
Why and How Companies Should Pay Open Source Maintainers

Formal Metadata

Title
Why and How Companies Should Pay Open Source Maintainers
Series Title
Number of Parts
78
Author
License
CC Attribution 2.0 Belgium:
You may use, modify and reproduce the work or its content, in unaltered or altered form, and distribute and make it publicly available for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Publication Year
Language

Content Metadata

Subject Area
Genre
Abstract
In this talk, I present some economic arguments for why companies should pay the Open Source maintainers they depend on, and I suggest some technological solutions for how this might be accomplished. Virtually all companies use Open Source software, making a critical subset of the Open Source ecosystem crucial for everything from watching YouTube videos to working with medical records. But the companies that use Open Source software rarely pay the maintainers of the software they depend on. I explain that this can lead to serious issues in the Open Source ecosystem, such as the international security risks we saw with the XZ backdoor and the Log4Shell vulnerability. I explain that, if companies paid the Open Source maintainers they depend on, the Open Source ecosystem would become more sustainable and stable while retaining the significant economic advantages provided by Open Source governance models, and companies would benefit from this. Next, I want to talk about how to actually pay maintainers. Forward-thinking companies have, in fact, shown their willingness to fund the Open Source software they depend on. But it is not always trivial to figure out which Open Source maintainers a large codebase depends on, and how to actually pay those maintainers. At thanks.dev, we have created a platform that scans companies' codebases to identify the Open Source maintainers whose projects these codebases depend on. We then give companies an easy and financially transparent way to pay these maintainers. But dependencies often form a complex tree, and it is not immediately clear how much money should go to each dependency's maintainer. Current methods, though helpful, are simplistic. I introduce a new algorithmic technique for fund allocation, which uses a combination of coupling and complexity metrics to calculate which dependencies are most critical to a certain project. Using this method can provide a better allocation of funds.
I am keen to hear the community's feedback on both my economic and my technological suggestions, and to further develop solutions together.