Founders Talk – Episode #58

Tidelift's mission is to pay open source maintainers

with Donald Fischer

Guests

All Episodes

Donald Fischer and the team at Tidelift are on a mission of making open source work better — for everyone. To pay the maintainers of open source software they are putting a new spin on a highly successful business model that’s a win-win for the maintainers as well as the software teams using the software. In this episode we dig into that backstory and Donald’s journey.

Featuring

Sponsors

RollbarWe catch our errors before our users do because of Rollbar. Resolve errors in minutes, and deploy your code with confidence. Learn more at rollbar.com/changelog.

HiredSalary and benefits upfront? Yes please. Our listeners get a double hiring bonus of $600! Or, refer a friend and get a check for $1,337 when they accept a job. On Hired companies send you offers with salary, benefits, and even equity upfront. You are in full control of the process. Learn more at hired.com/changelog.

AlgoliaOur search partner. Algolia's full suite search APIs enable teams to develop unique search and discovery experiences across all platforms and devices. We're using Algolia to power our site search here at Changelog.com. Get started for free and learn more at algolia.com.

LinodeOur cloud server of choice. Deploy a fast, efficient, native SSD cloud server for only $5/month. Get 4 months free using the code changelog2018. Start your server - head to linode.com/changelog

Notes & Links

Edit on GitHub

Transcript

Edit on GitHub

What's it like to be on a mission of making open source software better, for everyone? Donald Fischer is one of four co-founders and the CEO of Tidelift. Their mission - to pay the maintainers; to pay the maintainers of open source software and provide a new spin on the highly successful business model that's a win/win for the maintainers, as well as the software teams using the software... So I asked Donald what's it like to be on this mission.

It's amazing, actually, to be on that mission... And it sort of naturally is an outgrowth of everything I've been working on for the last 15 going on 20 years, actually. I've built my career in and around open source, in a couple of different ways, and so when we saw this opportunity to sort of contribute something new to the equation with Tidelift, we decided we had to go for it, because we saw the opportunity to create a new win/win scenario for all kinds of different stakeholders in and around open source.

I wanna go back into your past and figure out what got you here. What makes you and the rest of the team at Tidelift the team that can make this happen? Help me understand more about you and Tidelift and what you're doing.

We're building a methodology with software, and a set of practices to help professional software teams make better use of open source software, and the way that we do that is by helping to address a bunch of pragmatic concerns that professional software teams have with the software that they use. That's in areas like security, licensing and legal issues, just everyday ongoing maintenance... And the way that we address those problems is really what's new with Tidelift. We do it by partnering with the individual open source maintainers and teams of maintainers who work on open source projects, and we kind of ask them to provide these professional-grade assurances for their individual open source projects or components.

Then what Tidelift does is we basically join those together and we represent them to these professional software teams as a whole product. In so doing, we essentially address two different challenges. One is that professional software teams - they need support, they need maintenance for the software that they use, whether it's open source or not. And on the other side, it creates this economic opportunity for open source maintainers to do something that's very closely related to the ongoing development of their software, and something that they're best equipped and best situated in the world to do, but now for the first time for many of them, they can do that in a context where there's an income associated with it, and an income that scales.

To kind of give some -- maybe I'm speaking for you in some sense, so help me course-correct what I'm saying and make sure it's accurate, is you did a lot of interesting things with Red Hat, there's a lot of things you and some of your team members have learned from the experiences of Red Hat, and obviously, Red Hat is one of the most successful with supporting paid versions of open source, and support, and things like that. Are you bringing a lot of what you're doing now from your experiences with that? Is that safe to say?

[00:04:07.24] Yeah, definitely. I had the privilege of being part of the early development of Enterprise Linux at Red Hat, and all my co-founders also had tours of Red Hat around the same time; we all knew each other back then and worked together and stayed in touch since then... But honestly, what we're doing now is also informed by an awful lot of other experiences, in other open source communities and commercial ventures around open source communities; it's not just a Red Hat copycat, it's actually -- if you want to put it in reference to Red Hat, it's almost a generalization or an evolution of the Red Hat business model.

Yeah, where like their focus was one single open source project and one right way to scale it, to enterprises, and support, and all the things that everyone's aware that Red Hat does - you're doing it at scale across open source. How do you make the decisions then to choose which projects to work with? How do you determine what matters? Do you go to the community and say "Hey, which maintainers should we work with?" or do you go to the maintainers and say "Which maintainers of--" and maybe you're even agnostic - not just Javascript, not just Go, not just Rust, or other languages... How do you even choose where to place your focus?

Ultimately, remember that the way that we frame our solution is that we're solving real-world problems for professional software development teams who are already building with open source components, but don't have the kinds of safety net assurances that they would expect traditionally from enterprise software vendors... So to your question of how do we choose which open source projects and maintainers to engage with, actually our subscribers choose; the customers of the Tidelift platform - they essentially direct us towards the maintainers who are best suited to participate in Tidelift. There's a mechanism for doing that whereby we've built a software platform that attaches to the software development process at our customers, it sort of integrates with their code collaboration platform, sort of in a similar way to how a continuous integration system would connect, and we look at the open source components that our subscribers are using in their projects, in their applications, and then we go and recruit the open source maintainers of those projects to provide professional assurances around them. So we just kind of follow where our customers are voting with their feet, so to speak.

