The author calls it a 'joke' that Heroes are just unpaid Amazon employees, but reality doesn't become a joke just because it's funny. The asymmetry here is staggering. I find myself holding back private research because I don't want to provide free R&D for a value-extraction machine that is already efficient enough.<p>The author was at least dependency-driven in their contribution, but outside that kind of dependency, it's hard to justify contributing even 'in the open' when the relationship is this one-sided. Amazon in particular has done enormous damage to the economic assumptions that permissive open source once relied on. There's increasingly more projects adopting 'Business Source Licenses', precisely to prevent open work from becoming a free input into hyperscaler monetization.<p>These devs know Amazon is grabby and, at some point, the only dominant outcome their community contribution is upstream of is unpaid labor for a trillion-dollar entity that also diverts support and community engagement away from the original projects by funneling users into managed versions of the same software.
> There's increasingly more projects adopting 'Business Source Licenses', precisely to prevent open work from becoming a free input into hyperscaler monetization.<p>They could use AGPL or GPL3, typically those licenses are verboten in hyperscalers.<p>The truth is that the sort of company opting for BSL never really wanted to do OSS, and in truth only did so for the optics of it, for the goodwill it buys among developers, etc.
The GPL3 can be put behind a server and no one will ever see the source code because there is never any distribution.<p>Only the AGPL is remotely close to forcing hyper-scalars to release the source code of what they provide.
> They could use AGPL or GPL3, typically those licenses are verboten in hyperscalers.<p>Laws are only as good as their enforcement, in business at least. Unfortunately I have seen first hand that no one cares about licensing if they can’t get caught.<p>Businesses licenses are good because you can offer support and other benefits to encourage payment.
Hey, nothing wrong with closed source, BSL, etc. I am fine with it. I am the last person that will say someone should give out their work for free.<p>What I object to is companies releasing software with permissive licenses, and then getting butthurt that others profit from it, or trying to rug pull the permissive licenses after a community adopted and contributed to it.<p>If you want to play the OSS game, then play it right.
I know this is true of AGPL, but GPL3? I thought the people who objected to GPL3 were those distributing software to their users (e.g. was a reason Apple switched from bash to zsh). I cannot think of aything in GPL3 that would be a problem for hyper-scalers.
Or SSPL, which extends AGPL with even more sharing requirements.
I'm "lucky" to not be smart enough or important enough to think about this. Regardless, i wholeheartedly agree -- at this point, anything i personally could release publicly, will either be fully open source, or completely private. And I'm only choosing open source if I'm relatively sure it's not gonna make some asshole tons of money.
I understand people have a viewpoint here about not giving time to large behemoths. I'll counter with a story and perhaps a larger point.<p>Back in 2006/7 I had an idea for a project for which, in all enthusiasm, I setup a mailing list, but ended up never pursuing it. It's a very unique name.<p>In 2012, another developer landed on the same name for their project, but saw that the mailing list was taken up and reach out inquiring if he could take over, and I obliged because here's another person doing something in cryptography and open source, 2 of my favorite things then (and now).<p>The project was "scrypt" and the developer was Colin! :) I knew nothing about Colin or tarsnap then, IIRC.<p>Sometimes you just do kindnesses of which you're able, with people who you feel a sense of community with, without expectation of anything commercial. Karma adds up, and it's benefits are large, though hard to always articulate.
I strongly disagree with the part about IAM roles for EC2<p>> a useful improvement (especially given the urgency after the Capital One breach) but in my view just a mitigation of one particular exploit path rather than addressing the fundamental problem that credentials were being exposed via an interface which was entirely unsuitable for that purpose.<p>What alternative interface does the author propose we use to securely exchange credentials? The only other approaches I can come up with involve allowing monkey hands to come into direct contact with secret materials. Outlook, slack and teams cannot possibly be more secure than IMDSv2. I think if you are manually passing around things like PFX files you've already lost the game.<p>The entire point of the IAM roles is to make everything a matter of policy rather than procedure. The difference here is insane when you play through all of the edges. IAM policy management is significantly easier to lock down than the alternative paths. I can prove to an auditor in 5 minutes that it is mathematically impossible for a member of my team to even <i>see</i> the signing keys we use for certain vendors without triggering alerts to other administrators. I've got KMS signing keys that I cannot delete with my <i>root</i> account because I applied inappropriate policies at creation time. This stuff can be very powerful when used well. Azure has a similar idea that makes accessing things like mssql servers way less messy.
