Being the holidays, there isn’t much going on, but that doesn’t mean there isn’t anything to talk about.
Microsoft had a bot run amok at change the copyright on a forked project. Jeff Wilcox from Microsoft responded to the Hacker News post and indicated that it was a bug from a bot that was supposed to automate parts of their open-source management process. The bug appears to be a misplaced if statement condition
There have been reports of this happening before, and there are several problems with this, in no particular order:
- A human doesn’t have to verify the bot didn’t do something stupid. Given where we are with software you’d think anything that had legal and PR ramifications would have human approval. That is not the case here.
- This change had been in place for a month before anyone from Microsoft noticed it (why didn’t the maintainers of that fork notice it earlier? Isn’t it their fork?
- The reason why Microsoft gets so much flack when something like this happens is that their company has a reputation of a lack of transparency and a more recent reputation of doing dodgy things in Open Source while claiming there’s absolutely nothing wrong with what they did. Did commentors judge Microsoft too harshly in this case? Yes. Does Microsoft do things regularly that make this sort of Judgement easy to come by? Also yes.
Open Source is a social construct where the only written contract (the license) is about 10% of the equation. The rest of it is built on trust, convention, and a desire to give back. The software Microsoft wrote doesn’t take the 90% into consideration, and it speaks of a larger problem we have in tech:
We think Software will solve all of our problems. The crypto folks are embracing “smart contracts” as The Way. We embrace AI and Computer Vision for Tesla “Autopilot” without regard to the human lives at stake, and we dismiss bugs are minor inconvienences. None of this is as bad as Therac-25 but we’re not far from that with the trust we put into computers.
Sadly, I think this lesson is hard to learn when there’s ‘no harm done’, especially when as big of a corporation as Microsoft is, they don’t have a single person who owns their Open Source work, who is personally responsible for any Open source mistakes they make in that 90%. Even the head of OSPO is inward focused on what Open Source can do for Microsoft, and not outward focused, on Microsoft’s responsiblities to the Open Source community.
And as if to prove my point, given the recent log4j debacle, we’ve still got to figure out how to pay to fix open source. This is where we need Microsoft (and other Trillion dollar companies) leadership: In helping to re-inforce and sustain that 90%, and stop focusing on how they can maximize their value out of the 10%.