The Philosophy of the Open Source Pledge

Vlad-Stefan Harbuz
This post originally appeared on vlad.website.

Today, we launched the Open Source Pledge. Virtually all companies use Open Source software [1], making the Open Source ecosystem crucial to virtually all of the technology we use. That Open Source software is created and supported by maintainers. But the companies that use Open Source software almost never pay the maintainers anything. This means that the maintainers end up doing a huge amount of work for free, often as a second shift after their day job so that they can pay the bills, leaving them burned out and overworked, and leaving the projects they maintain at risk of serious security issues.

The Open Source Pledge aims to change that, by getting companies to pay the maintainers of the software they rely on. We launched the Pledge today with the support of 25 wonderful companies and 6 large foundations.

I’d like to talk about why the way the Open Source ecosystem is organised harms both maintainers and companies. I’ll explain how companies can not only do the right thing, but also make sustainable and impactful investments in the Open Source ecosystem. And I’ll talk about why this means that companies that do not pay their share act uncaringly and shortsightedly.

The screen on the Nasdaq tower in Times Square saying “Nasdaq congratulates the companies launching the Open Source Pledge”, followed by many company logos, and a link to https://opensourcepledge.com.

The Problem

The device you’re using to read this post runs Open Source software. There are some high-profile projects that any computer is basically guaranteed to be using — curl, OpenSSH, Python, and so on. These high-profile projects are often, but not always, able to secure funding for their development.

But there are tens of thousands of projects, making up the vast majority of widely-used Open Source packages, that never get more than a few dollars of funding, despite being relied on by companies such as Adobe [2], Amazon [3], Apple [4], Facebook [5], Google [6], Mastercard [7], Microsoft [8], Netflix [9], Sony [10], eBay [11], and many many others. These companies do not pay back their fair share — in many cases, they pay back nothing — to the Open Source software developers whose work they continue to monetise and depend on year after year.

For example, without FFmpeg, YouTube wouldn’t work, yet the people who make FFmpeg don’t meaningfully get paid by Google or by anyone else.

@mok says “ffmpeg has created more enterprise value than we can fathom”. @FFmpeg says “Yet we receive essentially no support from these enterprises relative to the value we provide”.
FFmpeg's tweet on 20 Oct 2024

There’s more. Though the maintainers of Open Source software are often not paid for developing this software, creators of widely-used internet infrastructure such as Elasticsearch can set up hosted versions of their software that they can sell as a service, in order to be able to afford to fund further development. But even this is made difficult by monopolistic free riders such as Amazon. Elasticsearch was previously Open Source, but had to change their license to a non–Open Source one when Amazon took Elasticsearch and started selling it themselves, using their massive scale to take revenue from the original creators of the software. These kinds of moves leave the people who maintain our internet infrastructure unable to earn an income, while enriching profiteering and mooching corporations who don’t give back, such as Amazon.

Basically, the people who make the software we all rely on don’t get paid. This xkcd comic sums it up nicely:

This xkcd comic shows a Jenga-like tower of blocks, illustrating “all modern digital infrastructure”. The structure precariously rests on a small load-bearing block, titled “a project some random person in Nebraska has been thanklessly maintaining since 2003”.
xkcd #2347 — Dependency

This has bad consequences for all of us. Putting maintainers in a position where they’re overworked and vulnerable to burnout renders the Open Source software we rely on vulnerable. There have been multiple serious worldwide security issues because of bugs that are demonstrably a result of overworked and underpaid maintainers. The XZ backdoor, which affected billions of devices worldwide, happened because Lasse Collin, the maintainer of XZ, was overworked and underpaid, and ended up being forced to accept “help” from someone who turned out to be a malicious contributor who would go on to add a backdoor to XZ. And there are other examples, such as the Log4Shell vulnerability, where underpaid maintainers doing their best to fix a major security issue were rewarded with death threats.

Analysing the Problem

So why, specifically, is the status quo of Open Source funding bad? Two reasons.

#1: It’s unfair and uncaring. People like Jordan Harband, Josh Goldberg, Filippo Valsorda, Caleb Porzio, and thousands of others build software billions of people rely on, but have to jump through a million hoops to pay the bills. This is unfair because these developers contribute massively to our tech infrastructure, and companies don’t support them. Why is it uncaring? To care about someone means approximately to be motivated to act when they might be harmed, even when you personally stand to gain nothing. Companies happily profit off of Open Source maintainers’ work, but do not care when these maintainers struggle to pay the bills.

