00:00:07.259
Thanks! This talk will draw on the topic that we touched upon today, also about money. So, let's roll.
00:00:20.279
Open source software is the backbone of the internet and of the IT industry. It's a bit like oxygen—it's invisible, yet essential.
00:00:26.760
And similar to oxygen, it is often simply forgotten or, at best, just taken for granted. This presentation will discuss the problems that open source faces, how these issues affect literally everyone, and how these problems can be addressed.
00:01:00.000
My name is Tomasz Donarski, and I am a Ruby developer, as you might have guessed. I am also an open source enthusiast, currently helping Upside with developing Spree Commerce.
00:01:06.860
Rafa has already given an introduction to Spree, so I won’t cover that part.
00:01:18.180
As for the organizational stuff, this presentation will comprise two parts.
00:01:24.420
The first part will detail the problems that contribute to the difficult situation we currently face, and the second part will explore and discuss a particular tool that aims to address these issues.
00:01:44.460
To start, I would like to present a fictional tale. Imagine a developer working at a startup company. You can picture a high-rise building, pizza Fridays, and all the usual perks we associate with startup culture.
00:01:50.700
He does typical developer work, but there's a recurring theme that annoys him greatly. For months now, he has been bothered by something he despises—it hints at some missing tools or a workflow process that has not yet been automated.
00:02:05.219
Despite living in the 21st century, he finds himself performing tasks manually. We, as programmers, hate that kind of menial labor, but he is forced to endure it.
00:02:12.180
Like any developer dealing with such frustration, he vents to his friends at a pub after finishing this tedious work. They listen to him complain about how annoying it is and how it simply should not be this way because it's a waste of time and effort.
00:02:25.860
For all the hours he spends complaining, his friends just nod in agreement. One supportive friend suggests that instead of just complaining, he should do something about it.
00:02:38.400
He realizes there's some truth to this. So once they finish drinking, he goes home, sleeps, and over the course of a few weeks, he develops a piece of software that eases his pain.
00:02:45.000
He brings it to work, and it works wonders. His job becomes enjoyable again!
00:03:00.480
However, he soon realizes that he may not be the only person who has suffered from this tedious manual process. So he decides to publish this software as an open source library.
00:03:11.819
Initially, nothing happens, but after a few weeks, things start to gain traction. More and more users begin to adopt this library, and he gets excited, realizing that what he created improved the developer experience for many.
00:03:23.159
Fast forward a few months, and the user base grows exponentially. The demand for new features increases, and maintaining the package requires more and more of his time.
00:03:36.000
He's thrilled about all the new users, resolving bugs, and helping people. He commits to maintaining the project during his free time.
00:03:46.380
After these months, he’s effectively juggling two jobs: one at the startup company and the other maintaining the open-source project. Despite the growing workload, he finds fulfillment in improving the developer experience for people around the world.
00:04:02.460
Motivated by this passion, he decides to quit his day job and fully immerse himself in the open source project. However, just as you might expect, within a few weeks, he runs out of money.
00:04:12.959
Realizing he needs financial stability, he begins looking for a job again. He partially abandons the open-source project to sustain himself.
00:04:24.420
He finds a job but, remaining mission-driven, he eventually leaves that job to devote himself back to the growing mountain of issues, feature requests, and tasks.
00:04:35.820
Unfortunately, his happiness doesn't last long, as he runs out of money again. This time, he is smarter and explores sponsorship options, checking out GitHub sponsorship, Patreon, and Ko-fi, but sadly, he finds little success.
00:04:48.300
Months pass, and his project becomes immensely popular, to the point where nearly every developer has heard about it and is likely using the library. Yet, despite this popularity, he receives only a couple of hundred dollars.
00:05:03.000
Living in the Bay Area, this is not sustainable at all. Once again, he starts looking for a job.
00:05:19.140
This pattern continues in a vicious cycle for years. Eventually, I'd like to ask you how you feel about people who put their financial stability on the line to provide you with value that you use.
00:05:34.920
I, myself, feel both compassion for their plight and gratitude for their decisions.
00:05:46.740
Now, I need to clarify that this story is fictional—sort of. The person I described does exist, and you might be surprised to know that it was about the creator of Homebrew.
00:05:59.460
On the other hand, you may recognize a famous xkcd comic, which refers to the Dependency Problem. It illustrates the concerns surrounding the reliance on open-source software.
00:06:07.680
Eventually, the creator of Homebrew left, but somehow, the internet didn’t collapse.
00:06:14.460
Homebrew was designed to be viral, allowing contributions to it to remain manageable.
00:06:22.740
Homebrew holds the record as the open-source project with the highest number of contributors.
