I ask this because I think of the recent switch of Ubuntu to the Rust recode of the GNU core utils, which use an MIT license. There are many Rust recodes of GPL software that re-license it as a pushover MIT or Apache licenses. I worry these relicensing efforts this will significantly harm the FOSS ecosystem. Is this reason to start worrying or is it not that bad?
IMO, if the FOSS world makes something public, with extensive liberties, then the only thing that should be asked in return is that people preserve these liberties, like the GPL successfully enforces. These pushover licenses preserve nothing.
Code complete is arguably a myth when talking about security. You need to update when vulnerabilities are found at minimum. Sometimes, the changing software environment changes and so the software has to start adding features again or get replaced. Rarely old features are the vulnerability, and have to be removed.
What does security have to do with open-source projects succumbing to “corporate takeover”, which isn’t even possible?
If the code is of such a restrictive license that you aren’t able to fork and re-release it with changes, then it isn’t open-source to begin with.
To your last point about removing “old features”, this is done all the time, and this is why things use semantic versioning. Nobody wants to be forced to maintain old code into perpetuity when they can just drop large portions of it, and then just release new versions with deprecated backends when needed
Sorry, I didn’t explain what I was talking about.
The problem is that in the modern software environment there’s a constant need for updating and patching, and if a proprietary fork provides those updates and a free original can’t keep up for whatever reason, the proprietary fork (that could have contributed otherwise) gains inertia until the free original dies. This is admittedly harder to pull off in a mature and well maintained free software ecosystem, but I think you’d be surprised how many important free software projects lack needed manpower. It doesn’t help that MIT practically encourages people not to publish code, compared to GPL.
People make out forking like it’s a big protection against proprietisation, and it is, but it’s not foolproof. Good forks are usually founded by community members that already understand and contribute to the code, most forks actually die quickly. The fewer contributors relative to the project’s size and complexity, the more realistic it is to either be overtaken by a more competitive proprietary fork, or for the maintainers to sell out and relicense without anybody to fork it.
Realistically, I don’t know how likely this would happen to anything decently important, but it has happened at least a few times. I remember using Paint .NET while it was still MIT licensed years back, but nobody forked it. Since we’re on Lemmy, Reddit used to use a Free software license.
There’s a few different things getting wrapped in here together, so let me break down my take:
Licensing - if you intend to only use FOSS software, it wouldn’t matter if a corporate/proprietary version of something exists or not. If you intend to release something and make it free, you would need to include only license-compatible libraries. I don’t see why Microsoft having a proprietary version of something that is better would be a problem, because that’s not the focus of your goal of releasing something for free. Similarly if you start a company and bootstrap a product off of open libraries, you will steer towards projects that are license-compatible. Whether there is a better version is irrelevant.
Scope of license - Your comments seem to focus on larger product-complete projects. You mentioned Paint.net as an example. So say Adobe forks GIMP, and drops a bunch of proprietary Photoshop libraries into it to make it beefier or whatever. Similar to the above, people who intend to only use FOSS software still wouldn’t adopt it.
Death by license - there have been some cases where FOSS project maintainers get picked up by corporate sponsors and sort of “acquired”. This is on the maintainers to make that choice of course, not the community, and contributing members of that community have every right to be pissed about that. Those contributing members also have the right to immediately fork that project, and release their own as a competitive product. Redis vs Valkey, and Terraform vs OpenTofu, are examples. Some people flock away, some people don’t, but in most cases ts a guaranteed way to turn the community against you, and towards a fork of said project. Happens a lot.
I think what you’re not seeing here is that these companies buying out projects really don’t intend to put a lot of money back into them after they get their bags of money. Whether or not people continue to use the originals is less important than the forks being available and supported. If companies believe in the project, they kick in PRs to keep things rolling along because they need that particular part of their stack. I myself am a maintainer in multiple public projects, and also work with companies that contributed to dozens of different public projects because the products they make revolve around them: everything from ffmpeg, to the torch ecosystem. You find a bug you can fix, you submit a PR. That’s what keeps this ecosystem going.
