Tomasz Donarski

Reforging (or rather rebrewing) the Support for Open-Source

wroc_love.rb 2023

00:00:07.259 Thanks! This talk will draw on the topic that we touched upon today, also about money. So, let's roll.
00:00:20.279 Open source software is the backbone of the internet and of the IT industry. It's a bit like oxygen—it's invisible, yet essential.
00:00:26.760 And similar to oxygen, it is often simply forgotten or, at best, just taken for granted. This presentation will discuss the problems that open source faces, how these issues affect literally everyone, and how these problems can be addressed.
00:01:00.000 My name is Tomasz Donarski, and I am a Ruby developer, as you might have guessed. I am also an open source enthusiast, currently helping Upside with developing Spree Commerce.
00:01:06.860 Rafa has already given an introduction to Spree, so I won’t cover that part.
00:01:18.180 As for the organizational stuff, this presentation will comprise two parts.
00:01:24.420 The first part will detail the problems that contribute to the difficult situation we currently face, and the second part will explore and discuss a particular tool that aims to address these issues.
00:01:44.460 To start, I would like to present a fictional tale. Imagine a developer working at a startup company. You can picture a high-rise building, pizza Fridays, and all the usual perks we associate with startup culture.
00:01:50.700 He does typical developer work, but there's a recurring theme that annoys him greatly. For months now, he has been bothered by something he despises—it hints at some missing tools or a workflow process that has not yet been automated.
00:02:05.219 Despite living in the 21st century, he finds himself performing tasks manually. We, as programmers, hate that kind of menial labor, but he is forced to endure it.
00:02:12.180 Like any developer dealing with such frustration, he vents to his friends at a pub after finishing this tedious work. They listen to him complain about how annoying it is and how it simply should not be this way because it's a waste of time and effort.
00:02:25.860 For all the hours he spends complaining, his friends just nod in agreement. One supportive friend suggests that instead of just complaining, he should do something about it.
00:02:38.400 He realizes there's some truth to this. So once they finish drinking, he goes home, sleeps, and over the course of a few weeks, he develops a piece of software that eases his pain.
00:02:45.000 He brings it to work, and it works wonders. His job becomes enjoyable again!
00:03:00.480 However, he soon realizes that he may not be the only person who has suffered from this tedious manual process. So he decides to publish this software as an open source library.
00:03:11.819 Initially, nothing happens, but after a few weeks, things start to gain traction. More and more users begin to adopt this library, and he gets excited, realizing that what he created improved the developer experience for many.
00:03:23.159 Fast forward a few months, and the user base grows exponentially. The demand for new features increases, and maintaining the package requires more and more of his time.
00:03:36.000 He's thrilled about all the new users, resolving bugs, and helping people. He commits to maintaining the project during his free time.
00:03:46.380 After these months, he’s effectively juggling two jobs: one at the startup company and the other maintaining the open-source project. Despite the growing workload, he finds fulfillment in improving the developer experience for people around the world.
00:04:02.460 Motivated by this passion, he decides to quit his day job and fully immerse himself in the open source project. However, just as you might expect, within a few weeks, he runs out of money.
00:04:12.959 Realizing he needs financial stability, he begins looking for a job again. He partially abandons the open-source project to sustain himself.
00:04:24.420 He finds a job but, remaining mission-driven, he eventually leaves that job to devote himself back to the growing mountain of issues, feature requests, and tasks.
00:04:35.820 Unfortunately, his happiness doesn't last long, as he runs out of money again. This time, he is smarter and explores sponsorship options, checking out GitHub sponsorship, Patreon, and Ko-fi, but sadly, he finds little success.
00:04:48.300 Months pass, and his project becomes immensely popular, to the point where nearly every developer has heard about it and is likely using the library. Yet, despite this popularity, he receives only a couple of hundred dollars.
00:05:03.000 Living in the Bay Area, this is not sustainable at all. Once again, he starts looking for a job.
00:05:19.140 This pattern continues in a vicious cycle for years. Eventually, I'd like to ask you how you feel about people who put their financial stability on the line to provide you with value that you use.
00:05:34.920 I, myself, feel both compassion for their plight and gratitude for their decisions.
00:05:46.740 Now, I need to clarify that this story is fictional—sort of. The person I described does exist, and you might be surprised to know that it was about the creator of Homebrew.
00:05:59.460 On the other hand, you may recognize a famous xkcd comic, which refers to the Dependency Problem. It illustrates the concerns surrounding the reliance on open-source software.
00:06:07.680 Eventually, the creator of Homebrew left, but somehow, the internet didn’t collapse.
00:06:14.460 Homebrew was designed to be viral, allowing contributions to it to remain manageable.
