Considering what both the Republicans and the Democrats have done to our nation in the past 30 years, I wouldn't be surprised if this was a first step in undermining what was once the crown jewel of American industry...
Steve Naidamast
Sr. Software Engineer
Black Falcon Software, Inc.
blackfalconsoftware@outlook.com
The most obvious valid reason to release code as OSS if you are a stand-alone developer is that it will add credibility to your CV.
Then not only can you claim that you know how to do/use X, there is also tangible proof of it. And a better CV means higher pay.
Another not so obvious reason: if you give out the source code then paying customers will be easier to lure in, because if you stop
working on it, they are not left with a binary black box which they cannot use/fix.
Now, you may argue that the latter is not OSS, but it depends on what your business model is. OSS is a distribution strategy
that may, or may not, make sense for your business.
A typical scenario where it makes sense is if you are selling hardware, e.g. an IoT for a niche market. At my current company
we are using an LTE router with specific hardware I/O, which runs OpenWRT customized by the vendor. They can, and do, give us
almost(*) all of the source code because their advantage is the hardware, not the software.
(*) and I wish it was really, really, really all of the source code. I stumbled the other day on a bug from an OSS library that
our vendor uses, but that is bundled together into a binary blob with their own private code. If I had the full source, the
fix would have been done by me that very same day. Without it, I have to wait 6 months (at least) for them to make a new distro release.
I started an open source project on Github back in 2014.
Its initial purpose was to share some of the techniques I used to replace the STL with a library that was more tailored to C++ embedded projects.
Over the years it became more and more popular around the world and now I have many hundreds of users registered on the project's Slack group. Over time (nearly 9 years), feature requests and my own additions have turned it into a major project that can take a significant amount of my spare time, to the point where it could easily be my full time job. I've tried to monetise by asking for sponsorship, so I can earn my living from the library, rather than fitting it around the day job, but sponsorship only brings in beer money. Developers are keen to financially support the project, but their managers can't see the point of paying for what they're already getting for free. I've tried offering 'paid support', but there were few takers.
I have to admit that I have become very cynical of the whole business of companies using my unpaid work to boost their productivity and profit, on a project that, if I were creating it as part of a full time role, I would be paid very well for. I'm feeling like I am just an unpaid employee to most companies.
I can easily see why some projects are pulled or abandoned.
Thanks so much for sharing your real story.
Your post is fascinating to read and you really conveyed the feelings that come with putting so much into a work and having it succeed (being accepted and used a lot and helping devs) while not really being able to taste the true success that should be yours. I'm very sorry that has happened.
I think this statement you made really sums it up:
John Wellbelove wrote: Developers are keen to financially support the project, but their managers can't see the point of paying for what they're already getting for free.
That's really terrible.
Unfortunately, yours is the story of OSS that I've discovered the most and it is very sad.
John Wellbelove wrote: I have to admit that I have become very cynical of the whole business of companies using my unpaid work to boost their productivity and profit, on a project that, if I were creating it as part of a full time role, I would be paid very well for. I'm feeling like I am just an unpaid employee to most companies.
I'm very sorry for this. I wish there was a way you could now flip the switch and force all those people who are using it to pay a reasonable fee or else the software would evaporate from their systems.
John Wellbelove wrote: I can easily see why some projects are pulled or abandoned.
Additionally terrible is the fact that those devs who have pulled their stuff have ended up suffering at the hands of social media telling them that they are the terrible ones. It's such an upside down system really.
Thanks again for sharing such a great (and emotional) story.
I think there needs to be a corporate culture shift in their view of open source software. If they don't start to support it, then quality OSS projects will start to disappear or stagnate.
Bit late to this discussion but...
1) you have a job that pays you, like academia, or you're a student and you write something that you don't have the time or inclination to turn into a commercial product - 'cos you have a job.
2) you write something in the course of a bigger job, a utility or a library or an interface to some other library (e.g. C++ front end) that has no commercial value in itself and, as others have said, you're happy to share and show off.
3) you've written something that you thought you could make some money from but it was unsuccessful. There is actually quite a bit more to commercial success than just building the better mousetrap. Publishing as open source might yield some crumbs from an otherwise failed adventure.
I've done all 3...
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick).
The sites I visited ask anywhere from USD$90 to USD$299 for the USB stick (which costs about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that.
In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front.
For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive.
If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it.
Thanks
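The post above mentions the 3072-bit minimum for code signing keys. The check a practitioner would want before renewing is simply: does the certificate on the token actually carry a key of that size? The script below is an added example, not something from this thread; it uses only the openssl command-line tool, and the two certificates it inspects are throw-away self-signed ones it generates on the spot (constructed for the demo), standing in for a certificate exported from a real signing token.

```shell
#!/bin/sh
# Added example: check whether a code-signing certificate's RSA key meets a
# minimum size (3072 bits, per the requirement discussed in the thread).
# Requires only the openssl CLI. The certificates generated here are
# self-signed test certificates constructed for illustration.

# Print the RSA key size in bits of the PEM certificate named in $1.
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (OpenSSL 3).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) only if the certificate in $1 has a key of at least $2 bits.
check_min_key_bits() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Generate a throw-away self-signed certificate with an RSA key of $2 bits into
# the file $1 (private key goes to $1.key). Constructed test data only.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=constructed test cert" -days 1 >/dev/null 2>&1
}

# Walk two test certificates, one pre-2021 style (2048 bits) and one compliant
# (3072 bits), and report which one passes the minimum.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/old.pem" 2048
    make_test_cert "$dir/new.pem" 3072
    for c in old new; do
        if check_min_key_bits "$dir/$c.pem" 3072; then
            echo "$c.pem: $(cert_key_bits "$dir/$c.pem") bits, meets the 3072-bit minimum"
        else
            echo "$c.pem: $(cert_key_bits "$dir/$c.pem") bits, below the 3072-bit minimum"
        fi
    done
    rm -rf "$dir"
}

demo
```

To check a real certificate, export it from the signing token (or pull it out of a signed binary) in PEM form and run `check_min_key_bits yourcert.pem 3072`; the function's exit status is what a build pipeline would gate on. Note that key size is only one part of the requirement; whether the private key is actually held on compliant hardware is not something the certificate text alone shows.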
Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
...
Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
That might be something to do with it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Pete O'Hanlon wrote: Is there a reason you can't use Let's Encrypt or Cloudflare?
Good question, and one I had earlier.
SSL certificates for websites are not the same as code signing certificates. Neither of them offer code signing certificates, only SSL certificates for website https use.
It's the most mind blowing profitable business racket: let me sell you a number! Certificates are essentially a number and there is no chance of running out of them. Now they don't even sell those; they lease them for a year. Isn't that genius?
Mircea
I get what you're saying, but surely you realize it's not just the "number" they sell you; it's the whole trust chain that has to be in place before yours can be trusted.
I know, but it's still funny. Reminds me of that game: "You say a number. If I say a bigger number I win."
Mircea
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: The issuer demanded lots of official documentation as a proof that the company was the one it claimed to be, it required phone numbers that they could call to specific persons and ask them for a secret password etc. etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verification that you are you. (They may have been doing a lot of checks that you never noticed or knew about.)
Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is a proof of your identity, guaranteed by the passport office. The code signing is a proof of the code's source, guaranteed by the certificate authority.
An email certificate doesn't prove much: it proves that the mail originates from whoever received the certificate sent to the address someone@somedoma.in. Nothing about the person, organization, etc., only the mail address, which is implicitly verified by the certificate being sent to this email address. All can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
That makes sense. But since the one who issued my previous code signing certificate did that already, the renewal cost should be a lot lower.
I am an IT Manager. My department produces OEM software among other "normal" IT tasks. Our software is used to create USDA inspection data. We are required by the government IT Modernization mandate to maintain a Code Signing Certificate in addition to regularly scanning our code for security weaknesses and vulnerabilities. We use AppScan for our code scanning and GlobalSign for our CSC's. My point is that in some instances, there is an absolute requirement to obtain and maintain the Code Signing Certificates as well as code scanning. Without the Code Signing Certs, Windows Defender, AVG, and the other AV software will either disallow installation and operation, or even delete the files outright at times. Yes it is expensive, but is a cost of doing business for some of us.
OK, that makes sense RE: paying for all the work to do the manual verification etc., but that doesn't address why they charge the same year in, year out.
Why not a lower fee for successive years?
If you're going to buy a new cert and you get all the verification done, you're not going to change much of what was verified every year. You MIGHT have a slight change in staff rotation, but that could be handled by getting the old person to get in touch, provide the existing password or whatever, then hand over to the new person.
In my mind, $300 for the first year (because of all the work), then $100 per year continuously after that, with perhaps a re-verification once every 5 years or something similar.
trønderen wrote: You are not paying for the USB stick, but for the work of verification that you are you
And likely third party audits that ensure that the company is actually doing what they claim.
It would defeat the purpose if they were cheap or free, etc. I would hope that the money is justified by a detailed verification process. I mean, I'm sure they could be a bit cheaper... but something like $20 is just no bueno.
That being said, eventually the blockchain will make all of this moot. People are still wrapping their heads around that tech and only associate it with crypto. But, mark my words... more use cases are coming.
Jeremy Falcon
It is not well regulated and no one cares to regulate it. So if you gotta have it, you gotta pay whatever they ask you to. Pleasure doing business with you.
Been through the process mere weeks ago. The price looks more like the effort for the audit rather than the USB stick. They checked everything and we needed to update our data to prove we are who we say we are. They checked the email address provided and called the phone number we provided. They checked several databases that have data on our company.
It was a cumbersome, tedious and frustrating process.
It was a cumbersome, tedious and frustrating process
For you, yes (I have to go through it every three years), but not for them. They are all geared up to do it.
The way I see it is that the requirement for these fancy new dongles has been used as an excuse for a massive price hike. Perhaps competition will bring these inflated prices down, but don't hold your breath.
I should add, btw, that there are two types of certificate, OV (for individuals) and EV (for companies). The level of proof of identity required for EV certificates is higher, so I can understand why they cost more, but OV certificates have also gone up in price by a factor of about 3 since I last bought one. Colour me p!ssed off.
Edit: Oooo, just found this:
https://www.ssl.com/certificates/code-signing/buy/
That's by far the cheapest price I've seen since the new dongles came in. Seems too cheap; I wonder if they're any good.
Paul Sanders.
If I had more time, I would have written a shorter letter - Blaise Pascal.
Some of my best work is in the undo buffer.
I looked on that site, and I appreciate that you took the time to look and post it. But you either pay $20/month extra, or $249 for a USB stick. So, the lower certificate price is offset by the cost of the delivery method.
OK, thanks. I thought there might be a catch. I think the USB stick is something you only have to pay for once though (so when you renew, it should be cheaper).
Currently, I use ksoftware. I think they probably offer the cheapest way to buy outright.
Paul Sanders.
If I had more time, I would have written a shorter letter - Blaise Pascal.
Some of my best work is in the undo buffer.
In my case, a single person business, it took a month of grit and irritation.
It seemed that the org in question had never had a Dutch request; I had to explain that the verified PDF I sent was sufficient proof of my business being registered by the proper authorities, and that after they kept asking for ever more outlandish evidence each time without saying why.
I'm 100% sure that in my case the money did not cover the effort.