The initial message was polite and just asking a question. On the surface.

If you read between the lines, it can also sound quite entitled.

1. "Our customers..." - apparently it's part of their services or products in some way, which means they are getting paid for the mitmproxy developers work. Of they have a problem, they should ask "how can we help fix it?", not "when will it be done?"

2. "...in regulated industries [...] are prohibited by regulations..." - these are clients with deep pockets, which makes point 1 sound even worse. Also implying that their clients problems should somehow be a priority for the project maintainers. If I hadn't read the reply I would have guessed from the tone that they're already sponsoring the project somehow. It sounds like a friendly but somewhat frustrated paying customer to me .

3. "...s/w with known High and Critical severity vulnerabilities" a bit of a stretch but this could be interpreted as "your software is terrible and full of unpatched vulns".

I'm not writing this to say that the IBM guy is a bad person. I'm sure he's just trying to get his job done and communication is hard. Just trying to convey how messages that are following all the "rules" (be polite, don't make demands, don't call people names, ...) can still be interpreted as rude.

The "I hope you don't find this follow-up to be offensive -- that's certainly not my intention" part of the email sounds like someone that is aware that they're sometimes unintentionally offending people.

The intent behind the response from mhils is pretty clear to me. He points out that he's not being paid, that he doesn't appreciate the message, and that you can't make any demands unless you're willing to contribute somehow.

The problem is, I think, that this type of language isn't clear to everyone. The follow-up email just shows that the message didn't get across.

I don't know the IBM guy, maybe he's just entitled, but living around several very intelligent autistic people has made me see how common these types of interactions are. I think us non-autistic people can get better at recognizing the situations and adapt our communication to be more direct and precise without a lot of effort. It's often the case that the person on the other end is already spending a lot of energy on adapting.

Not excusing anyone's behavior of course. I just think this interaction could have had a lot of other outcomes.

Ah yes, because what I want to infest my personal hobby projects is all the corporate bullshit speak that I'm forced to deal with from 9-5. If IBM ever starts monetizing a project of mine, that's fine, but if they try to waste even 12 seconds of my time reading an issue, I'm pretty sure I'll respond in whatever way sparks joy.

> it was mhils who first responded like a jerk.

What?!!

Mhils answered happy to setup a support contract if you need timely release while pointing to his email. Nothing in his answer is out of line. I think you need to seriously reset your expectations if you think that answer from someone providing free labour is in any way wrong.

I agree with you except for this part:

> it was mhils who first responded like a jerk.

mhil's response was polite and reasonable. The :-) could possibly be interpreted as antagonistic, but in absence of other clear antagonism, I wouldn't assume it was meant that way even if it might have been. The email is where this exchange went off the rails, everything prior to the email was fine.

> Otherwise, it can appear as if the developer has a "first one's free" mentality, where the user is now dependent upon broken software and the developer wants to charge for the fix.

I would be willing to be the original “first one’s free” license came with an explicit disclaimer that the software was provided “AS IS”, without any warranty implied or explicit.

So, it seems like it would be on the company for deciding to use the software in a critical way, without having a plan for support.

They should have read the contract.

I'd argue that weaponizing politeness with the explicit intent to exploit someone's free labor -- especially when you stand to gain monetary value -- is in and of itself "jerkish behavior".

Saying they “need some kind of target date” is not polite, it sounds a lot like a demand.

I agree that the response is a bit snarky and escalates the situation. However, unpaid open-source project maintainers aren't obligated to be scrupulously polite at all times no matter what. If you want professional corporate interactions, then pay professional corporate prices.

I'm also sympathetic to not wanting to commit to a specific release schedule for an open-source free time project, with implied consequences if it isn't met.

The maintainer didn't answer the question. But I don't think it was snarky. If you want a problem solved in an open source project you (and your financially very solvent customers) rely on the minimum would be to offer some way you can help or provide resources.

Totally agree, but the other side in response might label this whole situation as ransomeware, extortion etc. I mean "might", we can't be sure.

From the IBM employee's perspective it should seem reasonable that if he's asking for specifics that take time to figure out and for answers to questions while not contributing anything to the project, that he should pay for those answers in a timely fashion for his benefit. He's treating the Github like a support page so I don't see anything wrong with the maintainer offering a support contract in response to that. It would be beneficial to both parties.

If the maintainer said "I'm not releasing this until you grant me a support contract", maybe that would be extortion. Until then, he's simply getting the service he pays for.