And potentially their money too, since it's a subscription. The word alone elicits that there's some sort of recurring payment into some sort of system that's monthly, yearly, biannually, or whatever that might be; some sort of commitment on the long-term (or some sort of term) that says "We wanna use enterprise-level type software that's open source, that includes support, includes SLAs (or whatever they may be needing) on a certain duration" and their vote is essentially participating in that subscription, but then saying "Hey, this is the software we're using. Can you go out and establish these relationships with those maintainers?" Is that how it works?

Yeah, exactly. So in other words, a customer of ours will subscribe to Tidelift for one of the applications that they're building, connect to our software, connect to our software infrastructure. Now we have a lens into what are the actual open source components that they're using...

Dependencies.

Yeah, I was about to say, not just the top-level components, but we look at the transitive dependencies as well, all of the packages that those depend on...

The entire tree.

[00:07:57.18] Yeah, we build the tree. And then the way that we've packaged it is we charge the subscriber a fixed cost for all of the packages in the Tidelift subscription. It's sort of like a Netflix subscription in that way, where Netflix might not have every movie that you want to watch, but if it has a lot of the kinds of movies that you like, it's gonna be interesting for you to be a subscriber; there's always more movies joining the catalog.

So we sort of simplify it by charging one blanket subscription price, and then we bill the subscribers on a monthly basis for that. Then at the end of the month we take each subscriber's payments for that month and we split them up and allocate them specifically to the participating maintainers of the packages that they use. So a subscriber's dollars only ever get directed to the participating maintainers for the actual packages that that subscriber is using, and that's one of the ways that we align the interests up and down the system.

And if there's not a participating maintainer for a particular package that the subscriber is using, we sort of note and increase the potential payment that would be available for a new maintainer who showed up and agreed to participate in the Tidelift system. So we sort of create an incentive for somebody to -- we signal the funded incentive for somebody to come along and take us up on following through on those maintenance tasks around that particular package.

So if I'm a maintainer and I'm participating in this, my "income" or "revenue" generated from this style of funding for my project or my teams - is that number coming from Tidelift, does it ebb and flow then because of that? Or is there some sort of barrier or predictability they can have into how they can begin to step away for their full-time job or do this full-time, or whatever it might be? How do they understand the income that's possible, and even not just possible, but on a day-to-day or month-to-month basis, how does it ebb and flow?

This is actually one of the fundamental reasons why we started the company, and one of the fundamental contributions that we wanna make - it's really hard to dedicate your efforts on an ongoing basis to an open source project if you're not sure what you're gonna be paid tomorrow, or especially if your income is swinging erratically in terms of what you're receiving related to your open source project. So our goal, in other words, is to make it a lot more predictable month-to-month.

It doesn't mean that your income could never ever go down in the Tidelift system; as I said, we pay the maintainers based on subscribers using their software, so if all of a sudden none of our subscribers are using that software anymore, the amount could go down. But in reality, once software is in place, it tends not to go anywhere; just new software gets added.

On the other hand, we're growing quickly, the audience of participating subscribers, so the total dollars in and the number of potential teams that might be using your project for any given maintainer is increasing. We think that what will practically happen as a result of this model is that open source maintainers will see much greater predictability and have sort of a steadier income to depend on, which is in contrast to some of the other existing models for funding open source projects that might be more episodic if they're based on grant funding, or sort of bounty kind of mechanisms. Actually, I think all of those systems are great, and anything that is funding open source is laudable and awesome, but we just saw an interesting opportunity to contribute another model that's additive and incremental on top of those.

[00:12:17.09] I wanna rewind a little bit back to the dependency tree that you mentioned, just for those listening who may not be intimately familiar with how software works, which leads into one of your acquisitions, and you can speak to that if you'd like to... But it just kind of helps to get a lens into the dependencies of dependencies; so when you have an open source project or just a project in general and you've got an application you're building, when you use Vue, for example, on the front-end, well Vue has so many layers of dependencies beneath it that whenever you, as you mentioned, come into the platform, you're scanning the dependencies, and it probably points out some opportunities to grow as you've mentioned you are...

But I kind of wanna just touch on that a little bit, because not everybody listening to this is that familiar with the software process and what dependency trees actually are, how deep they might go as dependencies of dependencies; Vue has tons of different things it relies upon, and all those things tend to be other open source projects that are probably not receiving funding or really have any sustainable model behind it, aside from maybe side work... Which is fine, that's open source, but we're looking for ways to make it enterprise-level and enterprise-grade, I'm assuming... Is that right?

Yeah, that's right. The issue of the lack of appreciation or really understanding of how much software exists below the visible water line is really remarkable... For example, we recently wrote on our blog about look at React - super popular web front-end framework, born at Facebook... If you go through the prescribed Hello World creating a new React application, using the very well-executed Create React App tool, you'll end up with a sort of Hello World web app based on React, and that thing by default will have 1,103 dependencies as of the last time we that we looked. So that's over 1,100 distinct packages coming out of the Npm Javascript package catalog. Those are coming from a lot of different places. A couple dozen of those are coming from being authored by the Facebook React engineering team... But the beauty of open source software is that the vast majority of those are coming from somewhere else, from somebody else... But all of them are getting built into your React application.

