2024.1 #32
base: master
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -28,7 +28,8 @@ The seven stages of Grief is a way to express the various steps of a loss, anywa | |||||
|
||||||
So Open Source != Free Software, this means that open source is a subset or a minimal definition of the goals of a project compared to Free Software. This happen about the *free* in Free Software because as we said open source means that the code is available but what you can do with that depends on the license, that can be Free Software, or you need to pay to access it for example. There are tons of pages that explain the difference between the various licenses and why, but often they are very complicated, so [get ready on studying them](https://blog.graphqleditor.com/software-licensing-cheat-sheet/). | ||||||
Another opinion is by company side when the license topic is on fire, like dual licensing, CLA, abuses or license's restrictiveness, but I don't want to talk about those stuff as it is the most common discussion in this world and there are people who explain a lot better than me, [Open source licensing for supervillains](https://offlinemark.com/2021/01/22/open-source-licensing-for-supervillains/). | ||||||
Yes, you need to study a bit because it easy to get a license conflict because [you like to code but you don't care of the legal part](https://arkadiuszkondas.com/dmca-php-ml-and-copyright-boundaries/). | ||||||
Yes, you need to study a bit because it easy to get a license conflict because [you like to code but you don't care of the legal part](https://arkadiuszkondas.com/dmca-php-ml-and-copyright-boundaries/). | ||||||
Another recent trend, followed by the various Open Source companies that have to fight against various hosting/cloud providers that not contribute back (in money terms) to the project or the fact that "open source" is used for everything that is free to download and use it, is the one [that developers care more about software's access that the license itself](https://www.infoworld.com/article/3703768/the-open-source-licensing-war-is-over.html). Infact there is a new term "post-opensource" about [this new types of licenses for Open Source Business model](https://devclass.com/2024/02/08/preserving-the-magic-of-free-new-types-of-licenses-will-not-solve-open-source-business-model-says-percona-founder/), usually because they are double licensed and not OpenSourceInitiative compatible, as they limit the usage for some specific business cases. | ||||||
Missing space.
|
||||||
|
||||||
## Do ut des | ||||||
|
||||||
|
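Review bot: the added paragraph beginning "Another recent trend" is a single sentence that is hard to parse and carries several slips: "that not contribute back" should be "that do not contribute back", "care more about software's access that the license itself" should read "than the license itself", "Infact" is "In fact", "this new types of licenses" should be "these new types of licenses", and "OpenSourceInitiative compatible" wants spaces ("Open Source Initiative"). Splitting it after the InfoWorld link would make the claim easier to follow. The preceding "Yes, you need to study a bit" line shows as both removed and added with no visible difference, so if that is only a trailing-whitespace change it is worth confirming it is intentional.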
@@ -189,6 +190,30 @@ The transparency of the OSS management can benefit the quality of the project it | |||||
|
||||||
For legacy project instead it is important to define the license, how to setup a dev environment (if it is possible), give all the information that are available and that can be helpful to run your tool. Don't be like [this (source code of XIII game that I like so much, also the comic)](https://github.com/Ch0wW/xiii_unrealscript) that doesn't include any readme or documentation. | ||||||
|
||||||
## What is "Post Open Source" | ||||||
|
||||||
When [something gets a Wikipedia page](https://en.wikipedia.org/wiki/Post_open_source) it means that is important. | ||||||
It is a trending topic and philosophy that with all the companies that lives reselling F/OSS projects as SaaS and the same vendor that changes licenses is getting popularity. | ||||||
|
||||||
Everything started from companies, like Elastic or MongoDB or Redis, saw other companies like Amazon or Google reselling their OSS projects (not their enteprise version) without contributing back to the projects and at same time making money. | ||||||
This was unfair so they created new licenses to avoid those cases and at same time there were a lot of forks to avoid those new non-open source licenses. | ||||||
|
||||||
So at the end of the day [one of the founders of the Open Source Initiative](https://www.theregister.com/2023/12/27/bruce_perens_post_open/) (Bruce Perens) officially said that the problem is the licensing that doesn't fit in this new world where a lot of companies uses OSS without contributing financially or in the project itself and at same time making money. | ||||||
|
||||||
Resources: | ||||||
|
||||||
* [Elastic, The SSPL is Not an Open Source License](https://opensource.org/blog/the-sspl-is-not-an-open-source-license) | ||||||
* [MongoDB, MongoDB Issues New Server Side Public License for MongoDB Community Server](https://www.mongodb.com/company/newsroom/press-releases/mongodb-issues-new-server-side-public-license-for-mongodb-community-server) | ||||||
* [Redis tightens its license terms, pleasing basically no one](https://www.theregister.com/2024/03/22/redis_changes_license/) | ||||||
* [RedHat, How Red Hat’s License Change Is Reinvigorating Enterprise Linux Distros](https://thenewstack.io/how-red-hats-license-change-is-reinvigorating-enterprise-linux-distros/) | ||||||
|
||||||
As today there aren't new licenses that are still Open Source Initiative approved (they don't respect one of the 4 freedom) and at same time a process for OSS projects that let them to survive in this world. At same time as F/OSS user and contributor I think that is important to have more awareness to the consumers like companies to give back something, not just be a consumer. | ||||||
|
||||||
For the same reason, since 2023 a lot of companies release their LLM models for AI as open source. At the end they aren't open source, because they just shares to you the final output, so you don't know how it is generated, infact some [big projects don't want contribution generated by AI](https://www.theregister.com/2024/05/18/distros_ai_code/) and at same time they have some limitations. | ||||||
with space
||||||
The [Meta case with LLaMa 2 shown some issues](https://opensource.org/blog/metas-llama-2-license-is-not-open-source), has doesn't follow the 4 freedom, limit the commercial usage and also the purpose of the model. | ||||||
Either
||||||
|
||||||
It is that there isn't anymore some affection or purity about what means "Open Source", so it is like that is freely downloadable without paying but there will be some limitations, but Open Source doesn't want limitations. | ||||||
|
||||||
# Conclusion | ||||||
|
||||||
I hope that now it’s clear why philosophy is so important: not only it differentiates us from our competitors (the non-open projects) but it’s for us a path to follow. | ||||||
|
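Review bot: in the paragraph starting "As today there aren't new licenses", Open Source Initiative approval is tied to "one of the 4 freedom", but the four freedoms are the Free Software Foundation's definition of free software; OSI approves licenses against its Open Source Definition. The same mix-up recurs in the LLaMa 2 sentence ("has doesn't follow the 4 freedom"), whose own link is an OSI post. Suggest naming the Open Source Definition in both places. In Resources, the first entry is labelled "Elastic, The SSPL is Not an Open Source License" but links to opensource.org, so the label should credit OSI rather than Elastic. Smaller fixes: "enteprise" to "enterprise", "infact" to "in fact", "LLaMa 2 shown" to "LLaMa 2 showed".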
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -38,12 +38,12 @@ There are many projects started as private or side projects inside a company or | |||||
|
||||||
Let's see an example of an OSS project that forced the [entire ecosystem with Chromium](https://www.reddit.com/r/opensource/comments/phm308/comment/hbjo95j/?utm_source=reddit&utm_medium=web2x&context=3): | ||||||
|
||||||
* Apple forks KHTML (from Kounqueror by KDE) and creates WebKit | ||||||
* Apple forks KHTML (from Konqueror by KDE) and creates WebKit | ||||||
* Google creates a new browser based on WebKit (and hires various Mozilla employees) | ||||||
* Years later, as Apple is not following enough all the changes by Google, they fork it and create Blink | ||||||
* All today's browsers (except Firefox) are based on WebKit or Blink (often is branded as WebKit) | ||||||
|
||||||
Now for them is easier to push standards or bad behaviours as their is the most used technology in a ratio 20:1, so now with the new [Manifest V3 for extensions](https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/) will be more difficult to do adblockers. | ||||||
Now for them is easier to push standards or bad behaviors as their is the most used technology in a ratio 20:1, so now with the new [Manifest V3 for extensions](https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/) will be more difficult to do adblockers. | ||||||
|
||||||
This is a bad way to use an OSS project but is also the reality as there are many good examples that is not the case to discuss (otherwise this would be a new chapter). | ||||||
|
||||||
|
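Review bot: the rewritten "Now for them is easier to push standards" line only changes "behaviours" to "behaviors"; since the line is being touched anyway, "as their is the most used technology" should be "as theirs is", and "in a ratio 20:1" has no source next to it, so a link or a softer wording would help. It is also worth checking that the American spelling matches the rest of the book.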
@@ -94,6 +94,12 @@ The idea is that the most bottom stuff requires more attention by moneymakers, l | |||||
|
||||||
With this version maybe is easier to understand how a component in a business can be valuable, but in Open Source it's ignored by those entities as they are not contributing to the future of this tiny piece. Another short version is [Sponsoring dependencies: The next step in open source sustainability](https://humanwhocodes.com/blog/2022/06/sponsoring-dependencies-open-source-sustainability/), that makes more sense, after all every OSS project is based on other OSS projects that often don't get the deserved credits. | ||||||
|
||||||
[Another story is the one from Thunderbird project](https://fosdem.org/2024/schedule/event/fosdem-2024-2741-take-your-foss-project-from-surviving-to-thriving/), that changed a lot: | ||||||
|
||||||
>In 2012, Thunderbird was pronounced dead. What happened next unfolded like a fairytale, as the Thunderbird project roared back to life on the shoulders of an incredibly generous community. Fast-forward to the end of 2022, and Thunderbird raised an astounding $6.4 million in donations. Within the last 3 years, it experienced a 326% revenue increase, quadrupled its core team, visually overhauled the desktop application, and announced plans to expand to Android and iOS. | ||||||
„fairy tale” (with space I believe)
||||||
|
||||||
|
||||||
|
||||||
## How to live inside the Open Source | ||||||
|
||||||
The first step is discovering the **Code of Conduct**, usually every project has one and it's based on the same basic rules, mainly covering how to work on the project and to relate to others among the project. | ||||||
|
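Review bot: the added Thunderbird quote starts with ">In 2012" with no space after the ">" marker, while the blockquotes added elsewhere in this PR use "> "; use the same form here. The quote is followed by several empty lines before "## How to live inside the Open Source", where one is enough. The lead-in "that changed a lot:" could say what changed (the quote is about donations and team size) so it stands on its own.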
@@ -168,6 +174,35 @@ The first one is easy as can be a bug report, a localization, replying to a supp | |||||
When you are contributing, it''s important to you to act as a friend and not like a customer to the Maintainer, so provide all the help in what you are asking, in this way you can grow your role in the project but also [your knowledge/awareness](https://notes.eatonphil.com/learning-a-new-codebase-hacking-nginx.html). Remember that the more you are autonomous and provide a "complete" task in a project, the more you can drive it in the direction you want, that can be a feature that you need or finding new contributors. | ||||||
The first expectation in contributing is a *hope* that your contribution will be handled, and you need to help this hope to succeed, like for our daily hope. | ||||||
|
||||||
#### The XZ Utils incident | ||||||
|
||||||
In 2024 a very important fact shocked the OSS world, a vulnerability (specifically a backdoor) was inserted in the XZ utility (a compress format, like for tar.xz files) that is a dependence in a lot of projects. | ||||||
That code change allowed, as it was loaded the library, to start a backdoor that was hidden pretty good for few months and it was discovered because an user started benchmark why OpenSSH was slow, compared as before, and at the same time systemd was working to optimize their builds to not include the library when it was not used. | ||||||
|
||||||
So with the second fact the fraudulent maintainer had to hurry up and implement quickly before the change in systemd was official. | ||||||
|
||||||
 | ||||||
|
||||||
The [timeline](https://research.swtch.com/xz-timeline) was very interesting and as per open source it was transparent online and basically the whole fault is a psychological one. | ||||||
The original maintainer, and creator of the project, didn't have so much time to follow the project and there was a lot of pressure in the community to add more maintainers with access to the project to speed up. The maintainer accepted a person that was completely anonymous, there was only a name without a photo. | ||||||
The fact that the people giving pressure was other anonymous users just gives you the suspects that was everything planned as this project is present everywhere. | ||||||
people is plural => was other anonymous users to „were”
||||||
|
||||||
> ”Finding a co-maintainer or passing the projects completely to someone else has been in my mind a long time but it’s not a trivial thing to do. For example, someone would need to have the skills, time, and enough long-term interest specifically for this.” - https://www.mail-archive.com/[email protected]/msg00571.html | ||||||
> From [A Microcosm of the interactions in Open Source projects](https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/) | ||||||
|
||||||
The same days a lot of people discovered this ticket on [ifupdown](https://github.com/ifupdown-ng/ifupdown-ng/issues/234), where an user just pushed a lot to get another contributor to the project. Also the same user asked in other projects to update the Xz library so there was a lot of attention in similar cases but seems that in this case it was just in good faith. | ||||||
|
||||||
I suggest to you to learn from the links otherwise we go outside the scope of the book. | ||||||
What we can learn? | ||||||
|
||||||
|
||||||
* A single maintainer, in a hobby project, can be a base to attack everyone using FOSS projects | ||||||
* Many maintainers are helpful and create a healthy project | ||||||
* Find maintainers is not easy as requires a lot of skills and thrust | ||||||
|
||||||
* Often maintainers doesn't get credit or compensation for what they are doing | ||||||
|
||||||
* There are thousands of tiny projects that can be targeted for "evil stuff" | ||||||
* An [open source project without ethics](https://fleker.medium.com/is-open-source-software-ethical-7404ec3ef3b2), well is a Trojan horse | ||||||
|
||||||
Helping them, instead of just complaining is very important for a better, healthy and safe FOSS world, like we want. | ||||||
|
||||||
### Communicate on the internet | ||||||
|
||||||
The action of communicating is fundamental. If we communicate badly, we lose everything. The talker is an introvert who may as well work on his own, all alone in a garage, without issues. | ||||||
|
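Review bot: in the "What we can learn?" list, "Many maintainers are helpful and create a healthy project" sits awkwardly with the story told just above it, where the backdoor came from a maintainer who was added under community pressure and was "completely anonymous"; the lesson the text supports is about how a new maintainer earns trust and access, not about the number of maintainers, so the bullet should say that. In the same list "thrust" should be "trust". The two quoted lines (the one starting "> ”Finding a co-maintainer" and the one starting "> From [A Microcosm") will render as one paragraph in Markdown; put an empty ">" line between them or end the first with a hard break so the mail-archive source and the blog source stay distinguishable. The link text "ifupdown" points at the ifupdown-ng repository, so the project name should match.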
@@ -221,6 +256,8 @@ Scared about the tool? | |||||
Often the tool is public, sometimes there is the fear of the public (like in public speaking) with the concern it would be permanent because it is written. I remember the first time I opened a ticket on Debian for an error on a software that I was using. I had a lot of anxiety because I had to use the email instead of a web interface, I was writing a ticket to one of the biggest Linux organizations in the world. | ||||||
I was thinking along the lines of: "it's a stupid error", "maybe it's my fault because I don't know how to read documentation", "I am reporting to the wrong people, since it's the tool and not the distro", "maybe my report is lacking something important", or "it's poorly written and they will mock me for that". | ||||||
|
||||||
 | ||||||
|
||||||
Basically I was joining the public circle of technicians that contribute to one of the most famous project in Linux, it was public and open but at the same time it was for a small elite. I took a breath, provided more information I could, verified it few times and sent it (without asking for help, all by myself). | ||||||
I cannot recall what the ticket was about now, this isn't the point however; after that situation I had no more fear or anxiety. If I, an expert and skilled person, was to have them, it was easy to understand what newcomers feel in front of a form whatsoever (even when posing the simplest questions). | ||||||
|
||||||
|
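Review bot: the added image "![](/img/anxiety-meme.webp)" has empty alt text, so screen readers and text-only renderings of the book get nothing; describe the image in the brackets. The same applies to the other images added in this PR ("/img/xz-meme.webp", "/img/contribute-meme.webp").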
@@ -233,6 +270,10 @@ One of the common comments that I receive on tickets in my project as example is | |||||
A key point to involve new volunteers if there are information about how to fix it, like a step by step about "what is missing to approve and close" so the ticket will not be abandoned for months because the status isn't clear. And again there will be a documentation of what is required to do. | ||||||
On the other side, if someone opens a ticket, give them the clues to fix on their own and contribute back to the project. One example is giving them the lines and the files to patch, so they can open a pull request or suggest a new wording for the documentation. | ||||||
|
||||||
 | ||||||
|
||||||
I have to admit, there are tons of cases where just opening a ticket is not worthy or really contributes to a project. Of course, there are a lot of cases around, but when you are opening a ticket, just think of yourself as the one that will handle it, just to understand if it is really something that can help the project. | ||||||
|
||||||
|
||||||
Mailing lists are the noisier communication medium, it's easy to lose interest or feel in the wrong place. | ||||||
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -60,7 +60,8 @@ Probably a combo will be to translate something about Support. | |||||
### Testing *D* | ||||||
|
||||||
This is very important, as the reviewer is, because they can learn about the project and make it something to improve it. It follows reviewer rules. | ||||||
The difference is that Testing consists in trying to find problems or bugs, while Reviewing on the other hand consists in writing a document including all the problems without going in depth about implementation but only to receive feedback. | ||||||
The difference is that Testing consists in trying to find problems or bugs, while Reviewing on the other hand consists in writing a document including all the problems without going in depth about implementation but only to receive feedback. | ||||||
In the [KDE ecosystem they are focus a lot on Quality](https://pointieststick.com/2024/03/09/how-you-help-with-quality/) too, that in my opinion fit this case. | ||||||
|
||||||
### Promotion/Evangelism/Design *D/I* | ||||||
|
||||||
|
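Review bot: the added KDE sentence reads "they are focus a lot on Quality", which should be "they focus a lot on quality", and "that in my opinion fit this case" should be "fits". The link text currently swallows half the sentence; linking only the words that name the article would read better. The "The difference is that Testing consists in" line shows as removed and re-added with no visible change, so check whether the trailing whitespace is a deliberate Markdown line break.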
@@ -99,6 +100,9 @@ The project needs more buzzword to get promoted and to have a chance to fight wi | |||||
* Privacy is important because it's possible to identify you even if you are navigating in private mode on the internet due to the proprietary feature of your browser full of bugs. | ||||||
* Open source doesn't mean it is free, but that the project is under a license allowing specific things. So it's sometimes possible to get the code by paying it for example, like in WordPress plugin/theme ecosystem. | ||||||
|
||||||
> About Privacy | ||||||
> It is a topic that growth a lot in the past years and there are tons of stories about why you should care of it. I want to share this to you [How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin](https://www.wired.com/story/how-pentagon-learned-targeted-ads-to-find-targets-and-vladimir-putin/), to understand how much bigger can be. | ||||||
|
||||||
|
||||||
Those are examples of advocacy 2.0 for open source projects. We take an important fact that involves everyone, from the newbie to the non-IT aware person, leaving a few doubts behind, so people will remember the whole point and give information about something new that they don't know. Also, giving people a choice without being a dictator but motivating them to discover more and not only by talking about your project. | ||||||
For me this differs from promotion/evangelism because the purpose here is to motivate people to discover more and engage, not only to get a gadget or something new to promote. | ||||||
|
||||||
|
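Review bot: in the added blockquote, "> About Privacy" and the following "> It is a topic" line are consecutive quote lines, so Markdown joins them into one paragraph and the title runs into the sentence; make the first line bold or separate it with an empty ">" line. Wording in the second line: "that growth a lot" should be "that has grown a lot", "care of it" should be "care about it", and "how much bigger can be" is missing its subject.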
💒