A Few thoughts on FOSS Sustainability

April 07 2024

Every time we have a supply chain security issue, or a maintainer taking their code out of the commons, we trace it to maintainer burnout.

Last week there was a backdoor in xz that was thwarted by chance, which has been more than covered elsewhere. [4] The system works, folks felt, but we also started thinking about project sustainability again.

The backdoor was a long time in the making, selecting one very burned-out maintainer in a small dependency. There was a social engineering attack to get the keys to the project's castle, in order to undermine the security of projects elsewhere. Well, undermining the security of everywhere.

How do we reduce the risk? We have no choice in this. The EU now has a Cyber Resilience Act. For any FOSS project that's trying to gain project sustainability via commerce, it's a new headache. This is despite the leeway given to FOSS within the act. [1-3]

We cannot assume that it's a case of chucking money at it and hoping it magically fixes everything. Projects can get lots of money and still be dysfunctional or taken apart at a whim.

I'd like to talk about our projects as part of the commons. Projects provide open code to the commons. The communities they serve need, in turn, to provide support to the folks who work on those projects.

We should support the maintainers

Very often we have projects relying on a chain of dependencies where nothing happens on those dependencies, particularly the libraries. Libraries aren't supposed to change, because other programs end up relying on them. The only reasons to change them are required features and security updates. Often those libraries, once developed, will not change for years.

So what else is a maintainer meant to do?

They have to eat. Then all of a sudden folks come with demands on a project. Our industry constantly flirts with burnout; it's unhealthy and ultimately unproductive. This is how you end up with bad actors taking over projects when the project maintainers burn out.

As usual, we all started to think about why this happened. Then we suggested some ideas.

"If someone is burnt-out or has a mental health crisis, they could contact the foundation, tell their story, and say, hey, I need a few months to recover and deal with my problems, can we put out a call among already trusted members of the open source community to step in for me for a while? Keep the ship steady as she goes without rocking it until I get back or we find someone to take over permanently? This way, the wider community will also know the regular, trusted maintainer is stepping down for a while, and that any new commits should be treated with extra care, solving the problem of some unknown maintainer of an obscure but important package suffering in obscurity, the only hints found in the low-volume mailing list well after something goes wrong." - OS News [4]

This is a nice idea. However, I have concerns about this approach. For one thing, for some projects, it's not so easy to find a maintainer. Andrew Tridgell just took back maintainership of rsync, which he'd handed over about 20 years ago. [5]

There's also the huge privacy elephant in the room.

I don't trust tech with my private data or my mental health.

There are potential privacy risks. Folks with mental health issues know it's unwise to talk openly about their state of mind. It's private information and you want to be talking to Mental Health Professionals. So who will the organisation trust with that? Who will pay those professionals? Who will you pay to ensure that that private session information remains private?

Those support and counselling session notes will go on your medical records. Where are those being stored? Data leaks. Most maintainers would not trust this.

Also given how this recent piece of social engineering happened, I don't trust an outside organisation to steward this at all. You only have to look at how abusers can smarm their way into vulnerable communities to see how an organisation like that is catnip to some abusers.

Look at the issues with the Crisis Text Line and how they used the data from suicidal teens to help Lyft improve their customer services. Seriously, go ask Tim Reierson. [6]

If people want me to trust someone with my mental health and my hang-ups, the last thing I want is to worry about where that information ends up, or, for that matter, to have to worry about any other sensitive private information.

Data leaks.

Money makes the world go round.

Part of the reason why we have a mental health crisis is that there is no social safety net for programmers or their support systems, if they even have a support system to help with the admin of a project. Often their healthcare is tied to their employment, and many project maintainers have a day job. If they are fortunate, their employer pays them to maintain their project. However, that brings other motivations to projects outside the original project scope. What if the organisation then pulls that time away from the maintainer?

While I like the idea of an organisation to help developers with burnout, sustainable projects need more than developers as project maintainers. They do need support and they need governance to help them to survive long-term.

But even this well-meaning proto-proposal has some sharp edges.

"I’m not proposing this be some sort of glorified ATM where people can go to get some free money whenever they feel like it. The goal should be to help people who form crucial cogs in the delicate machinery of computing to live healthy, sustainable lives so their code and contributions to the community don’t get compromised. This means not just doling out free money, but also helping people connect to the therapists, doctors, debt restructuring experts and whatever other specialists we all sometimes need in our lives to help us get back on track." - OS News [4]

It's just all so reasonable sounding, isn't it? It is written from a place of utter privilege. If an organisation like this is funded, there is a very real danger it's going to be a bunch of privileged able-bodied folks who happily go to conferences unmasked to network on behalf of the organisation.

I can imagine the justifications as well:

"Fundraising is very important and we have to justify ourselves to our contributors. These meetings have to happen in person."

Would these people be paid? Or are they so rich that they can take the time to be on another board?

I find myself disappointed in an attitude that writes "Open Source is more than just code", then writes that ATM comment. I know it's written with your heart roughly in the right place. But I can see the value for you is purely in the code, and what it can do for you. No space in your ideals for the unseen "glue work".

