Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
I usually write a summary for these discussions. In this instance, that isn’t going to work. Instead I’m including the transcript of the discussion. There is too much nuance and information to properly give a summary.
Josh Bressers (00:00) Today, open source security welcomes back to Thomas DePierre, one of my favorite people to talk about open source. So Thomas, welcome back to the show, man.
Thomas Depierre (00:08) Hey Josh, thanks. Well, I mean, thank you for inviting me back. I love talking with you about this too. And I love listening to you. Yeah, I need to welcome you to this. I don’t know why. I mean, in my house, right? I mean, my house, I welcome you in my house, kind of too, right? Now that we do this stuff remotely and not in a studio.
Josh Bressers (00:15) You did technically invite yourself.
Yeah. Good. No. So, Thomas reached out and you wrote a blog post ironically on April 1st, which makes it even funnier. But on April Fool’s day, you let me, let me zoom up. You, have a, uh, uh, 2024. Oh, holy crap. It’s, it is that old. Oh my goodness. It feels like it was not that old, but it’s been, it’s been a crazy year, but, but the title is you are all on the hobbyist maintainers turf now.
Thomas Depierre (00:31) Miracle.
Okay.
Yeah… I think it was last year actually. Yeah… Yeah, I’m old. We are old.
Josh Bressers (01:00) And I feel like this is where it’s always been relevant, I think, but it feels like, I don’t know why, but I’ve heard multiple times over the last probably two or three months, a number of people saying things like, most open source developers are paid to work on the things they work on. And so you were like, Hey, we should talk about this. I’m like, yes, it is absolutely the right time to talk about this. So I’ll give you the floor, explain to us kind of what you, what this is all about.
Thomas Depierre (01:22) Okay
Right. I mean, anger mostly, that’s what my blog posts are about, anger management. But I think that it’s a strategy that is pretty easy. You destroy nothing, you just write words, no one reads them. Pretty nice. I think what it’s coming to is, I mean, my personal feeling, I am a maintainer. If you want to know more about me and what I do, you can go to previous podcasts with me on this podcast, previous iterations.
But the… I think the reality is that…
There is a lot of maintainers, right? I know you recorded a podcast like a few weeks or months ago, I don’t know, it is with you, with your schedule, right? But around the ecosystems data with, and the thing that he’s mentioned that there are millions of maintainers, right? And we don’t know all of them, right? And we don’t count everyone that commits some stuff on all, you know, but between those are millions of them and…
Josh Bressers (02:14) Yeah. Yeah.
Thomas Depierre (02:30) We don’t see their life a lot, right? We don’t know a lot of stuff about them when you are not one and talking in this kind of places. And it’s pretty, and a feeling we have had in this year quarterly, I have had, and we have talked a bit with friends that are, you know, small maintainers too and all, is that this is probably most of the open source out there.
Josh Bressers (02:41) Yes.
Thomas Depierre (02:57) And by most of the open source, I do not mean most of the open source if you take into account all the packages that are just version 0.1 and never used anywhere, right? But also most of them if you take the stuff that is actually in use.
Josh Bressers (03:07) night.
Yes. Yes.
Thomas Depierre (03:14) and I wrote the blog post because I finally got some data that followed that. So it’s not data from me, data I collected, and it’s data from different sources that you should probably not combine the way I did, but it’s good enough to get a taste or an idea of what’s happening there. And it’s data from two different reports. The first one is from, I think it was Synergy.
Josh Bressers (03:32) Yes.
Sonatype.
Sonatype.
Thomas Depierre (03:40) The Sonatype one was they look at how much open source is used in the real world, like in proprietary code base and stuff like that. How much is it used? And the second one, and we’ll come back to that, and the second one is from, what are they named? The ones that paid maintainers, yeah, Tidelift, right. I like them on top of that. Luis is a great guy.
Josh Bressers (04:02) Tidelift
Thomas Depierre (04:11) Tidelift talks more about how many, like who are the maintainers, right? What are their problems? What do they deal with? Who are they in a demographic and professional way? And if you look at these two data sets, there are two things that come out for me. The first one is that nearly every single…
code base out there use open source. And by nearly, I think it’s 95 or 99, something like that in the high nineties percent of proprietary code base like stuff, use open source. Yeah. Yeah.
Josh Bressers (04:46) Right, right. So the Sonatype report you reference, it’s
at 77%, but I’ve seen many reports claiming it’s in the 90s now.
