>
<li>Companies that use open source software should strive to hire some,
if not all (not all in one place either), of those people that maintain the
software to work on the project. And no, I do not expect those people to
work 100% of their time on that project. That's unreasonable. They should
be treated like adults though and allowed to spend what they see as an
appropriate amount of time working on the project versus other projects for
the company. Trying to quanitfy/limit the amount of time leads to conflict
and strife and unhappy management and employees. It doesn't work and it's
not a long term, maintainable solution.</li>
<li>Alternatively, instead of hiring those developers to hire the existing core
developers, reviewers, and maintainers, those companies can buy training on
how to effectively contribute and participate in upstream projects. That
said, I doubt there's anyone who can train a person in empathy.</li>
<li>Companies need to stop encouraging and allowing their engineers to be
abrasive, abusive, or insulting when reporting bugs or contributing changes
to projects. This was admittedly more of a problem before I added Codes of
Conduct to projects, but I still see this on other people's projects. (This
happened 2 years ago on a bug report where the company upgraded from an
ancient version of our project to the latest and greatest and found some
usecase that apparently only they had that broke. The vitriol in their
replies and their behaviour should have resulted in them being reprimanded
by their managers for behaving that way while at work.)</li>
<li>Companies need to have realistic expectations of the work-life balance of
open source maintainers. Open source software is unpaid labor for so many
of us. It <em>is</em> work. Many of us working on successful projects take it very
seriously. It is stressful. It is emotionally draining. Sometimes we don't
have the energy to fix your problem as soon as you think it should be
fixed. Sometimes we're on vacation. Sometimes we're sick or taking care of
loved ones. Behaving as if we're your employee that you can just boss
around is not acceptable. If you want that relationship with us, hire us to
work on the project. (Hint: If you act like this, I will never work for you
because it is very apparent your management does not understand what a real
life is or how a work-life balance needs to be managed.)</li>
<li>Companies need to realize that not all open source authors or maintainers
view their projects the same way. For many of us, we scratched an itch, we
are not developing a product. We often do not want our hobbies turned into
work because then we no longer have an outlet or a place to just have fun.
The project may be <em>serious business</em> for you, but that may not be how
others view it.</li>
<li>Money isn't everything. Whether you're a bootstrapped start-up or a company
that is publicly traded with stock values in the hundreds of dollars, money
isn't everything. Instead of placing $5000.00 on a bug, develop a
relationship with the community. Sometimes a heartfelt gift is more
meaningful than a large sum of money. I know some people who'd rather have
games purchased for them off their Steam wishlist. Other people would love
to get things from their Amazon wishlist. Know the people who develop the
software that allow you to make the money you make and respect them.</li>
<li>Acknowledge the projects somewhere on your website, product, wherever. This
one is simple, just say "This is powered by ...". This gives projects
credibility and that gains users which means another company that can
afford it might hire that person to work on that project.</li>
<li>Companies that open source something need to adopt a Code of Conduct
immediately and from the start. And preferably, if they can, companies
should sponsor and contribute to other projects that have Codes of Conduct
(preferably real ones, not the crap the Linux Kernel has adopted).</li>
<li>Companies that open source a project and then abandon it need to publicly
acclaim the people taking over the project and make a clear change in
ownership. Creating a third-party organization that includes everyone
actively involved in the project is the best plan and the one that will
allow those non-employee maintainers to manage their time and commitments
while being able to be recognized for their hard work, passion, and
dedication.</li>
<li>More communities need to adopt Codes of Conduct and be more mindful about
how their actions affect current participation of corporate and
non-corporate contributors while coloring the future reputation of the
project. Developers move on but first impressions do not. As new developers
cycle onto projects, they may be unaware of past events and may be
metaphorically shooting themselves in the feet.</li>
<li>Conversely, companies need to continuously strive to take the high ground
and continuously re-evaluate projects and their involvement (or lack
thereof) in the project.</li>
<li>Tons of things I can't think of at this very moment. Go read other articles
about this. There are tons.</li>
</ol>
</div>
<div class="section" id="concluding-some-things">
<h2>Concluding some things</h2>
<p>As with all of my posts on this web log, there is no comments section. If
you'd like to discuss this with me, I would encourage you to email me. (You
can find my address on my <a class="reference external" href="https://github.com/sigmavirus24">GitHub profile</a>.) If you would rather discuss this in a
briefer and more public fashion you can also discuss this with me on <a class="reference external" href="https://twitter.com/sigmavirus24">Twitter</a>. <strong>Keep in mind that I've been really
working on keeping a very serious work-life balance so my responses will
likely be delayed if they occur at all.</strong></p>
<p>I also fully reserve the right to take points from this post and write
follow-up posts in much greater detail. If you take the time to send me an
email or a tweet, I may also desire to use that as a discussion point in a
future post. Be prepared for my asking permission to quote you, even if doing
so anonymously.</p>
<hr class="docutils"/>
<p>I would like to extend specific and sincere gratitude to <a class="reference external" href="http://ceastapleton.com/">Cea Stapleton</a>, <a class="reference external" href="https://lukasa.co.uk/">Cory Benfield</a>, and
<a class="reference external" href="https://pault.ag/">Paul Tagliamonte</a> for their thoughtful, critical, and
crucial review and feedback while I wrote this piece.</p>
</div>