00:06:22.740 Homebrew holds the record as the open-source project with the highest number of contributors.
00:06:31.740 However, this story covers just one dependency. Regrettably, most of our dependencies do not have this level of recognition or contributors. One such example is Log4j.
00:06:41.040 You might remember it as a Java logging library that gained infamous attention due to a severe security vulnerability.
00:06:54.300 The alarming part was that it was widely adopted by many commercial and governmental software systems, yet nobody knew they were relying on the unpaid work of a handful of developers.
00:07:02.100 Consequently, it became known as one of the biggest critical vulnerabilities of the last decade. The worst aspect of the Log4j incident was how poorly the industry understands open source and how it operates.
00:07:16.760 When catastrophe struck, the maintainers—a few developers from Nebraska—faced scrutiny and blame from multimillion-dollar corporations and individuals, while they only issued a humble plea for support.
00:07:30.720 Eventually, they worked on a patch, which was provided, but like many high-profile vulnerabilities, it was quickly forgotten.
00:07:45.020 Sadly, it wasn't only the Log4j maintainers who were abused and harassed. Other unrelated projects, like Curl, received similar scrutiny and unnecessary pressure.
00:07:55.560 They were bombarded with requests to mitigate risks with strict deadlines, often from companies that had no contract or agreement.
00:08:06.400 It's concerning how many companies believe they hold entitlement over the unpaid work of open-source maintainers.
00:08:22.900 In reality, a vast majority of software stacks rely on open-source and are managed by volunteers. When things go wrong, often no one is there to assist.
00:08:34.840 This brings us to another significant point, the lack of dependency support. core-js is downloaded 30 million times a week, illustrating its importance in the Node.js world.
00:08:48.000 Despite its significance, it is barely funded. Its README even contains a plea for financial support, stating it is present in a vast majority of apps and websites.
00:09:00.219 Yet, they receive hardly any financial support and instead face abusive comments from users.
00:09:08.540 This scenario is not unique to JavaScript. In the Ruby community, we have similar packages upon which we depend but that are equally unsupported.
00:09:16.760 Peter Sonnet has raised awareness about the unsustainable nature of open source. He explains that the less support an open source maintainer receives, the less work they can deliver.
00:09:26.480 As was shown with Homebrew, we, as dependents using such libraries, become de facto customers.
00:09:34.740 When maintainers are busy with their day jobs, they can only tend to open-source work afterward, leading to delays.
00:09:43.120 On top of the fatigue and burnout that many face from this context switching, this situation is far from ideal.
00:10:00.960 Oftentimes, sponsorship pages for open-source packages look bleak.
00:10:09.760 It’s not my intention to cast blame. Neither you nor any one person is at fault here.
00:10:19.080 The root cause of the problem lies in the lack of a sustainable support system for open source.
00:10:28.340 There is no automation or robust framework, something I will address later in the talk.
00:10:36.399 Now, I want to highlight two additional challenges facing the open-source ecosystem.
00:10:42.280 The first one is sabotaging packages. We have learned the hard way about what can happen when packages are hijacked.
00:10:50.359 One well-known case involved left-pad, which removed its code following a legal dispute with a company.
00:11:00.360 This deletion caused countless CI pipelines around the globe to break, emphasizing the collateral impact these actions can have.
00:11:10.279 A second instance involved the libraries Colors.js and Faker.js, where the maintainer deliberately made the libraries malfunction.
00:11:17.640 This malicious act resulted in gibberish output, demonstrating how vital support for these libraries really is.
00:11:26.720 While standing firm in your beliefs can be admirable, sabotaging widely used projects is not an effective way to resolve issues.
00:11:34.740 The next area of concern is the malware that affects open source.
00:11:48.900 For instance, event-stream was compromised through social engineering, resulting in the theft of Bitcoins from unsuspecting users.
00:12:01.920 Another case involved malicious packages that could expose environmental variables to an attacker's server.
00:12:10.680 Moreover, GitHub estimates that 70% of all bugs in open-source software are intentionally introduced.
00:12:18.180 We are not adequately addressing these problems, and there are no incentives for developers to tackle these vulnerabilities before they lead to significant damage.
00:12:27.120 Now, let's return to the idea of an open-source support system. Earlier this year, Nate Berkopec proposed a way to solve the problem of underpaid open-source contributors.
00:12:34.560 He stated that we, the users, must start paying them, as we are their customers.
00:12:40.760 While I agree with the sentiment, I beg to differ that donations alone are the solution.
00:12:52.620 Current solutions like sponsorship and bounties have limitations. Sponsorship typically only benefits the most prominent packages.
00:13:04.960 Many smaller libraries, like core-js and Log4j, receive little to no support, despite their popularity.
00:13:12.659 In the case of bounty programs, they may prioritize short-term requests over the overall health of the library.