Thomas Depierre (04:55) So
I think what they claim is that 77 % of code in codebase out there is open source. But 90 something percent of code bases use some open source. So basically open source is everywhere and open source is also nearly everything. Right? Right, but what that also means is that, and that’s why I keep saying that open source won.
Josh Bressers (05:08) Okay, that’s fair.
Right. It’s a huge number either way. Right.
Thomas Depierre (05:24) There’s no fight to be done anymore. Like nearly every single code, like line of code out there being used in a product commercial or not is open source, like at least three quarters of it and growing and growing fast. Like you are getting percentage every year at least. like this is going fast. So that’s a lot of code.
And the stuff that comes from, and it’s mostly open source, we won. There is no battle to be fought, right? If you are fighting for open source to become the dominant, that’s done. We are in a different era now. And the, and I don’t think that actually the discourse we are having in these places. And the second aspect is from the Tidelift report. So they have a number that says that something like 60.
Josh Bressers (06:00) Yeah.
Thomas Depierre (06:20) And I get the majority, like 70 % of maintainers are unpaid or part paid time. Yeah. Yeah. And I should have the link in the blog post anyway to them. So.
Josh Bressers (06:22) All right. I’ll I’ve got it. I’ve got it right here. So you said, I just have your post up. that’s what I’m there. There’ll be a link to this in the show notes, but,
but it says 60 % of maintainers, describe themselves as unpaid hobbyists. 13 % are they, they are professionals, but aren’t paid to work on open source. And 23 % are semi-professionals.
Thomas Depierre (06:45) No, 30 %
are paid to work on open source full-time. Most or all of their income for 13 % come from maintaining projects. And 23 % is part-time, right? Some income. Keep in mind that part-time can be a really low bar, something we can come back later.
Josh Bressers (06:55) Right, sorry, yes. Yes, you’re correct, I misread that. Right, right, okay, yes.
Thomas Depierre (07:10) That means that at least 60 to 83 %, depending on the account, are not full-time maintainers. And 60 % are fully unpaid. Now, the other thing to keep in mind is that this is Tidelift. The people they reach are going to be slightly more in the I am a paid professional or partially paid professional category because of what they are doing. They are paying people for doing this, so that’s normal, they get that.
Josh Bressers (07:15) Right, right, yes.
Yes, yes.
Thomas Depierre (07:40) If we combine these two sets, and we shouldn’t, don’t do it like that, this is purely a wet finger trying to estimate stuff. It means that something between 40 to 50 % of all code in product actually in use out there, like the stuff running the world that is actually in use, not just stuff someone typed for fun, is
Josh Bressers (07:45) Whatever.
Thomas Depierre (08:08) is hobbyist maintained.
Josh Bressers (08:13) Yes.
Thomas Depierre (08:15) I, and if we add to that the, you know, I sometime get a bit of pocket money for my code, which is probably what the semi-professional mean, right? Partially part-time paid. It’s more pocket money than real, you know, full-time, that real job. You will get past 50 %. And yes, there is a lot of caveats here in what I’m saying. The error bar, massive, it doesn’t matter. We are already at something like, even if you are very conservative, a third.
of code out there being like, that is actually used, being hobbyist maintaining, and I’m being conservative here. That’s a lot.
Josh Bressers (08:46) us.
Yes.
Thomas Depierre (08:55) And that’s not how we talk about it. Right? Because it means that if we want to have impact on open source, right? Being security, you know, having better security or having code that is done better or having code that is more resilient where, you know, we have someone to act if we need something to change, like all that stuff.
Josh Bressers (08:59) No, no.
Thomas Depierre (09:20) We, the main people we target are hobbyist. And we don’t know who they are and what they do and how they work. And we know nothing.
Josh Bressers (09:31) That’s correct, yes.
Thomas Depierre (09:33) So, and I don’t think, and that’s my feeling, and that’s shared with other maintainers, that what we see as initiative in this direction, like the direction of wanting to influence or help or come, you know, be part of open source, are made in the mindset that this, that the vast majority of the stuff is hobbyist and that need to fit with the hobbyist mindset and constraints.
and realities.
And that’s what I end with anger, but that was a long time ago, my anger, I mean, it’s not gone away, but I can manage it better now. is like, before offering things, right? Before offering help, before trying a scheme you have in your head that may help, that you think will make things better, you really need to sit down and do the product research, rather user research to understand this demographic.
