I think we need an organization that has a few developers who work on maintaining important web software that might otherwise go unmaintained - e.g., project owner abandons, can’t invest necessary time, etc. Tidelift, etc. is a great idea for getting project owners/contributors funds to free them to spend more time on development but doesn’t help with these other situations - of which there are many. I’ve created a bare bones proposal here.
I couldn’t agree more on the problem definition. I too believe that FOSS should be treated like a public good. It’s the backbone of our digital infrastructure and vastly underfunded. I’d love to hear your thoughts on our project Radicle: https://radicle.xyz/towards-decentralized-code-collaboration.html
It’s essentially two things: a code collab network without intermediaries and a decentralized registry that distributes value back to FOSS, e.g. based on dependencies.
Chiming in here. I write web authoring software at Velara 3. I currently charge (not enforced) for licenses for that software so that I can afford to keep development going. I would reduce prices if I was able to receive a grant. There are a few other great web projects like Apache Flex that are staffed by open source developers. From conversations, many would donate more time to the project if their work was offset or, better phrased, “invested in”. Commercial companies benefit from and take advantage of projects like these.
Enjoyed reading about Radicle. Sounds like a worthy undertaking!
In the article you mention self sovereign user identity, I’d love to hear more about your thoughts on that as I am interested in implementing user controlled identity in another project I’m working on.
My biggest hesitancy with distributed projects of this nature involves the potential for illegal materials to be stored on individuals’ systems. For example, if someone were to create a revenge porn repository hosted via Radicle, the contents of this repository could reside on one’s local computer without any intention for it to be so. It seems to me (though I’m not a lawyer) that this could serve as grounds for seizure (and perhaps charges) by law enforcement agencies.
This applies also to export controls on specific technology - e.g., cryptographic software - to specific countries (e.g. Iran). It seems possible (probable?) that governments would view participation in a peer network as active participation in such and the pressure that can be placed on organizations (such as Github) would be just as real for the individual.
Thank you. You have to explicitly track projects and only those are replicated locally. So if someone hides malicious data in the Linux kernel, which you happen to replicate, then in both scenarios (centralized GitHub repo vs. Radicle repo) you’d have that data on your local machine after pulling from remote.
Otherwise the network is open by default, which is pretty much one of the reasons why we’ve started Radicle and made certain design decisions. Some users from Iran weren’t able to access their repositories on GitHub anymore, which is something that wouldn’t happen in our network. Whether that has legal implications for individuals I honestly don’t know, although I’d doubt mass lawsuits against individuals. I guess seeding copyrighted data on BitTorrent might be a good starting point for research here.
Read the proposal and, without being utopian, I’m not sure how we can do better than Tidelift and other independent funding mechanisms. I worry any org will not choose to update the package I need updated, will keep rewarding a few programmers, will be subverted, will fall to infighting, will have high overheads, etc. Maybe though that is just the cost of a global public good org and it will do more right than wrong. Transferring ownership of dead projects is tough and perhaps one of the things an org like this could do better than Tidelift etc.
How was the OpenSSL maintenance problem resolved?
Thanks for the feedback Paul. I would see this organization as working parallel to rather than in competition with Tidelift. I think Tidelift et al. are making good progress on this front generally; I’m thinking this org would be specifically focused on those projects that have been abandoned or aren’t fully supported.
In cases where the abandonment isn’t full it may be as simple as creating a patch and pushing to the repo, which anyone could do; this would be more about making sure that it was done, as it so often isn’t now.
In worst-case scenarios the repository could be forked. This means some work on the part of the software / library users to grab the forked version, but if this org became a recognized conduit for such forks it could become a habit, perhaps even automated into some software, to check for forks when repos were found that were quite outdated.
I’ll flesh out the proposal with additional info (e.g. on governance) when I get a few moments, I understand your concerns about the organization not focusing on the right software, at least from the perspective of some.
Regarding OpenSSL, I’m not sure there has been a fully satisfactory resolution. According to Wikipedia the team around OpenSSL is still quite small.
There are a few forks out there, including one by Google called Tink, but I’m not familiar with how adoption has been of these forks as compared to OpenSSL.
Small idea but npm seems like a practical place to analyze this problem. It collects usage stats, code repository stats, vulnerability stats, and has the npm fund command which shows you which libraries you are using that are asking for funding (with links). Together you could see what libraries are “dead” or risky but being used a lot and have requested funding.
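The triage the post sketches, combining usage, release activity, vulnerability and funding signals to surface dependencies that are widely used but no longer maintained, as an added example that is not part of the original post. The inventory below is constructed for illustration and is not real npm or npm fund output; the package names, field names and thresholds are assumptions.

```python
import json
from datetime import date

# Constructed sample inventory (illustrative, not real npm output). Each
# record mirrors the signals the post lists: usage (weekly downloads),
# repository activity (last publish date), open vulnerabilities, and whether
# the package asks for money via a funding link. Names are hypothetical.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "left-widget", "weekly_downloads": 4200000, "last_publish": "2017-03-01",
   "open_vulns": 2, "funding_url": "https://example.invalid/fund/left-widget"},
  {"name": "fresh-lib", "weekly_downloads": 900000, "last_publish": "2020-02-10",
   "open_vulns": 0, "funding_url": null},
  {"name": "tiny-helper", "weekly_downloads": 1200, "last_publish": "2016-11-20",
   "open_vulns": 0, "funding_url": null},
  {"name": "big-unfunded", "weekly_downloads": 2500000, "last_publish": "2018-06-30",
   "open_vulns": 1, "funding_url": null}
]
""")


def _as_date(value):
    """Accept either a date or an ISO-8601 string so callers can pin 'today'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def days_since_publish(record, today):
    """Age of the latest release in days, relative to `today`."""
    published = date.fromisoformat(record["last_publish"])
    return (_as_date(today) - published).days


def classify(record, today, stale_days=365, popular_downloads=100_000):
    """Return the set of flags that apply to one dependency.

    "dead"    : no release within `stale_days`
    "popular" : widely used, so a maintenance gap affects many downstreams
    "vuln"    : has open advisories (and, if also dead, nobody to fix them)
    "funding" : the package is asking for money (what `npm fund` lists)
    """
    flags = set()
    if days_since_publish(record, today) > stale_days:
        flags.add("dead")
    if record["weekly_downloads"] >= popular_downloads:
        flags.add("popular")
    if record["open_vulns"] > 0:
        flags.add("vuln")
    if record.get("funding_url"):
        flags.add("funding")
    return flags


def triage(inventory, today, **thresholds):
    """Rank dependencies that are both dead and popular, the cases the proposed
    organization would target. Vulnerable ones sort first, then by download
    volume, so the list reads top-down as a work queue."""
    candidates = []
    for record in inventory:
        flags = classify(record, today, **thresholds)
        if {"dead", "popular"} <= flags:
            candidates.append((record["name"], flags, record["weekly_downloads"]))
    candidates.sort(key=lambda c: ("vuln" not in c[1], -c[2]))
    return [(name, sorted(flags)) for name, flags, _ in candidates]


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_INVENTORY, "2020-03-01"):
        print(f"{name}: {', '.join(flags)}")
```

The thresholds are deliberately plain (a year without a release, 100k weekly downloads) so they can be argued about; the value of the exercise is that "dead and popular" is computed from data rather than from which maintainers happen to be loud, which was the concern raised about an organization choosing the wrong packages.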
Agreed. I’d like to do this with a few of the larger projects (e.g. create-react-app) in the near future.