This week we’re celebrating Maintainer Month along with our friends at GitHub. Open source runs the world, but who runs open source? Maintainers. Open source maintainers are behind the software we use everyday, but they don’t always have the community or support they need. That’s why we’re celebrating open source maintainers during the month of May. Today’s conversation features Alyssa Wright (Bloomberg), Chad Whitacre (Sentry), and Duane O’Brien (Creator of the FOSS Contributor Fund and framework). We get into all the details, the why, the hows, and the struggles involved for companies to support open source.

After years of working for Google on the Go Team, Filippo Valsorda quit last year to experiment with more sustainable paths for open source maintainers. Good news, it worked! Filippo is now a full-time open source maintainer and he joins Jerod on this episode to tell everyone exactly how he’s making the equivalent to his total compensation package at Google in open source.

Filippo Valsorda:

Last May I left my job on the Go team at Google to experiment with more sustainable paths for open-source maintainers. I held on to my various maintainer hats (Go cryptography, transparency tooling, age, mkcert, yubikey-agent…), iterated on the model since September, and I’m happy to report that I am now a full-time independent open-source maintainer.

People like Filippo are still (unfortunately) the exception, not the rule. BUT! I’ll celebrate every time an open source maintainer makes it to the promised land, hopefully paving the way for others to follow after.

I’m sharing details about my progress to hopefully popularize the model, and eventually help other maintainers adopt it, although I’m not quite ready to recommend anyone else drop everything to try this just yet.

Thomas Depierre, writing about the concept of the Software Supply Chain in the context of open source development:

We are not suppliers. All the people writing and maintaining these projects, we are not suppliers. We do not have a business relationship with all these organisations. We are volunteers, writing code and putting it online under these Licences. And yes, we put it online for people to use them. But we do not get anything from it.

He goes on to discuss how, importantly, licenses such as the MIT point this out (in all caps):

If you use this, I owe you nothing. At all. We have no relationship. I put this up online on the condition that if you use it, all the risks are on you… So all your Software Supply Chain ideas? You are not buying from a supplier, you are a raccoon digging through dumpsters for free code. So I would advise you to put these rules in the same dumpster. And remember. I am not a supplier.

That raccoon line reminds me of a now-ancient meme you might still enjoy…

We’ve been using Parker Selbert’s Oban library for years and he even helped us hold it right by improving our open source implementation!

So, Jerod invited him Backstage to discuss the library, how we’re using it, Parker’s plan to make it financially sustainable, his “freedom number” of Oban Pro subscribers, and a bunch of other random stuff along the way. Let’s go!

Zach Leatherman recently announced he will now be working on Eleventy – his simpler static site generator – while continuing to work at Netlify. What makes Eleventy special? How’d he convince Netlify to let him do this? What does this mean for the project’s future? How many questions in a row can we type into this textarea? Tune in to find out!

All the details of the National Science Foundation’s “big bet” are in the article, but here’s the money quote:

If you are working on an open source project that might benefit from this kind of funding, check it out here. Phase I applications are due May 12, 2022, and Phase II applications are due October 21, 2022.

I love this idea by Simon Willison:

I think I’ve come up with a novel hack for the challenge of getting your company to financially support the open source projects that it uses: reach out to the maintainers and offer them generous speaking fees for remote talks to your engineering team.

It won’t work for every person and situation, but we should add it to our arsenal of ways to return economic value back to the maintainers of our open source infrastructure.

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Daniel Stenberg lays out how he thinks we can view the world of software and open source in light of supply chain security, maintainer sustainability, and the like:

Inside the pyramid there is a hierarchy where things using software are build on top of others, in layers. The higher up you go, the more you stand on the shoulders of open source components below you.

At the very bottom of the pyramid are the foundational components. Operating systems and libraries. The stuff virtually everything runs or depends upon. The components you really don’t want to have serious security vulnerabilities.

A rebuttal by Kailash Nadh to the aforelinked post.

large for-profit corporations started their widespread consumption of FOSS, ever since countless “unicorns” raised infinite amounts of funding on valuations built pretty much entirely on FOSS, ever since FOSS got co-opted into corporatisation and capitalisation. And yet, countless maintainers of critical and widely used FOSS struggle to make a living.

Whose fault is this? I do not believe that this is FOSS’ fault as a conceptual framework or a system. If FOSS was broken, the internet as we know it today wouldn’t exist; the countless marvels of technology that we take for granted and techno-economies that thrive on them wouldn’t exist; millions of software developers (like me) who learnt to write code with FOSS and learnt to make a living with that knowledge wouldn’t exist.

The post-log4j-zero-day thinkpieces started rolling in over the weekend. I’m happy about that. We need to discuss this stuff. Here’s what Christine Dodrill’s TL;DR:

If you want me to make you useful software, pay me. If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. This should not be a new thing. This should already be the state of the world and it is amazingly horrible for us to have the people that make the things that make our software work at all starve and beg for donations.

The entire article is worth considering.

Overdoing things can have a deep mental impact, one should not feel guilty about giving up on something. It’s the same with pursuing side-projects don’t hesitate to abandon them if the need arises

Cool move by Vercel. Rich says:

so happy about what this means for svelte’s future. it’ll be the same independent, pluralistic project as before, but with Vercel’s backing we can get ✨ a m b i t i o u s ✨

Congrats to the Svelte community! We’ll surely dicsuss this move and what all it means when Rich joins us on JS Party in early December.

