I’ve been reading and thinking recently about the potential for a tragedy of the commons to be a reality in the realm of open source. The tragedy of the commons is a economic theory that says that individuals behave contrary to the self-interest of everyone by depleting a common resource. One needs to look no further than the environment for examples of this behavior.
Free and Open Source Software
Free and Open Source software has revolutionized how the world consumes software. Linux, BSD, httpd, nginx, MySQL, PostgreSQL, and thousands of other software products are consumed voraciously. But almost universally people are only consuming. And generally that’s okay. Sharing is one of the key tenets and strengths – that we are able to freely share code to help our neighbor.
Of course we can’t deny that it has a downside? We’ve of course seen the outrage and shock following the Heartbleed vulnerability that only 4 people were watching and contributing to one of the most widely used cryptography libraries in the world.
This past week, the coverage of the GPG suite of tools being basically unfunded broke. Unfortunately it took that level of shaming for folks to realize that it was important and supply some money to fund a developer or two to work on the project. Of course I am as guilty as anyone – I’ve used GPG for years to protect private communications, to sign software releases, and a few other purposes. And before that I’ve used OpenSSL for years to protect web traffic. However, until this past week, I hadn’t contributed a cent directly to any of those efforts.
Technical Debt
The issue though is really larger than just security or a few ‘critical infrastructure’ projects. The reality is that we, and especially businesses, are incurring an odd kind of technical debt for every piece of free and open source software that we are using. If we aren’t actively contributing to a project, we are hoping that others will. We are putting our trust in the fact that someone will find it valuable enough to contribute, even when we don’t.
Recently, one of the members of the Apache Software Foundation’s infrastructure staff, Daniel Gruno, did some research into open source project health. He invented a humorous name, termed the ‘Pony Factor’ to represent the lowest number of contributors to a codebase to contribute 50% of the codebase. And then realizing that people come and go from open source projects, he developed an ‘Augmented Pony Factor’ calculation that takes into account only active developers.
He started by looking at projects at the Apache Software Foundation. The below graphic shows the lowest number of individual contributors who contributed to an Apache Project’s codebase. Obviously that graphic only lists a few of them. If you want to see all of the current projects from the Apache Software Foundation, you can see that graph here.
But, in a vacuum that’s hard to know if those numbers are good or not, so Daniel went beyond that and looked at a handful of popular free and open source projects:
I was shocked by seeing some of those statistics. Do I feel comfortable that only three people are actively contributing 50% of the current code contributions to the blog software this post appears on? Or that one person writes most of my preferred version control platform. Am I willing to trust my business to that? And of course we know that state security agencies have NEVER asked free and open source developers to compromise security.
How do we avert a tragedy?
The first issue is that we need to be aware of the risk. Many of us see the incredible platforms out there and simply trust that the people who wrote them knew best and are going to continue to provide us with great software. As one of my favorite authors quipped in his novel, TANSTAAFL.
“Gospodin,” he said presently, “you used an odd word earlier–odd to me, I mean…”
“Oh, ‘tanstaafl.’ Means ~There ain’t no such thing as a free lunch.’ And isn’t,” I added, pointing to a FREE LUNCH sign across room, “or these drinks would cost half as much. Was reminding her that anything free costs twice as much in long run or turns out worthless.”
“An interesting philosophy.”
“Not philosophy, fact. One way or other, what you get, you pay for.”
I am not advocating for paying for every piece of software or needing to contribute to every open source project in existence, but I’ll leave you with this question. What are you doing to avert a tragedy of the free and open source commons? And if you aren’t, then who will?
David Nalley's Blog
February 7th, 2015 at 18:25
You haven’t linked to any details of the “pony factor” definition and methodology. I’m not so much shocked as incredulous when I see nginx (whose dev list I’ve followed for some time) shown as having a pony factor of just 1, and I daresay the same might apply to other projects. I suspect it is in part an artifact of how a community is structured: for example, how do you count developers who contribute via regular git pull requests?
February 7th, 2015 at 19:19
Hey Nick,
I’ve asked Daniel to either publish a blog post about the math behind the pony factor, or alternatively to let me copypasta the definition. I’ll update the post when it’s up.
February 8th, 2015 at 20:37
Nick:
I posted Daniel’s explanation (with his permission) of Pony Factor in a new blog post:
February 8th, 2015 at 01:14
[…] Risk of the Commons […]
February 8th, 2015 at 16:22
Your comment that one only needs to look at the environment as a metaphor for open source is right on the money. What we find of course is that it is business that is the primary agent in depletion. While true that consumers are the terminal point in depletion it is unrealistic to expect consumers to be fully aware of all the processes that go into the products they consume.
Your article highlights the common ethic of all business and that ethic centers around minimizing costs to maximize profit. I think it is not crazy to say that this ethic which is not new is operating at an unsustainable scale.
Any time behavior is subordinated to single principle, the end result is distortion and corruption.
It is not so much that one can expect such an ethic to not exist it is that quantitative difference leads to qualitative difference.
What you have outlined is not unique to open source. Using it as an example, we must wonder what will be the result of the business principle at a global scale where all other principles are placed in subservience to it?
No doubt we will find out.
February 9th, 2015 at 07:21
It may sound strange in the ears of an american, but you’re describing a basic problem with capitalism. The solution already exists: There must be a state that represents the interests of the commons and spends tax money for it.
Free markets won’t do anything for the commons.
Free markets are ok for the scale of restaurants so that we can choose where to go for lunch.
February 12th, 2015 at 05:21
Isn’t the issue the 50% commit volume? On many projects, the initial person is still active, and all the bulk of the legacy code is attributed to 1 or 2 people.
I think it would be more interesting to go to 90% of commit volume.
Or, even just look at the commit volume over the last 2 years and tak 70-90% on that.