Open Source

All things open source.

iliana etaoin iliana.fyi

There is no “software supply chain”

iliana etaoin:

There is a lot of attention on securing “software supply chains.” The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down…

I think we all know this intrinsically, but it’s easy to forget. iliana goes on to describe feelings I’ve heard expressed by a few maintainers recently:

I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is “done”. The focus on securing the “software supply chain” has made it even more likely that releasing software for others to use will just mean more work for me that I don’t benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Nitasha Tiku washingtonpost.com

Signal hired one of Big Tech’s sharpest critics and wants your donations

Nitasha Tiku writes on The Washington Post:

The only way to escape technology that makes money off your data is by paying for products that don’t, Whittaker says. An alternative to data collection only exists if the community of people who rely on it “kick in a little bit,” she said.

Signal is one of the few successful tech products, like the Firefox browser, led by vociferous critics of Big Tech. The app offers end-to-end encryption on group text, voice and video chat, does not collect or store sensitive information and does not store backups of your data on its servers — a viable alternative to relentless data gathering at the center of tech industry critiques.

In the world of messaging (today), you have behemoths like WhatsApp and iMessage, and they are “backed by some of the richest companies in the world.” And then there’s Signal. It’s run by a nonprofit and pretty much operates as the exact opposite: it is committed to end-to-end encryption and does not collect or store sensitive information, nor backups of user data.

This post from Nitasha Tiku on The Washington Post gives a detailed backstory on Meredith Whittaker, former Google manager, and her arrival at Signal as President (and board member since 2020), as well as why Signal “hopes to support itself with small donations from millions of users.”

GitLab dissociatedpress.net

GitLab’s the latest punching bag for entitled users

This post reacting to other people’s reaction to GitLab’s recent free tier changes starts kinda rant-y:

Lots of users expect to get things for free, forever, from for-profit companies that don’t answer to them. Those users contribute almost nothing to the bottom line for the for-profit companies, and actively drive up costs for them. Yet, somehow, with no skin in the game, they feel entitled to complain and badmouth the companies because they’re not getting as much value for their monthly contribution of nothing at all.

But it ends with a pretty strong call to build things for ourselves:

Create a business case, get the funding, stand up the infrastructure, and pay people to work on it rather than expecting for-profit companies to prioritize (what you see as) the public good over profit. Whether that’s how things should be or not, it is how they are and that isn’t going to change as long as the only movement in the direction of change is people hectoring for-profit companies to do better.

Daniel Stenberg un.curl.dev

Everything I know and learned about running and maintaining open source projects for three decades

Curl creator/maintainer Daniel Stenberg is writing a book. It’s (aptly) named Uncurled.

Because of my background and life with Open Source and probably a lot because of the relative success some of my projects have had, I frequently get questions about subjects related to maintaining Open Source. How to run a project and what makes them succeed? For a long time I have been collecting lessons from my life with Open Source into a list of advice for fellow Open Source library hackers. This document is my attempt to convert those thoughts and experiences into words.

I don’t believe it’s finished, but there’s a lot here already! I’m excited for this, and while it’s a free-to-read GitBook right now, I hope it ends up with some kind of physical manifestation.

Engineering at Meta

Meta is transferring Jest to the OpenJS Foundation

Good for them (and us)! But what does that mean in practice?

Over the next few months, we’ll be completing the OpenJS Foundation’s incubation program checklist, including transferring the Jest domain, repo, website, and other assets to OpenJS. We’ll also be updating the code of conduct and contributor license agreement.

Additionally, as part of this move, we will be publishing a project charter and creating new governance policies that will document the process for gaining commit access, as well as our leadership selection process.

Next up: React?! A guy can dream…

Open Source supabase.com

Should I open source my company?

Supabase CTO Ant Wilson walks through the pros & cons of open sourcing your startup and why he believes the answer to the question in the headline is (probably) “yes”.