Smaller scale startups to mid-sized companies contribute all the time to public projects, though it may not be apparent. Larger corporations do as well, but it’s more of legal thing than an obligation to the community. Rewriting entire batches of libraries isn’t feasible for these larger companies unless there is a monetary reward on the backend, because paying dev teams millions of dollars to rewrite something like, I don’t know, memcache doesn’t make sense unless they can sell it, and keeping an internal fork of an open project downstream is a huge mess that no engineer wants to be saddled with.
Once a public project or library is adopted, it’s very unlikely to be taken over by corporate interests, and it’s been that way for almost fifty years now (if we’re going back to Bell and Xerox Labs). Don’t see that changing anytime soon based on the above, and being in the space and seeing it all work in action. Though there are scant cases, there’s no trend of this becoming more prevalent at the moment. The biggest threat I see to this model is the dumbing down of engineers by “AI” and loss of will and independent thought to keep producing new and novel code out in the world.
I suppose you’re right that copyleft is not the primary motivator for contributions.
I’m aware that forks happen often when a takeover is attempted. There are many big success stories in FOSS. However, my point was that most FOSS software isn’t that successful. There are plenty of projects out there with very few contributors, and it is those I’m saying are easy for taking over. Perhaps they get taken over because most of the community doesn’t care, but it still happens from time to time. I originally commented because you seemed to make out that proprietisation was impossible.
I get your point that it’s incredibly unlikely for anything that matters however.
Edit: I think I misremembered an example I gave of a successful fork after an attempted takeover, but it was something Oracle.
Just based on experience in the community and professional experience, I can solidly say that your take on FOSS not being successful is just wrong, and I don’t mean that like you’re stupid or I’m shooting you down, you just wouldn’t realize how huge contributions are unless you know where to look.
Here’s a big example: look how many companies hire for engineers writing Python, Ruby, Rust, Go, Node…whatever. ALL OPEN SOURCE LANGUAGES. You bootstrap a project in any of these, and you’re already looped into the FOSS community. 100% of the companies I have personally worked with and for write everything based on FOSS software, and I can tell you hands down as a fact: never met a single person writing in any closed source IDEs or languages, because very few exist.
If you want to see where all the community stuff happens, find any project on GitHub and look at the “Issues” section for closed tickets with PRs attached. You’ll see just how many people write quick little fixes to nags or bugs, not just on their own behalf, but on behalf of the companies paying them. That’s sort of the beauty of the FOSS community in general in that if you want to build on community projects, you’ll be giving back in one form another simply because, as my last comment said, NOBODY wants to maintain a private fork. Submodules exist for a reason, and even then people don’t want to mess with that, they’d rather just commit fixes and give back. Companies are paying engineers for their time, and engineers committing PR fixes is defacto those companies putting back into the community.
To your Oracle point, I think the biggest thing there you may have been Java. That one is tricky. Java existed long before it was ever open sources by Sun Microsystems, and was available for everyone sometime in the early '00s (not bothering to look that up). Even though it was created by an engineer at Sun, it was always out there and available for use, it just wasn’t “officially” licensed as Open Source for contributions until some time. Sun still technically owned the trademarks and all of that though, and Oracle acquired them at some point, bringing the trademarks under their ownership. There wete a number of immediate forks, but I think the OpenJDK crew was further out in front and sort of won that battle. To this day I don’t know a single Java project using Oracle’s official SDK and tools for that language aside from Oracle devs, which is a pretty small community in comparison, but you’re right in that was essentially a corporate takeover of a FOSS project. How successful it was in bringing people to bear that engagement I think is up for discussion, but I’m sure the community would rightly say “Fuck, Oracle” and not engage with their tooling.
I suppose it’s true that neither would have been called feature complete by its authors, proprietisation is much more likely when there is still a lot missing. But I would still caution against thinking that having all the features you need means you’re immune to it.