Isn’t this one busy January.
Covid continues its uninterrupted world tour, and things in Russia must be so bad that the only solution they came up with is to try to invade Ukraine as a distraction from an actual problem. The situation is so preposterous that I’m wondering if there’s something even worse happening there.
The world is in dire need of extra sanity, that’s why this week’s Best Band Ever™ is Superorganism.
Difficulty level: I'm too young to die.
Let’s get to the money.
Recently, there was another wave of discussions on open source authors not being compensated for the work they put in. And of course, it all started with the then-infamous left-pad, but software ecology and dependencies are not in today’s scope.
But even before we go into the topic of extending universal basic income to open source developers, let’s have a look at something similar.
In 1928, Alexander Fleming discovers penicillin. In 1940, the research team of Howard Florey and Ernst Boris Chain isolates the purified compound. In 1945, the three got the Nobel Prize, but because “doing so would be unethical” the penicillin was never patented; only one of the processes of its mass production was.
It’s 1959. Nils Bohlin, working for Volvo, invents the three-point seatbelt. “Volvo then made the new seat belt design patent open in the interest of safety and made it available to other car manufacturers for free.”
My point here is that the inventors of penicillin were doctors and scientists, and penicillin was mostly a by-product of their everyday “business”.
Volvo is a carmaker, not a business exclusively dedicated to drivers’ safety. Opening the patent on the three-point belt didn’t harm their business. Again, it was a by-product, which they decided to share for the greater good. Plus, dead people are not a good market for car sales.
This is the core principle of open source - give away useful by-products for free.
You made something that you find useful. If it’s not your “core business”, you have two options: a) patent it and turn it into a relatively static product; b) give it away for free and see it grow and become something different and (ideally) more and more useful.
Or not. Each of the options can turn out to attract zero attention.
And this, in my opinion, is the catch with all the discussions about open source developers not being compensated - people who start open source projects in hopes that one day this will be their source of income … don’t see the point of it. Open source is about giving away for free something that one thinks will be more useful if not restricted by individual ownership.
Don’t get me wrong, it’s possible to earn a living by working with open source. Facebook pays the salaries of its employees working on React. So does Google for its employees working on Flutter or Android. Ubuntu seems to be getting closer to stable profitability by selling services around an open source Linux distribution. The author of curl found the right partner to turn it into a full-time job after 21 years of developing curl as a side project.
Ironically enough, he wrote on the same topic (using the same XKCD reference) just 2 weeks ago. And while I agree that open source developers should be financially supported, Daniel’s income is from companies using curl in their business and paying for support and stability, not “a small fee from each curl user”.
This is exactly the reason why open source licences have an explicit clause saying that the software is provided as is:
…PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, ... THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
(That’s a lot of shouting)
Open source is amazing, but nobody is obliged to do it in general or keep maintaining particular projects. Unless they’re paid for it. But that’s the point here, isn’t it?
If your company is using open source software (and it does) - you better take care of the “as is” part of it.
I wanted to avoid the topic of software ecology and dependencies, but external dependencies are virtually inevitable, and that means any company using open source software should really seriously address that “as is” risk:
By reducing the number of them. A little copying is better than a little dependency. Good luck with that create-react-app dependency tree.
By checking what’s in them.
By upgrading consciously and using known versions.
All that sounds extremely boring, but the safety and security business is like that.
On the other hand, it sounds like a niche open source business model - review and maintain customers’ dependencies and be ready to step in when another log4shell happens. With SLAs and whatnot.
Maybe that would be the answer to the question of money flow to individual projects - these brokers-maintainers will be interested in passing some of their income (depending on frequency of use, for example) down to the projects, because it’s a lot of dependencies.
Take care.
PS. This post is 100% GPT-3 free.
The lone person in Nebraska is an unacceptable key person risk. I think a potential non-profit business model would be to identify widely used packages that have very few maintainers and staff them up. You could have targeted solicitations to companies based upon which packages they are likely to be using.