Open Source, Unrequited Hope | Anant Shrivastava’s Blog

Most widely used open source licenses start with the same idea: “no guarantees, no obligations.” This is as clear as a legal text. Use if you wish, at your own risk. However, every time something breaks, the world turns around and blames the developer.

Somehow, a simple “no liability” clause becomes invisible in practice. We’ve built a culture that holds unpaid volunteers to the same standards as billion-dollar companies. If a small library behaves badly, the question that rarely arises is “why doesn’t the company test it?” It becomes “why hasn’t the maintainer fixed it yet?”

Every vulnerability makes headlines, every maintainer becomes a criminal, and every apology is demanded in triplicate.

Abuse of Accountability

Even when billion-dollar companies rely on voluntarily created tools, they often behave as if their maintainers owe them a service level agreement. When a weakness arises, too many organizations treat information disclosure like a hot potato. They called it back with a deadline and called it a liability.

Disclosure norms are built to pressure companies that have budgets, release teams, and legal protections. In many cases, they succeed. But the same process, applied to individuals, creates strange distortions. Volunteer does not have a QA department. They don’t have a security team. They don’t have managers who can change priorities because a PR crisis is happening.

Finding bugs and forcing deadlines without offering help is not responsible. It is arrogance disguised as process.

If you benefit, contribute. Money does help, but so do repairs, testing, triage, and just plain empathy.

This is also why I like it And Lorenc’s thread. This adds nuance. This is not always purely a “funding issue”. Sometimes the money is there, but it doesn’t flow to the right place, or comes without conditions.

The Myth of Free Labor

We repeat “open source is free” so often that we forget what “free” actually means. Being free to use it is not the same as being free of responsibility for how you use it. Nobody forces you to adopt someone’s code. No sales pitches, no NDAs, no onboarding calls where you get a false sense of security.

You choose it.

If it is damaged, you are still responsible for your own home.

And because humans like easy targets, we targeted the maintainers. This is simpler than admitting that entire corporate ecosystems depend on unchecked and unpaid work.

Somehow, “thank you for sharing” quietly became “you owe us your time.”

A good example of this tension appears in the reflections of Salvatore Sanfilippo, the creator of Redis. He left his company when his role became more focused on business than technology. His story captures an important truth: not all developers want to scale, monetize, or manage teams. There are those who want to build, learn, and share. That motivation flattens out when we treat every open source repo as a conduit to profit.

The Many Faces of Open Source

Open source is not a single identity. It’s a crowded room with very different people wearing the same label.

1. Job seekers: write to demonstrate competence and opportunities to obtain land.
2. Builder: share for joy, curiosity, and a desire to fool around.
3. Business: balancing openness with sustainability and a clear support model.
4. The Idealist: believes that software should belong to everyone.
5. The “I don’t care” hacker: publishing code because sharing is easier than keeping it private.

However, the world brings them together. When something breaks, no one pauses to ask who wrote the code. Job seekers do not register for audits. Hobbyist does not promise support. Idealists do not agree with SLA. Hackers do not intend to scale.

But responsibility falls on everyone equally.

Uniform Cost of Expectations

This is the reason why many developers quietly stop sharing.

Corporate users want stability.
The individual creator desires freedom.
Regulators want control.
Society wants trust.

Trying to satisfy them all with a set of expectations guarantees that no one wins.

Take a look at the Google Play ecosystem.

In the beginning, it was a wild market where anyone could upload an app. It’s chaotic, but also full of creativity.

Now, for security reasons, even developers who do not distribute through the Play Store may be required to carry out verification requirements to be in the same ecosystem. Companies that once welcomed every developer are now too busy managing their own scale.

I’m not against safety. I would argue that control grows faster than empathy. As systems evolve, they tend to protect themselves first.

Corporate Blind Spots

Take FFmpeg, the backbone of modern multimedia.

When vulnerabilities emerge, organizations that rely on those vulnerabilities often expect volunteers to fix them, even though the volunteers have no agreed-upon timelines. The organization doesn’t write the code. They found a weakness. But instead of contributing to improvements or funding immediate and ongoing maintenance, they instead set deadlines and demand compliance.