Open-sourcing Supabase ended up surprising us in many ways. Many people imagine that maintaining your business in public might be burdensome - but the opposite is true. There are many unexpected upsides that have made building Supabase - the product and the company - easier.

While some of this advice comes from our lens as a Dev Tools or PaaS company, most of it will apply to any software company.

Max Howell Medium

Something new is brewing

Max Howell, creator of Homebrew, has gone back to his notes on brew2 to apply web3 concepts to help “distribute value to open source.” He’s calling this new brew tea.

Tools like Homebrew lie beneath all development tools, assisting developers to actually get development done. We know the graph of all open source, which means we’re uniquely placed to innovate in interesting and exciting ways. This is exactly what tea will do. We’re taking our knowledge of how to make development more efficient and throwing innovations nobody has ever really considered before.

With plans to move the package registry on-chain, Max lays out the numerous benefits he attributes to the “inherent benefits of blockchain technology”:

  • Packages will be immutable (no more left-pad incidents)
  • Packages will always be available (we’ll use decentralized storage)
  • Releases will be signed by the maintainers themselves (rather than a middleman you are told you can trust)
  • Tools can be built to fundamentally verify the integrity of your app’s open source constitution
  • Token can flow through the graph

Max says “token flowing is where things get really interesting,” and goes on to say “with our system people who care about the health of the open source ecosystem buy some token and stake it.”

(Thanks to Omri Gabay for sharing this first in our community Slack)

Open Source vermaden.wordpress.com

ZFS compatibility

ZFS has become very portable in recent years of its development, supporting six (6) operating systems: FreeBSD, Illumos, Linux, MacOS, NetBSD, and Windows. But what if you wanted to create a ZPool compatible with all of them? Which options and ZFS features should you choose?

If you haven’t yet, check out The Changelog #475 where I talk with Matt Ahrens (co-founder of the ZFS project) about making the ZFS file system.

Bhupesh Varshney buttondown.email

One secret tip for first-time OSS contributors 🤫

Bhupesh Varshney:

A lot of folks looking for how to get started on open source are given very generic advice on how to approach their first contribution. In this newsletter issue I share one specific actionable item.

His secret tip? Solve static analyzer issues. There, I saved you a click. Unless you’re not sure what he means by that or want his advice on how to actually get that done…

Simon Willison simonwillison.net

Support open source that you use by paying the maintainers to talk to your team

I love this idea by Simon Willison:

I think I’ve come up with a novel hack for the challenge of getting your company to financially support the open source projects that it uses: reach out to the maintainers and offer them generous speaking fees for remote talks to your engineering team.

It won’t work for every person and situation, but we should add it to our arsenal of ways to return economic value back to the maintainers of our open source infrastructure.

Awesome Lists github.com

Open source startup alternatives to well-known SaaS products

The criteria for inclusion are as follows:

  1. Its product is strongly based on an open source repo
  2. It has a well-known closed-sourced competitor, solving a similar business problem
  3. It is a private for-profit company, founded in the last 10 years
  4. Its repo has 100+ stars on GitHub

I’m seeing lots of Changelog guests & friends in this awesome list. 😎

Daniel Stenberg daniel.haxx.se

Enforcing the pyramid of open source

Daniel Stenberg lays out how he thinks we can view the world of software and open source in light of supply chain security, maintainer sustainability, and the like:

Inside the pyramid there is a hierarchy where things using software are built on top of others, in layers. The higher up you go, the more you stand on the shoulders of open source components below you.

At the very bottom of the pyramid are the foundational components. Operating systems and libraries. The stuff virtually everything runs or depends upon. The components you really don’t want to have serious security vulnerabilities.

JavaScript fakerjs.dev

Faker.js is now a community maintained project

Eight people have stepped up to take over maintenance of the suddenly abandoned JS library that generates fake data. These transitions are tricky to make smoothly. Props to the new team on being very careful and thoughtful each step along the way, especially when it comes to funding the project. Here’s a nice note from the new team:

We’re excited to give new life to this idea and project.

