
gnome-passwordsafe & my involvement

It is difficult to get frustration off your chest and doing so in a constructive and non-offensive manner, so please bear with me.

The beginnings

I started my involvement in the nice gnome-passwordsafe some time ago, providing patches and merge requests, with the maintainers being rather non-responsive. But the program is nifty and works well, filling a niche on mobile phone screens. I then pondered a fork or rewrite, but after @okias (David Heidelberg) was granted maintainer role, things started to flow and I aborted any forking fantasies I had.

Recent past

Things have been working rather smoothly, and we have managed a nice 4.0 release with lots of active contributions. As openhub.net puts it “Over the past twelve months, 37 developers contributed new code to GNOME Password Safe. This is one of the largest open-source teams in the world, and is in the top 2% of all project teams on Open Hub.”
@okias is a great maintainer, and msandova aka deathwish_, Jean Felder and I have worked relentlessly in our spare time to clean up the code base and pay back accrued technical debt. Nonetheless, frustration and annoyance with regard to the project have been growing for me recently and it stopped being fun. Having a full-time job and a family, the one thing I do not want is annoyance and frustration in my spare time.

Status Quo

Three currently active core contributors have worked to refactor the code base and improve the code architecture. All three agree on the fact there is … lots of potential for improvement and have worked to achieve it. The rub is, all three have different visions of what precisely that should look like and the code base is so small and (still) intertangled that it is hardly possible to focus on different areas without stepping on each other's toes, or breaking each other's merge requests.

At the same time my frustration has been growing as some of my commits in a MR have been lingering or rejected by “being out of scope” for a MR (it removed a superfluous and invisible GtkBox) while at the same time crucial files (hello main_window.py) are totally refactored in another MR without any indication of what the refactor is good for and why there was a need to do so; complaining about everybody else touching that file. Or rejecting MRs that get rid of additional threads, saying we should first methodologically analyze what they did. Well, I did not come up with a patch by randomly fuzzing the code base, so I would appreciate if the hours spent to analyze the code flow were not just discredited as unmethodological.
I don’t want to get into personal accusations about specifics because I guess others might feel just the same about their interactions with me (and probably rightfully so).

At times, I feel I don’t fit into the culture of the project. I do like Python and Gtk. But I have not drunk the flatpak Kool-Aid yet (I prefer my distribution as the distributor of code), and don’t think flathub.org is our user facing homepage. I don’t think “secrets” is an appropriate name for a password manager. Gtk4 will not be a panacea, and we should not focus solely on it the day it is being released (or even before). And I believe a Python program is allowed to use pythonic programming patterns rather than GObject’ifying all and everything (unless it makes sense to do so).

I would rather work in incremental steps and use defensive programming using a baby step approach. On the other hand, I am clueless when it comes to GtkBuilder ui files and I don’t appreciate the small UI papercuts with a similar level of importance as others do, so having complementary talents work on the code is certainly useful and needed.

But I do not think the code base is big and modular enough for 3-4 code architects to work on it simultaneously. At the same time I don’t want my grumpiness to impede the progress of the project. So I will be scaling down my efforts with passwordsafe and wait until the major architecture has settled down and contributions are more useful again. Nobody benefits from 30+ competing merge requests all changing the same files being proposed simultaneously.

The future

I will be back!

Best of luck to all involved, continue to rock the boat, and keep making passwordsafe work well on Linux phones. I am not gone from the project, but I will refrain from bigger merge requests until things have settled down a little. I am not bitter or offended and think you passwordsafe devs are all doing great work: where we had too few over the last two years, we now have a bit too many too active cooks trying their hand at the same meal. I’ll be back for dessert.

Gambardella and Hall, 2006, Research Policy

For a number of reasons I had to reread this Gambardella & Hall, 2006 article [1] today. It is about researchers (in which open source software developers are included) having to choose between operating in a “Public Domain” (PD) manner, in which knowledge is disclosed according to “The republic of Science” and a “Proprietary Research” (PR) mode in which researchers attempt to monetize their work and keep the created “intellectual property” proprietary.

