In the past few weeks an exceptional amount of (mainstream) media attention has been devoted to Open Source Software. The reason for this is a major vulnerability (or rather a family thereof) in Bash known as Shellshock, which was first publicly disclosed on September 24th. You may also remember another widely publicized open-source project issue from this year — the also dramatically named Heartbleed bug in OpenSSL from April.
Much has been talked about these issues, from ignorant reports stating that Bash itself is the actual bug to ad hominem attacks on various developers. I have nothing of value to contribute to these types discussions, so I'm going to focus on something else that I've been thinking about for a while now: taking open-source software for granted.
One of the most commonly used words to describe the most popular open-source software is "free". The allure of not having to pay for things is always strong and tends to resonate exceptionally well with the lower-investment crowd, such as kids, students, and hobbyists. After all, open-source operating systems, editors/IDEs, compilers, languages, libraries, frameworks, and all other sorts of tools have been accessible for quite a while now, and in the last decade and a half there's been an absolute explosion of them all, largely due to the immense increase of availability via the Internets.
For years many people have been conditioned to perceive these tools as cost-free. To them they've always been free to obtain and use, often well documented and community supported, and oftentimes even prescribed (by educators) or the only choice (lack of funds). I myself have taken many of these projects for granted for the longest time.
It's not until fairly recently that I've started realizing how much I've benefitted from other people's tireless efforts. As a web developer, the vast majority of code I've written has been served on Linux servers running Apache, nginx, PHP, Python, Ruby, Flask, Django, Sinatra, Rails, Jekyll, and a myriad of other packages, and that's just the serving side of things. There's also BIND for DNS, vim for on-server editing, tmux and Screen for terminal multiplexing, Firefox for many of my visitors…you get the point.
At some point in the last few years it dawned on me that I'd never contributed to any of these projects in any way except for perpetuating their popularity by using and recommending them. I'd never donated a penny to a single one, fixed a bug, or even reported one! A bit embarrassing, really.
At that point I realized I should try and be an actual participant in the open-source community, and then promptly did nothing about it. I submitted the smallest of pull requests recently, and that's still my entire score. Not impressive.
As I read about Shellshock (and patched Bash on my own machines), I ran into a very interesting piece by Andrew Auernheimer. Auernheimer's political views aside (he's a white nationalist), he has a good point about how much of the Internet — nay, the world — relies on projects like Bash, GNU/Linux, et al. The entire civilized world depends on computers, and nearly everything running on those computers is standing on the shoulders of giants. Failure is quite problematic, as the general public may now know a little better than before.
But what do we all do to help those who build the pillars upon which others build other pillars upon which we build our world? Hardly enough, really.
I don't expect non-technical people to start donating to open-source projects. It'd be nice, and said donations should generally be tax-deductible, but I won't hold my breath for it…even if so many use Firefox, for example.
I do, however, expect my fellow technical folks to take note. This includes developers, sysadmins, and everyone else working in the field who relies on these technologies. Between money, code, and whatever else we've all got, we can contribute quite a bit to the very tools that make our jobs awesome, or at least less terrible.
It's both altruistic and selfish.
And necessary.
Thanks for reading! You can keep up with my writing via the feed or newsletter, or you can get in touch via email or Mastodon.