Because otherwise, and that’s what we are seeing a lot, what you’re going to offer is not going to help or even to be done. I think that was, there was a tweet somewhere, like I should search it from someone that was at the OpenSSF right? Open source security foundation, saying they have millions to spend on open source security and they couldn’t find a way to spend it.
Josh Bressers (11:08) Yes, I remember that.
Thomas Depierre (11:09) Right? And I should go find it, but what that means, tell me, is you have a product market fit problem. Your product, your money, the way you are trying to spend your money on what you think is going to help doesn’t fit.
the people that do this doesn’t fit the market with people that do this lead or can do or can accept.
Josh Bressers (11:36) Yes.
Thomas Depierre (11:37) Right? Okay.
And that’s when you start to look at the open source initiatives that exist with that lens.
You start having nightmares at night, but that’s okay, that’s my life. So yeah, that’s the thing I think. And the reason I contacted you again to try to do this was that Predrag was working on cargo-semver-checks. You interviewed him in your podcast a few episodes ago, and he said something like, he’s paid for by all kinds of complexities and tools to work on this.
Josh Bressers (12:00) Right.
Yep. Yep. ⁓
Thomas Depierre (12:24) Now he’s not paid a lot of money and he mentioned numbers, which is rare. Actually, people who are paid even part-time in open source rarely mention numbers. Even if it was just in passing, but it did. And he mentioned a thing which is like, it needs to be a career. If you want to give money to people and all, and you want them to be able to take the money, it needs to be something you can make a career of. And it needs to be something that…
I think he mentioned is the cost of his house, right? His mortgage or his rent. I think he mentioned his rent and like, yeah, nice. You are giving me that amount of money. My rent is four times that.
Josh Bressers (12:57) gas.
That’s right. Yep. Yep.
Thomas Depierre (13:06) In that case, in that…
That’s I think is, and maybe we can talk about that and you can ask questions or think with me, like how do we find out and communicate what is it to be a hobbyist maintainer. What do we do? How it is? And then people may be able to try to find ways to help us that fit into that.
Josh Bressers (13:35) Right. Right. Okay. That is a lot to unwind. Like a lot. So I want to start with something you have in your post here, which is kind of near the end where you mentioned the, the old guard, the people who did open source and like the nineties and early two thousands, which is obviously where I come from as well. What we experienced is not what’s going on today. And that’s the thing like
Thomas Depierre (13:38) Yes. Yeah.
Yeah.
Josh Bressers (14:02) I always find myself being like, well, that’s not how it works. And then I have to say, no, Thomas would yell at me. What would Thomas do? And then I try to listen and learn because that I think is more important and interesting than anything else. And I think this comes back to your OpenSSF comment is I would, from my experience, the OpenSSF is primarily filled with people who know open source from the nineties and early two thousands. They don’t know open source today.
Thomas Depierre (14:06) You
Yes, and they may also know open source because I have looked at who is on the board of the OpenSSF and they probably know open source from a point of view of companies that are large, like big enterprise, that fund open source. They do have people that are paid full time by them to work on Linux, to work on
Josh Bressers (14:44) Yes, that too.
Thomas Depierre (14:55) Maybe to maybe they pay Red Hat. Like there is a lot of people in this company. There is a lot of people that are paid to work on open source. And so to them that the world is see that the open source is see, right? Like I code a lot in Alexia and Erlang for my personal, you know, like professional life. Erlang is maintained by the team paid by Ericsson. Ericsson is a big telco company. If
Josh Bressers (15:21) Right. Yeah.
Thomas Depierre (15:24) I work at Ericsson as someone that does software security or something like that. What I know about open source is that there is a paid team working on this language. If I work at Google, what I see is a paid team working on Go and probably C++. I think they have a lot of people that are paid to work on C++, on Linux and Linux kernel, all kind of stuff like that. That’s if I work at Oracle.
Josh Bressers (15:46) Yeah, yeah.
Thomas Depierre (15:51) I see people paid to work on Java because I think Oracle still have people paid to work on Java. So you do have this lens of seeing these people. In the same way, if you are part of the, what I call the org out here because it’s also true, is that part of the fight you fought, and that was a fight, right? I’m not going into it like that. That was not easy, right? I’m not…
Josh Bressers (16:17) us.
