
sensibilisation - [SENSIBILISATION] Addition of deconstruction ideas

Purpose: Discussion list for the sensibilisation group (public subscription list)


[SENSIBILISATION] Addition of deconstruction ideas


  • From: Françoise CONIL <francoise.conil AT insa-lyon.fr>
  • To: sensibilisation AT april.org
  • Subject: [SENSIBILISATION] Ajout d'idées de déconstructions
  • Date: Mon, 2 Dec 2024 15:45:31 +0100

Hello,

Following this morning's meeting, I have taken a few deconstruction ideas from the list I had collected:

    https://pad.april.org/p/deconstruction

Freely

--
Françoise CONIL
* Most projects have more than one maintainer  
* Most projects are part of a large foundation like Eclipse or Linux Foundation  
* There are many options for libraries and you can swap them out if needed  
* Open source is more secure than closed source  
* Open source is less secure than closed source  
* Most projects have funding driving the development  
* If I use open source in my product, I have to open source the whole product  
* If the source code is available, it’s open source  
* There are a few thousand open source projects  
* A project with no commits for 12 months is abandoned  
* The project is simple to upgrade  
* The project is impossible to upgrade  
* Companies give back to the open source projects that make their businesses viable  
* Contributing your free time to open source will help you get a job with the companies who rely on your software  
* Open source is free  
* If the project stops being supported and maintained it will just stop working.  
* There is no support for open source projects.  
* There is no way to ensure the security of an open source project.  
* Open source projects perform more poorly than their closed source competitors.  
* Open source projects cost more in "soft costs" than paying for licensing.  
* Open source changes too quickly for us to use.  
* Open source changes too slowly and is behind the curve.  
* Many eyes make all bugs shallow  
* All open source developers live in Nebraska  
* you can do whatever you want with open source.  
* Everybody can look at the source code and find backdoors. (ok, everybody could look, but who ever did?)  
* It’s easy to sustain yourself as an open source maintainer by providing consulting services or support  
* people will read your source code without being paid to  
* (a) if a thing sounds true for 3 of the first 5 open source projects you can think of, it generalizes to most open source projects. (This might be a metamyth that underlies most others. Or maybe not.)  
* (b) open source has worse UX  
* (c) open source has better UX  
* there’s not a spam problem in OSS  
* It’s all run by hippies  
* Using open source in a corporate environment is more expensive than using closed source products in the end because you don't get support and have to do maintenance work.  
* Kind of related but ... You need the perfect hardware setup to run Linux or you will run into problems quickly. (The hardware compatibility grew amazingly over the last years and I personally never ran into any unsolvable problems since I switched completely)  
* Open source is dangerous because attackers can find security flaws more easily with direct access to the code.  
* Paying an annual fee for an open source project means it’s more secure.  
* Not paying an annual fee for an open source project means it’s less secure.  
* Open source means contributions are welcome  
* Open source means it costs $0  
* Open source means I can get the source code on the internet  
* Open source means it can't be patent- or trademark-encumbered  
* Open source is originated by companies like Microsoft to obtain free labor for projects that the company will commercialize for profit (think Open AI).  
* Open source is free of charge (often true, but not always).  
* Open source is less reliable than commercial software because companies can't DEMAND a bugfix to volunteer maintainers (while it is technically true that companies cannot DEMAND a bugfix, whether that makes open source tools less reliable is up for debate).  
* Open source means contributions are accepted  
* Open source means you can "just fork it"  
* All open source uses permissive licenses  
* Open source projects infrequently change maintainers. Most are BDFL.  
* A project needs a regular interval of commits to be considered maintained.  
* For "if the source code is available, it's open source" see the TiVo.  It's led to the term "tivoization" for this kind of tyranny.  
* Open source is communism  
* StackOverflow is permissive open source. (It's really CC BY-SA)  
* All open source packages have the same problems / concerns.  
* All open source projects have the same maturity level around licensing, security, community, etc.  
* All open source packages have a clear declared license  
* All open source packages pay attention to their own open source dependencies / SBOMs  
* If you pick a fork it is still being maintained  
* There are too many problems, it's not worth doing anything.  
* it’s always a good idea to update to the latest version  
* No one actually finds security issues by source code review  
* All security issues in a project will be found because someone will notice them while reviewing the code  
* if a project is old enough it's obviously figured out funding  
* All open source is on GitHub (Debian, fedora, Firefox, GNOME, KDE, GStreamer, Pidgin, etc aren't)  
* Everything is being rewritten in rust  
* Lack of commits means the project is abandoned  
* Open Source developers are only trying to make users happy  
* Open Source developers are worried about keeping users  
* "Not invented here" is a choice not a grim reality  
* All open source users are developers  
* Number of users is a knowable metric  
* Your code being on GitHub is a valid opt-in for co-pilot consumption (even though anyone can do it ..)  
* Licenses/attribution don't matter  