The answer was completely reasonable. The commenter (IBM) required timeline and resolution for business critical reasons - the way to get that is to sponsor the work or do it yourself. The commenter should know that, and businesses know that.

Offering to do it for money when a company asks is helpful, as the option is not a given. Declining is also fine, in which case you can either wait till it happens or get a full refund.

The response was fine, in the same tone as the original request even if the first one was offensive by accident. A kind, functioning human would be puzzled at the slightly blunt response and re-evaluate the whole conversation.

They would not go to a private channel, knowing that they would get blasted for such a response in a public forum, and get even more offensive. Plus, any non-native that has an advanced enough understanding of English to use the phrase 'thinly veiled extortion' can also control the tone of their requests. No need to defend IBM here.

I agree it would have been more civil to take this initially as a simple request for a schedule estimate. But regardless, how on earth is “you’ll need to pay me to work for you” extortion? Using that word is a bright red flag to me.

I don't think so. It's fair to ask for a timeline and even "slightly demand" from the author if they can speed up. (like "Can we please have this by ...). However, mentioning your clients as such (highly regulated industries) seems to me (I might be wrong) to imply a certain kind of coercion and responsibility for the author (hey look there are some very important people here using this.). It's not the responsibility of the author, and he shouldn't be stressed about it.

Of course the email seals the deal.

Your definition of extortion, withholding labour in the absence of payment, is the bedrock of our economic system. I have no idea how workers sleep at night.

Anyway, someone who maintains an open source project for free does so for his own satisfaction and is not obliged to do anything. This guy was very reasonable in suggesting the other guy pay if he wants something, given he's being paid and so is his company. Neither did he snap, since he was polite and constructive.

The follow-up email was the real kicker.

I often respond "shut up or pay me". It works pretty frequently for niche technical software and I land some contract work which I get to open source. The alternative of just fixing their issue never works.

So, if it sounds fun I just fix it. If it sounds boring, pay me

The original interaction is not unreasonable tbh. I have in the past have posed questions on issues of OS projects to ask about timelines. Sometimes it is important for you to know that because you have to either fix it yourself, find alternatives or wait for the fix, but with a timeline laid out for regulatory purposes. Getting offended by a question like that would be a red flag for me. I do understand the frustration of OS devs, but a polite we can’t fix it rn and we don’t know when we’d be able to, is often sufficient.

> does kind of read like extortion

I think you should google what "extortion" means. That's not how it works. It's an open source project. The guy can, quite literally, go fuck himself.

>> The thread already indicated that this was fixed and waiting for the next release

Making a release is work too, so the response looks OK to me.

> And frankly from their perspective, your response does kind of read like extortion, e.g. "shut up or pay me".

"You don't get paid. You kidding? You get a commission, that's better than getting paid."

The initial comment was just barely on the side of acceptable, it's not demanding but is a bit entitled.

The private followup email is maidenless.

Reading the issue[1] I think the IBM request is a lot more reasonable than this tweet makes it seem. The issue is that a mitmproxy dependency has a CVE, mitmproy updated the dependency (in March), but hasn't made a stable release yet with this update (last release from Nov 2022), and IBM guy is asking "when do you plan to tag a release? Do you have a timeline for this so we can communicate this to our customers?"

Notably it's NOT asking for a fix; "when will you fix it?" is not accurate as there is nothing to be fixed. It's just asking "when do you plan to make a new release with this dependency update?"

I don't think that's an unreasonable question. I also don't think it's unreasonable to ask for a support contract if you want these kind of fixes shipped within a certain timeframe, but the question is a lot more reasonable than it seems at a glance and immediately coming back with "email me for a support contract" seems a bit over the top to me. I could have asked this question and I think most people here could.

[1]: https://github.com/mitmproxy/mitmproxy/issues/6051

OP here. To be clear, I don't mind the release question at all, it's valid! But the context should be along the lines of "we have an interest in this, how can we help make it happen" (contributions or $) and not "you are causing problems for our customers". I don't want the requestor to have a miserable time because of a badly-worded comment, I want large companies to have a healthy relationship with FOSS.

This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.

A similar thing happened with h2database - a "security researcher" found that if you do something you're told not to do, then bad things happen.. but they demanded and got a CVE allocated anyway. Anyone who looks at it realises it's bullshit, but the mere existence of a CVE is all that matters to these idiots.