Thomas Depierre (16:19) I’m not dismissing that experience, right? It’s true, it happened. Was also building foundations and stuff like that. And the people you see are the people that were paid enough to stay that long.
to stay all this year in this. And so what, and that’s something I experienced when I went to, especially to FOSDEM when I went to FOSDEM to try to be in the room with the…
Josh Bressers (16:34) That’s true. Yeah, that’s true.
Thomas Depierre (16:53) the European Commission, The European Union Commission, when there were people from the Commission that came in to try to talk around open source, at the time mostly about the CRA, but not only. There were also discussions around the DMA, right? And how, for example, what Apple was doing in terms of opening or not the ecosystem. Like there was a lot of discussion around this stuff. So like there are discussions and you will also see people explain how they are trying to
You know, use OpenOffice or Linux for desktop at the commission or stuff like that to try to fight back the evil Microsoft. Like you will see all that stuff, right? To a maintainer like me. And I asked in the room and I, can, it was recorded. So I think you can go search in FOSDEM for the recording of that. You can see me. I asked in the room during questions, with your hand: if you are not paid to be in that room, in this room.
Like it is not your job to be in this room.
Josh Bressers (17:57) How many hands went up?
Thomas Depierre (17:58) And this was,
was, this was, FOSDEM is free, it’s open source people that came to here, like, I’m not saying this is, you know, corporate lobbyists, no, no, no, this is open source people, people that work with foundations, that pay open source people, that develop this people, they are lobbyists, but paid by the foundation, like, it’s not people that come from, you know, whatever. I was the only person that raised my hand.
Josh Bressers (18:03) Yeah, yeah.
Wow, that’s worse. I expected five or less, but one is terrible.
Thomas Depierre (18:25) I think there may be one other person, but I think it was me and maybe one other person was not too sure. Now, I am not saying this is, you know, like they are bad people. It’s great and we need them too. But what it means that people in these rooms are the people that know the 13 % that get paid. Right? They are the people that grew up when the fight was not, was around open office.
Josh Bressers (18:55) Yeah, that’s right. That’s right.
Thomas Depierre (18:55) Right
around a Play Store, Google Play Store, around, you know, the GPL being a virus, right? Like this, but this was real fun. This was real stuff that happened, right? The thing is we ended up not winning through that way. We didn’t, open source did not win through OpenOffice. I mean, LibreOffice now, LibreOffice I suppose now, but still, right? Or we did not win through Audacity or all that stuff, right? We won.
Josh Bressers (19:07) Yeah, yeah.
Right, right, exactly.
Yeah, yeah.
Thomas Depierre (19:25) shoe the bottom by replacing the entire bottom.
Josh Bressers (19:27) Yep. Yep.
Exactly. Yes.
Thomas Depierre (19:31) And so all that experience you had, all this view you had, that’s not the world we live in now. And so it warps things because these are the people that are in the room, the other way they think about it. And that’s not a bad thing. Like I’m not saying they’re bad for having this thing or having felt this, it’s just that it’s probably slightly out of place now with the reality we deal with, right? And that’s where listening come in.
Josh Bressers (19:59) Well, I want to add one piece to
this as well, is if you look at a lot of the companies that are, we’ll say selling open source and I’ll use the word selling loosely. It is, they’re clearly selling to that demographic and they’re clearly riding the “can you trust all these weirdos” horse. Because that is like the message, right? You can’t trust open source, but you can trust me. And it’s like, I don’t know about this.
Thomas Depierre (20:26) I mean, yeah, I… The thing is, the money they get is not money we would have gotten anyway. Like, they are filling a different need, right? It’s a need of security, of wanting to feel safe. And so that’s… that’s okay. I have more… The part that really struck me was that outside that room, I was talking with someone from Ireland that was working for a foundation, like a European…
Josh Bressers (20:38) Sure, sure.
Right, right.
Thomas Depierre (20:57) open source solution or free software solution, I don’t remember which one, something like that, right? And when he told me that the circuit was time finally, like there was, you know, impetus and all to do an open, like a free software or an open source software bill in Europe. I’m like, okay, what do you want in it? He said, what you would like in it is that we would like things like, imagine if in Google Play Store,
there would be an icon next to your name that tells you if it’s proprietary or open source, so that people know where they choose.
So you can pick the game that is open source or the game that is proprietary or the thingy. And I’m like, okay, so I understand why you think about that. I understand where you come from, right? This is a time of is it LibreOffice or Linux or versus Microsoft, right? That’s great. Also, my man, I am sorry.