00:06:31.740
However, this story covers just one dependency. Regrettably, most of our dependencies do not have this level of recognition or contributors. One such example is Log4j.
00:06:41.040
You might remember it as a Java logging library that gained infamous attention due to a severe security vulnerability.
00:06:54.300
The alarming part was that it was widely adopted by many commercial and governmental software systems, yet nobody knew they were relying on the unpaid work of a handful of developers.
00:07:02.100
Consequently, it became known as one of the biggest critical vulnerabilities of the last decade. The worst aspect of the Log4j incident was how poorly the industry understands open source and how it operates.
00:07:16.760
When catastrophe struck, the maintainers—a few developers from Nebraska—faced scrutiny and blame from multimillion-dollar corporations and individuals, while they only issued a humble plea for support.
00:07:30.720
Eventually, they worked on a patch, which was provided, but like many high-profile vulnerabilities, it was quickly forgotten.
00:07:45.020
Sadly, it wasn't only the Log4j maintainers who were abused and harassed. Other unrelated projects, like Curl, received similar scrutiny and unnecessary pressure.
00:07:55.560
They were bombarded with requests to mitigate risks with strict deadlines, often from companies that had no contract or agreement.
00:08:06.400
It's concerning how many companies believe they hold entitlement over the unpaid work of open-source maintainers.
00:08:22.900
In reality, a vast majority of software stacks rely on open-source and are managed by volunteers. When things go wrong, often no one is there to assist.
00:08:34.840
This brings us to another significant point, the lack of dependency support. core-js is downloaded 30 million times a week, illustrating its importance in the Node.js world.
00:08:48.000
Despite its significance, it is barely funded. Its README even contains a plea for financial support, stating it is present in a vast majority of apps and websites.
00:09:00.219
Yet, they receive hardly any financial support and instead face abusive comments from users.
00:09:08.540
This scenario is not unique to JavaScript. In the Ruby community, we have similar packages upon which we depend but that are equally unsupported.
00:09:16.760
Peter Sonnet has raised awareness about the unsustainable nature of open source. He explains that the less support an open source maintainer receives, the less work they can deliver.
00:09:26.480
As was shown with Homebrew, we, as dependents using such libraries, become de facto customers.
00:09:34.740
When maintainers are busy with their day jobs, they can only tend to open-source work afterward, leading to delays.
00:09:43.120
On top of the fatigue and burnout that many face from this context switching, this situation is far from ideal.
00:10:00.960
Oftentimes, sponsorship pages for open-source packages look bleak.
00:10:09.760
It’s not my intention to cast blame. Neither you nor any one person is at fault here.
00:10:19.080
The root cause of the problem lies in the lack of a sustainable support system for open source.
00:10:28.340
There is no automation or robust framework, something I will address later in the talk.
00:10:36.399
Now, I want to highlight two additional challenges facing the open-source ecosystem.
00:10:42.280
The first one is sabotaging packages. We have learned the hard way about what can happen when packages are hijacked.
00:10:50.359
One well-known case involved left-pad, which removed its code following a legal dispute with a company.
00:11:00.360
This deletion caused countless CI pipelines around the globe to break, emphasizing the collateral impact these actions can have.
00:11:10.279
A second instance involved the libraries Colors.js and Faker.js, where the maintainer deliberately made the libraries malfunction.
00:11:17.640
This malicious act resulted in gibberish output, demonstrating how vital support for these libraries really is.
00:11:26.720
While standing firm in your beliefs can be admirable, sabotaging widely used projects is not an effective way to resolve issues.
00:11:34.740
The next area of concern is the malware that affects open source.
00:11:48.900
For instance, event-stream was compromised through social engineering, resulting in the theft of Bitcoins from unsuspecting users.
00:12:01.920
Another case involved malicious packages that could expose environmental variables to an attacker's server.
00:12:10.680
Moreover, GitHub estimates that 70% of all bugs in open-source software are intentionally introduced.
00:12:18.180
We are not adequately addressing these problems, and there are no incentives for developers to tackle these vulnerabilities before they lead to significant damage.
00:12:27.120
Now, let's return to the idea of an open-source support system. Earlier this year, Nate Berkopec proposed a way to solve the problem of underpaid open-source contributors.
00:12:34.560
He stated that we, the users, must start paying them, as we are their customers.
00:12:40.760
While I agree with the sentiment, I beg to differ that donations alone are the solution.
00:12:52.620
Current solutions like sponsorship and bounties have limitations. Sponsorship typically only benefits the most prominent packages.
00:13:04.960
Many smaller libraries, like core-js and Log4j, receive little to no support, despite their popularity.
00:13:12.659
In the case of bounty programs, they may prioritize short-term requests over the overall health of the library.