Overall, I have to say I found the paper to be somewhat sloppily researched and written. It refers to “forking” as selling a commercial program while an open source version of the same program co-exists, a definition which most of my acquaintances would not approve of. Also, I am not at all sure that one can subsume all “scientists, open source contributors, user inventors and communities of technologists” into one category, as there are major differences in terms of incentives, governance structures and legal frameworks between those.

I do not think the GPL license is presented in a correct manner either (which I find disappointing for a paper that is mostly about the GPL license). It is not intended to restrict freedoms from a Public Domain point of view (the GPL is far from a Public Domain approach), it grants additional rights over the conventional copyright-based protection mechanisms (PR). While the end result might be similar, the emphasis is different: the GPL does not limit freedoms, it grants additional ones. This becomes important in cases when the GPL would be deemed illegal or invalid: The assets in question would not fall into the PD area, but squarely back into old-style copyright law, and its use by others would become automatically illegal too. Gambardella & Hall make a point on the enforceability of the GPL, and they seem to posit that there is “a lack of legal enforcement” and that the GPL mostly “acts as a signal” clearing potential ambiguities. I think the companies that have been subject to a GPL violation lawsuit or informal settlement would disagree on the lack of legal enforcement. I think a thorough paper on the GPL as a legal coordination tool would be good to point out these issues in more detail. There are more things like that, but that is not the point.

The paper attempts to bring home 3 main points, 2 of which I can wholeheartedly agree with:

“Our contribution is simply to highlight that Olson’s insight [that collective action needs coordination in order to be sustained] can be applied to the analysis of the instability of open systems.”

That is a valid and well observed point. I think that there is still too little research on Open Source from a collective action perspective. Our study [2] attempts to go there, but more on that would be welcome.

The second point is a policy implication:

“The implication is that there is little need for policy if more proprietary research is desirable, as the latter is likely to arise naturally from the individual actions. By contrast, policy or institutional devices that could sustain the right amount of coordination is crucial if the system under-invests in knowledge that is placed in the public domain.” p.880

Research on the fragility of knowledge sharing ([3] forthcoming in Research Policy, online available if you have a subscription) is certainly needed and its policy implications discussed. I do not think that the above statement will be valid under all circumstances (Open Source contributions seem to be coming without policies in place), but I am sure they are needed in other circumstances.

And third, their main point is to create a framework which rests under the assumption that (in my own phrasing):

“The number of contributors to GPL projects will increase. As 1) those who would have operated under the Public domain (PD) scheme anyway stick to it and 2) some of those who would have done Proprietary Research (PR) join the PD scheme, increasing the number of overall contributors to the PD-GPL scheme. Those who would have done PR at any price will stick to their way.”

It is an interesting and intuitive assumption, but I am not convinced that it will universally hold true. I have previously written a piece about What constitutes free that asserts that there are 2 camps of “free” definers. One sees the GPL-free as the only free (as GPL’d assets are guaranteed to remain free), the other camp (BSD-free) sees the GPL as unfree as it limits what can be done with the code (e.g. it cannot be appropriated). Gambardella and Hall cater to the first group but silently ignore the second one. They are even closer to any “PD” scheme, but would never contribute to a PD-cum-GPL scheme which is not free enough. (If you don’t believe that, read any BSD vs GPL flamewar in a mailing list.) As such, attaching a GPL license to assets could very well deter PD-proponents from joining the GPL’d project. Which renders the paper’s underlying model moot.

[1] Gambardella, A. & Hall, B. Proprietary versus public domain licensing of software and research products. Research Policy, 2006, 35(6), 875-892.
[2] Spaeth, S.; Haefliger, S.; von Krogh, G. & Birgit, R. Communal Resources in Open Source Software Development. Information Research, 2008, 13(1).
[3] Simon Gaechter & Georg von Krogh & Stefan Haefliger, 2006. “Private-Collective Innovation and the Fragility of Knowledge Sharing,” Discussion Papers 2006-21, The Centre for Decision Research and Experimental Economics, School of Economics, University of Nottingham.