Josh Bressers (21:31) No one cares.
Yes, yes.
Thomas Depierre (21:57) But you are from the past and that’s not the reality. Like that’s not going to help anyone. And that’s also not important. That fight is, it doesn’t matter anymore. It’s not how we won. It’s not where it come. And so, and at the other end, I don’t know anyone in there that talks about packages, package repositories. Right?
Josh Bressers (21:59) Well,
No one cares. Yeah, yeah.
No, no. Well,
well, it depends what you define. So when I say the word packages, it used to mean like Red Hat RPMs or Debian DEBs or whatever. But when I say the word packages now, I mean like using NPM, right? Using PyPI using, you know, cargo or whatever. Like, yeah, that’s what I see now. I don’t even think about like Debian packages in that context anymore.
Thomas Depierre (22:25) Mm-hmm. Yeah.
programming language.
Yeah, programming language.
So yes, I mean, it’s probably not the place for this, but I think that’s part of the old guard discussion too, right? Like these packages existed for two different purposes. One of them being shipping the shrink-wrapped product to the user, right? And that’s the part where we did not win. And the other one was shipping C dependencies because C never got a package manager.
Josh Bressers (22:59) Yep. Yep.
Yes.
Thomas Depierre (23:09) I mean, you are laughing, that’s true, right? And C++, the thing is now, and Perl kind of had one, but they don’t really like it, like all that stuff, right? But now what we’re seeing with the distro is that when they have to bring programs written with the, the rest is a visible one, they’re all like Python and all have the same problem, right? When they need to bring program in this distro package manager that use this programming language package manager.
Josh Bressers (23:11) It is, I know, I know.
Thomas Depierre (23:41) It doesn’t work really well, it’s really really painful. Right?
Josh Bressers (23:43) it’s terrible. Yeah, it’s terrible. Which is
why no one uses it, right? This is why containers won, literally. Because they can just ignore all that. Okay, we’ll argue that another day.
Thomas Depierre (23:49) Yeah, kind of. I would know. I think there is another reason. Yeah.
to go back to this, like, yeah, this old guard is there and this thing differently. Right. And so and and that’s the other people in the room for policy and the other people have access to this money that we’re seeing. And that’s also why we see, I think, part of this discrepancy between
these announcements or the policies that are offered and the reality that they do not… there is a transmission problem in the middle. The clutch is not engaging. There is all these powerful things they want to do and in the real world it’s practically nothing. I’m thinking of the OpenSSF as a typical example. I think you are the one that keeps bringing back this issue with we want to…
say how many maintainers should you have for a package, right? I think I talked in that issue in a couple of one and I think they never acknowledged the data you brought. It just fizzled.
Josh Bressers (24:44) Yup. Yup.
No, no, no, it meant nothing to anyone and it was more,
yeah. Well, of course it did because the answer was inconvenient so they just ignored it.
Thomas Depierre (25:05) Right. But the problem, and that’s part of why we keep having this, this, this clutch problem where we cannot, like there are all these kinds of policies and people that try stuff and foundation and think tank and all this offers, and none of it translate into results. It’s because the truth, the reality is too different from where, from the model for this policy. And we just, inconveniently don’t want to deal with it.
Josh Bressers (25:32) So there’s some of that, think, but I’ll say there’s also an aspect of, I think there are people who genuinely want to help, but they don’t know what to do.
Thomas Depierre (25:40) yeah.
I think it’s more than don’t know what to do. I think they don’t know what to do because they don’t understand what the problem is. And maybe I can try and maybe poke at me. I can try to explain what it is from my point of view of being a hobbyist maintainer.
Josh Bressers (25:49) For sure, for sure, yes.
Yes. And we should also add the caveat that this is about you, but every open source developer, every open source project is like its own special snowflake. And so what’s going to work for Thomas DePierre may not work for someone else. Right.
Thomas Depierre (26:05) Yeah, yeah, it’s me, right, my version. Yeah.
Bye!
I have no idea what will work for me. What I can describe is a problem, not the solution.
And I think that that’s kind of the thing here, right? We are not describing the problem. that’s, so let’s see, for example, so right now for the few packages I maintain and the few stuff I do, to give an idea for some people, I am probably right now the expert on string to float conversion. No, sorry, float to string conversion.
on the Erlang ecosystem. That sounds really niche, it is, but we, by speeding up that algorithm, it’s not from me, someone else figured out how to do it, I figured out how to implement it into the runtime and all, and I was paid for that and we come back that. I probably cut down something like one to two percent consumption over all the Erlang ecosystem of power, right, computing power and electricity.
