[HN Gopher] Professional maintainers: a wake-up call
       ___________________________________________________________________
        
       Professional maintainers: a wake-up call
        
       Author : FiloSottile
       Score  : 307 points
       Date   : 2021-12-11 19:28 UTC (3 hours ago)
        
 (HTM) web link (blog.filippo.io)
 (TXT) w3m dump (blog.filippo.io)
        
       | bluefox wrote:
       | Maybe businesses should pay a tax that goes into paying a
       | respectable universal basic income.
       | 
       | That would make it easier to develop and maintain such software,
       | and it would make it easier for people doing other things besides
       | software development (yes, they exist) to open up their artware
       | without starving.
       | 
       | Then there wouldn't be a need for the insane "professional"
       | formalism described in this blog post.
        
       | ozfive wrote:
        | This assumes that large companies are willing to pay in the first
        | place. In my experience, if most companies can get something
        | half-developed for free, they will jump on it and think nothing
        | further of the ramifications in the future, however near or far
        | that is. Any business that operates on that level deserves what
        | is to come.
        
       | vmception wrote:
       | You can get a closer view of this sentiment in action within
       | communities built on open source with distributed governance.
       | Very many communities in the blockchain space routinely discuss
       | how to compensate the development work necessary, and the
       | recurring theme is that people imagine a nonexistent cheap
       | developer:
       | 
        | An engineer in Micronesia with specialized skillsets.
       | 
       | Try to convince these communities about the need for a well
       | compensated _team_ of people including product managers and
       | designers all making 6-figures and honestly people just don't
       | believe you. The truth is that cost of living discussion doesn't
       | even matter, people should be compensated on the value they bring
       | (and in those communities that is very easy to quantify.)
       | 
       | This has wildly slowed down many projects as UI and usability are
       | completely neglected.
       | 
        | It's pretty much only been one year that an engineer in this space
        | can reliably land compensation packages somewhat competitive to a
        | tour in NAAAM.
        
       | heisenbit wrote:
        | Good maintenance requires skills and a steady hand, but nobody is
        | going to pay for it. New software is valued much more, and thus so
        | is the resource allocation, if maintenance is done at all and not
        | shifted to some lower-cost organization or country. The Apple App
        | Store puts a premium on new over working a long time.
        
       | jokethrowaway wrote:
        | This is happening because we created a culture that glorifies an
        | ideal, Free Software, over practical concerns.
       | 
        | OSS is communism applied to software: it doesn't make sense and
        | it doesn't work. After a few generations of idealistic people who
        | sacrificed themselves and worked for free to give us foundations,
        | most of OSS nowadays is just:
        | 
        | - Advertising to let engineers know that company X is cool and
        | you should go work for them
        | 
        | - Ways to keep your staff motivated (who doesn't want to become an
        | OSS rockstar?)
        | 
        | - Advertising to sell an actual business
       | 
       | I'd rather live in a world where companies are building and
       | maintaining software and reselling it to other companies.
       | Unfortunately we made it sound uncool, somehow.
       | 
       | Pay your invoice, get your token and npm install @user-agent-
       | experts/ua-parser
       | 
       | I'm not necessarily against open source and I certainly benefit
       | and contribute to it; OSS also has the benefit that more people
       | can spot bugs and end users can fix your shit when it's broken.
       | 
       | Still, I would never maintain something that allows companies to
       | use it for free. It doesn't make any sense, no matter how much
       | code the companies are publishing.
        
       | throwaway5371 wrote:
       | no, people should commit security vulnerabilities on purpose;
       | anarchy and chaos should arise
       | 
       | reign of chaos
        
         | qnsi wrote:
         | hail eris
        
       | rch wrote:
       | It seems like Stripe Atlas could be adapted to help people
       | formalize side projects, with invoices and subscriptions, while
       | providing guardrails to keep from having to worry too much about
       | the minutia of business, taxes, fees and so on.
        
       | fleddr wrote:
       | Apart from the discussion that nobody will pay, have you
       | considered that companies aren't even remotely aware of what they
       | use?
        
       | wolverine876 wrote:
       | Is the lack of a micropayments system the real problem, as with
       | journalism, art, etc.? If people could pay FOSS projects with a
       | click, I think they would. They pay Amazon that way, and that's
       | often for useless junk.
        
       | beebmam wrote:
       | The solution to this, along with many other socioeconomic
       | problems, isn't going to be solved through voluntarism.
       | 
       | This is easily solved with a universal basic income. Some of us
       | would gladly forever maintain and contribute to free software if
       | we had our basic needs guaranteed.
       | 
        | I certainly would.
        
         | wolverine876 wrote:
         | > The solution to this, along with many other socioeconomic
         | problems, isn't going to be solved through voluntarism.
         | 
          | Open source has been incredibly successful using voluntarism.
         | 
         | We could also throw in political movements; the all-volunteer
         | military, which has existed on and off since the American
         | Revolution; science (the pay doesn't nearly match the efforts
         | and value); non-profits; teaching (same as science); etc., etc.
          | Why do people feel so motivated to sh-t on voluntarism, which
          | has changed the world with great success? Almost every major
          | advance in history has been accomplished by volunteers
          | (depending on how you define it). Declaration of Independence,
          | Newton, Van Gogh, World Wide Web, etc. etc. etc. ...
        
       | qwerki wrote:
       | It's great to see more discussion in this space. The way I see
       | it:
       | 
        | 1) It's really difficult to donate to Open Source;
        | 
        | 2) Companies don't get enough value in exchange for donating; they
        | are businesses and think in dollars & cents;
        | 
        | 3) Devs much prefer to write code rather than chase companies for
        | donations & sponsorships.
       | 
       | As a result of these dynamics, OSS is very mispriced at the
       | moment. Unfortunately that is going to impact quality and we
       | shouldn't be surprised by the Log4j bug.
        
       | andreineculau wrote:
       | > Professionalizing the role of maintainer
       | 
        | My 2c are that the problem is there, and not specific to OSS. The
        | whole industry is looking down on maintenance and maintainers.
       | 
       | Keeping things working might not be a great career, but it's
       | equally important as creating new stuff, and guess what: some
       | people don't want to create but like to debug and maintain.
       | 
        | A parallel might be drawn with the right to repair electronics.
        | When we get back the culture of repairing stuff, then we will
        | value the act of repairing more. Because right now, it's an art
        | of repairing that very few can afford.
        
       | Jupe wrote:
       | I don't know... I just don't see how OSS will ever be a real,
       | sustainable business. The moment it does, someone else will
       | simply subvert the paid-for software with a look-alike that does
       | 90% of what the original does, but for free. In my view, this is
       | the birth story of OSS. And I don't see any real market there.
       | Even if you manage to find a "niche", like some sustainable
       | software-as-a-service with subscription, there's nothing stopping
       | someone else from undercutting you... all the way to "completely
       | free".
       | 
       | Moreover, isn't this what's happening to most software,
       | everywhere? Cases-in-point:
       | 
       | Compilers - when's the last time you actually paid for a
       | programming language? I know for me: SAS C in the mid 1990's
       | 
       | Databases - any new solution would likely use a free DB.. and why
       | not?
       | 
       | Digital audio workstations - "free" ones seem to come out monthly
       | 
       | Graphic editors - 2D and 3D alike - the free varieties are
       | getting better every year
       | 
       | Developer IDEs - From console editors to full GUIs to online
       | offerings; all free
       | 
       | Even the business model of "hoping to make server software so
       | good that everyone wants it" fails when hosting services just
       | grab it, re-package with their own branding and profit.
        
       | [deleted]
        
       | fatcat500 wrote:
       | If there was a button on Github that donated small amounts of
       | money to the maintainer(s) of a project, I would press it
       | frequently for many libraries I depend on.
       | 
       | For example, donating 25 or 50 cents every time I visit
       | gofiber/fiber would be fine with me.
       | 
       | However, there is no way to feasibly charge small quantities of
       | money without the majority of it getting raked in processing
       | fees. For example, Stripe charges 30 cents plus 2.9 percent (last
       | I checked), meaning only ~20 cents would make it to the
       | maintainer(s).
       | 
       | The same issue exists with rewarding content creators. You either
       | donate a non-trivial amount of money (often recurring) like $10 a
       | month (which means you have to keep track of that expense, which
       | is arguably an even greater disincentive for donating), or you
       | don't donate at all.
        
       | rubyist5eva wrote:
        | It's a double-edged sword. They can use your stuff AS-IS WITHOUT
        | WARRANTY, but if something goes wrong it is AS-IS WITHOUT
        | WARRANTY.
       | 
       | We've gotten complacent that open source just exists and is
       | maintained and it's sunshine and rainbows. We've been able to
       | build amazing things on the backs of these maintainers, but you
        | have to factor in that they _don't owe you anything_. So keep
       | that in mind when you're just gonna install some random library
       | from the public package repository because "not invented here" or
       | something.
        
       | nobodyandproud wrote:
       | For businesses, "free, as in speech" is equivalent to "free, as
       | in beer" because I as a company developer can build it and use
       | it. Even better if it's a non-viral copy-left license.
       | 
       | Why pay for the cow when you get the milk for free? There's no
       | incentive for anyone to pay and this has become best practice.
       | 
       | Anyone remember the uproar over CentOS being retired?
       | 
       | There's this unrealistic expectation that maintainers be paid
       | without a real business model, but that's what needs to be done.
       | 
        | Become a business or be part of a business, and find a cost
        | model that is both appealing to customers and self-sustainable.
        | 
        | All of which comes with non-engineering headaches, but there's no
        | avoiding it.
        | 
        | What may help here--and the missing ingredient--is a
        | professional trade organization.
       | 
       | In fact, this would solve a number of pressing problems in our
       | industry.
        
       | smasher164 wrote:
       | I agree that appropriate compensation is necessary, but I don't
       | think it's sufficient. There's a lack of visibility and tooling
       | for dependency management/auditing. I can't even find a proper
       | list of critical OSS along with their donation links.
       | 
       | Moreover, there needs to be a fundamental re-thinking of the
       | security model of languages and runtimes, i.e. even if I can
       | eval() user input or load a plugin from the network, it should
       | not be game over. There should be finer-grained access control in
       | programs, both at the type-level and with how they interact with
       | the OS. The global view of "your program can do anything unless
       | said otherwise" needs to change.
        
       | neilwilson wrote:
       | There is of course another way to do this.
       | 
       | The state offers a guaranteed job and collects tax.
       | 
       | Just as it does to maintain the roads.
       | 
        | Toll roads became public roads.
       | 
       | Earning six figures is a chore and frankly gets boring after a
       | while. But if you had enough to keep the wolf from the door ...
        
       | pbiggar wrote:
       | Here's something I wrote in 2018 that could basically be the
       | exact same thing written today:
       | https://medium.com/@paulbiggar/how-to-fund-open-source-8790e...
        
       | daenz wrote:
       | I'm an open source author and maintainer of a somewhat-popular
       | python package[0] (~1M downloads/month) that I've maintained for
       | over 10 years. I don't recall ever receiving a donation. I am
       | still maintaining it, but I just don't have time to add the
       | improvements that it needs to keep up with the ecosystem
       | (asyncio, for example). If organizations who use it got together
       | and chipped in some non-negligible amount, I would be much more
       | serious about keeping up with it, but $0, or $5-20/month, is just
       | not realistic incentive to compete with other priorities in my
       | life. I don't know the answer, but that's my thought process.
       | 
       | 0. https://github.com/amoffat/sh
        
         | pdonis wrote:
         | _> organizations who use it_
         | 
         | Do you know which organizations these are?
        
         | nopenopenopeno wrote:
         | Good for you. The welfare queen megacorps have been too
         | comfortable expecting handouts like open source charity work
         | and public bailouts. Open source software has served the elite
         | executive class while leaving working people to depend on anti-
         | freedom proprietary offerings. I am sick of watching it go down
         | like that. The never-ending data leaks, dark patterns, lock-in
         | strategies, and attacks on encryption and freedom of speech,
         | are all exacerbated by this tendency to yield the commons to
         | the ruling class. If open source doesn't serve working people,
         | I don't care a lick for it anymore. Cheers to Stallman and all,
         | but this is where his proposals fell short.
        
         | javajosh wrote:
         | First, I don't use it, but thanks. (I know, being a maintainer
         | is a thankless job, but I'm a rebel.) Second, the OP addresses
          | this issue directly. He's talking about "making OSS maintenance
          | _legible_" (emphasis mine) to BigCorps via 5-6 figure invoices
         | "on letterhead".
         | 
         | It's a grand idea, and I hope it works. The path to not working
         | is too achingly obvious though. Budgets are always tight (even
         | if you're Apple and you have to artificially make money feel
         | tight). What corp officer with budgetary discretion is going to
         | greenlight a 5-6 figure payment to someone who's not doing work
         | directly for the company? I think the key here is that that
         | person is going to have to a) be principled, and b) smart about
         | selling it, by emphasizing the fact that the changes were
         | beneficial to our company, and leave out the fact that those
         | changes were beneficial to every company. It wouldn't hurt if
         | BigCorp got a measurable recruitment bump from it, too.
        
           | daenz wrote:
           | If I could figure out for certain which big companies were
           | using my software, I might try the invoice idea for fun. I
           | expect it would be ignored, but I would send it anyways to
           | prove the idea one way or the other.
        
             | gumby wrote:
             | Big companies don't just pay random invoices;* you need to
             | indicate what project and account (usually IDs from their
             | CRM). So it would merely be chucked out.
             | 
             | * In really big companies it's possible for admins to buy
             | routine stuff below a threshold just to save on paperwork.
             | So there's a scam in which someone sends out a bunch of
              | $100 invoices for "printer paper" -- accounts payable
             | assumes the department code was left off by the vendor but
             | it seems legit so they pay it. Seems like a hard way to
             | collect money.
        
               | jsmith99 wrote:
               | It's called a Purchase to Pay system - whoever makes an
               | order supplies a Purchase Order number from their
               | internal system, which the supplier will reference on
               | their invoice so the accounts team can look it up before
               | paying it.
               | 
               | In terms HN would understand, it's a stateful firewall
               | for invoices that prevents paying orders that didn't
               | originate from your company.
        
             | josteink wrote:
             | If you hosted the package/library yourself instead of in
             | closed silos/package repos, you could directly check the
             | IPs of whoever regularly pulls your stuff.
             | 
             | We all opted for centralized package repos though, so now
             | only they know. And they're not telling us.
             | 
             | Just another "free" opportunity lost to centralization, I
             | guess.
        
               | javajosh wrote:
               | _> We all opted for centralized package repos though, so
               | now only they know. And they're not telling us._
               | 
               | I'm sympathetic to the view, but there really are some
               | things that are better centralizing. Reducing code into
               | binaries is something that a "fair" 3rd party is going to
               | be better at than the 1st party. Why? The 3rd party
               | central source is (presumably) mechanically cloning and
               | building, whereas the 1st party is doing much much more.
               | Effectively the 3rd party offers a better guarantee to
               | the end user that this binary corresponds to that
               | particular source.
               | 
                | Also, the way to measure who's using your code is to put
               | runtime telemetry in there. Distasteful, but so common
               | now with every kind of software, it's crazy. Yes, even
               | OSS CLI programs phone home now (heck, ohmyzsh phones
               | home every time I open a terminal!). For a generic server
               | library, you'd add a check to make sure it's the most
               | recent version and print that out to stdout on startup.
               | 
               | See, it's not user hostile it's to keep them informed of
               | updates! /s
        
               | oauea wrote:
               | > ohmyzsh phones home every time I open a terminal
               | 
               | are you talking about the update check that by default
               | runs once every 14 days[1], or is there something else?
               | 
               | [1]: https://github.com/ohmyzsh/ohmyzsh#getting-updates
        
         | indymike wrote:
         | Oh, wow. I've used this before. I think the python community
         | needs to work out how to make it easier for us to identify and
         | donate to maintainers. When I pip install, I never get a donate
         | here: some url. When I npm install, I do (arguably too much).
         | Anyhow, sh is handy. Thanks!
        
       | dalke wrote:
       | > Open Source maintainers graduating to sophisticated
       | counterparties who send invoices for "support and sponsorship" on
       | letterhead, and big companies developing procedures to assess,
       | approve, and pay them as a matter of routine so that they can get
       | what they need from the ecosystem.
       | 
       | The first 1/2 already exists. It's the companies which need to
       | change.
       | 
       | I say this from experience. I'm self-employed, with my own
       | company. For the first 15 years my plan was to provide commercial
       | support for open source packages I worked on. I had an LLC, an
       | accountant, I paid a designer for a logo, etc.
       | 
       | I co-founded the Biopython project and offered commercial support
       | for it, with a couple of other Biopython developers under NDA so
       | we could work on commercial projects that used Biopython.
       | 
       | Any interest? No.
       | 
       | I started an open source package for high-performance molecular
       | similarity search. This got some funding, mostly from personal
       | contacts at companies which wanted new features. And people used
       | it.
       | 
       | In fact, at one conference a speaker gave a talk based in part on
       | the results of my software. He commented correctly that it's very
       | hard for a company to spend money on software they get for free.
       | 
       | I commented, correctly IMO, that I offered support contracts, and
       | support is easy to justify to management if they really cared.
       | 
        | (Over the course of the conference, I learned that what they
        | liked best about "free software" was that it is 1) available for
        | no cost, and 2) doesn't come with strings attached - they didn't
        | want to care about upstream.)
       | 
       | My story isn't unique. I'm not the only one to try the
       | "sophisticated counterparty" route. LLCs are cheap.
       | 
       | The real onus is on the big companies. And since that's not going
       | to happen, I now offer proprietary licensing for my once FOSS-
       | only software.
        
       | kazinator wrote:
       | This is completely wrongheaded.
       | 
       | The people responsible for the logging library security are 100%
       | the people who decided to integrate that piece, not some open
       | source person who provides a patch and his three sponsors.
       | 
       | The Log4j library has a LICENSE.txt with clauses "7. Disclaimer
       | of Warranty." and "8. Limitation of Liability."
       | 
       | The wake up call is that programmers should take responsibility
       | for everything that they integrate, including all that they
       | recursively integrate. If you put it in the image, it's your
       | fault.
        
       | pselbert wrote:
       | The only reason I'm able to maintain a reasonably successful open
       | source library is because it is part of an open core business
       | model. Without that I couldn't justify the development effort or
       | relentless support to myself, or my family. Getting a few hundred
       | dollars a month wouldn't cut it either.
       | 
       | Building a business on a stack of other people's hobbies isn't
       | sustainable. I mean, just tell that to anybody outside of tech
       | and watch their reaction.
        
         | julianlam wrote:
         | Agreed. It is exactly the funding model my project (started
         | with two colleagues) endorses. We incorporated federally and
         | keep an open core.
         | 
         | I can't imagine it would be as clear cut for a "library", but
         | it can be done...
        
       | dkjaudyeqooe wrote:
       | Why not start a foundation, or even a business where companies
       | and individuals can voluntarily pay for open source software,
       | like an online store?
       | 
       | Different projects have different prices, but you can pay more.
       | 
        | The money is forwarded to project maintainers as wages, but a
        | "tax" is applied so that some money is redirected to small but
        | growing projects.
       | 
        | Projects that see sufficient income would be certified as having
        | a certain level of guaranteed support, based on the fact that
        | they essentially have a staff to maintain the project. The entity
        | would ensure and manage this. Some of the money would be used to
        | fund this process.
        
         | WesolyKubeczek wrote:
         | You used the word "voluntarily" here, and it's going to be the
         | singular reason it won't work.
         | 
          | Corporations only ever do anything voluntarily if the
          | alternative is tangibly worse, evidently more expensive, or
          | existentially threatening, especially in the short to middle
          | term.
        
       | thruflo wrote:
        | Sounds like an opportunity for a seedlegals.com style SaaS.
       | 
       | There's tipping and sponsorship infra, but is there a service to
       | plug an OS project into corporate-friendly licensing and support
       | invoicing?
        
       | mwcampbell wrote:
       | This post didn't go the way I thought it would. When these
       | discussions get going, I always feel a little guilty because my
       | tiny company doesn't pay for all the open-source software we use.
       | I suppose we should, but it would be hard to make a business case
       | for that, since the software is already free. It would be easy to
       | conclude that this is a problem for the big, rich companies to
       | solve, but I'm suspicious of advocating any action that I'm not
       | willing to do myself.
        
         | reidrac wrote:
         | I don't know if this makes sense: sponsoring one of the open
         | source projects your business depends on, could that work as
         | PR?
         | 
          | Perhaps this could work for any company size, but I guess it
          | depends on what your core business is.
        
       | DarylZero wrote:
       | The real solution is to throw out all the crap at the top of the
       | stack, get down to simpler and simpler code that can be
       | maintained by the people autonomously without corporate
       | involvement.
       | 
       | E.g., Gemini.
        
       | baskethead wrote:
       | If the US government had any sense of strategy, they would employ
       | these maintainers en masse, not only to create good will but to
       | make sure that other bad actors don't get to them first.
        
       | bhauer wrote:
       | I feel as if engineers at firms that build systems that use open
       | source libraries should campaign internally to create budget line
       | items for paying non-trivial amounts to the maintainers of those
       | libraries.
       | 
       | I find it difficult to blame developers individually. Individuals
       | working at these companies aren't going to see it as their role
       | to send some of their own after-tax income to maintainers via
       | GitHub Sponsors unless they are unusually charitable. But I could
       | definitely see my _company_ sending thousands out the door (pre-
       | tax) every year to the maintainers of the libraries we depend on.
       | 
       | For example, imagine your team is 15 people. Have the company
       | budget for and send an additional one developer's worth of salary
       | out annually to the open source maintainers, divided among the
       | libraries in a proportion agreed to by the development team. Yes,
       | it's an additional cost line item, but it's the right thing to do
       | and it won't break the bank.
       | 
       | Open source has reduced costs dramatically for all of us who use
       | it in our dependencies list. A nominal cost line item on our
       | annual budgets is more than fair.
        
         | DarylZero wrote:
         | This makes more sense than blaming the developers.
         | 
         | But ultimately the problem is the same: engineers, i.e.
         | employees, don't control the money. They don't have agency to
         | direct the money toward functions other than enriching the
         | people who have the money.
         | 
         | They may have more agency relatively speaking than free
         | software developers, but on an absolute scale, you can measure
         | this kind of agency in dollars, and it's a pittance.
         | 
         | Maybe they could donate some of their own salaries. Maybe they
         | could get employer matching. Still doesn't seem realistic, but
         | it's closer.
        
       | jbk wrote:
       | > Now is the perfect time for Open Source maintainers to become
       | legible to the big companies that depend on them--and that want
       | to get more out of them--and send them five-to-six figure
       | invoices.
       | 
       | Well, this is exactly what I've been doing around VideoLAN (VLC,
       | x264) and FFmpeg for the last few years. In order to do that,
       | I've created 2 official companies Videolabs and FFlabs (besides
       | the non-profit orgs) and I've gone through all the hoops to get
       | paid (PO, billing, invoices, registering to large companies is a
        | lot of paperwork, tbh, but well..) and we try and bill small to
        | large companies that depend on those projects.
       | 
       | And FFmpeg and x264 are the core of the online video.
       | 
       | So I did exactly what Filippo is saying we should do.
       | 
       | But the result is really not impressive. Seriously, asking for
       | money for support from those companies feels like we're pulling
       | the nails, even if their full business depends on it. Getting
       | 30-50k$ from those companies for support for one year can be very
       | challenging, long or leading to nowhere at all.
       | 
        | So, large SV companies and startups should also start agreeing to
        | pay for open source, when it's the core of the tech.
        
         | bdcravens wrote:
         | Would following an open core model work better, like it has for
         | Hashicorp, Sidekiq, Tailwind, etc? Also, would focusing more on
         | the low 4 figures result in more revenue? I feel the crowd
         | sensitive to open source has that kind of spending authority,
         | but once you get into the enterprise amounts, it's out of our
         | reach to effect change.
        
           | ozfive wrote:
           | At Enterprise levels there is no excuse to be using open
           | source software and not paying some amount to get support.
           | Boo!!! Booo!!! To anyone in an Enterprise that exploits FOSS
           | without diverting funds to it. https://youtu.be/74GdZs2Ilk4
        
           | wpietri wrote:
           | That could work if the cost per sale were sufficiently low.
           | But unless companies set up some sort of low-overhead system
           | for putting that kind of money into open-source projects, I
           | can't see it working. From what I hear, most devs can't just
           | say, "We use project X a lot, so I'm going to fill out their
           | web form right now and expense a $1k annual donation."
        
           | jbk wrote:
           | > Would following an open core model work better, like it has
           | for Hashicorp, Sidekiq, Tailwind, etc?
           | 
           | Yes, I think this might be a better model, indeed.
           | 
           | But I did not start either of those projects, I came on board
           | later; and those models are difficult to back-fit into an
           | existing project.
        
         | DethNinja wrote:
         | Why not change the license to a revenue share agreement with a
         | cap on total amount of revenue?
         | 
         | For example, if a company uses ffmpeg in their products and the
         | product generates a yearly revenue of 1m then they will pay you
         | 1k.
         | 
         | Current open source agreements do nothing to help smaller
         | companies or the maintainers and honestly I find it stupid and
         | destructive.
         | 
         | Charge larger companies more depending on their revenue and let
         | small size companies with less revenue basically use it for
         | free. Isn't this more ethical than letting FAANG use this
         | software for free?
        
           | hparadiz wrote:
           | I really don't understand this mentality. This is what we've
           | all been fighting for since the 90s. A free (as in beer) and
           | open stack of software that anyone can pull off the shelf and
           | use.
           | 
           | So many commercial platforms rely not just on ffmpeg and vlc
           | but also on nginx, php, python, nodejs, linux, mariadb, and
           | everything else you can imagine. We also pay for some very
           | niche things that are simply not available from the open
           | source community.
           | 
           | If my company was liable to have to pay out for each one of
           | these projects we would be bled dry and our business would no
           | longer be profitable. A bunch of people would also lose their
           | jobs in the process.
           | 
           | At my company we have revenue sharing so the idea of having
           | to cut out a piece of the pie for an open source project
           | would not be popular among staff. Most of them aren't even in
           | tech.
        
             | ChrisMarshallNY wrote:
             | _> If my company was liable to have to pay out for each one
             | of these projects we would be bled dry and our business
             | would no longer be profitable._
             | 
             | Unfortunately, building a business on a limited resource
             | that is -currently- "free," is not a particularly wise
             | decision.
             | 
             | VideoLAN and ffmpeg are _amazing_ tools, but a lot of folks
             | have made a lot of money on wrappers (some of which are
             | eye-wateringly expensive). I'd be unsurprised to find a
             | number of license violations in some of these wrappers.
             | 
             | History is filled with examples of people making money on
             | resources that are not sustainable. These folks make a lot
             | of money, until they wipe out the resources.
             | 
             | OS is a limited resource.
        
             | pizza wrote:
             | Open source developers can still release things to everyone
             | for free. Seems fair to say that companies derive value
             | from open source in proportion to their scale. How about a
             | $1m value generated threshold before it's considered
             | impolite for a company to not at least give a little
             | something back?
        
               | hparadiz wrote:
               | Ultimately these tools have already been released for
               | free so asking for a rent seeking style payment after the
               | fact is a little bit like sour grapes. What stops me from
               | just forking the project? Really nothing. If anything
               | open source maintainers that want to get paid should look
               | into a model that mirrors the bug bounty programs. Have
               | bounties for features. Generally these projects only
               | really need security updates.
        
         | kazinator wrote:
         | Throwing money at some outside parties will not ensure that
         | your in-house developers aren't carelessly including
         | snippets of code from the wild into your product.
        
         | Klonoar wrote:
         | Wasn't there some YC company that was trying to act as a sales
         | agent/middle-entity for this kind of situation? If not YC, they
         | at least were on HN at one point.
         | 
         | Curious if anyone knows.
        
         | hncurious wrote:
         | What's the largest company that uses FFmpeg and has refused?
         | What did they say?
        
         | H8crilA wrote:
         | You need a proper "asshole" in such organizations that will go
         | and threaten complete lack of support if the bill isn't paid.
         | Of course there is a lot more detail in such negotiations, but
         | the fact is that he/she will be facing similar "assholes" from
         | the side of the corpos. The entire thing is essentially just a
         | game of standard capitalism. You have to know how to play that
         | game, though.
         | 
         | FFmpeg should be able to pull multiple $M per year easily from
         | all the major corporations that use it. For comparison, $1M is
         | the total yearly cost of ~3 average engineers at FAANGs. And
         | most, if not all of them, use FFmpeg quite seriously.
        
           | jbk wrote:
           | > You need a proper "asshole" in such organizations that will
           | go and threaten complete lack of support if the bill isn't
           | paid.
           | 
           | That's the point, they don't pay, and they don't get support.
           | But they still complain when there is a major CVE.
           | 
           | > For comparison, $1M is the total yearly cost of ~3 average
           | engineers at FAANGs.
           | 
           | I wish we got that...
        
             | bogwog wrote:
             | 1) Create a funding report newsletter for FFMPEG
             | 
             | 2) When funding is low, big scary exclamation marks all
             | over the place
             | 
             | 3) Include a bulleted list of doomsday scenarios showing
             | what could happen to YOU if a bug/vulnerability is found
             | 
             | 4) Add a picture of a sad kitten or crying baby for good
             | measure
             | 
             | Now just subscribe all of the non-tech business people at
             | organizations that use FFMPEG, and wait for them to panic.
             | (Make sure that they need to call you to unsubscribe from
             | the newsletter, especially if they work at the New York
             | Times)
        
               | DarylZero wrote:
               | >Now just subscribe all of the non-tech business people
               | at organizations
               | 
               | Ah, if only one could "just" get a mass of people's
               | attention and send the message
        
               | justinclift wrote:
               | > Now just subscribe all of the non-tech business people
               | at organizations that use FFMPEG ...
               | 
               | Don't do that bit unless you're sure it's not illegal in
               | your (and their) jurisdiction.
               | 
               | Spam being a thing, and there being laws against it.
        
             | infogulch wrote:
             | Note "yearly _cost_". Between administrative and
             | organizational overhead, taxes, benefits, etc, typically
             | only 50% of that cost is actually taken home as employee-
             | visible salary [1] (which the employee then pays income
             | taxes on...). $175k is still a healthy salary especially
             | when compared to other locales, but it's not the $333k that
             | is easy to presume based on GP's comment.
             | 
             | [1]: From what I've seen this ~50% number seems to be
             | pretty close to the mark across virtually all industries
             | and jobs. I.e. it's pretty safe to assume that the total
             | cost to your employer to retain you is around double your
             | take home pay.
        
               | cma wrote:
               | It doesn't seem like that 50% number would just keep
               | scaling with salary. There is a cap on payroll tax [1],
               | administration stuff around administering health,
               | vacation, etc. doesn't change that much, office space..
               | maybe so with things like the Apple spaceship ($5 billion
               | with capabilities for 12,000 employees; amortized over 25
               | years would be $16,000 per employee so I wouldn't think
               | so).
               | 
               | [1] https://en.wikipedia.org/wiki/Payroll_tax#/media/File
               | :Effect...
        
             | watwut wrote:
             | Do those specific managers and layers really complain about
             | CVE? Afaik they don't care or know.
        
             | bscphil wrote:
             | > That's the point, they don't pay, and they don't get
             | support. But they still complain
             | 
             | You've put your finger on the core of the issue with
             | FiloSottile's suggestion. The problem is that to sell
             | something to a big corporation, you need to have something
             | tangible you can sell. What you have are enormous pieces of
             | widely used software, being given away for free. Many
             | companies are going to take that and run with it, and forgo
             | a support contract entirely. You may argue that they _want_
             | support when there's an issue, but the truth is they're
             | happy enough with the status quo and just complaining a
             | lot.
             | 
             | In FiloSottile's model, a corporation needs to use your
             | software for something specific, but also expects to need
             | changes to it or prioritized issue support and approaches
             | you; you send them an invoice with five zeroes on it as a
             | bill for your services and they are heavily incentivized to
             | pay for it.
             | 
             | Unfortunately that's not the reality for 99.9% of open
             | source maintainers, a figure that includes most creators of
             | popular software like VLC. I've personally contributed to a
             | bunch of projects and maintain some of my own, but it's a
             | hobby. As far as I know no corporations are even using any
             | of them. Figuring out some software niche that no one yet
             | has a product for, building it, and waiting for a
             | corporation to swoop in and drop me a six figure yearly
             | check cannot be a career strategy.
        
               | nerdponx wrote:
               | Would it be unethical to refuse to fix bugs reported by
               | employees of large corporations, unless those
               | corporations pay a support contract or contribute a patch
               | themselves?
        
         | mfer wrote:
         | > So, large SV companies and startup should also start agreeing
         | to pay for open source, when it's the core of the tech.
         | 
         | Companies usually have a reason to keep their expenses low.
         | Sometimes they are a public company with fiscal
         | responsibilities. A startup will only have so much runway and
         | is likely trying to reduce expenses.
         | 
         | Given this situation, why will they pay for what they can get
         | for free?
        
           | skinkestek wrote:
           | > Sometimes they are a public company with fiscal
           | responsibilities.
           | 
           | Public companies also have accounts for goodwill in their
           | books, don't they?
           | 
           | Also, I'd even say that depending on volunteers for
           | everything when you aren't in dire straits isn't too
           | responsible.
        
             | watwut wrote:
             | No, the companies are supposed to generate value for
             | shareholders. They are supposed to have infinite financial
             | growth and that is pretty much it.
        
               | DarylZero wrote:
               | That's how it is most of the time but I don't see how you
               | can say it's "supposed to" be that way. It's
               | pathological. Essentially it's a form of group
               | sociopathy.
        
               | thedevelopnik wrote:
               | Yes, you just described Capitalism.
        
               | watwut wrote:
               | Supposed as per economical theory/ideology, legal
               | expectations and also per "what kind of CEO will get the
               | job".
               | 
               | It is not like most of the time randomly. It is like
               | that, because economic system is designed to work that
               | way.
        
             | OJFord wrote:
             | Yes, but it doesn't mean what you think.
             | 
             | Goodwill in that context is _towards_ the company, an
             | intangible asset comprising the value in its brand etc.
        
             | mfer wrote:
             | > Public companies also have accounts for goodwill in their
             | books, don't they?
             | 
             | I've worked for multiple public companies and have yet to
             | see this. I have seen different models. For example, when
             | they want a feature in an open source project they may
             | contract with maintainers to pay for work. Or, they may
             | have a maintainer for a project on staff.
             | 
             | > Also, I'd even say that depending on volunteers for
             | everything when you aren't in dire straits isn't too
             | responsible.
             | 
             | Responsible to whom?
             | 
             | People choose to be volunteers. Being a volunteer and
             | hoping for hand outs from companies isn't working out well
             | for most folks. Maybe it's time to look at other ways of
             | doing things.
             | 
             | Note, I'm not suggesting what the right way to do things
             | is. I'm just looking at how people are doing things.
             | Expecting them to behave differently isn't likely going to
             | bring about a change in them.
        
           | wpietri wrote:
           | It seems like you haven't quite got the concept of open
           | source. If everybody consumes and nobody contributes, how
           | long will that last?
           | 
           | A while back I bought a cheap robot vacuum. Their scheduling
           | feature didn't meet my needs, so I reverse-engineered the
           | protocol and open-sourced a cron-friendly CLI tool and a
           | library so people could do other things with it:
           | https://github.com/wpietri/sucks
           | 
           | Honestly, this was a mistake on my part. It was a demanding
           | audience of home-automation hobbyists mostly without
           | programming skills. The company was thoroughly unhelpful.
           | When my vacuum finally broke, I was relieved, as I had a good
           | excuse for trying to hand off the project. Nobody stepped up,
           | so I shut it down. I just ran out of interest in doing free
           | work to support a company worth billions.
           | 
           | I really admire the community spirit of open source. But it's
           | not sustainable if companies making their money off it keep
           | depending on the niceness and generosity of others without
           | giving back enough to keep them happy, healthy, productive
           | people.
        
             | mfer wrote:
             | A few thoughts...
             | 
             | I've long known people who modified cars. Sometimes they
             | did it as a business. Sometimes they helped friends out.
             | Sometimes the work was on nights and weekends. The car
             | manufacturer never had a responsibility to support them.
             | They never had to support people in forums. Anything they
             | did was their choice. Sometimes as a business and sometimes
             | volunteering.
             | 
             | You didn't have to open source that work. Once it was out
             | there, you didn't need to provide support.
             | 
             | Doing volunteer work and hoping for generosity from
             | companies isn't working.
        
               | phkahler wrote:
               | >> You didn't have to open source that work. Once it was
               | out there, you didn't need to provide support.
               | 
               | That's true. The problems brought up in the article all
               | stem from companies relying on open source and then
               | getting into trouble when there are problems with it.
               | They would pay if they had to.
               | 
               | The core problem is that everyone wants something for
               | nothing. Sure companies appreciate that they can get
               | billions of dollars worth of infrastructure software for
               | free. Individuals appreciate that they can get useful
               | software for free (though many don't care if it's FLOSS
               | or illegally obtained commercial). People will take what
               | they can, and pay for what they must. Open source is
               | sometimes better than commercial, and even if the
               | developers were paid industry rates it would be much
               | cheaper because companies charge rent for software - not
               | for development.
        
             | bawolff wrote:
             | > It seems like you haven't quite got the concept of open
             | source. If everybody consumes and nobody contributes, how
             | long will that last?
             | 
             | I think that's a pretty unfair characterization of the
             | previous post.
        
             | candiddevmike wrote:
             | IMO, I think the golden age of completely FOSS apps (no
             | open core) is ending/has ended as users expect more
             | features and apps struggle to meet demands without
             | effective monetization. I think open source will always
             | have a place for libraries and tools, but end user
             | applications will either become open core or no longer open
             | source.
        
               | smorgusofborg wrote:
               | > as users expect more features
               | 
               | I think mobile was a reprieve for commercial software and
               | UX specialists and the increasingly negative comments on
               | new OS versions indicate it is close to done like
               | desktop.
               | 
               | For every user that likes a change there are 19 that
               | prefer the flow they already learned to stay exactly the
               | same and at least half are looking for exploitive
               | attempts to modify their behavior in anything a publisher
               | changes.
        
               | the_af wrote:
               | > _I think open source will always have a place for
               | libraries and tools, but end user applications will
               | either become open core or no longer open source._
               | 
               | Very sad if this ever comes to pass. It's a world in
               | which I would never have learned about computers or
               | decided to work with them. I think it makes more sense to
               | charge big companies but keep software free and libre for
               | individuals.
               | 
               | (I don't think this future will happen though: I think
               | it's based on a deep misunderstanding of what drives FOSS
               | developers to do what they do).
        
               | laurent92 wrote:
               | Shouldn't Open Source be considered the 8th wonder of the
               | world?
               | 
               | - OSS allowed an entire industry to flourish,
               | 
               | - It has had so many contributions that it is easily the
               | category which is the biggest benevolence of the world,
               | and possibly the biggest achievement of humanity,
               | 
               | - It allowed the entire world to go securely on the
               | internet (launch a Debian and it's secure and up to very
               | high professional standards without effort, try doing
               | that in the legal field),
               | 
               | - Its results are permanent. In 2100, documents written
               | in Office 365 or Adobe will be lost, but they'll be able
               | to recompile LibreOffice, Chrome (at least Webkit) or
               | Wordpress. Benefits of OSS accrue over time, as opposed
               | to closed-source software which is sold under closed
               | license and DRM.
        
               | wpietri wrote:
               | Entirely possible. Although I suspect more libraries and
               | tools will go that way as well. Note that mine was in
               | theory a library/tool. And the examples mentioned in the
               | blog post were similarly infrastructural.
               | 
               | Most of us work at such high levels of abstraction we
               | couldn't even name all our dependencies. Which in effect
               | makes us the same sort of consumers app users are:
               | expecting a lot out but not putting anything in.
        
             | usefulcat wrote:
             | >> Given this situation, why will they pay for what they
             | can get for free?
             | 
             | > If everybody consumes and nobody contributes, how long
             | will that last?
             | 
             | That doesn't answer the GP question, which is all about
             | incentives.
             | 
             | The answer is, at least some parties won't pay for what
             | they can get for free. So the options are:
             | 
             | a) deal with it
             | 
             | b) require payment
             | 
             | c) come up with some way to incentivize more donations
        
               | meheleventyone wrote:
               | d) stop
               | 
               | It's not like there is a parable about killing the goose
               | that laid the golden egg to teach you how to appreciate
               | these things.
        
             | [deleted]
        
           | KarlKemp wrote:
           | In strictly economic terms, it rarely makes sense for all but
           | the largest users of some upstream project, putting that
           | proposition squarely in tragedy-of-the-commons territory:
           | it's better to hope for others to support it.
           | 
           | That applies even to existing sponsorships, however. Their
           | existence thus points at more than cold-blooded short-term
           | business interests being at play here. While corporations are
           | in theory seeking only shareholder value, corporations happen
           | to be (made up of) people, who are capable of altruism, and
           | should be encouraged to use it. Just because US capitalism
           | has managed to build a not-entirely-failing system on
           | unadulterated selfishness does not turn that mindset into a
           | virtue, or even reality: as far as I can tell, the dominant
           | reason for sponsorship is that some person with a bit of
           | authority likes the idea.
           | 
           | They may consider it good for marketing, or recruitment, or
           | to secure their supply chain, or just morally called for, or
           | they want to be the fat cat at this year's TINYTEC-CON. If you
           | asked them, they'll give you a reason that totally makes
           | sense for a business and has little to do with reality. And,
           | no, nobody ever got sued or fired for these decisions. So go
           | ahead, do it! You got all the left-padding you needed, it's
           | right to pad their wallet in return.
           | 
           | (recycled from earlier comment on the topic)
        
           | DarylZero wrote:
           | Right. Mostly they wouldn't even pay employees if they could
           | get away with it. We have to make laws about it.
        
             | imachine1980_ wrote:
             | Like dual licenses? Qt?
        
               | DarylZero wrote:
               | I mean just ordinary employees really wouldn't get paid
               | at all if not for labor regulations.
               | 
               | Just look into the amount of simple "wage theft"
               | (employers forcing employees to work off the clock, etc.)
               | that exists in the USA.
               | 
               | Of course, this country fought a war over the issue of
               | free labor from black slaves.
        
               | jokethrowaway wrote:
               | What you say is nonsense. Companies will try to pay as
               | little as possible to make more profit. They won't pay
               | you more than you can make them. Employees will try to
               | get paid as much as possible. They won't work for
               | something they can't live on.
               | 
               | All is good and dandy.
               | 
               | If employees are not getting paid, they'll go and do
               | something else (like another job or growing food
               | themselves) or steal and starve if there are no jobs or
               | resources. They would never work for free because they
               | can't live without eating.
        
           | [deleted]
        
           | jbk wrote:
           | > Given this situation, why will they pay for what they can
           | get for free?
           | 
           | See the article...
        
             | mfer wrote:
             | I was responding to the parent comment not the article. The
             | article makes great point. It essentially talks about a
             | services and support business around open source. Some have
             | been doing this for decades.
             | 
             | When you have contracts and support at a cost you aren't
             | doing the work for free. The article is talking about
             | running open source like a business rather than a volunteer
             | situation. That means, you're not doing everything for
             | free.
        
               | jbk wrote:
               | > It essentially talks about a services and support
               | business around open source.
               | 
               | Which is _exactly_ what we are doing...
        
         | Terry_Roll wrote:
         | It ain't going to happen. Have you read some of the contracts
         | linked to open source? It will be a minority who make money from
         | it. For example, I could use open source internally, add
         | features to it, but I don't have to submit those changes back to
         | the main source for others to use. Not only that, who is going
         | to police it? It's not like there is some magic open source
         | police who will police my computer, is there?!? So sure, whilst
         | the statement is true that Open Source runs most of the
         | internet, the companies using it like Facebook or Google are
         | not under any legal obligation to submit any changes back to
         | the public domain for the greater good under some of those
         | contracts. Even MS has some APIs which come very close to
         | mirroring Open Source functionality, which makes me question MS:
         | is this legal!
         | 
         | Open Source is just naive charity, much like the UK Govt
         | exploited the charity of the public by helping along a weekly
         | 8pm clap for NHS workers on a Thursday night during Covid
         | lockdowns. A weekly clap ain't going to pay the bills and the
         | rich will say anything to get out of handing over money. Hard
         | lesson but it's the truth; they would rather spend on PR image
         | control than pay bills IMO.
         | 
         | So sorry, Open Source is something people can practice on and
         | not get paid for except in a consulting role at best.
        
         | StreamBright wrote:
         | It is really not that hard with the right licensing.
         | 
         | Offer your FOSS project with the meanest anti-corporation
         | license you can find (AGPL?) which is not going to bother your
         | user base but it is going to be a major hurdle for any
         | corporation and then offer the software with a corporate
         | friendly license for 100.000 / year.
         | 
         | Wouldn't this work?
        
           | coldpie wrote:
           | You run into problems when there are contributors other than
           | yourself.
        
       | [deleted]
        
       | tomxor wrote:
       | Unpopular opinion:
       | 
       | Maybe there is nothing wrong with the "status quo", maybe we
       | don't need _yet another_ attempt to finance small FOSS projects
       | where it's hard to explain how money will actually solve any of
       | these issues.
       | 
       |  _Maybe_ people just need to be more considerate of what they
       | depend upon. And in the case that a popular yet well maintained
       | project has a CVE one day, _maybe_ we need to accept that
       | popularity does not make them invulnerable to bugs; all software
       | has bugs.
       | 
       | </unpopular realist's opinion>
        
         | jjoonathan wrote:
         | "Being considerate" and "accepting" can't fix bugs. Time and
         | money can fix bugs. We need to get these projects more time and
         | more money.
        
           | rglullis wrote:
           | No doubt. The question is who should be paying them?
        
           | finnh wrote:
           | Would more time or money have prevented the log4j bug? If
           | anything that strikes me as coming from too much time spent on
           | overarchitecting something.
        
             | jjoonathan wrote:
             | That's more an argument against old-school "no amount of
             | architecture is ever enough" Java -- not so much an
             | argument against the principle that engineer-time can fix
             | bugs.
        
               | watwut wrote:
               | This bug was not consequence of not enough developers.
               | And there will never be guaranteed "no security issue"
                | situation. That level of certainty is simply too
               | expensive.
        
             | taberiand wrote:
             | Money spent on dedicated testing might have discovered it
             | earlier perhaps?
        
               | mro_name wrote:
               | I don't think testing is the silver bullet here - it's
               | about system boundary awareness.
        
               | jsiepkes wrote:
               | I don't really see how the Log4J2 issue would have been
               | uncovered by testing. It's not really a bug but more of a
               | design flaw.
               | 
               | The reason is that the whole JNDI string interpolation
               | feature by itself opens a door to a whole world of
               | layered complexity which you can't comprehend. And even
               | if you could comprehend it all Java could add some
               | feature to JNDI which introduces an issue which wasn't
               | there when it was all tested.
        
               | brabel wrote:
               | Exactly, the JNDI feature has been on the docs for
               | everyone to see for several years:
               | https://logging.apache.org/log4j/2.x/manual/lookups.html
               | 
               | Anyone who knows anything about JNDI would've immediately
               | recognized that this was an incredibly bad idea, as JNDI
               | attacks are well known around black-hat circles (LDAP is
               | just one of the things you can do once you have JNDI
               | available).
               | 
               | Yet, here we are, several years later, acting surprised
               | this thing existed and thinking that tests would've
                | helped!? What kind of tests, exactly?!!? I think I am to
                | blame myself, like many other Java developers who actually
                | use log4j, have a good understanding of how it works,
                | know JNDI and LDAP, yet never connected the dots and
                | noticed what this incredibly stupid feature was making
                | possible.
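
An added toy example (not log4j's code and not from any commenter) illustrating the design-boundary point jsiepkes and brabel make above: a logger that expands `${kind:arg}` lookups over the whole assembled line, message data included, versus one that expands only the operator-controlled layout and treats the message as opaque data. The `env` and `date` lookup names, the resolver table and the sample lines are constructed for this example.

```python
import re
from typing import Callable, Dict, List

# Constructed example: a minimal lookup syntax of the form ${kind:arg}.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")


def make_resolvers() -> Dict[str, Callable[[str], str]]:
    """Hypothetical lookup table; a real logging framework has many more."""
    env = {"HOSTNAME": "app-01"}  # constructed environment
    return {
        "env": lambda key: env.get(key, ""),
        "date": lambda fmt: "2021-12-11",  # fixed value for reproducibility
    }


def expand(template: str, resolvers: Dict[str, Callable[[str], str]]) -> str:
    """Replace every ${kind:arg} whose kind has a resolver; leave others as-is."""
    def sub(m: "re.Match[str]") -> str:
        kind, arg = m.group(1), m.group(2)
        fn = resolvers.get(kind)
        return fn(arg) if fn else m.group(0)
    return LOOKUP.sub(sub, template)


def format_unsafe(layout: str, message: str,
                  resolvers: Dict[str, Callable[[str], str]]) -> str:
    """Flawed design: the message is spliced into the layout first and the
    whole line is expanded, so lookups inside caller-supplied message data
    are resolved as if the operator had written them."""
    return expand(layout.replace("%m", message), resolvers)


def format_safe(layout: str, message: str,
                resolvers: Dict[str, Callable[[str], str]]) -> str:
    """Boundary-aware design: only the operator-controlled layout is
    expanded; the message is inserted afterwards as opaque data."""
    return expand(layout, resolvers).replace("%m", message)


def find_lookups(message: str) -> List[str]:
    """Detection helper: list the lookup kinds embedded in message data."""
    return [m.group(1) for m in LOOKUP.finditer(message)]


if __name__ == "__main__":
    resolvers = make_resolvers()
    layout = "[${env:HOSTNAME}] %m"
    message = "user=${env:HOSTNAME}"  # constructed message carrying a lookup
    print("unsafe:", format_unsafe(layout, message, resolvers))
    print("safe:  ", format_safe(layout, message, resolvers))
    print("lookups in message data:", find_lookups(message))
```

Running it shows the same message producing a resolved value under the first design and being left verbatim under the second. `find_lookups` is the kind of cheap boundary check a reviewer could apply to data that crosses from callers into the formatter, which is the "system boundary awareness" mro_name refers to.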
        
           | beiller wrote:
           | Open source always trails professional software solutions.
           | Yet always time after time will eventually surpass it as the
           | bleeding edge moves further. Maybe we can view it in such a
           | way that major companies have become too reliant on free open
           | software. If you want secure software, pay for it. The
           | knowledge will eventually flow down to free software because
           | it's ultimately run by hobbyists. I like the way it is and I
           | don't see it changing because so many are just donating free
           | time to open free software. Maybe something we could do is
           | make open source contributions tax deductible (if we could
           | somehow price it accurately)
        
         | er4hn wrote:
         | I would say that this is different from "hard to explain". What
         | is being proposed is essentially "OSS with a paid model for
         | premium support / feature development." It shifts the language
         | from "donations", which companies don't understand, to
         | "consulting", which companies do understand.
         | 
         | It's not completely novel, projects such as openssl and sqlite
         | do offer paid consulting, but it's not normalized among
         | companies to pay for doing so. If Filippo can normalize having
         | OSS be treated as paid consulting engagements I think that
         | would be wonderful for the community.
        
           | tomxor wrote:
           | > OSS with a paid model for premium support / feature
           | development.
           | 
            | Adding features does not reduce the likelihood of bugs, if
            | anything
           | the opposite.
           | 
           | It's very difficult to come up with a paid model that
           | specifically encourages a preventative strategy towards bugs
           | and security flaws. Currently the best we have is getting
           | people who care about those things to build software.
        
             | pixl97 wrote:
              | Yep. Working for a company that makes paid-for software,
              | customers always want more features. It's really fun when
              | paying customers want mutually incompatible features added
              | and the sales people and developers go at it for months
              | trying to figure out how to make it work.
             | 
             | Then, maybe a year later, that feature is no longer the hot
             | new thing and it becomes abandonware inside the
              | application. If your app isn't cloud based you have no
             | idea if you can rip the feature out or not as you have no
             | idea how many people, if anyone still uses it.
        
         | brabel wrote:
         | Quite honestly, I think that if companies paid open source
         | maintainers to get the features they wanted, the log4j problem
         | would NOT have been averted at all, it would likely have
         | happened earlier... notice that the source of the issue
         | (support for JNDI lookups right into any log messages) was
         | introduced because of someone asking for that feature (and
         | getting it for free!)... if a company had paid for it, it
         | would've been just the same, I doubt very much the company
         | would have done any kind of security veto on the
         | implementation.
         | 
         | What's needed is for open source libraries to somehow get
         | "rated" by security experts before they get used by businesses.
         | If those businesses using it paid for that, and then paid
         | someone to fix any issues found, then I think we would have a
         | working solution. Just paying for features would just make
         | things worse... have you ever seen companies paying for
         | security features, though?? No, I haven't at least... they pay
         | for business features that will make them money, they hope,
         | security is kind of just implied (and they might lay the blame
         | entirely on the developer if they actually had a business
         | relationship with them - which may be a big nightmare,
         | actually, for OSS developers - and I am one of them myself...
         | you can no longer use a license that just says you're not
         | liable to anything bad that happens).
        
           | F6F6FA wrote:
           | Perhaps OSS has become too sophisticated and professional-
           | standard for its own good, while still being created and
           | maintained by amateurs.
           | 
           | I have an analytics package which is apparently being
           | evaluated by the military of a large country. Even if secure
           | code, now the maintainers themselves are under attack.
           | 
           | For I am definitely a weaker link than a soldier or agent or
           | gov department. Did not expect such usage when creating this
           | project. If said government had seen how this was developed
           | and tested, they would probably physically destroy the
           | machines it is installed on.
        
         | qwerki wrote:
         | Open market dynamics should in theory change this one way or
         | another. Long term you can't have some code cost $0 while an
          | SWE's code costs $300k+ per year... Reality is open source code
         | is badly mispriced right now.
        
       | geerlingguy wrote:
       | No thanks.
       | 
       | Maintaining business relationships with $megacorp is one of the
       | primary reasons OSS maintainers (maybe just speaking for myself,
       | but I don't think so) do their OSS work, and don't develop
       | proprietary software and market and sell it around a business
       | venture.
       | 
       | If you start writing up contracts or accepting direct payments
       | with any strings attached at all, the dynamic is completely
       | changed.
        
         | foothall wrote:
         | +1.
         | 
         | This can lead to corporate capture. We see this in some
         | projects already.
        
         | WJW wrote:
         | Not to mention that the dynamic would completely shift in terms
         | of community contributions. If I submit a patch to a free
         | project where the maintainers make nothing, I wouldn't even
         | think of asking for anything in return (even if it is a project
         | used by bigcorps, such as Redis or GHC). If I know that the
         | maintainers get paid a full salary for maintaining the
         | software, it becomes a much weirder thing to send them bugfixes
         | for free.
        
           | kam wrote:
           | "Sending them bugfixes for free" is both a benefit and a
           | burden to an open source project. It takes maintainer time
           | and effort to review the fix, test, make releases, etc, and
           | that's a thankless job. When a company pushes their patches
           | upstream, they're gaining a benefit for themselves (avoiding
           | maintaining a fork), and potentially benefiting any other
           | users who might be affected by the bug or want the same
           | feature. But they're also adding to a maintainer's workload,
           | and that's often the scarcest resource in open source.
        
             | WJW wrote:
             | Fair enough, but I didn't mean sending in bugfixes because
             | I need it for my employer, I meant sending in bugfixes (or
             | features) to a project that I wanted to make because it
             | bothered me. For example, some time ago I sent in a patch
             | to use better data structures in an event loop library that
             | I think is cool but otherwise don't use.
             | 
             | Should OSS devs optimize for my (probably quite rare) use
             | case? Probably not, but the feeling when making a patch for
             | something that I like is still different when the
             | maintainer runs it as a business compared to when they run
             | it as a hobby.
             | 
             | (This is what the whole discussion seems to be about btw.
             | Some people like to program in their free time as a hobby
             | and other people would REALLY like guarantees about the
             | software that cannot be made without losing the essential
             | hobby-ness of it)
        
       | KingMachiavelli wrote:
       | It would certainly help if the IRS did _something_ to encourage
       | open source. You can donate a work of art to a museum for a
        | deduction but you can't donate 20 hours of labor. The IRS is
       | deliberately becoming more strict [1] so many current non-profit
       | software foundations e.g. Apache are actually the exception to
       | the rule.
        
       | [deleted]
        
       | er4hn wrote:
       | Filippo, I think that what you are proposing is an unusual, even
       | radical idea. I hope you are able to follow through on it for
       | yourself and that you can inspire others to do so by seeing the
       | path you are marking.
        
       | daemonhunter wrote:
       | Side note: dang there are salary discrepancies in the SWE
       | community.
        
         | 1_player wrote:
         | There are salary discrepancies everywhere in the world. If you
         | mean the salaries across countries, you're comparing apples and
         | oranges. EUR100k in Berlin goes much further than $100k in
         | Houston (a random big city in the US, I don't think Berlin is
         | comparable to NYC)
        
           | usrbinbash wrote:
           | Not to mention the person in Berlin has access to state
           | funded medical support, a state funded pension, paid sick
           | leave, paid ma/paternity leave, ...
           | 
           | Salaries are lower, but expenses for essential services are
           | simply A LOT less in most of Europe.
        
             | jakear wrote:
             | Tech companies also pay for health insurance, sick leave,
             | and ma/pa leave. Sure pensions aren't a big thing, but
             | increased savings from increased salary can make up for
             | that (not to mention 401k).
        
               | usrbinbash wrote:
               | The difference: It's not up to the companies in most of
               | western Europe. These services are guaranteed by law, and
               | provided by the state.
               | 
               | >but increased savings from increased salary can make up
               | for that (not to mention 401k).
               | 
               | And huge medical bills can quickly eat up even
               | substantial savings...that doesn't happen as easily when
               | medical services are provided by universal coverage.
               | 
               | Also, state guaranteed pensions aren't lost if some
               | company in a portfolio crashes.
        
               | JJMcJ wrote:
               | > pay for health insurance
               | 
               | Have cancer, or a premature baby with 90 days in Neonatal
               | Intensive Care, in the USA, and get back to me on your
               | health insurance.
        
               | jakear wrote:
               | The fun thing with healthcare bills is you can just...
               | not pay them. There's an immense amount of medical debt
               | in the country, and it tends to get passed around for
                | pennies on the dollar to people who think they can
                | strong-arm it out of you. Ignore them, and they're stuck
                | holding
               | the bag.
               | 
               | Your credit score will take a hit. But that's of
               | relatively little consequence.
        
           | daemonhunter wrote:
           | There are big discrepancies in the US alone. I'm comparing
           | mine (L6+) to those.
        
       | lumost wrote:
       | Once upon a time, the best way to get a software job was to
       | demonstrate your ability to build _useful_ open source projects.
       | 10 years ago the Principal Engineers I would work with had super
        | sized open source portfolios, which lent them both credibility
       | and experience building products people liked. Junior devs would
       | search (sometimes in vain) for issues where they could contribute
        | a few PRs.
       | 
       | Now the best way to get a job is leet code, leet code, and more
       | leet code. Rather than spending <5 hours a week working with real
       | code and producing real value on open source projects - most
       | career minded engineers will simply focus on leetcode.
       | 
       | Not many people patch esoteric software that's been around for
       | 10+ years because it's particularly fun or because there is
       | specific business value in it.
        
         | ogogmad wrote:
         | > Now the best way to get a job is leet code, leet code, and
         | more leet code. Rather than spending <5 hours a week working
         | with real code and producing real value on open source projects
         | - most career minded engineers will simply focus on leetcode.
         | 
         | Maybe more broadly: The only way to prove that you're good at
         | X, is to do X well. An artist is only as good as his portfolio.
         | The same is true for all creative jobs.
         | 
         | I'm thinking that these proxies (see all attempts at
         | standardised testing) are a disease of our time.
        
           | didibus wrote:
           | I'm not sure I fully agree. Doing open source doesn't mean
           | you do it well. You have no sense of how quickly, efficiently
           | and independently they managed to achieve it. I'd much rather
           | hear from prior experience, and probe about situations and
           | scenarios they were in, projects and problems they
            | contributed to, and hear the story of how they went about
           | it, how long it took them, what they did in the face of
           | setbacks and pressure, etc.
           | 
            | I have seen first hand developers that are just okay or below
           | average successfully deliver on open source, because you have
           | infinite time, no constraints, no stress and get to choose
           | exactly what you do or contribute. But in a work environment
           | they struggle, given ambiguous problems they struggle, given
           | time constraints they struggle, given changing needs and
           | demands they struggle, working within a team they struggle,
           | given something outside their area of knowledge they
           | struggle, etc.
        
             | [deleted]
        
         | ignoramous wrote:
         | Neither of those make for good _filters_ ; though they are
          | decent enough _indicators_. Most engs can't be bothered with
         | leetcode, let alone F/OSS.
        
         | didibus wrote:
         | This might sound weird, but I find every time someone publishes
         | or contributes open source, they are stealing value from me,
         | because it is one less thing that a company will need me to
         | implement, build and maintain for them, instead they'll now
         | expect me to simply use the existing free of charge open source
         | one.
         | 
         | Not only does it feel like I'm stolen value, open source work
         | tends to be the most interesting, and as more and more is done
         | and offered for free, my work becomes less and less
         | interesting, and the job becomes more about connecting and
         | configuring all these open source systems together.
         | 
         | Needing to contribute free work in open source before getting a
         | job therefore sounds like the biggest of scams to me.
        
           | loudmax wrote:
           | I guess in the same way that public libraries steal value
           | from book publishers and public education steals value from
           | private tutors. Also, how rainwater steals value from bottled
           | water companies, fresh air steals value from air filter
           | vendors, and sunlight steals value from the electric company.
        
             | didibus wrote:
             | Libraries still pay for each copy of a book, and in some
             | countries royalties are paid out each time the book is
             | borrowed. The library is not allowed to make additional
             | copies of a book and borrow them either. Public education
             | pays its teachers.
             | 
             | But overall I'm not in disagreement with you, you could say
             | open source is done as part of the greater good and
             | advancement of technology and computer science, and not for
             | personal capital gain. That also means that it isn't meant
             | to be a sustainable career path, or job that you can do
             | full time though.
        
           | wolverine876 wrote:
           | I can understand the perspective. But it goes both ways:
           | Aren't you (and I) 'stealing'? How much do you use open
            | source, as a developer and as a user - and just to post this
            | message: try enumerating all the open source that goes into
           | it.
           | 
           | We benefit far more than we can ever repay.
        
             | didibus wrote:
             | > How much do you use open source, as a developer and as a
             | user
             | 
             | As a user I agree, things would probably be more expensive
             | if nothing was open source. But as a developer, I disagree,
             | my employer would simply need to pay for the stuff I use,
             | or they'd pay me or another developer to build them one.
             | And this is precisely what the article argues, that
             | companies should pay for it. If there wasn't any open
             | source logging library, the maintainer could either work
             | for a company that offers a paid one, start his own
             | company, or work for a company that pays him to maintain
             | one for them.
        
               | wolverine876 wrote:
               | > But as a developer, I disagree, my employer would
               | simply need to pay for the stuff I use, or they'd pay me
               | or another developer to build them one.
               | 
               | Good point, but you would have a much smaller industry
               | and platform without FOSS, and there is no way you could
               | build all the libraries, tools, etc., yourself. Even
               | FAANG depends on FOSS. If everything had to be paid for
               | and professionally developed, licensed, etc., there would
               | be much less around, and nobody could fork and innovate -
               | there's a reason people develop and use FOSS.
        
               | didibus wrote:
               | I think that's the counterargument, and I can imagine it
               | being true, but I also think we just don't know. Maybe
               | there'd be just as much advancement but more developers
               | would be properly compensated. It's hard to say exactly
               | what would have happened because we're talking an
               | alternate history.
               | 
               | Lowering the barrier to entry by being able to leverage a
               | lot of free stuff probably helps make the industry bigger
               | in having more startups, but I also can't say for sure
               | there wouldn't be more jobs or higher paid jobs
               | otherwise.
               | 
               | In the end, I'm not trying to push to end FOSS, but I'm
               | trying to bring to front the contradiction I'm seeing of
               | people wanting FOSS but also wanting FOSS developers paid
               | a full wage. It seems fundamentally at odds, if you want
               | people working on logging libraries to be paid full
               | wages, stop making FOSS logging libraries.
        
               | wolverine876 wrote:
               | > I think that's the counterargument, and I can imagine
               | it being true, but I also think we just don't know. Maybe
               | there'd be just as much advancement but more developers
               | would be properly compensated. It's hard to say exactly
               | what would have happened because we're talking an
               | alternate history.
               | 
               | Yes, valid and important point. We could look at how
               | other industries develop. Software + Internet is
                | especially conducive to 'free' products. Other industries
               | must at least share knowledge, which arguably is embedded
               | in software.
               | 
               | > I'm seeing of people wanting FOSS but also wanting FOSS
               | developers paid a full wage. It seems fundamentally at
               | odds, if you want people working on logging libraries to
               | be paid full wages, stop making FOSS logging libraries.
               | 
                | An unarguable logic ...
        
             | Scarblac wrote:
             | We benefit far more than we can repay, but "stealing" is
             | too strong. It's what the author who adopted an open source
             | license explicitly intended to allow.
        
               | wolverine876 wrote:
                | Agreed. I used the term to compare it to the parent
               | comment.
        
           | Scarblac wrote:
           | That's a good point. We as developers trying to make a living
           | doing it are competing with an ever-expanding sea of OSS. And
           | therefore we'd be mad to contribute to it, for free even.
           | 
           | On the other hand, from the viewpoint of all of humanity, it
           | is great that there exists a huge amount of software that is
           | useable by everyone for free.
        
           | orangecat wrote:
           | This is just the broken window fallacy. Hobbyists giving away
           | schematics for unbreakable windows are not stealing from your
           | window repair business.
           | 
           | Yes, having open source competition means you'll have to
           | either build a superior product that customers are willing to
           | pay for, or find another niche. That's a good thing.
        
             | didibus wrote:
             | > That's a good thing
             | 
             | Good has many dimensions. I'm saying that as a developer,
             | FOSS means people don't need to pay you to build those
             | things, only to use them, and that's why FOSS developers
             | themselves don't get properly compensated, because they
             | chose to build it for free.
             | 
             | You could say FOSS is a good thing if you talked about
             | computing progress, or barrier of entry for a startup
             | wanting to build an app, or as a great source of example to
             | learn from, etc.
             | 
             | As for your comparison, I don't think it holds, because
             | very rarely are FOSS contributors hobbyists, most of them
             | are professionals. So it is much more akin to a
             | professional window engineer giving away free schematics
             | for unbreakable windows, which means that companies
             | manufacturing unbreakable windows no longer need to pay a
             | professional window engineer to make schematics for them.
        
         | watwut wrote:
         | I don't think there was ever such time. Only a tiny minority of
         | developers ever has open source projects and some companies
         | even actively discouraged that.
         | 
         | Moreover, with industry moving towards agile, having project
         | and developing in a company are massively different kind of
         | work.
        
         | jeffbee wrote:
         | I don't know if that is objectively true. There are numerous
         | small companies who will leetcode every candidate. Then there
         | are Google and Microsoft and the other bigs who hire thousands
         | of people every week, where the best way to get hired is to
         | have a Ph.D and get referred by insiders.
         | 
         | Mediocre candidates getting leetcoded by mediocre companies may
         | be a highly visible pattern but on industry scale I am not
         | convinced it is the dominant mode.
        
           | pcwalton wrote:
           | Having a Ph.D. and getting referred by insiders in no way
           | reduces the amount of LeetCode you have to grind for Google
           | interviews.
        
       | pixiemaster wrote:
       | well written.
       | 
       | One thought: i disagree with the classification of (senior)
       | software engineer.
       | 
       | i think it's more comparable to a VP of Engineering in a company
       | with n engineers (n = count of committers/involved), so salary
        | estimates are even higher.
        
       | jedberg wrote:
       | When I worked at eBay, our policy was that we had to use RedHat
       | and that any open source we used had to be provided by RedHat or
       | we had to get a support contract from someone else who would be
       | willing to 1)Support the software and 2)Accept legal liability if
       | it failed.
       | 
       | #2 was the big sticking point. RedHat made a lot of money
       | accepting that legal responsibility, but very few others were
       | willing to do so. It made using software difficult (and a lot of
       | us just ignored the policy).
       | 
       | But if you follow this advice, you may end up accepting legal
       | responsibility for the software, and that may be bad.
        
         | rightbyte wrote:
         | Heh ... I recall somewhere in a Emacs manual it says "prints
          | the non-warranty, or the warranty if your version of Emacs comes
         | with one".
         | 
         | I thought that was a joke. What did the warranty disclaimers
         | say on your system?
        
       | AnotherGoodName wrote:
       | That edit to the XKCD image is pointless since it's the same joke
       | but worse.
       | 
       | https://xkcd.com/2347/
        
       | philosopher1234 wrote:
       | There should be an umbrella company that takes ownership of a
       | large number of major projects, charges a single licensing fee
       | and grants access to all of them or none of them. It should
       | remain free to amateurs and should be free or cheaper for small
       | businesses.
        
       | the_gipsy wrote:
       | Please define "unsustainable".
       | 
       | It has worked great for decades, both for the free market side,
       | and for the FOSS community.
        
         | fivelessminutes wrote:
         | It has certainly 'worked great' for leeches, if you ignore
         | bombs like this logging bug destroying Western civilization.
         | 
         | Can you explain a bit more how it worked great for the bulk of
         | maintainers / authors who don't see any return on their work,
         | burn out and have to do something else?
        
           | yjftsjthsd-h wrote:
           | > It has certainly 'worked great' for leeches,
           | 
           | And for communities, and for sponsoring companies, and for
           | some (although not all) authors.
           | 
           | > if you ignore bombs like this logging bug destroying
           | Western civilization.
           | 
           | ...yeah, no; a library had a bug. Somehow, Western
           | civilization is still here.
           | 
           | > Can you explain a bit more how it worked great for the bulk
           | of maintainers / authors who don't see any return on their
           | work, burn out and have to do something else?
           | 
           | Can you explain why you think the majority of
           | authors/maintainers burn out?
        
           | nosianu wrote:
           | > _authors who don 't see any return on their work, burn out
           | and have to do something else?_
           | 
           | I don't understand this argument. Nobody starts an open
           | source project - and posts it in the open to share freely -
           | expecting to make any money. Are there even any significant
           | amount of projects with a donation or a Patreon page?
           | 
           | Webnovels I read on RoyalRoad all have it and are much more
            | successful than I would ever have thought given that the
            | stories are all completely free and all any one who pays a
           | story author gets is a few chapters ahead of others, but I
           | can't remember any of the numerous OS projects I use one way
           | or another to even try to make any money.
           | 
           | I _did_ see burnout in some projects. I once joined as co-
           | maintainer of a medium sized project and was left as the sole
           | maintainer because the main author just up and left and was
           | unreachable (we only heard of him again over a year later,
           | and he never touched that particular project again).
           | 
           | All the stories I saw had nothing to do with money at all
           | though, just getting fed up with the expectations. In "my"
           | project's case it also was the large amount of complexity and
           | technical debt that made the original owner's attempts at
           | adding and/or refactoring a huge time sink, and he probably
           | would have been better off to start again from scratch (it's
           | what happens after adding more and more features in a complex
           | cross-mobile phone platform library project's code).
           | 
           | None of those "disillusioned open source maintainer" stories
           | I saw ever included any attempt of making money with it.
           | Disappointment of not being able to get money from anyone
           | only ever comes from people starting a commercial project (a
           | new company), if that kind of disappointment exists for
           | freely shared open source software then I must have missed
           | all instances of such a thing happening.
           | 
           | > _It has certainly 'worked great' for leeches, if you ignore
           | bombs like this logging bug destroying Western civilization._
           | 
           | All of life and especially commercial life in anything
           | slightly sophisticated or at scale is "muddling through" to
           | some degree. The same as biological life actually.
           | 
           | So overall I agree with the previous statement that it worked
           | quite well. Nobody should be called a "leech" for using
           | projects that were meant to be shared openly and freely,
           | given the license and method of distribution (e.g. freely on
           | Gitlab or Github).
        
           | rglullis wrote:
           | Do you pay for every piece of Open source software you use?
           | How much? What is the criteria you use to determine how much
           | you want to give them?
           | 
           | Yes, it would be _very good_ if more people started to
           | contribute to software they depend on, but to call them
           | "leeches" is not only against the spirit of free software, it
           | is counterproductive as it will probably lead people to the
           | idea that proprietary/closed source is better.
        
           | [deleted]
        
         | bryanrasmussen wrote:
         | there is no past tense for unsustainable, so if one wants to
         | indicate something was unsustainable in the past they say it
         | 'was unsustainable' but if they want to indicate something will
         | be unsustainable for the future they just say it is
         | unsustainable, one of the downsides of English; also, past
         | performance is no indicator of future performance applies to
         | many things outside investing.
         | 
         | In other words open source as it was practiced was sustainable
         | up until the point it got taken advantage of too much by big
         | players not putting things back into the system. At this point
         | it has become unsustainable.
        
         | uniqueuid wrote:
         | At the very least, it's unsustainable to maintainers as people,
         | because many are burning out (I have no data, so this is an
         | assumption).
         | 
         | As a result, it's also unsustainable to other coders because
         | the OSS ecosystem grows replete with broken and stale code that
         | is no longer maintained and which creates cognitive cost to
         | ignore/prune.
         | 
         | Both might grow in a non-linear fashion, which would be really
         | bad news.
        
       | dash2 wrote:
       | I maintain a tiny, tiny, unimportant open source package. It gets
       | about 10K downloads a month. Assuming that each of those
       | downloaders saved one minute of their time on average, and their
       | time is worth $15/hr, I'm providing a service worth $2500/month.
       | 
       | I'm starting to think, how could my next project provide the same
       | value, and get paid for it?
        
         | JJMcJ wrote:
         | Hmm, 25 downloads at $100 per month would do it.
        
       | WesolyKubeczek wrote:
       | There's a whole old elephant in the room, but we're not really
       | talking about it because it's an elephant everyone loves to hate.
       | And yet.
       | 
       | This is a model that MPAA and RIAA use. And their equivalents in
       | countries that have functional copyright legislation. Most first
       | world countries have one. Don't get me wrong, they are mostly
       | rent-seeking racketeers, but if you try to weasel out of paying
       | for stuff you're using for your own profit, you're bound to get
       | one.
       | 
       | Either some law pertaining to maintenance of "digital
       | commonwealth" or some other nice name is passed in enough
       | countries so other countries have to follow suit if they want to
       | be in good company, and organizations with teeth, one per
       | country, are set up to make sure the "digital commonwealth" tax
       | is collected from everyone, big and small. They will even
       | distribute money among creators, by usage or something.
       | 
       | Microsoft would probably love to be such an arbiter. They have
       | Github. They have all the stats. They know if your company had
       | been naughty or nice, how many times they downloaded your stuff,
       | and how many times their employees were demanding shit in issues.
       | It's child's game to join the party, just have an account with
       | them.
       | 
       | Or we just piggyback on the existing copyright legislation and
       | give RIAA and their likes more power and custody of making sure
       | OSS maintainers don't starve. They will surely protect their
       | interest with eagerness, who wouldn't like more profit?
       | 
       | Of course, companies will try to fight tooth and claw. They will
       | tell you all sorts of doomsday scenarios, how the poor
       | megacorporations won't be able to afford it, how they will have
       | to raise your subscription fees. Gee, haven't we seen those
       | crocodile tears when free roaming in EU was going to be
       | established? We also know how it ended: they all sucked it up,
       | complied, maybe their profits took... well... not a hit, but a
       | nudge maybe. Companies who have to buy music know how to pay the
       | music tax to copyright racketeers. They will get used to that.
       | 
       | They will also be happy to pay just one entity and be done with
       | it. And if you dare start a company using F/OSS, you're in for
       | the largest financial hit. The little man always suffers the most
       | in such schemes.
        
       | [deleted]
        
       | skeeter2020 wrote:
       | Everything stated about the risks and current deficiencies is
       | true. Meanwhile the OP works for Google on OSS, one of the
       | "untenable" approaches to funding it that is lamented. Nothing
       | else presented is close to an alternative solution; there's no
       | "ask" that would fix the situation, let alone an attempt to lead
       | by example, so what's the point of this post?
        
         | wutbrodo wrote:
         | > This is what I hope to see happen more and more: Open Source
         | maintainers graduating to sophisticated counterparties who send
         | invoices for "support and sponsorship" on letterhead, and big
         | companies developing procedures to assess, approve, and pay
         | them as a matter of routine so that they can get what they need
         | from the ecosystem.
         | 
         | In what way is this not an ask?
        
       | moksly wrote:
       | The alternative to what we have now is not going to be a healthy
       | OSS community. The alternative is going to be big companies
       | insourcing more of their libraries.
       | 
       | The only reason why OSS has seen the uptick it has is because
       | major companies profit from it. Microsoft didn't embrace open
       | source because it had a change of morals, it embraced open source
       | because it started making so much more money from enterprise orgs
       | switching to Azure compared to selling us licenses for on-prem
       | alternatives. Facebook and Google don't share their massive front
       | end-libraries and extensive tools because they are nice, they do
       | so because it helps them dictate web-development and being able
       | to on-board new hires who are already familiar with their tech.
       | 
       | If anything, I think it's more likely that we are going to see a
       | big player pick up an NPM alternative and make sharing packages
       | much harder. I think the fact that no one has done this, should
       | tell you all about how little the enterprise industry worries
       | about the status quo.
       | 
       | I don't think it's necessarily healthy, and I sympathise with OSS
       | maintainers who don't get paid for their work, but I don't think
       | it's a massive issue either. The OSS world is still better than
       | it ever was, and your tech stack isn't actually in danger if you
       | review that code you use.
        
         | creamytaco wrote:
         | Reviewing code is the elephant in the room. FiloSottile (perhaps
         | out of ignorance or disconnect) fails to mention that the vast
         | majority of open source projects (log4j being a great recent
         | example) are absolute shit. Nobody should be building anything
         | on top, nevermind giving the maintainers more money.
         | 
         | In-house development, software BOMs, rising of standards and
         | multiple rounds of code review are the processes that the
         | industry is shifting towards and for good reason.
        
           | the_af wrote:
           | > _In-house development_
           | 
           | ... keeps resulting in shit code, too! There's no evidence
           | standards of quality are rising. In my own extremely limited
           | view of in-house software -- i.e. my own professional
           | experience -- code quality is crap, standard quality
           | practices are very low and actually _worse_ than in FOSS
           | projects (I've seen someone mention more than once that
           | "this crap PR simply wouldn't fly if this were an open source
           | project, it's so bad nobody would want to review it!")
           | 
           | In-house code is just code you don't know is garbage because
           | you cannot look at the code.
        
           | wpietri wrote:
           | I would be fascinated to see your evidence that in-house code
           | is any better on average than open-source code.
           | 
           | I haven't done a lot of consulting lately, so I haven't seen
           | much in-house code in the last few years. But my experience
           | is that the average in-house codebase is worse. And that
           | makes sense from the incentives. Open-source projects that
           | want more than one contributor need to be approachable enough
           | that people join in. Whereas with most in-house code, people
           | commit to working on it without ever seeing it. Switching to
           | work on another open-source project is easy; switching to
           | another job is hard. Open-source authors get to decide when
           | to release; in-house code is generally driven by execs. And
           | so on.
        
             | creamytaco wrote:
             | I worked at engineers-call-the-shots fintech and later SV
             | shops for many years. No, their in-house code is not worse
             | than open-source.
             | 
             | In fact one can safely say that top companies that attract
             | top talent also have methodologies in place that lead to
             | better than average code quality.
        
               | the_af wrote:
               | If you are comparing the top engineering shops to open
               | source, you should also pick the top (quality) open
               | source projects. Apples to apples.
               | 
               | Most in-house code is crap.
        
             | pixl97 wrote:
             | As someone that has to support a lot of in-house code, yea,
             | it's a bunch of crap too.
             | 
             | "Works good enough" is how our world generally operates
             | unless under strict regulatory guidelines.
        
           | watwut wrote:
           | The industry is not moving towards multiple rounds of code
           | review. Nor towards in house development nor away from using
           | open source.
        
             | creamytaco wrote:
             | Every engineering-driven fintech company I know of (having
             | myself worked there or having friends who work there) is
             | doubling down on every single one of the processes I
             | mentioned.
        
               | geodel wrote:
               | Yeah, and that is about 0.1% of total amount of software
               | assembled and deployed in the world. It is like saying
               | all my friends drink Evian water so that's the way we
               | handle clean drinking water shortage in the world.
        
         | nopenopenopeno wrote:
         | The welfare queen megacorps have been too comfortable expecting
         | handouts like open source charity work and public bailouts.
         | Open source software has served the elite executive class while
         | leaving working people to depend on anti-freedom proprietary
         | offerings. I am sick of watching it go down like that. The
         | never-ending data leaks, dark patterns, lock-in strategies, and
         | attacks on encryption and freedom of speech, are all
         | exacerbated by this tendency to yield the commons to the ruling
         | class. If open source doesn't serve working people, I don't
         | care a lick for it anymore. Cheers to Stallman and all, but
         | this is where his proposals fell short.
        
         | simonw wrote:
         | "Your tech stack isn't actually in danger if you review that
         | code you use."
         | 
         | Tell that to everyone who depended on Log4j for the past 8
         | years!
        
       | bawolff wrote:
       | Companies barely spend money on their own internal security dept.
       | It seems like it would be a hard sell to convince them to spend
       | money on improving an external projects security posture. Maybe
       | if it was core to their business, but investing to improve the
       | security posture of a logging library seems like a hard sell.
        
       | usrbinbash wrote:
       | > _But! Maintainers need to be legible to the big company
       | department that approves and processes those invoices._
       | 
       | I imagine this could be a hard sell to people who just want to
       | build some cool software and maintain it. Setting up an account,
       | okay, that may be possible, but that's not the end of it.
       | Companies pay invoices FOR something. That something means
       | contracts, potentially about substantial sums, that means getting
       | legal support to navigate said contracts & obligations.
        
         | throwaway894345 wrote:
         | We have software licenses and yet every open source project
         | doesn't employ a lawyer. The solution is probably the same:
         | canned, off-the-shelf contracts. If a company wants to
         | negotiate a custom contract, then the maintainer can decide
         | whether or not it's worth hiring a lawyer.
        
           | b3morales wrote:
           | Even if the contract itself might be commodified, the
             | _relationship_ won't be. Business will want what it wants,
           | regardless of what the contract says. Maintainers will
           | certainly be subject to influence campaigns by business,
           | which will sometimes conflict with other "clients". Even
           | saying "no, read the contract" to a persistent VP has a
           | psychological and social cost. I can't really imagine this
           | decreasing the pressure on maintainers: it's basically
           | turning the project into a startup.
        
             | throwaway894345 wrote:
             | I think the idea is to provide a middle ground option
             | between full-on startup and doing free work for
             | corporations. That implies meeting in the middle both on
             | compensation and on work delivered, but it's possible that
             | we'll find new non-zero-sum opportunities.
        
       | jpeter wrote:
       | MANGA should pay them. They have enough money
        
       | [deleted]
        
       | qnsi wrote:
       | Can someone help me find whos idea was it?
       | 
       | Basically kill free open source. Make every "new open source"
       | (NOS) program dual licensed, free for non commercial use and paid
       | for commercial use.
       | 
       | He proposed companies paying 1% of revenue to license this
       | software. But it would all go through a proxy company that would
       | gather payment and send it to participating companies, I don't
       | remember how it would be split.
       | 
       | I think this is actually a way forward. I would feel better
       | building on top of this kind of stack vs npm ecosystem
        
         | rgrmrts wrote:
         | Doesn't answer your question but something I've wondered about
         | as well. I don't maintain any open source software (yet?) but
         | if I were to start a project I'd likely use a permissive
         | license.
         | 
         | I don't want to start a philosophical flame war about licenses,
         | but this idea makes sense to me. The details will likely take
         | work to iron out, but why not have open source licenses with a
         | clause for companies with over a certain amount of annual net
         | profit. Does anyone have examples of this in practice? As far
         | as I know, licensing models like Mongo or Elasticsearch are a
         | bit more binary.
         | 
         | I'd be fine letting individuals, small businesses, and startups
         | use the software for free in perpetuity unless they hit some
         | metric like "greater than $x in annual profit" or whatever. I
         | guess a counterpoint to this might just be that companies that
         | get to that scale would just develop the same thing in-house
         | instead.
        
       | ralph84 wrote:
       | It's a bit dubious that paying maintainers more will make them
       | write more secure code. Certainly professional developers who
       | write closed source have produced plenty of vulnerable code in
       | exchange for their six-figure salaries. If you're really
       | concerned whether a particular open source package is secure,
       | it'd make more sense to pay a third party to audit it than the
       | maintainer.
        
       | F6F6FA wrote:
       | I feel this is a problem of companies being cheapskates, not of
       | OSS maintainers. So do not make it their problem. I do not make
       | OSS for companies, but for enthusiasts, contributing to building
       | cool stuff, students and researchers.
       | 
       | Don't really want a commercialization of OSS maintainers. Does
       | not seem in the spirit of OSS, but a convoluted way to contract a
       | single dev to work on your stack. If you are this big company,
       | ping your developer advocate, set aside a budget, and have them
       | go through your dependencies and reward accordingly.
       | 
       | What bothers me way more, is when companies take OSS and then do
       | not adhere to the license. Not as in forgetting to attribute you,
       | but publishing a patent based on your code and approaches. That's
       | easy enough to kill your motivation if you are doing it for free
       | in the first place.
       | 
       | If money becomes an incentive for OSS maintainers, then they will
       | start replying to the emails they constantly get, to buy their
       | extension or use their CDN. Your company bet the house on a poor
       | Polish CS student for logging or useragent parsing? Your, and
       | only your, problem. OSS keeps on working.
        
         | indymike wrote:
         | > I feel this is a problem of companies being cheapskates, not
         | of OSS maintainers. So do not make it their problem. I do not
         | make OSS for companies, but for enthusiasts, contributing to
         | building cool stuff, students and researchers.
         | 
         | I'm starting to do something different at my company. I'm
         | finding the package maintainers for the non-commercial stuff we
         | use in our product and making a donation. I'm also going to
         | start asking the maintainers to invoice my company for support
         | where that is possible to do.
        
           | F6F6FA wrote:
           | If this becomes a cultural thing, part of OSS, then more
           | employees inside big companies will start to advocate for
           | funding the OSS they rely on. Companies found to be profiting
           | of OSS, while keeping a closed wall, complaining, but not
           | contributing patches or funding, will lose market mind share,
           | and a percentage of the best developers.
           | 
           | Seems doable, but still hard without centralized control and
           | PR.
        
           | ttyprintk wrote:
           | What do you think of hiring maintainers to audit? Answer
           | specific questions about usage and security, with some
           | visibility into your codebase? We've talked this over and hit
           | risks concerning access to code where we'd like an NDA that a
           | consultant may dislike.
        
             | F6F6FA wrote:
             | Consultants sometimes dislike NDA, because as a consultant,
             | you are already expected not to disclose. It is strongly
             | implied, like patient-confidentiality. Airing dirty laundry
             | or competitive advantage as someone visiting many companies
             | a year, is like a doctor amputating the wrong leg. You do
             | this once, then you are out of a job and reputation.
             | 
             | Risk is on your end, so you pay for it. A 10k contract
             | becomes a 12k contract. You clarify your risks, your
             | mitigation method (NDA), and that the extra money is for
             | the legal liability the consultant takes on.
        
       | wakeupcall wrote:
       | As a maintainer of several OSS projects, I could work full time
       | on them and have time for nothing else. Yet, I'm pretty sure that
       | even if these projects were 100x more popular, the donations
       | I would receive wouldn't even pay my daily expenses.
       | 
       | I refuse all donations/tips for three reasons:
       | 
       | - as per above, your donation is generally insignificant. it's
       | just overhead in tax accounting
       | 
       | - people donate "with strings attached": AKA "here's $2, but I'd
       | really love this feature"
       | 
       | - receiving donations wouldn't be fair to any current or past
       | contributors that made the project what it is
       | 
       | The last point is especially true in the OSS landscape. The most
       | front-facing programs get the donations, but the low-level
       | libraries and infrastructure that make them possible get nothing.
       | Heck, I've seen forks with a few superficial tweaks receiving
       | donations and reaping the benefits while the original project is
       | chugging along slowly at the hard-to-build infrastructure that
       | nobody else wants to do.
       | 
       | Bug bounty sites fall almost universally in the last category in
       | my eyes.
        
         | slooonz wrote:
         | > - receiving donations wouldn't be fair to any current or past
         | contributors that made the project what it is
         | 
         | Hard disagree on that. Maintaining (bug triage, pull requests
         | review, bug fixes...) is actually the hard work and the part
         | that deserves the reward IMO.
         | 
         | When I contribute to an open source software to fix a bug/add a
         | feature, my reward is that the software I use has an annoying
         | bug gone/the feature I want. I don't need any reward. On the
         | other hand, the thankless maintainer deserves it.
        
           | DarylZero wrote:
           | Just fixing a bug isn't making the project what it is,
           | though.
        
       | bogwog wrote:
       | Everyone does open source work for different reasons, and I'm not
       | sure if more money is always enough of a motivator. I have a
       | handful of projects that you couldn't pay me to provide
       | commercial support for because I no longer have any interest in
       | them. Working on boring projects for money is what full-time jobs
       | are for (and most full-time eng jobs are much easier than
       | maintaining a popular open source project).
       | 
       | With that said, I could totally see how paid OSS work as the norm
       | would be a catalyst to improving the status quo. It would
       | certainly lead to more and better OSS projects. Even if the
       | current OSS ecosystem doesn't like it, it will 100% lead to new
       | projects and new devs pursuing the money.
       | 
       | Maybe part of the solution is to form agencies which work with
       | OSS devs to pursue contracts/sponsorships/donations from
       | commercial users of their projects? The legal/business/sales part
       | of the process is non-trivial. This makes me think of "content
       | creators" on social media that make a ton of money producing free
       | videos/streams. OSS devs are maybe like the B2B version of that?
       | :P
        
       | Jsharm wrote:
       | Are the salaries on levels.fyi accurate? Looking at Dublin
       | salaries, they seem very high?
        
       | didibus wrote:
       | I feel like the examples of log4j and ua-parser aren't that
       | great, because it would be relatively easy for any other similar
       | lib to take their place, as it's mostly straightforward to
       | implement, even though it still takes time.
       | 
       | But there are some things like Kafka, PostgreSQL, Spring Boot,
       | Tomcat, Apache Math, ZooKeeper, the OpenJDK, and all that which
       | are definitely non-trivial and a huge amount of time and effort,
       | and you couldn't just take an extra month or two and have a dev
       | on your team implement a replacement, unlike log4j and ua-parser.
       | 
       | I think those would be better examples to discuss, and my
       | impression has been that those things often have a company behind
       | them offering support or offering them as a service that in some
       | ways pays for some real devs to contribute to them, but maybe I'm
       | mistaken.
       | 
       | Like for example, the author mentions working on the Go team at
       | Google, and Go I would consider one of those big open source
       | projects that truly are foundational and would be non-trivial and
       | huge effort to replace. So that shows that the really big pieces
       | do have companies hired and paid staff behind them.
        
         | tobltobs wrote:
         | First those developers don't get any money for their work, now
         | you're also telling them that the work they are doing isn't really
         | valuable anyway?
         | 
         | Did you consider the fact that half of your examples of worthy
         | things are using the unworthy log4j?
        
           | WJW wrote:
           | Quite a few managers I have spoken to will use the exact
           | reasoning ("we could rewrite this in two weeks or so, why
           | should we worry if it disappears?") and do indeed seem to
           | think that the fact that because the OSS dev did not get paid
           | for their work implies that it is low value work. If it was
           | in fact high value, they would have gotten paid for it you
           | see.
        
           | didibus wrote:
           | As a developer, if there were no free open source logging
           | library, then I'd be paid to implement one at my work. It'd be
           | a fun project, but because someone is willing to do it for
           | free, and give it away, it's hard for me to justify to my
           | employer that we should build our own.
           | 
           | This is how the value is measured.
           | 
           | But if you take a much harder task, like building a
           | performant and safe JIT language runtime like the OpenJDK,
           | you'll see that even in the open source model, people can't
           | actually deliver it effectively for free. It often starts out
           | from a company that later open sourced it, or it's backed by
           | academia, and contributions require deep expertise, so
           | sometimes companies had to have their own staff contribute to
           | it on their own payroll.
        
         | javajosh wrote:
         | _> I feel like the examples of log4j and ua-parser aren't that
         | great, because it would be relatively easy for any other
         | similar lib to take their place_
         | 
         | Log4j is a good example, anyway. It's an old library, very old.
         | And a lot of other software depends on it. So the effort of
         | replacing log4j is not proportional to its feature list, but
         | rather to the feature list times the number of projects already
         | depending on it. (The replacement exists, btw, called slf4j,
         | usually with logback, written by the same author as log4j.)
         | 
         | Java Logging is a subject in itself (I won't say "interesting
         | subject" although it _is_ interesting, in the same disturbing
         | way the lifecycle of a tapeworm is interesting.) but I would
         | argue that these logging libraries are old and have evolved
         | over time in ways that are hard to anticipate or recreate.
         | (Rewriting things also leads you to the xkcd "standard
         | proliferation problem" - https://xkcd.com/927/)
         | 
         | The real problem is that it takes time, like real calendar
         | time, to understand an implementation fully enough to fix it,
         | and no-one wants to do that, because it's a job as critical as
         | it is thankless.
        
         | f311a wrote:
         | There are some maintainers for PostgreSQL that get paid. It's a
         | part of their job in consulting companies (they specialize in
         | PostgreSQL). Not sure about the other projects though.
        
       | ItsBob wrote:
       | Does this not mean it's time for a new open source license?
       | Perhaps one that stipulates all the freedom current ones have up
       | to a point?
       | 
       | I am not a lawyer and know little about open source but is it
       | possible to create a new license that allows free use up to a
       | certain revenue level?
        
         | johnny22 wrote:
         | sure, and I think I've even seen one. The problem is, your
         | software won't be included in any distribution repositories
         | anymore because it is no longer Free Software under whatever
         | definition they use (likely based on Stallman's "Four
          | Freedoms").
         | 
         | Some similar things have happened to mysql (to mariadb) and
         | mongodb (to whatever the fork is called).
         | 
         | Dual licensing it like MySQL did is one way to approach it, but
         | plenty of people were happy enough with what it did that they
         | didn't pay for it.
        
       | ChrisMarshallNY wrote:
       | One thing that I constantly think, when reading about these
       | Jurassic-scale disasters, is "where are the wise, conservative
       | stewards?"
       | 
       | I've been appalled at the way that older, more experienced
       | developers are treated, and am not surprised at this.
       | 
       | There's a really good chance that many of these bugs were
       | _introduced_ by developers that are now older, and more cautious.
       | In some cases, these may be the harsh lessons that caused these
       | developers to become more conservative, these days.
       | 
       | A conservative (not political "conservative," _practical_
       | "conservative") approach is generally best, when maintaining
       | infrastructure. Be careful, test well, don't "push the envelope"
        | too much, and, for God's Sake, _don't add new stuff, until you
       | have the old stuff completely tested, documented, and supported_.
       | 
       | New stuff can be added via forks, and introduced via carefully-
       | vetted PRs.
       | 
       | I keep thinking of the Linux core kernel project as an example of
       | how to do it right, but I am not very involved in that ecosystem,
       | so it may be a case of "the grass is greener on the other side of
       | the fence."
       | 
       | I can tell you that I take each of the tools I make, _very_
       | seriously. A quick shufti at any of them will tell you that. No
        | one really uses them, but that's fine with me. I write them for
       | myself.
        
       | trinovantes wrote:
       | Even if you dual license your software with AGPL/Commercial
       | license, there's still companies that just plain ignore them. I
       | was doing some scripting on my PDF bank statements and discovered
       | they were generated using iText (AGPL version). Imagine a
       | multinational bank blatantly violating copyright laws let alone
       | expecting them to pay for open source.
        
       | imglorp wrote:
       | I liked that analogy to paying a law firm.
       | 
       | Most of these companies spend more on greenhouse services to keep
       | plants in their offices than they spend supporting the F/LOSS
       | stuff that they built their product around. That's how it should
       | be viewed.
       | 
       | The Faangs probably have on the order of 100m boxes running Linux
       | etc. It would be totally reasonable to expect they would pay
       | someone $1/year/box to help maintain all the F/LOSS in there.
        
       ___________________________________________________________________
       (page generated 2021-12-11 23:00 UTC)