00:13:20.340
These circumstances render open-source contributions vulnerable and less than ideal.
00:13:27.760
So where does this leave us? There's a myriad of challenges facing our community, and no easy answers on the horizon.
00:13:37.960
However, there is hope. I want to talk to you about a concept known as tea.
00:13:45.900
The creator of Homebrew, Max Howell, is working on developing a system for rewarding open source developers.
00:13:52.439
The system aims to compensate not only open source developers, but everyone involved in the ecosystem.
00:14:02.160
This system comprises several components, starting with a new package manager that should help illuminate the dependency structure.
00:14:12.300
This centralized package registry will help protect against hijacking and sabotage, plus a reputation system will be built in.
00:14:23.460
Next is an algorithm-driven rewards engine that calculates the value of each contributor based on their impact.
00:14:32.780
For the first time, all dependencies across the graph will be rewarded, not just the popular libraries.
00:14:40.840
But this model won’t overhaul the open source world; it represents a needed change.
00:14:47.760
The currency will be distributed as tokens in a proof-of-stake blockchain.
00:14:54.020
Stakeholders will lock tokens to bolster the network's stability.
00:15:00.660
In tea, participants can not only contribute code, but also validate contributions.
00:15:07.180
Every participant can play a role, whether coding, validating, providing economic value to developers, or evaluating software quality.
00:15:15.280
This includes package maintainers, developers who build on open-source libraries, supporters of open source, and validators to ensure quality.
00:15:22.680
As this is developed further, tea will be a framework that helps support the broader open-source ecosystem.
00:15:32.300
The stakes are high, and it's essential to find new ways to incentivize participation.
00:15:39.780
The new package submission process will create an entirely new process for releasing code.
00:15:46.060
It will ensure that packages submitted are trustworthy and verified.
00:15:52.660
Also, there will be an option to review releases, providing positive verification of the maintainer's claims.
00:15:58.780
In the case of a positive review, everyone involved will receive a reward.
00:16:06.160
If a negative review occurs, maintaining responsible disclosure is key to addressing issues promptly.
00:16:14.020
The best way to honor the contributions of our community is through collaboration and shared goals.
00:16:22.520
Now, let’s summarize what we discussed today.
00:16:28.520
We faced several challenges: a lack of awareness about dependencies, high expectations for maintenance, security vulnerabilities, and inadequate support systems.
00:16:36.960
It was clear that something has to change in the way we value open source.
00:16:42.640
Fortunately, there is a new movement aiming to reshape these challenges. Contributors need our support more than ever.
00:16:50.860
By empowering those who work tirelessly, we can ensure a flourishing open-source ecosystem.
00:16:59.660
tea, the initiative led by Max Howell, provides that structure.
00:17:06.380
I encourage you all to explore these ideas, engage with them, and reach out to the community.
00:17:14.740
If you’d like to learn more, I have links available for further information.
00:17:27.720
Any questions?
00:17:30.060
Any questions? Oh, clear! Okay.
00:17:34.279
So, just a reminder that next month, Hacktoberfest starts. It's a great occasion to begin contributing to open source.
00:17:44.520
Contributions are welcome at any time.
00:17:49.200
I recently read an article on donating to the Sidekiq maintainer.
00:17:54.400
It also detailed how to monetize open source, which is a fascinating read.
00:18:03.000
It's worth exploring how various projects are devising ways to support developers.
00:18:12.960
As I understand, they have received some substantial grants to help build these systems, as maintaining these platforms can be costly.
00:18:29.080
If anyone has ideas or feedback, engage with the tea community—they're open to it.
00:18:36.480
I believe they even have a Discord channel for discussions.
00:18:42.300
So feel free to reach out with any insights you may have.
00:18:52.040
Does anyone else have questions or comments?
00:19:00.700
I have a small comment if that's okay.
00:19:07.800
There is a path often rejected by programmers, which is learning sales and marketing.
00:19:16.000
If we want to survive in the industry, there's a case for considering selling our software.
00:19:24.540
Yes, Sidekiq is a shining example of that model.
00:19:32.740
We often shy away from these ideas, but perhaps we should evaluate how we approach this.
00:19:39.720
We can advocate for this new model, but at the same time, we should also evaluate its practical applications.
00:19:48.400
The next person from the audience appears to be curious about their monetization.
00:19:56.560
They expressed concern about the use of tokens in place of traditional currency.
00:20:06.640
My understanding is that these tokens indeed have a community-driven application, but we will need to wait for clarification.
00:20:13.440
For now, the knowledge shared is not much different than a regular package manager.
00:20:20.160
In the interest of time, I think we should wrap it up.
00:20:31.640
Thank you all for your engagement.