This article is more than 1 year old
Core-JS chief complains open source is broken, no one will pay for it
Being in Russia and going to jail might have something to do with it, tho
Denis Pushkarev, maintainer of the core-js library used by millions of websites, says he's ready to give up open source development because so few people pay for the software upon which they depend.
"Free open source software is fundamentally broken," he wrote in a note on the core-js repository. "I could stop working on this silently, but I want to give open source one last chance."
The issue of who pays for open source software, often created or managed by unpaid volunteers, continues to be a source of friction and discontent in the coding community.
Feross Aboukhadijeh, an open source developer and CEO of security biz Socket, had a lot to say on the subject in an email to The Register:
Maintainers are the unsung heroes of the software world, pouring their hearts into creating vast amounts of value that often goes unappreciated. These unsung heroes perform critical work that enables all of modern technology to function – this is not an exaggeration. These tireless individuals dedicate themselves to writing new features, fixing bugs, answering user inquiries, improving documentation, and developing innovative new software, yet they receive almost no recognition for their efforts.
It is imperative for the commercial industry and open source community to come together and find a way to acknowledge and reward maintainers for their invaluable contributions. As long as significant personal sacrifice is a prerequisite for open source participation, we'll continue to exclude a lot of smart and talented folks. This isn't good for anyone.
Maintainers of packages that are not installed directly, such as core-js, which often comes along for the ride when installing other packages, have it especially hard. Reliable, error-free transitive dependencies are invisible. Therefore, the maintainers are invisible, too. Perversely, the better these maintainers do their job, the more invisible they are. No one ever visits a GitHub repository for a transitive dependency that works perfectly – there's no reason to do so. But a developer investigating an error stack trace might visit the repository if for no other reason than to file an issue. This is the exact problem that the core-js maintainer faced.
For the large companies that get more from the free labor in open source code than they pay out in donations – if indeed they pay out – the status quo looks like a pretty good deal.
For individual developers, however, code creation and maintenance without compensation has a cost – measurable not just in financial terms, but also in social and political capital.
There are various reasons for this. One is that Pushkarev is in Russia, which since the illegal invasion of Ukraine has been subject to broad financial sanctions. It also didn't help that he served about ten months in prison in 2020 for colliding with two pedestrians on his motorcycle, killing one of them.
And his circumstances are different now. "When I started working on core-js, I was alone," he wrote. "Now I have a family. [Just] over a year ago, I became [the] father of [a] son. Now I have to provide him with a decent standard of living."
- What happens when the maintainer of a JS library downloaded 26m times a week goes to prison for killing someone with a motorbike? Core-js just found out
- Warning over Java libraries and deserialization security weaknesses
- The great big open-source census: Most-used libraries revealed – plus 10 things developers should be doing to keep their code secure
- GitHub drops Atom bomb: Open-source text editor mothballed by end of year
Pushkarev acknowledges that he has received a lot of hate – and not just social media hostility about code style.
"Today, one developer wrote to me a message," he wrote. "He called me a parasite on the body of the developer community that makes a lot of money spamming and doing nothing useful.
"He called me the same murderer as Hans Reiser, but who bought the judge and went unpunished. He wished death on me and all my relatives. And there is nothing unusual here, I get several such messages a month. In the last year, this has been added that I am a 'Russian fascist'."
But he also has received a lot of support from people in the open source community who recognize that code sustainability is still a problem and confine their consideration to financial matters. (Or who simply support fellow Russians).
Pushkarev would prefer to focus on the economics of open source rather than the politics of his situation and of the country in which he resides. "Open source should be out of politics," he said, adding that he does not want to delve into these issues in detail as there are people on both sides of the border between Russia and Ukraine who might suffer as a result.
"I returned to Russia because it was a place where it was possible to have a decent standard of living for relatively small money and concentrate on FOSS instead of making money," he wrote. "Now I cannot leave Russia, because after the accident I have outstanding lawsuits in the amount of tens of thousands of dollars and I am forbidden to leave the country until they are paid off."
Such sentiment does not sit well with Victor Shepelev – known as @zverok on Twitter and GitHub – a Ruby developer and software architect who resides in Kharkiv, Ukraine.
"For me, whatever (probably meaningful) discussion can be made around problems of open source sustainability, getting paid etc., is critically overshadowed by the 'Some words about war' section, and since it is there, I have no desire to comment on the rest of the issue," said Shepelev in an email to The Register.
"'Open source should be out of politics' (and in general 'Culture should be out of politics' – as software development as a part of human culture) is a nice truism to utter in peaceful and democratic society, like 'I have different opinion on taxation and voting system nuances than you, but this doesn't prohibit us from working together on interesting problems!'"
"In the time of genocide, being pronounced by the citizen of the country performing genocide, it is irresponsible to the level of disgust. The army of Denis's country kills my friends and ruins my country, and, according to some, no good and peaceful person in Russia has any role in it because it is all 'politics,' which they stand out of (lazily commenting on 'two kinds of evil' between perpetrator and victim of the genocide, when being asked). Good for them."
"This is as much as I can comment on [Pushkarev's post]."
Open source does appear to be broken, but in truth it was never whole or fair. Its problems were just more manageable in peaceful times. ®