Valerie Aurora
My hot take: software companies should not only have bug bounties but also pay external orgs/consultants for other activities: dev tooling, maintenance, testing, standard compliance, accessibility, etc.
My current working theory is that there is a whole range of software-related work that cannot be done effectively by employees of a company because the internal incentives oppose it. Security is the obvious one but also the above-listed activities are this way too
Valerie Aurora
What is becoming increasingly clear is that the “non-profit” foundation is not adding much value and in many cases is not paying any open source maintainer to do any maintenance, as well as not providing any reciprocal access to its sponsors
So why not save a bunch of cash, get what you actually want, and pay open source maintainers directly?
The short version is that many software engineers don’t want to run a business and are risk averse
Burn out is miserable but it is a known misery
Valerie Aurora
I do wonder if the recent wave of capital attempting to discipline software engineering labor via self-defeating layoffs will encourage more open source maintainers to strike off on their own
I really like the reciprocal access/expertise model because it’s what every open source user actually wants, and it doesn’t have the negative incentives of selling feature development or support contracts
Valerie Aurora
Meanwhile the Extremely Important Very Mean open source maintainer is employed by a “non-profit” foundation that is also selling sponsorships predicated on a hint of “reciprocal access” to the maintainer, which may or may not be true, but is so valuable that multiple other people get VP/C-suite salaries out of siphoning off the sponsorship flow
Valerie Aurora
I know someone who has made an entire multi-decade director/VP-level career because he bills himself as the “only friend” of an Extremely Important Very Mean open source maintainer
Companies pay this guy half a million dollars so that the next time he goes to dinner with the maintainer he will mention that Company X really wants Y
Valerie Aurora
“Reciprocal access” is a wonderful distillation of the service that users of open source software want from the maintainers. From Filippo’s blog:
“I go in, meet the engineers, and learn what parts of my projects they use and how; then, I keep those use cases in mind in my own planning and I reach out and involve them for feedback when there are relevant changes on the roadmap.”
That’s it! That’s what companies really want but end up paying for other things instead
Valerie Aurora
A place where this tension is becoming unbearable is maintenance of open source components of the product
Almost every open source maintainer I know who is a salaried employee is overworked and burned out
You don’t get promoted for keeping an existing piece of software working, especially one that is not directly attached to a revenue stream and is used by your competitors as well
Valerie Aurora
I’m very very interested in the business model used by @filippo since it seems like the lowest overhead, most humane of the open source maintenance outsourcing methods
Multiple companies pay him a retainer that is less than 20% of the loaded cost of a full-time engineer to keep a vital component of their product functioning but also to give their company two things:
1. Provide “reciprocal access” (more on this next)
2. Give advice on any area of his expertise
Valerie Aurora
There’s a whole set of activities that software engineers have to do to make a software company successful, but are actively discouraged from doing by management
E.g. no one likes to hear bad news or criticism, so any activity that requires telling management “I found a bad thing in our software/processes/culture” is simply never going to be the smart path to promotion. So all the smart engineers build another chat system or add AI features instead of fixing existing problems
Phil Dennis-Jordan 😷
@cks @hikhvar @vaurora Yup. I find it truly baffling how many projects only accept donations considering this is an issue for most organisations in much of the world. I’m guessing it’s pretty straightforward in the US to make donations and treat them as expenses, otherwise it makes no sense how we ended up with asking for donations being so popular.
Chris Siebenmann
@pmdj @hikhvar @vaurora Donations are also an issue at my university. We can readily pay for 'services' or the like, especially for small amounts, but making a monetary donation (with no invoice of something received for it etc) is extremely difficult and apparently involves so much paperwork that usually no one wants to try.
Phil Dennis-Jordan 😷
@hikhvar @vaurora Coming at it from the other side though, as a small business owner based in a country where donations are not deductible as a business expense: F/OSS projects who take donations really, really, REALLY, need to start offering some kind of low-cost billable service or product, even if fairly nominal, rather than just donations alone. You’re missing out on a whole bunch of cash.
Phil Dennis-Jordan 😷
@hikhvar @vaurora Yup. And this trust is easiest to earn by just being paid for your time for deliverables. But then moving to a retainer model from THAT, once you’re trusted, requires going through legal & accounting and they don’t really understand why you suddenly want to change what is working fine from their point of view.
So I suspect the model really needs to be supported and encouraged centrally by The Project, who can advertise willing & trusted maintainers.
Christoph Petrausch
@pmdj @vaurora To do this, you need to have good connections to the team at the customer and their support. Also this required mutal trust.
Christoph Petrausch
@pmdj @vaurora I never have been a paid OpenSource maintainer, but my previous Company did consulting. The prefered way of work+pay with the client was "Time&Material", so the client get at the end of a month the bill for our invested time and material (mostly traveling). Most teams at the client also prefered this, but the But often the purchasing department didn't like it, and we had to sell artificial deliveries, which roughly fitted into our monthly expenditure in terms of time.
Phil Dennis-Jordan 😷
@hikhvar @vaurora Even if you do have the expertise and are fully set up for self employment, I’ve also struggled to find clients who are willing to go for such a retainer model rather than a more direct payment for specific work on a feature/optimisation/etc. I mean the latter isn’t to be sniffed at, but it’s difficult to commit to e.g. signing up as a maintainer for a project subsystem when you’re only being paid for dev & upstreaming of a specific deliverable.
Christoph Petrausch
@vaurora building such a business however is really hard. You must either find an employer sponsoring the first N years, or you have to run your OpenSource project for N years as a side project, hoping that it is still needed.
Valerie Aurora
Paying retainers for reciprocal access/expertise is also incredibly low risk for the company paying
“Hey, this person has been successfully maintaining this project for N years no matter who their manager or employer was, you know it’s good because you use it, how about paying them 1/5 of the cost of a full-time engineer and you can cancel any time?”
Anyway, cool stuff, read more here:
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.