So if you're a professional software team at a large enterprise that has a bunch of goals around security and compliance or needs/requirements, things that you need to comply with, it raises a lot of questions about "Who's on the hook to support all that stuff, and why would they be on the hook?" To which our answer is the best reason for them to be on the hook, or a great additional reason for them to be on the hook is that they're getting paid to do the work to make those things true about those open source components. That's really the meat of what we're trying to do.

An example that -- I'm not sure if you're familiar with Nadia or not, but Nadia Eghbal, when we first learned about her was several years back, and we've since done a podcast with her called Request For Commits (I can link that up in the show notes if you wanna check it out as a listener)...

I'm a long-time fan of Nadia's and the show. I recommend it to all of your listeners who have not yet explored those paths.

[00:15:58.10] And it is retired, so when you go listen, just know that, and send us your hate mail; we wanna hear more of it, because we wanna do more around sustainability of open source, but that show just is in a retired state, for its own reasons... But the last episode does tell you why, so if you're really curious, just listen to the latest episode. But you know, she'd written about the economics of open source, and the example she used was the rate at which Instagram was able to become a billion-dollar company and then be acquired by Facebook - I don't mean to keep going back to the Facebook well, it just happens to be that example... But Instagram was built on open source software. Now, I'm not that intimate with the details of what they've given back to open source; I don't know what Facebook's involvement is, and they've since acquired Instagram, but that was the initial yardstick, at least by Nadia, on like, you know, Instagram was worth -- the acquisition was like 4 billion? One billion? I can't recall right now. It was like 4 billion dollars from Facebook, so somehow they got to that value and they were built upon open source software... So going back to your model - we have this economic need of all these dependencies, and they would have never been able to get there building all the technology on their own. They had to lean on open source. So there's a responsibility there to support the dependencies beneath the tree.

Yeah, there's a couple different ways to look at it, honestly. One lens of looking at it is to say if you're building on all of this software, you owe it to the creators to allow them to drive some participation in the value that they're creating. First of all, I agree with that; I think that's a very reasonable worldview. But it's hard to get large organizations to open up their checkbooks for things that are purely morally justified.

One of the things that we're bringing to the table with our model is we're just inviting professional software teams to act out of their explicit self-interest, and we're helping open source maintainers create a new service offering that didn't exist before, that we're seeing as very appealing to a lot of the professional software teams who are using their software... And again, the specific service that we're helping put together is a community of maintainers who are proactively committed to maintaining the individual open source packages to a well-defined standard, and then Tidelift's role in that is to sort of be the intermediating agent that helps all of those individual open source maintainers and teams connect to a particular professional software team in an organization.

We're not asking people to buy a Tidelift subscription mainly because it's a morally correct thing to pay the maintainers; we're inviting people to buy a subscription because it's in your best interest to pay the maintainers. When you pay the maintainers, the software that you're using is better and more reliable, and we're adding some business process and technology to the mix that helps you kind of define what is meant by more well-maintained and reliable, and sort of gets everybody on a common, shared mission.

Break

[00:19:33.07]

So you say "professional software teams" - I think I know what you mean when you say that, but put it in laymen's terms for me and the listeners. What is a professional software team as it relates to what you're doing with Tidelift?

When we say "professional software team", we're typically referring to a team building software within an enterprise. Enterprise is kind of a silly IT word, or entrepreneurship business word; it means a company, and often times like a larger company. Again, I've spent the last 20 years in and around open source, so I know one of the beautiful things about open source is that it's accessible to all different kinds of audiences.

If you're an indie developer -- I mean, I started working with open source, getting involved in open source when I was a student. There's individual entrepreneurs kind of picking up raw open source and building with it... It's awesome; it's part of the beauty of the whole thing.

There's also big teams inside of mega-corps that are building with open source as well, and those different audiences have different needs in and around the software that they're using. When I'm doing a side project on the weekend, kind of cobbling together some open source components to sort of scratch my own itch, for sure I do not need an enterprise support contract, I'm not super-focused on intellectual property documentation for this thing that's only ever gonna live on my laptop and never go anywhere. But when you have a team at a financial services company, or a healthcare company, or an industrial company, and they're building the core software that powers those businesses, and in 2018 for sure they are building that with open source software, they would love to have some additional guarantees around that software.

So the open source software, by the open source definition, gives them a bunch of capabilities right off the bat for software that's under an open source license. They can access the source code, they can change it, as long as they adhere with the different requirements for what they need to do if they redistribute it... But the open source license doesn't give you somebody who's on the hook to make sure that security vulnerabilities that arise will be dealt with in a timely way; it doesn't give you any certification around the licensing of all the components of the software that you find that are connected to that, or that are dependencies of that... And it doesn't give you any kinds of assurances about what's gonna happen with the software in the future - is somebody gonna keep caring for it, and taking care of this essentially living organism that the software projects need to be, as the world evolves over time?

[00:24:00.00] Those are the things that we think that professional teams need, that not all open source developers need, but professional teams do need it, and as a result, they're willing to pay for it. One of the things we've done in the Tidelift context is verify that by talking to a lot of those organizations, surveying a bunch of those organizations; we shared the results of a broad survey we did this year that said something like more than 80% of professional software teams were very interested in paying for those kinds of assurances around the open source software that they use.

