The faker.js scandal got me thinking about many things. One of them is that in FOSS we leave ourselves very open to abuse from bad actors who exploit the openness and permissiveness of FOSS. As developers we expect that the users of our software will also be good actors. Most of the time this doesn't actually matter, but it becomes really painful when you want to expand your project into something more wonderful, or finally decide to build a service to financially support the further development of your software, or do something else to raise funds.
With FOSS licenses you can't prevent anyone from using the software or creating a competing service built on top of it. Over my years in FOSS I have seen, and have been on the receiving end of, bad actors who use the FOSS license as an excuse for their bad behavior. After all, they have no responsibilities towards you as users of your software, no matter what they do, as long as the license allows it; and even if it does not, do you have the money to sue unless you have a big backing yourself? As such I feel it is necessary to describe somewhere what the expected behavior is, so that you can at least point to something concrete and label them as bad actors without a doubt. This might also help others who wish to take further steps.
So what do I think this should include? For starters I came up with this:
- If the author(s) provide any services then it should be noted that they should be primarily used in order to support the further development of the software.
- Letting the authors know if you use the software in a notable project, so that it can be advertised on the package.
- If the software is used in a profitable project, especially if it helps significantly and the authors have a support page, at least a minimum donation should be given.
- For MIT and other licenses that don't require that fixes and features are contributed back to the original project, it should still be mentioned that doing so is good manners.
- Include any other ways on how to contribute to the project to keep it going.
Obviously these things would not be enforceable. Let's be honest, for the average FOSS developer nothing really is. The only thing here could be that bad actors would be banned from participating in the community, or some other restrictions that are feasible to levy. This is similar to what is in a code of conduct, which is where this could be included, or maybe in a separate document named something like a "codex".
Another approach would be to describe what bad actor behavior is, but I think that would be rather limiting, as bad actors would always find new ways to get around the existing list.
What do you think? Does this make sense? Is it worth attempting to create some sort of a template? Should this be put into the code of conduct or somewhere else? Please let me know your thoughts.
If you like my work, please support me on GitHub Sponsors ❤️.