
Investing in Open Source: The Open Source Pledge and Why it Matters

In this podcast, Shane Hastie, Lead Editor for Culture & Methods, spoke to Chad Whitacre about the Open Source Pledge, an initiative to encourage companies to financially support open-source maintainers to ensure the sustainability and security of the software they depend on. The goal is to address the social contract within open source, where companies benefit from freely available software and should reciprocate to support its creators.

Key Takeaways

  • The Open Source Pledge is an initiative encouraging companies to financially support open-source maintainers.
  • The goal is to ensure the sustainability and security of open-source software by addressing the social contract where companies benefit from freely available software.
  • Pledge members publicly report their contributions to maintainers via blog posts and updates to the Open Source Pledge website.
  • Participating helps with brand marketing, especially for developer tools companies, and reduces the risk of supply chain attacks by ensuring better maintenance of open-source projects.
  • The pledge aims to incentivize the growth of platforms like GitHub Sponsors, Open Collective, and Thanks.dev to facilitate payments to maintainers.

Transcript

Shane Hastie: Good day, folks. This is Shane Hastie for the InfoQ Engineering Culture podcast.

Today, I'm sitting down with Chad Whitacre to talk about the Open Source Pledge. Chad, welcome. Thanks for taking the time to talk to us today.

Chad Whitacre: Hi Shane. Thanks for having me on the show. Glad to be here.

Shane Hastie: So before we get into the pledge, tell me a bit about Chad.

Introductions [00:50]

Chad Whitacre: Sure. So my name's Chad Whitacre. My current role is Head of Open Source at a company called Sentry. I've been here about four years. My background is in the Python world. I cut my teeth as a Python web developer in the '00s when everybody and their uncle had a different web framework, and Django and Flask are the ones that survived the web framework wars of the '00s. I ended up going from there, learning firsthand the challenges of balancing open source work for fun with paid work, closed source work for money. And then spent a lot of the teens building out a crowdfunding platform for open source projects called Gittip. So that was 2012 through 2017.

And yes, since then I moved on. Sentry was actually one of the companies that was funding open source developers through Gittip in that era, and I joined the company four years ago as an engineer on our open source team working on release engineering. And then after a year I was promoted to this Head of Open Source role, and I've grown into that with these initiatives. Open Source Pledge is the one I'm here to talk about today. There's another one called Fair Source that we launched last year. But yes, that's a bit about me.

Shane Hastie: So tell us about the open source ecosystem and why does it matter?

Why open source matters [02:13]

Image source: xkcd archive

Chad Whitacre: Sure. Well, the most crisp way to describe this is the XKCD comic called Dependency. I think, if I remember right, it's XKCD number 2347, I might have that off by one, where you've got all the building blocks, are you familiar with this comic? All the building blocks of our modern digital economy are all resting on this one little Lego piece, or this one little building block buried deep down in the stack that's really at risk for the whole thing toppling over. We call that the Nebraska Project because in the comic it says, "This one critical component has been maintained thanklessly by somebody in Nebraska for the past 20 years", or whatever.

Shane Hastie: I've pulled the comic up and we'll make sure we include it in the show notes.

Chad Whitacre: Show notes, yes.

Shane Hastie: I was impressed. 2347 is the right number.

Chad Whitacre: Did I get it right? A friend of mine has that tattooed on his wrist. That's how much he loves open source maintainers. Shout out Justin Dorfman. Yes, so that's really the crystallization of the problem that we're working on with the pledge: this problem of open source sustainability. Of making sure that the maintainers of the software that the modern economy depends on are taken care of, are provided for, are sustained and maintained so that we continue to have great software in the future and avoid burning people out.

I'm sure you've covered things like the XZ exploit, the Log4Shell incident, these kinds of things that really shine a light when we have a security incident like this. It's not necessarily that open source is less secure than closed source, but what happens is, when there's a security incident like an XZ or Log4Shell or a Heartbleed if we're going back further, it opens the hood and shines the light on this Nebraska Project reality, that we are dependent on maintainers who are not properly supported and are burning out. And it's not good. It's not good for the economy, obviously, it's not good for the maintainers. So that's that question of open source sustainability. How do we compensate people fairly for their open source work to avoid burning them out without making people jump through hoops? That's how I think about it.

Shane Hastie: So how do we do that?