Another aspect to the professional software teams I thought you used in this context was describing the teams creating the software, meaning the open source software. Did you use it in that context as well? Like, when you're identifying who to work with?

No. The way that I've been using the terminology "professional software team" - I've been focusing more on the subscriber side in our terminology, or the consumers of open source software.

I actually think there is a really compelling opportunity on the creative side of open source to also, in a sense, professionalize there. And I wanna be careful about what I mean by that word, professionalize. Open source maintainers, whether they're paid or not, it is demonstrably true that they create amazing software that is prograde, is used in real-world applications all over the place. I guess a missing part of the "professional" definition there is that often times they don't get paid for the work that they do, so it's hard for it to be a profession for the individual open source maintainer. So I do think there is a double entendre there, which is "We would love to help open source maintainers make it their profession", and that's really one of our ambitions with Tidelift - to enable more open source creators to dedicate more of their time to their open source projects, innovating the features and functionality there, also just like doing the everyday kind of maintaining it tasks, and if we, all of the users of open source, give them the license to do that, and the necessary financial incentives to do that, then we're gonna benefit, because the software that we all use is gonna be better. It's awesome.

The reason why I asked you that question in the opening was I'd heard you use it and I thought that your reference was essentially helping to understand the type of maintainers or type of teams that maintain software describe them; that's how I thought you were using it in that context, which is why I opened up with that question... Because I wanted to understand more so like when you focus your attention on -- I know that a lot of your subscribers are the ones that are leading you to, down the dependency tree which matters to them, because they're paying for the subscription, and essentially, you said they're leading with their feet... That it would describe the kind of teams that are good candidates to be a part of this, because they can provide the support, they can provide the other assurances that enterprise teams need to rely on open source.

Like you said, in 2018 it's pretty difficult to build software today in any real capacity without using open source... So we have to find ways to support it, and I asked you that question to think that maybe you're describing a type of maintainer, a type of maintaining team, their philosophy, the way they organize, the way they govern, what are healthy balances in there... I thought that's what you were talking about, that's why I went that direction.

[00:27:48.07] Yeah, so just to comment on one really fun part of what you were touching on there... I think the really happy news here is that teams inside of larger enterprises that have the requirements for security, licensing, maintenance kinds of assurances around the software that they use - it turns out the software projects that they're picking to build their new applications out of, the software components that they're taking out of the package managers, they're the same ones everyone else is using... They're using the same components at a big bank that I'm using to do my weekend project.

So it's actually a really nice situation, where if those professional teams are interested in paying for these additional assurances, the creators of those open source projects and technologies can access that income that's associated with that, it gives them the license to spend more time on the projects that they're creating, and then the improvements or increases in functionality - that can be shared by everybody, the payers and the non-payers. That's actually one of the beautiful things about open source.

That's why I love your name, Tidelift. That's the underlying (to keep the puns going) current of what you're doing here; you enable subscribers to lift the tide of everyone. Like you said, I could be using whatever the library may be that's part of the Lifter project you have going on, which we'll dig into more... If I'm paying and they're getting supported, then I'm just enabling others to benefit from my subscription, and then therefore funding of those maintainers in those projects. I love the name, it's spot on.

So we spent the better part of maybe 40-ish minutes kind of digging into the context. I wanted to go into more of the getting started, where the idea came from, some of the background even, which is sort of like the crux of what this show is really about... Which I love doing - a deeper explanation of what Tidelift is and what you're doing there, for the better part of 40 minutes. Let's kind of rewind a little bit and just get a picture of some of your personal experiences, and maybe the experiences of other team members... But maybe let's start off with back in 2017 when this began - from what I understand, you were in venture capital, you stepped away, you had this idea... I believe this began with a fundraising round; I'm not really sure. Can you go back to those details and help pave the way for how this got started?

My personal history briefly is I started out as a programmer, I studied computer science... As we talked about before, I had a really interesting tour at Red Hat starting in the early 2000's, and was able to be part of the team, participating in building the Red Hat Enterprise Linux business there... Which is really an amazing thing, that is I think often under-appreciated in the IT industry.

Absolutely.

Red Had as a whole is an over three billion dollar recurring revenue business now. It's really a beautiful and amazing thing, and there's a lot to be learned--

Did you say billion?

Yeah, three billion dollars a year in revenue.

Three billion... Just to make you say it twice, because that's pretty big.

Yeah, it's big. And you know, it just steadily grows. It was an amazing time when -- you know, I did not figure this stuff out myself, by the way, but as a team, and as an organization, we learned a lot of things about what (again) professional software teams that are using open source really need, and that doesn't just come for free... And we've figured out a model that was appropriate for that set of technologies at that time, and it has continued to evolve to support a steady business today.

[00:31:58.08] What I did after Red Hat is I've spent almost a decade as an investor, working with early stage founders who were starting and growing businesses around open source communities, and I chose to focus on that theme... Because I've personally just always been fascinated and sort of in awe of how open source communities arise. This phenomenon where technology will come from a creator or a small band of creators, and then a crowd of individuals will start to kind of assemble itself around that technology.

You see technologies sort of form these tribes, and when I say tribes, I mean in a good way... Not in a tribalism kind of way, but in a sort of...

A Seth Godin way.

