This is better than not having the code at all; however, it gives a false sense of security.
First of all, you should be compiling your own binary from the sources, otherwise you are blindly trusting that those binaries you download are built from the original source code, which may not be the case.
Second, open source security relies on enough eyeballs reading the code independently and spotting the security holes or anything malicious, but you can't know how many people actually did. Some software isn't popular enough; some other software contains millions of lines of code.
The same process would have to happen for each patch and software update.
The same thing happens with closed source projects, however. Less popular software will have a smaller staff and is more likely to contain errors and security holes, especially if it's a one-man project. More popular software will have more staff working on it, but if the software is big and complex, most people working on the project have never read the entire code and there are more lines of code that may contain issues.
Software is a giant mess
Of course, you can make money using open source software to provide solutions for your clients. If you run a SaaS you most likely built it on open source software, and ironically, exert even more control over your customers.
But what if you simply want to sell your open source product to customers so they can run it themselves? It's a dream for many developers but impossible to achieve. There are some success stories, but they are always the exception not the norm. And they often require selling closed-source extensions that are the bits of the business that actually bring in revenue (think GitLab).
And no, you can't sustain your livelihood by selling support if you are a solo developer. Besides, the idea of selling support for open source products is, to most developers, the most unappealing option possible. (Charging for documentation is even worse.)
The GNU Project (supported by the Free Software Foundation) still "encourage people who redistribute free software to charge as much as they wish or can" [1]. This advice might have made sense in a time of software CDs and dial-up internet, but makes no sense in an era of broadband and GitHub.
As a matter of fact, one of the guys in that Twitter thread, Olivier Tassinari, a team member for the Material UI React component kit, acted like he was some kind of royalty when he compared his GitHub contribution history with mine after a disagreement about putting ads in NPM logs.
I can't stand arrogant, entitled assholes like that, especially when I'm supporting everybody by regularly donating money to much, much larger open source projects that everybody uses.
"Well, if not contributions, at least it will help with your career, with consulting work or job offers."
[1] Yes, even slapping the BSD license and doing nothing is effort. And odds are good you'll not get anything out of it.
(Some will. Most who are express it correctly by never contacting you.)
The reality is popularity and budget are more relevant than licensing in that regard.
Say you pay 1M EUR to Microsoft for their suite, 10k users.
You get an asset manager and an IAM (AD), database, web server, OS, user desktop, Word, Excel, ...
All of this integrated.
On the other hand you have all the pieces separately, maintained or not, and they do not talk to each other.
You saved 1M EUR, which will give you a team of 5 or 7 people who are supposed to maintain and integrate these pieces (the part of work MS does, not the administration you need anyway on top).
It may work or not, but this is far from a given.
If I had to start the IT of a company today I would go for full SaaS for services, Win10 on desktop, and O365.
(just in case and to avoid misconceptions: I like my Win10 desktop much more than a Linux one (tried to switch multiple times in 20 years), run all my home services on Linux and develop open source)
Someone is paying the price for open source software. Employers, employers being stolen from, individuals using their spare time, individuals who have been given/made a lot of money or the state.
I worry for younger people who have an over romanticised view of open source and would ask that they consider how their open source heroes created their software. Were they supported by academia, employment or the state? Make sure you can pay the bills before you think you are ARPANET or Linus Torvalds. Make sure the 100/0s of hours invested were a good use of your time.
The more the better. - The contrary is true. The bus factor is only relevant to closed source. Design by committee works nowhere. Not in the arts, not in engineering.
The project is not maintained anymore, the latest issue or commit was years ago. - This defines stability. No problems, no changes needed.
That is the biggest lie I see. It falsely equates a project's security with its popularity. This is the primary adoption consideration for most JavaScript projects.