How do we compensate people fairly for their open source work [04:25]

Chad Whitacre: Well, the challenge with it is that open source has painted itself into a corner, because in our licenses, which work out from the definition of open source, we can't restrict people from using the software however they want, including using it commercially. Now, of course with Copyleft we can require that folks who do use our software also share their modifications and whatnot. But especially with permissive open source, MIT, BSD, Apache software, there's no restriction on companies using the software without contributing back.

That's the reason for the success of open source, this permissionless sharing. We would never have seen companies adopt open source software if it weren't for this licensing posture. But at the same time, that's the Achilles heel of open source is that, well, companies are free to use this without reciprocating and giving something back in a capitalist transactional sense because these transactions, these capitalist transactions require scarcity. I have to withhold something from you in order to get you to pay me for it before I give it to you. If I go into a grocery store, I don't get to just walk out with the food, I have to pay first and then I can walk out with it.

Whereas with open source, one analogy I like to use is more like a restaurant, because by the time I go to pay for my food at a restaurant, it's already in my belly. I've already consumed it. And that points a little bit towards the situation we've got with open source, which is those of us who are producing open source software, we're giving this gift to the world and saying, "Here, take this thing, go ahead and use it however you want". And the question is, well, that kind of comes with an obligation to reciprocate. This is what we have to think about.

There's a social contract in open source, and it's clearest in the Copyleft but it's kind of ambiguous in the permissive side. Those that are producing open-source software, they're giving something to the world. And to one degree or another, and again, there's a spectrum. Not everybody feels the same way about this and I think there's a conversation we need to be having. What is that obligation? What is that expectation for reciprocating or giving back or sharing back in view of the gift that you received? Our companies aren't really optimized for that.

The biggest consumers of open source are the tech companies in the world. Basically, every company in the world has open source in their stack at this point. And our companies aren't really optimized for, I mean, not even just not optimized. That's not how they're designed to reciprocate for gifts. They're designed to participate in a market transactional economy and not in the gift economy that open source kicks off.

Yes, so it's difficult. There's three ways that companies do participate in open source. One is sharing open source code themselves. So much of open-source gets written by people on company time. Most of it, in fact. A second way that companies participate in open-source sustainability is through gifts in kind. So Sentry, for example, we're a developer tools company. We have this error monitoring application, performance monitoring product, and we offer free SaaS credits to open-source projects to use our software. So that's the second way that companies can contribute. CDNs will provide bandwidth to package repositories for open-source languages, and things like this.

A third way that companies can participate in this open-source gift economy is with cash payments. And that's really what we're focused on with the Open Source Pledge. Open Source Pledge is trying to establish a new social norm where companies pay maintainers for the open source software that they consume and use and depend on.

The Open Source Pledge [07:48]

Pledge itself does not touch any money. We're not involved in the flow of funds. We're looking to incentivize the continued growth of ecosystem players like GitHub Sponsors, Open Collective, Thanks.dev. What Pledge is about is the marketing aspect, is that social nature of this and the social nature of the contract that we're trying to develop. So the pledge says, "To be a member of the pledge, you have to give money to maintainers in a certain amount. The amount is $2,000 per developer on staff". So if a company employs 100 software developers, those software developers are the ones that are benefiting from open source software the most. So if a company employs 100 software developers, their threshold to join the pledge would be $200,000 per year that they're paying open source maintainers.

The specifics of that are left up to the company. We give some guidelines. The intent is to pay maintainers. So well, that could be open source foundations. The intent is something like a GitHub Sponsors or a Thanks.dev, we really want to see the money getting to maintainers and we're looking for receipts. We're looking for some accountability.

So you go and pay those maintainers, then you make a blog post about it, and that's the second aspect. So you pay the maintainers, then you make a blog post on your company blog and your company voice that says, "We just joined the Open Source Pledge. Here's how much money we're giving and here's who we gave it to". You give those receipts. And then you come and make a PR to opensourcepledge.com and we review what you bring and how many developers you add, how much money you spent, who you spent it on, and then we onboard you to the website and then you're a pledge member and you can put a badge on your website. So yes, there's multiple ways companies participate in this open source gift economy. What we're focused on with the pledge is that component of paying cash to maintainers.

Shane Hastie: And how do we make sure that the cash goes to the right maintainers?

Ensuring the funds go to the right maintainers [09:40]

Chad Whitacre: Yes. That's one of the hardest questions in this experiment. And it's really what we're trying to get at with this transparency, with this accountability. We're really, again, hoping to incentivize the growth of ecosystem tools like Thanks.dev, like Open Collective, where you can see those receipts. Honestly, Open Collective is the furthest along with this. They're very transparent, where you can see the money coming in and the money going out. Seth Larson just published a year in review for the urllib3 project in the Python ecosystem. I saw this go by on social media the other day. And he gave a great Sankey diagram for urllib3 that showed, "Here's the money that came in and the sources it came from: Tidelift, Open Collective, Sentry, et cetera. And then here's where it went. Here's the maintainers that were paid". I love seeing that.