...collective way, yeah. It's really amazing. You might join the Python tribe, or the Ruby tribe; or maybe it's not a programming language, maybe it's the deep learning tribe, or something like that, right? But it starts to become part of individual people's personal identity, their professional identity. It's really a powerful thing, so what's always fascinated me is if there's this fundamental energy around technologists sort of assembling themselves in these tribes - there's so much power to it - and what are the opportunities to add a commercial component there.

The thing that I've always really focused on is not just how do you go kind of harvest that energy from the community, which I think is a very pessimistic way to view the world, but can you build a complementary business that sort of amplifies the energy in one of those communities that helps capture more resources to invest more aggressively into developing the technologies, or advocating, evangelizing the technology? How can you build businesses that sort of amplify those communities and make them even more successful, and make the individuals within them more successful?

I think there's a really fortunate history of startups and businesses of different scale being built over the last 15 years now that do that, and that's just been a phenomenon that I've loved to follow, and sometimes to be part of.

I think the important thing to draw from this is it seems to me that you've spent a lot of your life trying to find ways to support open source, and it's either helping certain types of businesses build themselves around open source through venture capital and investing, and I'm sure in a lot ways leading product, because that's also part of the investor's role, is to be somebody who is an advisor to the direction of the business and the viability.

I think the other important thing you said there was that you're the support, rather than -- I forget the exact language was that you used, but essentially, you're there to amplify versus to draw and take away from the energy... What was the word you used of how you're not attaching to the community?

I think the language that I used was instead of trying to harvest energy from these communities, it's like "Can you actually build an engine that contributes net energy back to the community, that helps it grow and become more sustainable, as opposed to sort of drawing energy off of it?" Those are the really powerful companies, and also I think they help to form really powerful communities.

[00:36:04.26] If you look at the different businesses that have been built around Linux, or different big data technologies, or core systems-level databases and things like that, if you can get a community going that has complementary and additive businesses, that's a beautiful thing. And to connect that to the story of Tidelift, I've been a student of that phenomenon for a long time now, and I've had the great opportunity to work with a number of other folks who are also fascinated by the same kinds of dynamics.

One of the things that annoyed me about the existing models for commercializing open source or building these complementary businesses around open source is that, you know, if you look at something like the venture capital model, where I was personally quite active, there's only a relatively small number of open source projects or communities or tribes (if you will) that have enough scale to them for the traditional venture capital model to work.

There definitely are some... At this point, there's several dozen substantial venture capital-backed companies that have been formed, are performing, several have gone public... It is a model that works, but it only works for a really pretty small subset of open source in general. And one of the really interesting things to me is that it only works for a subset of the commercially relevant open source projects.

So I would often, as a venture capital investor, meet with entrepreneurs, open source creators who had projects, they had lots of real-world professional users - often times the users that they had were asking them for "Hey, can get a support contract for this, or a service-level agreement for it?" and yet they didn't really fit the venture capital model of going and raising X million dollars and then building a company from scratch with all that that entails; building a sales force, a finance function, a way to handle subscriptions, a level one support team and so on.

So when I started talking to my co-founders, the gentlemen who eventually became my co-founders at Tidelift, we looked at that problem and that opportunity and we said essentially "What if we build that go-to-market mechanism, like the sales and support and finance, back office kind of stuff, what if we just build that once, instead of asking every open source project to do it themselves, and then just let the open source projects and teams plug into it?" Sort of like in the way that creators plug into Etsy.

You know, one of the beautiful things about these marketplace models is if you're amazing at creating some craft good, you can go to Etsy, and Etsy helps you access an audience of people who are interested in your kind of thing, they handle all the payments, and the logistics, and customer service issues and so on, and you don't have to go learn how to do all of those things. Etsy is kind of your partner for doing that. You get to focus on conducting your craft. That's one of the things we're trying to do with Tidelift - we wanna make it possible for open source teams who are building technologies that are used by these professional organizations to be able to access some of that potential energy and income that can be associated with that, without having to go become salespeople, or customer support people themselves. We'll kind of do that with you, in the sense of do that for you, as the open source creator; you plug into our infrastructure and you focus on making the open source project amazing. We'll help with all the bunch of the business stuff.

[00:40:15.04] These teams generally would still have to be the ones providing the service-level agreement, right? If I understand correctly, you may institute it and do the business-level side of things to ensure that there are subscribers that have desires to bring on certain lifters or whatever, but it's still the lifter's job - which is a term we haven't defined yet, so maybe it's a part of your response, to help me understand really what a lifter is, or what that role is there... Because they're gonna have to eventually support that software, and provide the enterprise-grade stuff that you're selling as part of the subscription... This whole general sales thing - that's what the product is, it's reliable, it's supported, bug fixes etc.

The way that it work is that one of the things that we add to the equation by creating Tidelift is we are an intermediary between the professional teams that are paying for these assurances and the individual open source maintainers. A couple benefits of that - one is that we turn a many-to-many relationship that would basically be impossible for every open source application development team to strike a business agreement with every one of those 1,100 Npm module maintainers that goes into their web app; we allow them to have one place to go, which is Tidelift, and then we sort of federate all of the participating maintainers behind that.

So we have a relationship with each of the paying subscribers, and then Tidelift also has a relationship with each of the participating maintainers. And what we ask the maintainers to do - it's actually detailed on our website, for any maintainers who are interested in understanding what we propose in our model...