Avdi Grimm kicks off a new series of posts (that I’m quite excited about) on the various parts that go into a “banana stand” business by deftly wielding a classic Arrested Development gag and telling the tale of how he got his stand started:

I’m a software developer by trade. I’ve slung code either as an employee or as an independent consultant for over two decades. But around ten years ago, I started selling e-books about programming. At the time it was a way to recoup the time and energy I had sunk into researching conference talks, as well as a way to expand on the topics of those talks.

E-books expanded to screencasts, and then to courses. I found myself with a diversified product income that sometimes rivaled or even exceeded what I could expect from a developer’s salary.

As a result, gaps between gigs haven’t felt like “unemployment” for a long time. Instead, they are opportunities to work on my education business. Recently, a major gig I’d been looking forward to fell through at the last second. Once I worked through the disappointment, I was like: “welp, there’s always money in the banana stand!”

The first component of your banana stand: a mailing list

Replit is donating $25k to the NixOS Foundation. Here’s why:

Replit has a history of betting on nascent technologies. The first version of Replit used WebAssembly long before WebAssembly found widespread adoption. We’re betting that the Nix project will improve performance across the board, sidestep a whole slew of bugs for our community, and let any Replit user build and publish programming environments.

For a primer convo on Nix, (re)visit our conversation with Domen Kozar on The Changelog.

Zach Leatherman has been considering sustainability models for Eleventy, so he surveyed the field to see what everyone else in the web framework ecosystem are doing. Check out his post for the raw data and his analysis. Here’s where he stands as of today:

I don’t have the answers. I definitely wouldn’t agree that Eleventy has figured out our sustainable monetization strategy but I do really admire the success that Vue has had solving this exact problem. I do know that I have no interest in Trend 2 (raise investment money) but I’ll continue to keep a keen eye on what other indie-framework folks are doing.

Luis Villa:

Here in 2021, it’s clear that a new set of standards for open source is coalescing. These bring new labor to be done, either by open source developers or as part of a metadata overlay. These new standards include:

• Security information and auditing…
• Legal metadata…
• Procurement information…

Somethings’ gotta give…

This week we’re talking with Pia Mancini about the latest updates to the mission of Open Collective. Earlier this year Open Collective announced “Funds for Open Source.” The idea is simple, make it easy for companies to invest in open source, and they will. Also, since recording this episode, Pia and the team at Open Collective along with Gitcoin announced fundoss.org as part of Maintainer Week announcements. And right now, they have a matching fund of $75,000 dollars funding open source that you can support.

Every commit is a gift, seriously. One of the best ways to show your appreciation for a gift is by a sincere and thoughtful thank you.

So, in honor of Maintainer Week we encourage you to thank a maintainer who has improved your life with their open source gift to the world.

Ryan Dahl and Bert Belder announcing the Deno Company:

Deno is not a monolithic system, but rather a set of technologies that we believe can be repurposed to a variety of needs. Not every use-case of server-side JavaScript needs to access the file system; our infrastructure makes it possible to compile out unnecessary bindings. This allows us to create custom runtimes for different applications: Electron-style GUIs, Cloudflare Worker-style Serverless Functions, embedded scripting for databases, etc.

In order to vigorously pursue these ideas, we have raised 4.9 million dollars of seed capital… This investment means we will have a staff of full-time expert engineers working to improving Deno. We will ensure that issues are addressed, bugs are fixed, timely releases are made; we will ensure Deno is a platform others can build on with trust.

Deno will remain MIT licensed: no open core. It appears they will commercialize through infrastructure and other offerings. Maybe deploy is the first of these?

Pia Mancini:

We are on a mission to make working for an open source project a legitimate alternative to a career working for a for-profit corporation. To achieve our goal, we must remove friction between projects, the communities who support them, and the corporations who depend on their work (and can fund them)

Their entire premise is that companies would invest more in open source if it were easier for them to do so. So, they’re making it easier by introducing “funds”, which companies can set up and then give to one place instead of a dozen (or more) projects separately. And they’ve already gotten the ball rolling:

Over the last year, we’ve been quietly establishing a number of Funds, which have turned into great examples of what happens when you solve the barriers between corporations and open source projects.

I hope it works. Airbnb alerady has a fund. Indeed already has a fund. More to come?

Tailwind CSS creator Adam Wathan joins Jerod, Nick, & Feross for an in-depth discussion of his trending utility-first CSS framework. We cover why everyone complains about CSS, how Tailwind began and how it gained popularity, how developers use with Tailwind and integrate it into their workflows, and how Adam has managed to build a business around the project. Thanks, Bette Midler!

Joe Morrison:

Until yesterday, I was still clinging to a few shreds of romantic optimism about open source software businesses. Mapbox is the protagonist of a story I’ve told myself and others countless times. It’s a seductive tale about the incredible, counterintuitive concept of the “open core” business model for software companies.

We’ve discussed the challenges with open core on many occasions (this episode of The Changelog on Nextcloud immediately comes to mind), but most of those conversations center around the tension of balancing commercial and open source interests. This Mapbox open core story, on the other hand, has a different villain:

Today, we’re gathered here on the internet to mourn the death of the open core business model. We’re here to tell stories of the before-times, to reminisce about how smart we thought we were. We went against consensus, and we were wrong. Because, open core is dead.

Cloud killed open core.

A sad, but unsurprising day:

Growl is being retired after surviving for 17 years. With the announcement of Apple’s new hardware platform, a general shift of developers to Apple’s notification system, and a lack of obvious ways to improve Growl beyond what it is and has been, we’re announcing the retirement of Growl as of today.

Growl is one of the reasons I originally fell in love with the Mac. It belongs in the pantheon of open source projects that don’t merely cease to exist, but are so influential that they change the very platform they are built on.

Thanks to everyone who contributed to this amazing project over the years. 💚