Now, urllib3 is a pretty small project in the grand scheme of things. My comment was, "I want to see this for the Linux Foundation. $300 million budget. Let's get the Sankey diagram that shows, well, here's the big components of what's coming in from which corporate sponsors, and then here's where the money's going". Technically, the data's there. Their annual report is 140 pages long or whatever, and they're not really ... I don't know, I haven't seen that level of transparency yet for that kind of organization, but I think that's the sort of thing that would be great to see. And then the community can police it, right? Then that transparency enables us to see which organizations we think are doing better or worse at this.

Shane Hastie: As an individual contributor, why do I care? My company's paying me.

Chad Whitacre: As an individual contributor to open source projects or to a company?

Shane Hastie: Let's take both. Somebody working in a company that happens to use some of the open source frameworks. Well, yes, that's nice. These people have very kindly given it to me. It saved me a lot of time. Why should I advocate?

Why should I care? [11:29]

Chad Whitacre: Yes. I mean, at the end of the day, again, going back to the definition of the thing, you don't have to. Open source has painted itself in this corner. It's like there's no legal requirement, certainly. And it's an open question whether there's an ethical requirement or a moral requirement. I think what we would offer from the Pledge is an invitation. No, you don't have to. But look, when you've got XZ, let's unpack this XZ case a little bit. What is it? It's like a compression utility that is precisely one of these projects that's been maintained for years and decades by one person and that person's burned out. They're crushed by the weight of demands on their time for a project that they're doing in their spare time. They're not getting paid for.

And a couple of years ago, a profile on GitHub showed up and started offering to help maintain this project. And it turns out that that profile on GitHub was a bad actor and ended up introducing a back door, if I remember right, into the XZ utility project. And then that is this low-level component that gets distributed in Debian and everywhere else, and now there's a back door in all of the world's systems. Thankfully, we caught it and we were able to fix it quickly.

But the point is that burning out, is it Lasse, right? Lasse Collin? Remember the name, right? The maintainer of XZ, have we done right by that person? Those of us that are doing the Pledge are saying, "No, we haven't". It's an invitation to the rest of the world to say, "You know what? You're right. We should have a social contract in which Lasse Collin is taken care of, in which the people building our software are appreciated and valued for what they're doing so that we don't burn them out. Yes, so we don't have these security incidents. But really so that we're not burning out the people that we're depending on to build the foundation on which our modern digital economy is built".

So yes, I mean, if somebody wants to be cynical about it and say, "Well, that's their fault for building open source software". Okay, you can be a cynic but I'm not going to be. I would invite those who also don't want to be cynics to join us.

Shane Hastie: How do I convince my company?

Convince your company [13:45]

Chad Whitacre: So there's a couple of tiers here. My company, Sentry, is a developer tools company. So we sell to the developer market, we build tools for developers. Obviously we're developers ourselves. And for us, participating in the pledge is really a brand marketing investment. I'll just be honest about it. It's who we are, it's who we want to be, it's the kind of company we want to build. And if we're looking for, well, why is our company doing this? That's it. Because we care about developers and we want to improve the status quo for developers and we think this is an important way to do it. So if your company also builds developer tools and sells to the developer market and wants to be in the good graces of the developer community, this is an excellent way to do that. That's the number one.

Number two is that security conversation. By ensuring that maintainers are taken care of, that open source projects are properly maintained and resourced, we reduce the risk of supply chain attacks. We reduce the risk of critical security vulnerabilities in our open source stacks. So there's both the positive brand marketing angle and then the risk aversion, protecting against supply chain attacks angle. Those are probably the two places to start when having that conversation.

Shane Hastie: Chad, a lot of food for thought here. Where can people dig deeper?

Chad Whitacre: So the Open Source Pledge website, we have an extensive FAQ on there. We've got a GitHub issue tracker that's open. And we're also on social media, on LinkedIn, on Twitter, on Bluesky, on Mastodon, and those links are all on our website as well. So that's probably the best place to go. And happy to follow up with anybody who's got any further questions about any of this stuff.

Shane Hastie: Thanks very much for taking the time to talk to us today.

Chad Whitacre: Thanks for having me on. I appreciate it.