Scaleway's equivalent only allows connections from ports <1024. This is cute and means only processes with CAP_NET_ADMIN can retrieve the tokens.<p>You can do similar with vsock(7) sockets. This also has the advantage that it's harder to trick an application into making a connection to a vsock socket.<p>Both of these have the weakness that it is not entirely atypical to give processes CAP_NET_BIND_SERVICE so they can listen on "privileged" sockets, but they work against anything without that.<p>Even better, you could put bootstrap credentials in DMI data or similar, where it'll end up (on Linux) inside a sysfs directory which can only be read by root.
> In April 2024 I confided in an Amazonian that I was "not really doing a good job of owning FreeBSD/EC2 right now" and asked if he could find some funding to support my work, on the theory that at a certain point time and dollars are fungible<p>>I received sponsorship from Amazon via GitHub Sponsors for 10 hours per week for a year<p>For whatever reason, I remember being shocked that you were only charging $300/hr [1] which was what a mere L6 google engineer would make salaried. I hope they are paying you more nowadays<p>[1] <a href="https://news.ycombinator.com/item?id=30188512">https://news.ycombinator.com/item?id=30188512</a>
Netflix is a big FreeBSD user and a big AWS user, do they run FreeBSD on AWS? Would be the obvious sponsor to me as they rely heavily on the infrastructure built by volunteers like Colin
I remember many of these events as I was running FreeBSD a lot and subscribed to the mailing lists.<p>Why on earth would you give this monstrosity of a company so much free labour?<p>I get that volunteering is fun, but donating your time and competence to a hyper capitalist company is short sighted. I hope there was appropriate compensation, and I'm not including "early access".
Fantastic piece of lore. Fascinating to read the journey. But also hearing some of the names here (Tavis Ormandy is famous for his role on Project Zero, for instance) and knowing that even top engineers can bomb interviews for making poor choices.<p>Nothing useful to add except that I Like these blog posts from someone who actually did a bunch of things. Nice round-up of the past.
Colin, if I remember correctly, you first ran Tarsnap servers on Ubuntu before you made FreeBSD work on EC2. At what point were you confident enough to switch to FreeBSD?
Interesting how this history is about the edge cases and the unlikely risks that turn into real incidents. the systems scale faster than what we think about their safety.
He gave them so much free labor
It was a different time when software was seen as something that was built together and everyone was interested in learning the best from one another.
No, it was really not. His tale is from mid-2000s, not from mid-1980s.<p>In mid 2000s these companies were already operating in the billions and their engineers were already well compensated, and it was known.<p>Hell, "Cracking the Coding Interview" came out in 2008. Getting a job at those companies at the time was already something coveted because of how well they paid.
> In mid 2000s these companies were already operating in the billions and their engineers were already well compensated, and it was known.<p>Perhaps in the USA, but in many other countries this does for sure not hold.
He wants to evangelize, spread, and support FreeBSD adoption; this free labor helps in this.
This... they really owe him something, IMHO. Hell, discounted service so he can make a better margin on Tarsnap sounds good to me!
I dug up my original AWS account confirmation email from 2006 a while (years) back. Now I need to go find it again to see if I was earlier.
Good domain name.
I was an early adopter and huge fanboy for AWS.<p>At some stage I realised AWS is extremely expensive, extremely slow, extremely ridiculously complex and also a parasitic attitude to open source.<p>I realised I should instead go all in on Linux on virtual machines on other platforms.<p>AWS I’m done.
That attested EC2 instance rollout after ~2 decades was a nice joke LOL
I just want to contrast this article on AWS to its Azure counterpart- <a href="https://news.ycombinator.com/item?id=47616242">https://news.ycombinator.com/item?id=47616242</a>.<p>2 companies have functionally similar products, but behaves completely different. One company makes technical decisions with security as the fundamental principal, while for the other company, security is not a consideration.
20 years of giving love to a soulless corporation