
Trivia Tuesday: Open Source and Research Data

npetrele
Cisco Employee

Trivia question for the day: Why is a duck? There are multiple punch lines for that, but I'll post the one I've heard most at the bottom.

I'll answer the next one, myself. "How many open source programmers does it take to screw in a light bulb?" The answer is, "Only one, but afterward dozens of other people screw with it."

While doing research on Full Stack Observability this past week, I came across some interesting data on related and even unrelated subjects. One was a list of programming languages according to popularity, where SQL appeared in the list. SQL is not a programming language, at least not in the same sense as C# or Java. I've seen lists like this in the past where XML appeared in the list. XML isn't a programming language, either. 

This weird anomaly is often caused by the organization doing research. I worked for a research firm briefly and got an inside look into how this happens. I say "briefly" because I got canned after I complained about how horribly the research data was collected. For example, one question asked, "Which operating system do you use?" Among the multiple choice answers was, of course, "Linux", "macOS", "BSD", "Windows", and then I saw the choice, "Apache". And that was one of the lesser stupid multiple choice questions. It did occur to me that the research company might have included stupid answers to weed out unserious respondents, but I suspect the people who created the survey simply didn't know what they were doing.

Then I came across this InfoWorld article about the decline of open source projects being actively maintained (the article is based on this report). This doesn't surprise me, and I don't think this is an entirely new trend. 

Before you start flaming me, let me tell you that I am 100% pro-open source. I am not offended by some proprietary closed source code that exists, such as the closed source drivers for video cards, or closed-source code that prevents you from violating copyright laws. (There was a big fuss about that regarding TiVo some years ago.) But I still believe open source code is superior overall because the more eyes you get on the code, the more likely it will be secure. The problem is, it does not necessarily follow that it will be more likely mature. 

Here's the problem. Open source code often springs up from a small number of coders (sometimes just one person). Once the creators are satisfied with the result, or they solve the problem they are addressing, they move on to another problem. "It works the way I like it, so I'm done. Here's the code for anyone else to screw with." And then the project turns into a mess.

There are significant exceptions to this rule. Kubernetes, for example, is constantly maintained and improved because it is practically ubiquitous and addresses one of the most relevant trends in computing these days. In fact, the open source projects for any important trend are likely to be maintained fairly well. But when it comes to plugins and libraries, I suspect programmers just "pip install" or "npm install" and hope for the best. And that's where insecure or even malicious code can creep in. Improving the next video editor is exciting. Examining the latest code of a SOAP library ranks between boredom and coma.

But that's what it takes to keep open source secure. Eyes. If I wore a hat, I would take it off to the hard workers who spend their time keeping an eye on the most boring areas of open source. If you're one of them, bravo. We need you.

 
Why is a duck? Because ice cream has no bones.

davidn#
Cisco Employee

Nope...because one of its feet is alike.
For us, non-English speakers, it's hard to get the meaning of your "duck joke" Nick ٩(^‿^)۶

Ruben Cocheno
Spotlight

@npetrele 

Just following up on this to see if you still need help.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on LinkedIn https://www.linkedin.com/in/rubencocheno/