* Code signing isn't required  
* Maintaining countless preferences in a program doesn't cost anything  
* Projects have a single bdfl and that never changes  
* Contributors are always right  
* Users only want the best for the project  
* Distro packages are dead  
* The more CVEs a project has the less secure it is  
* Putting your software on github **will** get you more contributors  
* funding platforms are available for all projects  
* cla's and dco's are fine and will never be abused  
* signing releases doesn't hold value anymore  
* it's possible to have a completely open source computer  
* you can't use non-libre software in open source development  
* the amount of contributions you make shows great understanding of the project  
* Open source projects employ contributors  
* All projects accept crypto donations  
* Releases are regular and predictable  
* Features are planned  
* Stale tickets have no value and should be automatically closed  
* Mailing lists are dead  
* Pull requests are the only contribution method  
* Translators are directly involved in the project  
* Drive-by contributors will resolve issues in their contributions  
* "We'll release it as open source, so that it can continue to live after $project_the_government_pays_for is finished"  
* Open source projects are all on github / on github makes a project open source.  
* open source means it'll stay open source forever  
* if you take the time to document your project well, it will reduce your support load and people will help themselves, and realise they are not entitled to one on one support.  
* "If it's free, that must mean it's low quality/a scam"  
* “if you find a bug in an open source project you can fix it yourself, and the pull request will be readily accepted back into the main project”  
* Not only do you need some programming skill to do this, you're also at the mercy of the maintainer when it comes to getting it merged.  
* A related myth: "An open source package will always be better than anything we could develop in house." Again, it's often true, but it's by no means guaranteed.  
* "Company data processed by open-source software becomes public"  
* You can't/shouldn't charge money for open source software  
* Most open source software is made by hobbyists in their spare time  
* if you have an open source project and you want people to use it, you must put together a sound marketing campaign for it. It will remain completely unnoticed if you don’t do it.  
* Foundations actually do something other than provide ownership for trademark  
* Software can be done and no need to touch it anymore  
* Maintainers are supported by their employers  
* Maintainers benefit from their maintainership  
* Companies hire based on portfolio  
* Anyone could maintain it  
* Making good software takes a team and a lot of hours coding  
* Updating dependencies is easy  
* Releasing a new version is easy  
* Distros backport fixes for all security bugs.  
* There are a lot of maintainers (in practice a handful of people maintain nearly all the ecosystem)  
* Standard libraries are maintained  
* Build systems are a solved problem  
* CI and testing are easy to setup  
* Reviews raise software quality  
* Sending a patch is helpful (it usually just gives more work to the maintainer and more to maintain)  
* There are other crypto implementations than openssl (everyone uses openssl under the hood)  
* Lots of dependencies is bad  
* We can manage and discover our dependencies  
* Someone is responsible to make things work at the bottom of the stack, right?  
* "Hundreds of transitive dependencies in frontend code are normal and the way the technology works. We don't worry about the resulting attack surface. No company has time for that."  
* "When choosing open source components, all you need to do is check the licensing. No need to check project health, e.g. number of contributors, contingency plan, frequency of upgrades, reaction time for security patches."  
* If I use an open source project, the maintainers are required to respond to & fix my bug reports  
* "Open source has nothing to do with the environment" > https://eco.kde.org/blog/2024-05-29_introducing-ns4nh/  
* "Open source applications only exist for programmers"  
* "My open source software will be useable and intuitive enough for all potential users, even if I don't directly consult them."  
* The maintainers of the FLOSS I am using owe me: Bugfixes, User support, Signatures on paperwork, Compliance with "software supply chain" rules  
* When you build the source code, the output binaries are guaranteed to be identical to those that the maintainer gets when building the same source code.  
* Okay, but at least they are guaranteed to work the same way when executed.  
* You're guaranteed to get executable output binaries.  
* open source code “is not copyrighted”.  
* Creating an open source application will solve a social problem.  
* Doing Open source as a company has only benefits. Better security (more eyes on it), tech clout, more (free!) contributions, and totally no overhead added.  
* maintainers owe you, the user, support, especially fixing bugs you need fixed  
* Highly requested features are implemented first  
* Maintainers respond to issues and fix bugs  
* Many stars equal many contributors  
* Pull requests adding features are always merged  
* Maintainers don't want your money  
* If I open source $thing, people will show up to work on it!  
* If I take my project to a foundation, a bunch of big companies will show up to work on it!  
* Open source is *free* (in particular, cheaper than proprietary)  
* If it's open source, then I can use the brands/trademarks in any way I want  
* “if a library doesn’t do quite what you need it to, just fork it and add the extra functionality yourself” (now you’re responsible for integrating any bug fixes / security updates from the upstream library yourself for ever more)  
* Losing users is a problem  