For all you know, the reason why the maintainer is suffering is because a major pillar in their support structure who did the glue work is ill, or has a family issue. It's not an easy thing for project maintainers to admit burnout; they know people will judge them.

Then any employment opportunities will dry up. We don't allow for weakness in our cultures.

Many project developers and maintainers would love to look after their projects full time but there often isn't the funding to create the support structures within a project to help prevent burnout.

As E Hashman pointed out in a thread: [7]

"As a former maintainer, things I would have liked to consider working on projects full-time include:

The rest of the thread is worth a read, as it goes into the many factors that can take up a maintainer's time and can affect what happens to a project in terms of its priorities.

FOSS has been through this before

We have organisations like Tidelift that are trying to provide that support, but so many folks will slip through the cracks. [8] Burnout is more than code demands. The Eclipse Foundation is also looking at this to meet the requirements of the Cyber Resilience Act. [9]

I mean it's nice to have a framework to measure where we are as a project against. But it's not enough.

I wish even one org would commit to monetary support rather than yet another framework. We do need to have a process, but being able to maintain the components of the software supply chain takes labour. It's work and it should be paid for somehow. Developers need to eat.

It's easy to see why the focus on code value has happened. The code and the project maintainer are the reason for a project's existence. This means other factors, like community health and how diverse it is, go out the window. It's harder to measure those metrics.

We also have different meanings when it comes to community. When a library is used everywhere, its community can range from hobbyists to large tech firms who contribute varying amounts of time, or on occasion money. That can influence a project against its interests and also against the interests of the commons.

Then folks complain when projects take a source of money that's not the ethical choice. Like how can projects be maintained without the support?

Project Maintainers and their families have a powerful need to eat sometime this month. Burnout happens because of several factors. But money will often be at the root of a lot of that burnout.

I don't mind if people do use a fund as an ATM.

If you've worked on a project, contributed to a project, packaged code, managed a community or given support to a project that's for the commons, i.e. Free Software, why not?

But if you're that concerned about fraud or mutual aid being fraudulent or wrong because it's "begging", the answer is simple.

Universal Basic Income, free education, free healthcare and free public transport for everyone, regardless of immigration status.

Then it's not going to matter who runs this hypothetical organisation, because people can take the time to contribute. If you allow remote work, you will have a more varied pool of folks in different circumstances to choose from.

Like if your attitude is: "It's begging, how do I know they deserve this money?"

Dude, take a long hard look at yourself. If you're worried about the idea of someone just demanding money without contributing at all, like grifting:

We have those in society. They are called Billionaires.

Mutual Aid for FOSS

What can I do to help?

So if you care about those projects, look for donation pages, but also find out if there's a legal reason why they can't directly fundraise.

Every year several organisations fundraise directly by crowdfunding, such as Wikipedia and the Organisation for Transformative Works. Yes, the fanfiction website crowdfunds from fanfic readers and authors. [10-11]

They directly fundraise from their community of fandom communities. Imagine that?

Eric Lathrop also had a good idea: "Maybe tech unions could use dues to pay maintainers? Would be cool if something like the ACM morphed into a union and also paid maintainers."[12]

Other developers have also wondered if they have a surplus from a grant or business, perhaps that could be put into a mutual aid fund.

There's a common theme going on here, which seems to be currently incompatible with the ideals of Open Source and Tech in general.

It's a recognition of the Commons and how the code and the community spaces should belong to everyone. So while it's the project maintainers' job to steward it overall, they are accountable to their community. Conversely, it's also up to the community to support the Maintainer and the project. Community ownership is a community responsibility.

Some of the folks on the ground around the world do have some ideas for this. I can see why some of the communities of the global south and vulnerable folks don't trust our larger organisations. Some organisations pay out a pittance if the time is paid at all, and emotional labour is still labour. Exposure and "it's good for networking for your career" is exploitation and frankly, I'd like to reduce that in FOSS.

If we want to secure Project Sustainability in FOSS, we need to think about the idea of sustaining the commons. We also need to think about communal sovereignty in the face of our Infrastructures being run on commercially owned infrastructure that can on occasion be wound down. If we want to keep those projects independent, the communities as a whole need to sustain them, with time, support and yes money.

"I'm imagining these things, and I'm inviting you to imagine them, too. And to keep imagining beyond this tiny window of possibility. Our world and our technology is all too often bent to serve the preferences of capital. But Free Software has been a rejection of that dynamic, and that's powerful. You can just make the software that suits you, you can share it with other people, and they can share with you. You don't need permission from IBM, or from Microsoft, or even from your boss to do it, and that's powerful, too. That's the commons. If our goal is to support open source maintainers, that's the support I would choose. And that's the future they deserve." - Jennifer Moore [13]

It's on us as privileged folks to listen and not just assume folks are grifters.

Again, those are billionaires.

Public Money, Public Code

The Horizon EU fund and its daughter funds, NGI, provide funding to lots of FOSS projects.

There is a lot of competition. Some projects have some initial funding from the EU, and then that's it. The NGI funds do wish they could fund more and will point projects at those funds. They are trying to invest in the whole ecosystem for the commons. But there's some fine-tuning in the applications to do for each fund depending on what the stated purpose for that fund is.