We ask maintainers to look after their projects according to a certain set of criteria. These are things like work with our security response team if there is a new security issue that arises, sort of make sure that it's addressed in your particular package, or if there's an issue in one of your dependencies, make sure that your package is adjusted to take account for that, help us documenting new releases that are happening, any licensing changes - we sort of record all of that. Those are the kinds of things that we ask maintainers to do.

Just to highlight - at least for now, we're not asking maintainers to fix a bug or add a feature, or provide help desk support for a runtime issue that was encountered by a subscriber. Those things -- there are open source business models associated with that; they're challenging business models, because they scale with the number of hours that an open source maintainer has in their day. There's only so many support tickets you can respond to, or so many consulting engagements that you can have. So since that's already possible in the world, we're trying to focus on sort of a new model, which is doing things that can be done once where many people benefit from them, like resolving the security issue - you do that once, and all of the users get to benefit from it.

Our part is to create the alignment of interest, so that those things always get done with predictability, and we do ask our participating maintainers (lifters, as we call them) to do those things, and then Tidelift's role is to make sure that everybody is following through correctly, deal with any kinds of issues that come up.

[00:44:01.04] You used the term "a well-defined standard" earlier in the call... I am assuming that that means that it's either written down once, or it's the way things are, or it's maybe a case-by-case basis with each lifter or maintaining core team, that they say "Okay, Tidelift, we wanna be a part of this, we wanna be a lifter. Sign us up, we're ready to go", and then there's something in these well-defined standards that says "Hey, this is what you're committing to." Is that accurate? Can you describe that?

It's more like a set of open source project best practices that we ask our participating maintainers to follow... And here's actually another really great part of how this all works - most open source projects that have a substantial user base are already doing most of these things, or all of these things. This is things like having a responsible disclosure policy and adhering to a responsible disclosure policy around security incidents, or using two-factor authentication on all of your systems that are involved in the build and distribution chain for an open source module. Sort of like checklists for healthy living as an open source project.

Those are the things that we ask open source maintainers who are participating in our system as lifters to do. And even though many of them are doing most of those things by creating a uniform standard where everybody who is participating in the Tidelift system is doing all of those things, it allows us to represent that this collection of software as a whole meets those standards to our subscribers... And again, that's worth a lot to these professional software teams that are building enterprise applications; if we can show them a menu of healthy open source project attributes that we're ensuring are true for the dependencies that they use, they love it... And it's a modest cost for them to pay, to ensure that the software that is really powering their business is well cared for.

Break

[00:46:27.06]

Most companies have co-founders; in this case, you have three other co-founders, I believe. What's the story there? Who are they and how did you all meet?

Yeah, this is the best part of Tidelift for me, it's my co-founders, and then the team that we've built to go on this mission together with us, and it is an interesting story. I have three co-founders - Havoc Pennington, Jeremy Katz and Luis Villa. We've all known each other pair-wise for at least 15 years, and a couple of us go back longer than that. As I mentioned before, we all intersected at Red Hat in the early 2000's, and then we've collaborated on different projects since then... And each of us sort of has a different ingredient that we contribute to the mix.

[00:48:19.26] I talked about my background a little bit; a lot of it is sort of the business side of open source. Havoc, our co-founder, currently is leading Product for us. He is a long-time veteran of the open source world. He was originally one of the founding voices in the GNOME Freedesktop community, the Linux desktop, and co-led the creation of the GNOME Foundation, which continues productively to this day, and implemented a lot of the software himself that powers the GNOME desktop. I got the chance to work with him first when he was leading the desktop development team at Red Hat. Then Havoc has interestingly gone on to do tours in a couple of other interesting and different open source communities. He was working for a stretch in the Scala community, in sort of the greater Java world, and then most recently was back in the Python data science community before we got together to start Tidelift.

Then the third co-founder is Jeremy Katz. Jeremy is an amazing technologist. I got to know him when he was one of the core developers at Red Hat, then he went on to sort of grow his professional portfolio beyond just open source - he was an early employee at HubSpot, the marketing SaaS company. He led the implementation of this product called Stackdriver, which was a startup that was sold to Google and now serves as essentially the management console for the Google Cloud platform, so really a seminal piece of software in the cloud generation.

And our fourth co-founder, Luis, has (I think) the most unusual story, which is Luis started with the rest of us as a programmer, open source developer, but Luis ended up going to Law School, and then closing that loop by becoming an open source legal expert, really, one of the widely respected voices around legal issues associated with open source. He did a really interesting stretch working with Mozilla, where he actually led the drafting of the Mozilla Public License 2.0, and then he had a really interesting time at Wikimedia Foundation, the organization behind Wikipedia, dealing with a whole bunch of open content issues there, and sort of leading the community effort there as well.

So it's a really interesting set of disparate backgrounds and professional experiences, grounded in having all been open developers, software developers, and open source participants in the early years. I guess what we're trying to do is bring those different experiences back together and apply them back where we all started, trying to make open source work better for everyone, the creators and the users.

It's an interesting mix of people. Obviously, you've got business, you've got -- I'm sure everyone was somewhat involved in coding, at least at some point in their life, but taking a role on that, having a role in Google and what powers that, and then legal; the licensing part of open source is, to some, often overlooked, but pivotal to how it could be used.