To be fair, some large companies fund open source security work. Google, for example, runs a Patch Rewards Program and an Open Source Security Rewards initiative. It was a real effort and helped.

But they also highlight uncomfortable patterns. We have normalized a world where the pursuit of deficiency is organized, incentivized, and celebrated, while repair and maintenance are treated as optional charities.

If the goal is truly to strengthen open source, another approach is direct ownership of the issue. Fork out critical components, patch them, maintain them, and upstream them wherever you can. Large organizations have done this when it was important enough, such as Blink (a fork of WebKit) and BoringSSL (a fork of OpenSSL).

Money alone is not the solution. Ownership and business are.

I argued something similar to this a decade ago Pentester Breeding.

Back then, the industry celebrated the people who broke things and ignored the people who built them.

Today, the pendulum swings even further. We glorify the offenders, then we burden the builders with the consequences. It feels like a circle that we never escape from.

Dead on Arrival, As Designed

A friend once said to me:

Treat open source as dead on arrival.

Write it down. Let go. Move.

If people use it, that’s good for them. If not, good for you.

When you start worrying about life after death, you lose your freedom.

That cynical wisdom makes more sense with each passing year. We condition ourselves to believe that open source should pay. Maybe you can, but only for those who want that path. Not everyone wants to run a company based on their repo.

Some people want to share and disappear.

Choice, Not Compliance

Maybe the answer is to formalize that choice.

If you want corporate adoption and corporate money, then choose the corporate route. Publish SBOM. Submit a reproducible release. Run updates like products. Put support behind the paid model.

If you don’t want that, choose the free path. No guarantees, no obligations, just pure sharing.

Let the company pay for the privilege of expecting something.

And honestly, donations aren’t just money. It can be money, code, time, documentation, testing, triage, and community management. If you don’t contribute anything, you can’t ask for anything.

You can definitely use the software. You just can’t act with rights.

Even if you have contributed, your expectations should still be lower than what you ask for from paid vendors. Open source is a generosity, not a service.

Ironically, by placing expectations on managers, we make them the weak point in the system.

Attackers no longer need to go after fortified companies. They went after unpaid volunteers whose code was running inside the company. By placing so much responsibility in the hands of individuals who have no safety net, we are turning open source developers into attack platforms.

Not because they did anything wrong, but because everyone passed the risk to them and called it collaboration.

If we truly care about security, we should start by protecting the people on whom we depend, not punishing them because they are human.

This tension is nothing new. OpenSSF’s statement on sustainable management says it clearly: open infrastructure is not free, and pretending that it is will only exacerbate fragility. The Software Maxims section, “Not Vendors,” makes the same argument from another perspective: open source authors are not vendors, and treating them as such is wrong and short-sighted.

Together, they point to one reality. The current system rewards intermediaries more reliably than it rewards creators.

The Range Paradox

Of course, freedom comes at a price.

Software that resists commercial support and enhancements is rarely widely adopted. Companies avoid licenses like the GPL because they demand reciprocity. Reach often comes from compromise.

You either give up freedom to gain visibility, or you give up efforts to achieve peace.

There are no wrong choices. The problem is pretending they are the same.

The famous XKCD #2347 comic about an unpaid maintainer looking after the modern world stopped being funny years ago. Now it’s documentation.

Maybe This Is the Balance

So maybe the way forward is not to “fix open source.” He accepts his duality.

Open source is chaos and order.
Generosity and exhaustion.
Freedom and frustration.

Perhaps the only sustainable model is honesty. Developers declare what they can provide, users respect those boundaries, and organizations stop shifting morality to volunteer time.

Freedom does not mean being free from consequences.
This means knowing what consequences you will receive.

Practical note

If you build open source for fun: Say what you can, say “no” early on, and write down your boundaries. Your repo is not a contract.

If you build open source to make money: Treat it like a product. Offer clear paid support, clear release practices, and clear expectations, then let the free tier remain truly free.

If you are an organization: Take responsibility by default. Fund maintainers, contribute code and tests, or manage your own fork. Don’t shift operational risks to unpaid goodwill.