00:13:20.340 These circumstances render open-source contributions vulnerable and less than ideal.
00:13:27.760 So where does this leave us? There's a myriad of challenges facing our community, and no easy answers on the horizon.
00:13:37.960 However, there is hope. I want to talk to you about a concept known as tea.
00:13:45.900 The creator of Homebrew, Max Howell, is working on developing a system for rewarding open source developers.
00:13:52.439 The system aims to compensate not only open source developers, but everyone involved in the ecosystem.
00:14:02.160 This system comprises several components, starting with a new package manager that should help illuminate the dependency structure.
00:14:12.300 This centralized package registry will help protect against hijacking and sabotage, plus a reputation system will be built in.
00:14:23.460 Next is an algorithm-driven rewards engine that calculates the value of each contributor based on their impact.
00:14:32.780 For the first time, all dependencies across the graph will be rewarded, not just the popular libraries.
00:14:40.840 But this model won’t overhaul the open source world; it represents a needed change.
00:14:47.760 The currency will be distributed as tokens in a proof-of-stake blockchain.
00:14:54.020 Stakeholders will lock tokens to bolster the network's stability.
00:15:00.660 In tea, participants can not only contribute code, but also validate contributions.
00:15:07.180 Every participant can play a role, whether coding, validating, providing economic value to developers, or evaluating software quality.
00:15:15.280 This includes package maintainers, developers who build on open-source libraries, supporters of open source, and validators to ensure quality.
00:15:22.680 As this is developed further, tea will be a framework that helps support the broader open-source ecosystem.
00:15:32.300 The stakes are high, and it's essential to find new ways to incentivize participation.
00:15:39.780 The new package submission process will create an entirely new process for releasing code.
00:15:46.060 It will ensure that packages submitted are trustworthy and verified.
00:15:52.660 Also, there will be an option to review releases, providing positive verification of the maintainer's claims.
00:15:58.780 In the case of a positive review, everyone involved will receive a reward.
00:16:06.160 If a negative review occurs, maintaining responsible disclosure is key to addressing issues promptly.
00:16:14.020 The best way to honor the contributions of our community is through collaboration and shared goals.
00:16:22.520 Now, let’s summarize what we discussed today.
00:16:28.520 We faced several challenges: a lack of awareness about dependencies, high expectations for maintenance, security vulnerabilities, and inadequate support systems.
00:16:36.960 It was clear that something has to change in the way we value open source.
00:16:42.640 Fortunately, there is a new movement aiming to reshape these challenges. Contributors need our support more than ever.
00:16:50.860 By empowering those who work tirelessly, we can ensure a flourishing open-source ecosystem.
00:16:59.660 tea, the initiative led by Max Howell, provides that structure.
00:17:06.380 I encourage you all to explore these ideas, engage with them, and reach out to the community.
00:17:14.740 If you’d like to learn more, I have links available for further information.
00:17:27.720 Any questions?
00:17:30.060 Any questions? Oh, clear! Okay.
00:17:34.279 So, just a reminder that next month, Hacktoberfest starts. It's a great occasion to begin contributing to open source.
00:17:44.520 Contributions are welcome at any time.
00:17:49.200 I recently read an article on donating to the Sidekiq maintainer.
00:17:54.400 It also detailed how to monetize open source, which is a fascinating read.
00:18:03.000 It's worth exploring how various projects are devising ways to support developers.
00:18:12.960 As I understand, they have received some substantial grants to help build these systems, as maintaining these platforms can be costly.
00:18:29.080 If anyone has ideas or feedback, engage with the tea community; they're open to it.
00:18:36.480 I believe they even have a Discord channel for discussions.
00:18:42.300 So feel free to reach out with any insights you may have.
00:18:52.040 Does anyone else have questions or comments?
00:19:00.700 I have a small comment if that's okay.
00:19:07.800 There is a path often rejected by programmers, which is learning sales and marketing.
00:19:16.000 If we want to survive in the industry, there's a case for considering selling our software.
00:19:24.540 Yes, Sidekiq is a shining example of that model.
00:19:32.740 We often shy away from these ideas, but perhaps we should evaluate how we approach this.
00:19:39.720 We can advocate for this new model, but at the same time, we should also evaluate its practical applications.
00:19:48.400 The next person from the audience appears to be curious about their monetization.
00:19:56.560 They expressed concern about the use of tokens in place of traditional currency.
00:20:06.640 My understanding is that these tokens indeed have a community-driven application, but we will need to wait for clarification.
00:20:13.440 For now, the knowledge shared is not much different than a regular package manager.
00:20:20.160 In the interest of time, I think we should wrap it up.
00:20:31.640 Thank you all for your engagement.