[00:52:05.17] We see license changes in business; there's some recent news not long ago with Redis around Commons Clause, or License Zero... All those things have implications. And even React - because you've mentioned them earlier, and we even logged that, about who actually supports React... They had -- I'm not sure of the details because I don't follow this closely, but it had some concerns around the community, the way Facebook licensed React. We've even had Heather Meeker on Request for Commits, since you've mentioned that earlier, and with Nadia - we had a deep conversation around the importance of licensing.

It sounds to me like you've got an ensemble of the right components to do Tidelift... And I don't know how you did it, but that's pretty insane that you have. And it's even more interesting that you all intersect at Red Hat.

Yeah. I mean, I just feel so privileged to work with these gentlemen, and then again, the team that we've brought aboard to share this mission with us; it's a lot of fun. But to the point around licensing - the legal code is one of the technologies that makes open source possible. It is sort of a technology onto itself, and like other technologies, it's complicated. It's complicated for the creators to make the right sets of decisions around "Which license should I use? What are the tradeoffs?" and so on. It's also really complicated on the consumption side, and that's (again) one of the things that we're trying to help address for professional teams that want to engage with open source in the right way. They don't have the time to each go become an open source legal scholar like Luis did, so we're gonna try to create some tools and standard ways to approach this, that let them get the advantage of some of that substantial knowledge that Luis has accumulated in his days.

I'm sure this is the case for most founders or co-founders, but I find it kind of interesting that each of you have a particular milestone in your career, each of you can point to a particular thing you've done that is widely notable, to say -- not so much that this is why you do what you do or you belong here, or you can trust you, but it's like you all have some large-scale contribution to the community you're currently serving through what you're doing now... And to say "We're part of the community. We're not just entering (like you said earlier) and trying to solve a problem, and we've never been here before. No, we've been boots on the ground for decades, and our resumes and the work we've done before" is what you point to to prove it.

Yeah. I mean, the only caution there is that every situation is different. One of the things I always try to remind myself is to learn from the past, but not to over-apply models from the past, because sometimes they can be misleading. The world changes.

The world is a lot different now in 2018, in terms of where open source is in the software ecologies in general versus 2002. Back when we were doing the first version of the enterprise Linux business model in 2002, most professional companies looked at Linux and said "This thing looks crazy. What do you mean free software? How could this possibly work?" etc. Now, fast-forward 15+ years later, there is no proprietary software to buy in most of these categories, right? It's pretty hard to go find a proprietary application framework to build with these days. It's almost complete takeover by open source, but our point that we're trying to highlight with our work in Tidelift is just because open source is everywhere, it doesn't mean that software doesn't need to be maintained. In fact, it sort of heightens the question of "Who is taking care of that software, and why?"

[00:56:13.01] Right. Who is responsible, yeah.

Yeah, and who needs it to happen, and how do we connect the dots?

Well, let's close the loop on this idea of sustaining open source, maintaining open source, this phrase that often gets put out there and talked about, and the actual mechanics of what that really means. There's other models out there, and every model is needed, because you said earlier "Hey, if money is coming in open source - great! Let's not say one way is wrong or right", but I wanna kind of go into the differences of other models. We've talked to Pia Mancini on here before around OpenCollective, we've talked to Eric Berry around CodeFund, previously CodeSponsor... I haven't talked to anybody from Patreon before, but we've definitely talked to Evan You on Request for Commits and several others... Henry Zhu from Babel on how they're leveraging their ability to go full-time and using those platforms to really good advantages... But then here comes Tidelift - so what is the biggest difference between Tidelift and other models where they could be seen as like more charity, or somewhat value-based?

First of all, just to get on the table - the more, the merrier.

I've said it before, I think every channel to pay the maintainers is additive, and so we're just trying to add another option into the mix, and probably "the answer" is not one of these, it's a polyglot solution of multiple of these working in different ways.

I do think that we have a somewhat different approach than a lot of the systems that have been implemented before, and it comes back to just being very practically-minded around not just asking organizations to pay back the maintainers that created software that they're using because it's the right thing to do, not only because it's the right thing to do; we're seeking to give them the additional self-serving reason to do it, which is if I pay for a subscription that covers these open source components, I know that there is somebody who is committing to me that they're gonna care for this software. And when we say "care for the software", it's written down what we mean by it, and if an issue arises, I'm gonna have someone to go to; they're committed to work with me. So it's something that they don't get if they don't pay, and we think that's compelling to a certain audience.

And again, we're more oriented towards these software teams within enterprises. That's not particularly compelling to most hobbyist developers. They're not really the audience for Tidelift, at least at this moment... Not the one that we're targeting, at least. And for hobbyist developers, I think there's a bunch of other options on the table.

By the way, as a hobbyist developer on the side myself, I happily contribute to a number of different funding mechanisms for the projects that I use. I think it's great, and I love doing it, and it makes me feel good, and everybody should. [laughs]

I definitely echo what you're saying on "the more, the merrier." One question I have for you though is like, since you've said you're a listener or this podcast, and you listened to one of the latest episodes with Eric Berry, one thing I can recall him saying in the conversation we had was around this extra layer... So the example we used in that show was Jack Lukic, who was the creator of Semantic UI, which we actually use here at Changelog; it's the UI framework we use for our back-end...