What the h2database developer said about it: https://github.com/h2database/h2database/issues/3686#issueco...

> I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project. Feel free to get your corporation to pay someone to deal with this, or pay for a similar commercial library.

I’ve had sudden spike of ”when will you fix this” and „I am also affected, this is important!” comments on one of my projects. It was very odd to see sudden interest like that.

But around the same time I’ve got an email with apology explaining that company’s boss asked employees to stir up the pot to pressure me into a fix, pretending its affecting far more people than it really did.

Sounds to me like somebody learned that using an aggressive/threatening tone has been highly effective at their own job and doesn't their negotiating position here is quite different.

There is a subtle difference between "I would like to know when this will happen so I can make plans"and "I need this done because I'm being paid for your work, please hurry". If the requester left out the background information, the tone of the request would have been more of the former and less of the latter.

Corporate entitlement about using open source (and demand support for it) is enormous. I would love if licences with usage restrictions were more popular, and the OSI wouldn't just say "that's not open source!!!". It would prevent these kinds of situations.

While the behavior from "FrugalGuy" is immature and childish, a better way for the mitmproxy maintainer would be to post a polite but firm response, one that leaves no room for error or drama such as this one:

> As per the mitmproxy license, the software is provided as-is without warranty, and project maintainers are currently constrained by other priorities and deliverables.

> As such, statements on the Github issue tracker are not considered as sufficient justification for the prioritization of issues. The only way to prioritize issues would be to enter a support contract, available [here], the terms of which we will be happy to discuss further.

I think a year's salary of an engineer (which is NOTHING at certain corporate scales) would make the fix happen in matter of weeks and it is only fair.

OR if you absolutely don't want to pay then other way would be to allocate one of your own engineer for few months to patch the parts you need for the paying customers and contribute upstream.

EDIT: SORRY - This one year one engineer compensation is just my own limited incorrect estimation. I am no position to say what's exactly worth in but I would estimate few months of effort for an engineer that's NOT familiar with the code base, probably.

I've just realized, if you don't want your code to be used for commercial purposes, instead of using the GPL, just claim your project has a critical risk vulnerability.

It seems more interesting to discuss the implied underlying situation here than focus on any individual actor's tone.

It seems from the interaction that a part of IBM has (1) taken software that explicitly has no warranties, (2) repackaged it and sold it for profit by unilaterally adding new warranties of their own creation, and (3) attempted to redirect the burden of compliance with those warranties to the original authors (who had explicitly disclaimed any such warranties).

Some idiot just commented on the Github issue attacking the guy and telling him "Welcome to Hacker News".

That commenter is equally stupid. Has no involvement with the project and nothing to gain by being inflammatory.

I've worked on many commercial products that have incorporated open source components (and respected their licenses.) I was always under the assumption that it there was a problem with the open source bits, it was MY responsibility to resolve those problems for my customers, because it was part of the product I was shipping. Full Stop.

That almost always meant getting into the code and fixing what I needed fixed and (hopefully) getting a PR accepted so it'd be in the next release. If I needed fixes from the maintainer to support my commercial product, I'd expect that I'd need to pay...something to make it a priority for them. I mean, my problems aren't their problems, right?

Have developers forgotten how to publish community forks to package managers? I believe the reason projects wait for releases is to allow the community to find bugs and the release to stabilize. If the community is rushing the publisher, they would be better off cutting their own beta releases, because a primary namespace semver does not magically make the changes stable.

PM gone astray, wow. I can understand asking - even being a bit robotic in doing so. The first time. The email is too much, you got your answer.

To get a firm date you need a contract

These type of people are the cancer of open-source… Feel free to come up with a PR if its so important to you.

This points to such a great communication principle, including one that HN/dang promotes -- if the point remains the same, then take out anything else, especially when it's personal or potentially inflammatory.

Now, instead of a fairly simple and straightforward issue as the current top comment points out, this has blown up between parties and on the internet because of the completely unnecessary "extortion" remark.

I'm sorry but we have no record of having received your payment.

I think even more disheartening here would be giving a response the commenter requested and then not even getting a "thank you" in return, which happens all too often.

Ron Craig has been at IBM for 27+ years! Really speaks volumes for the organization sadly. Horrible conduct

This is the correct response whenever a corporate OSS user shows up and reveals themselves as such. 'For corporate users, we can arrange a support contract to answer questions. For non-corporate users, support is provided via the community forum.'

