
politelemon
> This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more.

This is an understated but brilliant framing. Oh, I know they won't contribute; users will continue to apply pressure through issue threads saying that their clueless security teams are breathing down their necks. But at least you'd hope this gives pause.

The linked issue is worth a read; it's a shame the burden that corporate leeches like Apple and Google have placed on him. To them this project is simply free labour they have assumed they are entitled to, and by extension it is subject to their individual security theatrics.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913


jsnell
I'd note that the only thing Apple, Google and MS are said to have done is to use the software.

The bug has no actual example of them making demands, "leeching" or acting entitled.

The security issues would be security issues just the same even if the library was only used by Linux desktops. (And if the library is unfit for use in other operating systems like the author suggests, feels like it probably is equally unfit for use in Gnome.)

polotics
It's high-time for a "reasonable compensation" clause in hobbyists' open-source software licenses I think. Something to the effect of: "if you're using my labour of love to make millions, gimme one of these millions..."
ThrowawayR2
Yes, it's called "becoming proprietary software" because what are you going to do to get that oh so reasonable compensation? Create your own billing department and manage tax payments on your revenue? Hire a legal team to create and enforce your license? Sic the BSA (apparently they still exist after all these years!) to threaten to audit organizations who aren't paying? Fend off lawsuits from users, competitors, and patent trolls? (Once you start collecting money, other people inevitably want a piece of it.)
watwut
You can make such a license, there is no issue with that. You just can't call it "MIT License" after that.
That probably wouldn't meet the Open Source Definition.

https://opensourcedefinition.org/

abracadaniel
I’d also like to see a license which prohibits any for-profit use. A don’t charge others for something you got for free license.
There are lots of those, CC-NC to start with.
illiac786
The compensation should be in code not in money…
altairprime
Uncompensated use for unshared reward is, by definition, leeching. The BBS use of the term referred to leeching in the context of your upload/download ratio, the torrent use in the context of your seeded/downloaded ratio.

ratio = (contributions - demands) : earnings

If you contribute nothing, demand nothing, and earn nothing, carry on. “Nothing” is loosely defined as “near enough to zero in the context of a specific project”.

If you contribute nothing, demand nothing, and earn (DL) a million dollars using it somehow, you’re a leecher. Your U/D ratio is 0.0. That should be an uncomfortable realization. One way to cope with that is to raise your ratio to 0.1. If you make a million dollars of revenue using libcurl, how much are you allocating to donate back?

If you contribute nothing and demand security fixes, then you’re not a leecher — you’re a parasite, because your demands exceed your contributions; your sign bit is still negative even if your ratio is 0.0 or NaN. It has been zero days since this workplace had a maintainer injury due to parasitic behavior.

Leechers are demoralizing when the revenue earned would let the author quit their day job to do more fun work instead. Parasites leave a trail of damaged and dead projects in their wake. libxml2’s maintainer made a policy change that cuts off the food supply for parasites; good. They’ll still burnout someday due to the untreated morale damage being done by the billionaire leechers, though.

If an author accepts contributions and you feel like a leecher, do something about it. If they do not accept contributions (including money) or if the accepted contributions are incompatible (their code is in COBOL and you only know Rust, they only offer “donate bitcoin”, you’re a broke student funding school with your project), then maybe write them a thank-you letter, and revisit this if your or their circumstances change someday.

As a former open source maintainer, I don’t mind it when people leech. That’s chill. Go for it. I don’t have a tip jar because I don’t expect a tip. But I mind when people DL a million dollars of revenue using my work and have a UL:DL ratio of 0.0 with me.

Corporations formally do not care whether users are hobbyists, leechers, or parasites. Maintainers do. The OSI continues to reject as Open Source any licenses attempting to stop the morale impact of millionaire leechers and the time and effort drained by parasites.

Which is more important to the future of open source: the right to be a leecher or a parasite, or the maintainers that they feed upon?

jsnell
> If you contribute nothing and demand security fixes, then you’re not a leecher — you’re a parasite, because your demands exceed your contributions;

There's the "demand" word again. Who is that demanded something from the maintainer, and where? I saw no indication in the original bug of any demands from big tech companies.

(Just the act of reporting a security issue is not a demand. A verifiable bug is a bug whether it was reported or not, and reporting one is a contribution.)

When the demand part of your torrent-inspired equation is zero, how is it leeching? It's just zero, no matter what the earnings are.

hypothesis
jsnell
That doesn't look like Google, Apple or Microsoft though? It's some random guy.
altairprime
On the spectrum of grey areas from “request” to “demand”, we not only have to evaluate the literal words typed but also the context and expectations of open source. As the libxml2 maintainer indicates, they are no longer willing to participate in security bug secrecy and priority. In hindsight, those expectations that most take for granted as necessary must have demanded considerable time and energy from them. They could have said no at any time, but not as easily as turning down a feature request. For asocial-leaning maintainers (hi!) saying no to security processes is no more difficult than refusing any other request — but for the vast majority of maintainers, it will take an effort of courage and will to refuse the ‘demands’ — the social pressures, the contexts and expectations — of security’s best practices, reporting processes, and priority overrides. (Elsethread, the individual making demands in an issue is also a case of ‘demand’ rather than ‘request’, that isn’t much in the in-between grey area at all.)

Psychologically, it hits different when a leecher (someone whose uploads are not greater than some minimum threshold) begins demanding something; what they receive then is not just a free copy of the maintainer’s work to profit from, but also the specialized work of the maintainer to satisfy or reject their request. The cumulative impact of dealing with parasites is distinct from the demotivating effect of profitable leechers who silently download their work and never say anything at all (and also from the motivating effect of seeing millions of people benefiting from leeching; adoption is often a significant reward). Torrenting has no language for this difference, as in torrenting there is no such problem; so I did some research and chose ‘parasite’ here. I recognize that, scientifically, the animal ‘leech’ tends to be viewed as ‘parasitic’; but there’s a clear difference in connotations, as a torrent leecher is not viewed with (and does not view themselves with) the same disgust and loathing as parasites are.

jsnell
> begins demanding something

Yes, those alleged demands by "leechers" are exactly what I've been asking about. From the lack of specifics, it is starting to be pretty obvious that they do not actually exist.

I'm not saying that the maintainer did anything wrong. They don't have to give anyone the time of day, and everyone should be happier now that expectations have been set appropriately.

But why can't we just accept that it is a choice he has the right to make? Why do we need to fabricate villains by making up stories about demands, entitlement, and billions in profit?

prymitive
I think a lot of people, when they see an open source project that somehow fits into their current challenges, read it as the person releasing the project saying “I alone now own this entire problem space”, and so that GitHub repo is now just an extension of your Jira board.