#2: It harms our tech infrastructure. If we do not support the maintainers of the software our phones, games and airplanes run, we will continue to drive away maintainers, leaving our tech infrastructure neglected, un-innovative, and vulnerable to serious worldwide security issues.

The Solution

There are many possible solutions. Governments could support Open Source developers with tax money, which is what Germany is doing with the Sovereign Tech Fund. We could add tooling to the Open Source ecosystem that makes it easier for maintainers to sell their work, which is what Polar is working towards.

But there’s a really obvious solution that we can implement today. That’s for companies to pay the maintainers of the software they rely on. “Pay”, not “donate”, because payment is already overdue, and it has been for a long time.

This is what the Open Source Pledge is — a cultural movement asking companies to pay $2000 per employed developer per year to the Open Source maintainers they depend on.

Some companies might say that they already contribute in other ways. They might contribute by allocating time for their employees to contribute back to Open Source projects, or by offering Open Source maintainers cost-free use of cloud services. These contributions are great and should be celebrated. But they fall short in one important way — they do not help underpaid maintainers pay the rent.

Here’s one obvious question, though. Why would companies make these payments? There are three big reasons.

#1: It’s fair and manifests care. Companies might care about the fact that the developers whose work they rely on are suffering, and they might therefore be motivated to correct this. This sounds good, but it’s relying on a lot of goodwill. This is fine though, because there are two other big reasons.

#2: Signalling thought leadership. Companies that join the Pledge can signal their thought leadership by being one of the innovators driving a paradigm change in the funding of the Open Source ecosystem. This benefits the company’s brand and reputation, which appeals to potential customers.

#3: Ensuring companies can base their products on a healthy foundation. If the Open Source ecosystem that companies rely on starts crumbling, this is bad for those companies, because they will have now built their software on top of a poorly maintained foundation. Paying money to ensure the software they use is innovative, secure and well-maintained just makes sense.

What’s interesting here is that reasons #2 and #3 involve companies making payments for something that they expect to gain future value out of. This is what we call an investment, and paying Open Source maintainers is a particularly good investment. Venture capital firm Accel agrees, which is why they support the Pledge.

The corollary of the above is that companies that do not pay the Open Source maintainers they rely on act uncaringly and short-sightedly. Unfortunate!

How We Can Implement the Solution

I think many companies want to do the right thing. And paying maintainers is something that companies can do today, by joining the Pledge. The Open Source Pledge does not handle any funds — we simply facilitate money being paid directly to maintainers. Sentry has joined the Pledge, and will be giving more than $500,000 this year directly to the maintainers it depends on, continuing a tradition it has kept up for the past 3 years. Antithesis has given $186,000. We have members ranging in size from 135 developers, to 1 developer. And many other companies will follow. If our current members can do it, other companies can too.

Some companies might worry that it is too logistically complicated to figure out which maintainers’ work they depend on, then figure out how to pay those maintainers. But this process is made simple by services such as thanks.dev, which I am also a contributor to. The Open Source Pledge “About” page addresses many questions companies might have.

If you’re an employee, tell your company to pay the maintainers of the software it relies on. And if you’re a key decision maker such as a CEO, CFO or CTO? Do the right thing — it will benefit you, your brand, and the ecosystem you live and work in.

Footnotes

  1. https://gratipay.news/open-source-captures-almost-none-of-the-value-it-creates-9015eb7e293e

  2. https://thanks.dev/d/gh/adobe/dependencies

  3. https://thanks.dev/d/gh/aws/dependencies

  4. https://thanks.dev/d/gh/apple/dependencies

  5. https://thanks.dev/d/gh/facebook/dependencies

  6. https://thanks.dev/d/gh/google/dependencies

  7. https://thanks.dev/d/gh/mastercard/dependencies

  8. https://thanks.dev/d/gh/microsoft/dependencies

  9. https://thanks.dev/d/gh/netflix/dependencies

  10. https://thanks.dev/d/gh/sony/dependencies

  11. https://thanks.dev/d/gh/ebay/dependencies