I'm not surprised it happened, but I am surprised at the @us.ibm.com sender address.

The initial post was a simple request to find out if there is an eta. I don’t see a big problem with that.

If it was my project I wouldn’t have offered a support contract because the labor law and tax law situation is too complex for me.

It’s actually very kind of you to offer such a contract.

FrugalGuy could have gotten the response “please submit a PR”. Not sure if that would have made them happy.

If we put the emotions and people aside. What stops mitmproxy as a software project to release a new version right now?

Just curious.

Feel free to delete my GH comment, I wanted to after reading this, but the thread was locked

How are contributions or money going to solve a release issue? If the issue is a bug, I can fix it and submit it as a patch. But if the issue is that there's no release for already made fixes, how do I fix that with a contribution or money?

But it was an extortion attempt

> This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.

They may know and understand all of this and still not care. Maybe their performance is judged by how quick they can get checkboxes checked, with overzealous approvals harming them more than overzealous rejections. They may be empowered to make exceptions when the specific circumstance warrants it, but that might require them to fill out even more paperwork to justify their decision. That extra paperwork slows them down and harms the metrics by which their performance is judged.

Wow that CVE is absurd.

“If you pass a password via the command line, other processes on the system could see it via ps.”

Yeah, no shit. If that qualifies as a “high severity” CVE then, uh, you can call me a security researcher because I can think of at least a half a dozen applications that allow the exact same thing with the exact same disclaimer (“don’t do this”).

God yes. I work in a regulated industry, and here's the flow:

InfoSec raises vulnerabilities that show up on reports that get managers scared.

Developers have to continually update to accomodate. Even for non-prod deps. You can raise exceptions, but that's a completely separate can of worms.

Managers wonder why dev work is slowed down.

I work for a SaaS vendor in an industry where that is still a bit 'exotic'. We get sent ridiculous 'security surveys' for which 90% of the answers are N/A. I'm dubious that anyone reviews the other answers.

The GNU AGPLv3 makes corporate lawyers seethe so hard, it may as well be a non-commercial license. But it isn't, and it satisfies both the OSI and the FSF.

Anyway, it's good for OSI and FSF to take a hardline stance here. If your priorities don't align with theirs, why should they change to satisfy you? Simply use the license you like, even if they don't approve of it. Why is that a problem for you? Why do you need these orgs to stamp their approval on your choice of license, when you obviously don't share their values in the first place?

> I would love if licences with usage restrictions were more popular, and the OSI wouldn't just say "that's not open source!!!".

I agree with you, but guess who pays the OSI's bills: https://opensource.org/sponsors/ For their corporate sponsors, not supporting usage restrictions is a feature, not a bug.

There's also a ton of dogma surrounding the open source and free software definitions where you'll get dog-piled for not conforming to these definitions. These definitions are often considered as holy writ and their adherents refuse to entertain if perhaps these definitions might need to be adjusted for the realities of 2023.

Even if you try to ignore them and coin your own terminology so as to not to conflict, open source and free software advocates will continue to try and control the narrative by insisting on their own language, which is designed to have negative connotations in their circles.

> I would love if licences with usage restrictions were more popular,

I would not. Or rather, not if the "usage restrictions" were outwith the varying strengths of share-alike enforcement provided by the LGPL, GPL, AGPL.

Freedom for users to run software for any purpose is freedom 0, and Stallman sets out very eloquently why usage restrictions would not help: https://www.gnu.org/philosophy/programs-must-not-limit-freed...

As per the warranty disclaimer, free software is given to you with no strings attached. It is boorish to demand free support and maintenance as well, when you've already been gifted the freedom to make any amendments you see fit. I don't think changing the license would make such boorish people go away.

I think most people don't want to be that anti-corporate. Otherwise they wouldn't use permissive licenses in the first place.

And there may be non-license options that are friendlier to open source than corporate. E.g. if someone has a non-trivial issue they must publish a reproducer.

I'm not sure how that will solve the problem. Chance are the software would still be used in business environments and you would still have people asking for support on behalf of their employer. I have heard stories a plenty of businesses doing that in the 80's, when support was typically offered for free, with pirated software. The only thing that reduced that type of shenanigans were paid support contracts. Your only real recourse is suing for license violations, and relatively few open source developers are going to have the means to do that against a medium business, never mind a major corporation.

You don't need to change the license to the software, only the license to access the bug tracker.