Funding rounds for many funds, EU and non-EU, can also take anything from two months to a year before work can start, let alone be paid for.

EU funds also have a duty to the millions of European citizens and residents to invest their money wisely and transparently. [14] FOSS projects that are funded are also under that obligation. As the Free Software Foundation Europe says, public money should be spent on public code. [15] I think it needs to go further: not just for government code to be available, but any software produced needs to be Free to the commons. So how do we keep those projects sustainable?

The EU then depends on the project to work out its long-term survival. The point of the Horizon funds is to develop businesses that become unicorns and zebras. Even the small local commons funds end up being themed around blockchain or AI, because that's where a lot of technical investors are funding ideas. [16-17]

What about some of the newer projects that are doing research for the Next Generation Internet? Those who haven't incorporated their project yet? Those who have team members working through the hurdles of immigration with little organisational support? What about the projects that are perhaps one or two individuals at the most?

They can't go for the higher-value Horizon EU grants, as they aren't companies or don't have a fiscal home yet. Some of the funds aren't set up as a charity, so they can only pay businesses, not individuals.

There's a whole spectrum of circumstances across FOSS, and big organisations aiming for the good of the supply chain won't catch them all until some developer notices a useful tool for their project and incorporates the dependency.

So we will all be here again, 10 years down the line, right at the same place.

So projects rely on the goodwill of grant writers and some project advisers who often don't get paid for months or at all for front-loading work.

The best funding organisations for FOSS at the moment are the NLnet Foundation and the Sovereign Tech Fund.

But if our governments want to secure the software supply chain, developers need to be paid for their time, as do contributors, and their support folks. I think that if a FOSS project has had Government funding at all, then some form of stipend should be paid no questions asked in perpetuity for as long as the code stays open for the public.

I'm also not just talking about the code, which is how projects currently get paid. They get paid for coding milestones mainly. Then it's left to the developers to decide how that money is doled out, which goes a bit wrong sometimes. [18-20]

You cannot quantify all of the work, and sometimes those dependencies do not change for years. So much like with support, a stipend is needed.

The Commons Infrastructure: FOSS and the Public Purse

Some projects are also being invested in by legislatures to develop new systems and new communications.

Perhaps continuous investment in those projects, developers and their support systems would be better value down the line. We need to have support and a more robust ecosystem for this. [13]

Rather than hope every project invested in becomes a unicorn business, we need to consider putting public money into all publicly available code. We need to invest in these projects in perpetuity for the commons, especially if they've been given EU seed funding. Relying on a developer to be interested and pick it up down the line will not work in all cases. Folks need to know those tools exist. You can't expect all project maintainers to be good at getting the word out.

Again, this is why a lot of FOSS work isn't code; it's the community communications and moderation. It too needs direct investment. [18-20]

We're part of the infrastructure now, as projects and developers. Infrastructure needs to be invested in to face the challenges of our world. Our former public infrastructures of transport, electricity, water and healthcare are crumbling because making them private meant they couldn't invest in coping with climate change or coping with public health issues.

I don't mind if people just took the money and did nothing either. You don't want a disaffected workforce doing the bare minimum. You want people to care.

Imagine what we could do if we had healthcare and a base income. Imagine a coterie of publicly funded FOSS projects with diverse communities. With healthy communities, developers wouldn't feel alone and disaffected by people asking for things. Imagine investment in Community Support and funding for accessibility in some of our projects. It takes more than cash and vague mentions of supporting folks' mental health.

You could have a core set of developers, passionate about public code, to help the commons. They could be working from anywhere in the EU, including areas that face depopulation when people go where the work is in the cities, helping to improve connectivity in those areas and contributing to those local economies.

We'd do marvels.

It's insurance.

But I'd prefer Universal Basic Income.

[1] https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

[2] https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

[3] https://blog.nlnetlabs.nl/what-i-learned-in-brussels-the-cyber-resilience-act/

[4] https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/

[5] https://lwn.net/Articles/968732/

[6] https://reformcrisistextline.com/

[7] https://cloudisland.nz/@ehashman/112181868961681879

[8] https://tidelift.com/

[9] https://eclipse-foundation.blog/2024/04/02/open-source-community-cra-compliance/

[10] https://archiveofourown.org/admin_posts/28423

[11] https://archiveofourown.org/admin_posts/28612

[12] https://mastodon.ericlathrop.com/@eric/112198676344118050

[13] https://jenniferplusplus.com/the-free-software-commons/

[14] http://onepict.com/20231103-5years.html

[15] https://fsfe.org/activities/publiccode/publiccode.en.html

[16] https://trustchain.ngi.eu/

[17] https://digital-strategy.ec.europa.eu/en/activities/invest-close-half-billion-euro-part-one

[18] https://ginnymcqueen.com/funkwhale-and-foss-failure/

[19] https://ginnymcqueen.com/funkwhale-the-foss-that-wont-flush/

[20] https://onepict.com/2022-11-28-resign.html