This project can have a fresh start and it will become even cooler.

We felt we needed to do a public announcement because of all of the attention the project received in the media and from the community.

We believe that we have acted in the way that is best for the community.

YouTube

What really happened to Faker.js?

Fireship with a brief (3:48) rundown of the most recent instance of a popular open source library maintainer removing their code from public repositories in response to corporate (ab)use of their free labor:

Yesterday, a popular open-source package, Faker.js, was abruptly taken down from GitHub. Its readme simply said “What really happened to Aaron Swartz?”. Let’s take a look at why Open Source Software can be a bad deal for many independent developers.

Kailash Nadh nadh.in

"Open source" is not broken

A rebuttal by Kailash Nadh to the aforelinked post.

large for-profit corporations started their widespread consumption of FOSS, ever since countless “unicorns” raised infinite amounts of funding on valuations built pretty much entirely on FOSS, ever since FOSS got co-opted into corporatisation and capitalisation. And yet, countless maintainers of critical and widely used FOSS struggle to make a living.

Whose fault is this? I do not believe that this is FOSS’ fault as a conceptual framework or a system. If FOSS was broken, the internet as we know it today wouldn’t exist; the countless marvels of technology that we take for granted and techno-economies that thrive on them wouldn’t exist; millions of software developers (like me) who learnt to write code with FOSS and learnt to make a living with that knowledge wouldn’t exist.

Xe christine.website

"Open source" is broken

The post-log4j-zero-day thinkpieces started rolling in over the weekend. I’m happy about that. We need to discuss this stuff. Here’s Christine Dodrill’s TL;DR:

If you want me to make you useful software, pay me. If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. This should not be a new thing. This should already be the state of the world and it is amazingly horrible for us to have the people that make the things that make our software work at all starve and beg for donations.

The entire article is worth considering.

Chris Manson chris.manson.ie

It's all gravy

This is a short post by long-time open source maintainer Chris Manson about commitment to tasks in the open source world and how life always takes priority over dev.

We always need to keep in mind that most open source contributions are given from people that are opting to give up their spare time (usually for free) and the level of expectation can never come anywhere close to the sort of relationship that an employer might have with an employee or contractor.

Pairs well with Every commit is a gift. 🍷

The New Stack

How to find a mentor and get started in open source

The New Stack’s Jennifer Riggins covering Kubecon+CloudNativeCon 2021:

The Cloud Native Computing Foundation has more than 138,000 contributors making over 7 million contributions to more than 100 open source projects. It’s reasonable that getting started in open source would feel overwhelming — to say the least. So how do you get started as a contributor to cloud native projects? How do you find a mentor or guide to help you along?

She draws many solid takeaways from a panel that discussed this exact topic at the event. This quote from Grafana’s Uchechukwu Obasi is spectacular:

“I think open source really changed my life,” Obasi said. “I’m African, I live in Africa, but having the opportunity to work on software that impacts millions of lives, it’s an opportunity that I never take for granted. If open source can change my life, it can change yours too.”

Nix blog.replit.com

Betting on Nix

Replit is donating $25k to the NixOS Foundation. Here’s why:

Replit has a history of betting on nascent technologies. The first version of Replit used WebAssembly long before WebAssembly found widespread adoption. We’re betting that the Nix project will improve performance across the board, sidestep a whole slew of bugs for our community, and let any Replit user build and publish programming environments.

For a primer convo on Nix, (re)visit our conversation with Domen Kozar on The Changelog.

Python lukasz.langa.pl

Where does all the effort go? Looking at Python core developer activity

Łukasz Langa was tasked by the PSF to look at the state of CPython as an active software development project.

What are people working on? Which standard libraries require most work? Who are the active experts behind which libraries? Those were just some of the questions asked by the Foundation. In this post I’m looking into our Git repository history and our Github PR data to find answers.

Follow along as Łukasz explains how they gathered the data, analyzed it, and got answers to the questions above.