* "Taking your business elsewhere" is a threat  
* Maintainers provide a service  
* Backwards compatibility is important to the maintainer(s)  
* Open source means anyone can steal your code and not give credit  
* Contributing to open source means other people will profit off of your work  
* if you respond to legitimate issues by saying “patches welcome” then most people will interpret that as something besides “IDGAF”  
* open source removes maintenance burdens for components  
* Closed source commercial software never makes use of open source.  
* If I write code, the project is morally bound to merge it.  
* LTS linux distributions have the knowledge to patch bugs in all packaged software for years after upstream has stopped maintaining it.  
* if I provide a good bug report then I can expect it to be fixed after some amount of time  
* opensource makes you rich  
* opensource projects get more bug reports  
* The choice of license tells you what the values of the project maintainer(s) are  
* The choice of license tells you nothing about the values of the project maintainer(s)  
* "You didn't reply to my issue in 2 weeks? this project MUST be dead"  
* You could fork and maintain the project if you really had to  
* Your feature contribution would help the project  
* The source code you see in the repo 100% matches that package you deployed  
* You'd for sure get better support from a paid vendor for your bugs/issues  
* Open source alone is enough to prevent vendor/project lock-in  
* Open source can work without open standards  
* Open source projects follow "good practices", for whatever the person saying it thinks that means  
* you can judge a project simply by its stars on GitHub  
* Somebody other than the author has inspected the source code.  
* People mostly agree on what "open source" means and what rights and obligations it entails.  
* open source maintainers have to take care of your use case in a free as in beer way for eternity  
* open source licenses promise maintenance and fitness for any purpose  
* users have no due diligence in checking the sustainability and motivations of current contributors and maintainers of an open source project before adoption  
* any random project contribution qualifies for requesting others to provide specific work pro bono  
* An OSI license is everything you need as contributor or user. Project governance is irrelevant.  
* There's no viable open source business model  
* Open Source metrics say something about the realities and needs of a project  
* Selecting Open Source products, is similar to software procurement in general  
* Open Source projects are "third-party software sources/providers"  
* If an Open Source project doesn't do exactly what you need, you pick another one instead  
* #OpenSource is just a term one uses to find/attract idealistic (cheap) #DevOps hires  
* "There is no Bystander Effect in Open Source"  
* If an OSS project's version is greater than 1.0, it's good to use, and if it's less than 1.0, it's bad to use  
* OSS maintainers always want more people to use their projects  
* OSS is a meritocracy  
* OSS means anyone can influence the direction of the project  
* Serious developers vet their OSS dependencies by reviewing all the code  
* If an OSS project is on a package registry and has a straightforward name like "xml", someone must have decided that's the best XML library  
* If a FOSS project is being used by massive profitable companies, the maintainer is being paid well...or at all.  
* If a FOSS project doesn't get much active maintenance, the maintainer would be willing to change that for money.  
* FOSS projects need to treat people terribly in order to maintain quality and reject bad code.  
* A distribution package with version x.y.z corresponds with version x.y.z as distributed by upstream.  
* A given system will have only one installed version of a given package.  
* A given binary will have only one version of a given library compiled in.  
* there aren't any support options with open source.  
* open source quality is lower than commercial.  
* open source means that it is free, and free means low value  
* "Open-source software is easy to use only for programmers"  
* the more popular a project, the more people have read the code and ensured its stability/security/bug-free-ness.  
* "Open source licenses don't have copyleft clauses, while free software licenses do"  
* OS code is well-written  
* It's better to use a package than to write code  
* Bug reports are helpful  
* PRs are helpful  
* Starting an OS project guarantees contributions  
* Popular OS projects won't ship breaking changes every other month  
* Slate.js will ever reach 1.x.x (or insert another massively popular library that existed for 8+ years)  
* Your code needs to be open-sourced  
* OS maintenance and hosting is free  
* Every open source maintainer was forged in the flamewars of usenet and nothing you say to them will make them sad  
* There are no women in open source  
* open source isn't commercial software  
* open source is commercial software  
* Triaging bugs is easy  
* Closing a stale bug insults the person who filed the bug  
* The OSI’s list of open-source licenses and the FSF’s list of free software licenses differ fundamentally (the FSF does prefer copyleft licenses, but by no means mandates them, and both approve all the most common permissive and copyleft licenses)  
* When I use open-source software I am completely free from trackers/telemetry. (counterexample: VS Code)

Maintainers

* Most projects have more than one maintainer  
* Contributing your free time to open source will help you get a job with the companies who rely on your software  
* All open source developers live in Nebraska  
* It’s all run by hippies  
* Open Source developers are only trying to make users happy  
* Open Source developers are worried about keeping users  
Archives managed by MHonArc 2.6.19+.