[01:00:04.03] And the question in the conversation there was essentially like layering on one more thing for a maintainer to do... So Jack may be really great with user interface, maybe really great with the framework, and that's all he may really wanna do, but he's hit a stopping point of time invested because of the lack of funding. So in the Tidelift model - and maybe Jack is not the perfect person; Jack may be considered a hobbyist, even though his project is used tremendously, and very vital to so many projects that are using it... But he may not have the time or the desire to wanna do the other things to support or to be in the Tidelift model; how does that fit in?

I think if I was to rephrase the question, it's like "What if the open source maintainer or team isn't interested in doing the Tidelift-style maintenance?"

Assurances, yeah.

We sort of look at that, again, from the -- think about it from the open source user's perspective. The user is still interested in having somebody look after the security, look after the licensing and the maintenance of this component... So if the current contributors to that project are not interested in doing that, can we create an incentive for some new contributors to join the project to do that? And one of the patterns that I've witnessed being in and around open source communities is when somebody shows up in an open source community and they say "Hey, I'm interested in doing some of the grunt work around here, to sort of help with some of the day-to-day maintenance tasks", especially if everybody else has already passed on volunteering to do those things, usually they're accepted with open arms.

So I think that our model can potentially help in those scenarios by giving someone else a nudge to sort of show up and volunteer... It's not really volunteering, because they get paid to do it.

They're getting paid!

Yup. "Pay the maintainers" is our mantra.

I like that tagline a lot. It's short, it's three words, it gets to the point... Pay the maintainers. I like that. And you said "The more, the merrier", I think that's what everyone is saying - let's just find ways to pay the maintainers, so that they keep maintaining, so that they keep innovating, so they keep really just enjoying it. Open source is fun to be involved in. What makes it not fun is whenever you're not -- not so much not rewarded, but just when you feel depleted at the end of the day because you wake up to 35 new issues, all these different things, and then you've got your day job, and your family, and your life. That's what drags it down and makes it very difficult to scale, and maybe why earlier you mentioned venture capital... Capital wasn't a great option for it, just because of the way the market worked. There's all these different ways, but this is just one of several ways we can pay the maintainers, and I like that mission a lot.

Donald, we're coming to the close here... I'd like to end with this question. Super-secret - something's going on at Tidelift that maybe people aren't aware of; you know, I don't know. Is it a new announcement, something coming up...? What's something that no one knows about that you could share here on the show today? Or even tease, whatever it might be.

Yeah, I'll just mention a little tease. We're gonna have some really exciting to us, and I think relevant news coming out in the next couple of weeks, talking about getting to a certain kind of scale milestone on the Tidelift platform. Stay tuned for that. Stop by Tidelift.com, depending on when you're listening to the podcast, to learn more about sort of showing the model working at some interesting scale that we think people will find compelling.

[01:04:12.05] When you say "milestone", it means the big deal, right? So this is a big deal.

It means we're reaching another waypoint on our journey to demonstrating the Tidelift model working at scale... And paying the maintainers.

Gotcha. So even if you're listening to this distant in the future, and this announcement has since passed, we're gonna update the show notes for what Donald is talking about; we'll definitely link it up, whatever it might be. I don't know where it's at, but wherever it is on the internet, we'll link it up, so just go back to your show notes. We'll make sure we have those up to date.

Donald, anything else in closing? It's a fun journey that you've been on, from your history in open source, all of the different co-founders that have worked with you on this, the mission you have to fund open source, in particular "Pay the maintainers" - I love that. Anything else you wanna say in closing to the listening audience that may be interested in the journey of open source and what it's about?

First of all, I would just say thank you to you, Adam, and to the Changelog and Founders Talk for covering these topics, because I think you're a really important voice and you're shining light on important issues. I guess that would be my parting thought - these issues are important. As a lot of folks now have pointed out - you referenced Nadia did an amazing job shining a light on the importance of open source software...

We have now decided collectively to build our civilization largely out of software, and that software is open source... So if we want our world to be a great one, we need our software to be great, and that means we need our open source software to be great. I'd just invite everybody who is interested in these topics - learn more about the different models that are being proposed. I'd love for folks to come and learn more about Tidelift, and talk to us and help us evolve it in the right way, take it the right way; launch additional models. Let's try a whole bunch of things, and collectively I think we can have a really positive impact on the world... And thanks a lot for paying attention and putting this in front of an interested audience, Adam.

Absolutely, man. Thank you so much for saying that. This has been a labor of love for many years, turned business, and we've been fortunate in that. And if it weren't for our listeners and those contribute to open source, and this entire community, we would not be able to exist obviously, because there'd be nothing to talk about... But we're just so thrilled that we get to be in this position; we've been down a long road, and I'm honored to have 1) you on the show, then 2) you as a listener... And when I mentioned things, even in the breaks, you were like "I've already listened to that." I didn't know that you were that passionate about -- you know, sometimes people say thank you, but you're an actual listener, who listens to every show, or at least a lot of them. That's awesome, I love that.

Keep up the good work, man.

Thank you, Donald. It was a pleasure, and I really appreciate it.

Thanks for having me on.

Changelog

Our transcripts are open source on GitHub. Improvements are welcome. 💚

0:00 / 0:00