Josh Bressers (26:50) Yeah
Thomas Depierre (27:15) every time you do JSON with float.
That’s a low number, but once you scale it around the numbers of time you generate or read or generate JSON across a whole ecosystem, you get a significant impact. Now, I’m not here to use that to gloat, but to give an idea of what kind of niche things of impact that you probably want to fund. Yeah, no. Yeah.
Josh Bressers (27:21) That’s cool.
Hold on, hold on. No, no, I want you to gloat a little bit because what a lot of people don’t understand is Erlang
is used heavily in the telecommunications industry, so it is highly likely that all of us during our day run through your code at least once, probably many more times. Right.
Thomas Depierre (27:43) Yes.
More than that, WhatsApp
is Erlang on the back end.
Josh Bressers (27:55) I didn’t know that, so there you go.
Thomas Depierre (27:57) since the first days, that’s how they scaled with so few people. If your kids use Discord, Discord is Elixir. No, but you probably don’t use it as much as them. It’s Elixir on the backend, which is an Erlang with a shiny bit of stuff on top. So yes, it’s used and you probably don’t see it, but it’s there. And so, yeah, so that’s the kind of stuff that have impact, right?
Josh Bressers (28:04) Hey, I use Discord, I’m not that old.
Yes. Yes.
Thomas Depierre (28:27) And but it’s niche, it’s super nerdy, like there’s maybe less than 100 people in the world that can understand what I’m talking about if I even try to talk about this, like stuff like that, right? Now, I spend probably something like one to two hour a month.
on my maintainership for all the package I have. In that time, what I can do most of time is update dependencies, fix the build system, because it probably broke due to some kind of update of Ubuntu. I have a few of the stuff I manage that use web stuff, like they have a graphic interface using web stuff.
Josh Bressers (29:02) Oh, yeah, obviously.
Thomas Depierre (29:17) which means that I’m probably going to on these two hours per month, I’m probably going to spend four hours doing CSS updates. Yes, I’m not, I know the numbers do not add up. I know. Right. All NPM updates on node stuff like that for assets. And so this is, this is, and then maybe sometimes I may have a couple hours per year where I can write code that is not just pure maintenance of dependencies.
Josh Bressers (29:25) Yes.
CSS, yo, it’s fine.
Yeah, yeah.
Thomas Depierre (29:46) That’s my reality. Now the other part of my reality is I got paid to work on this float-to-string conversion. I offered this as a grant and I got paid something like 5k at the time I think, something around that. You can find it, it’s public, the Erlang ecosystem foundation are the ones that funded that, it’s public. And I…
I worked on this something like 10 hours a week for 6 months.
Now, the reason I could do that is because I was, it was the end of the pandemic and I was out of a real job and I didn’t have any contract. So it was just fun stuff. And so I was paid, but I would have done it even not paid. The reality is before I did that grant, I spent six months reading about this and learning how to do it and learning how to all that stuff. All right. So like you.
Josh Bressers (30:42) Sure, yeah.
Thomas Depierre (30:46) And so that’s a huge part of being a hobbyist maintainer is that you do deep niche stuff. And that means that is for me. And that means that I spend a lot of time upfront thinking about it in my shower, where I do something else when I walk, or maybe sometimes I read a paper and then a year later I will do something with it or years later. Right. And so there is only a few hours of code and a lot of time spent doing that kind of stuff. Now.
The other aspect of this is that I am paid full time to work on software. I’m a software developer, among the things. And I have a house with a mortgage and I have food to buy. I don’t know if you know that, but the software engineer marketplace is not great for part-time work.
Right? Like it’s full time or nothing. Or contract. But if you do contract, you have all kinds of other things because you need to spend time managing your clients and finding new ones and that stuff. there is a lot of work there. What that means is if someone come out tomorrow wanting to pay me a grant to work on this stuff a bit more, I can’t.
Josh Bressers (32:00) That’s right. Yeah. Yeah. Right.
Thomas Depierre (32:02) I can’t,
I can’t find time to do that. So, and I think that the, so the aspect is what I do today is mostly a few hours every month doing updates and a few thinking and being interested in this stuff. That’s my life as a base. And I think that’s relatively representative of a lot of hobbyist maintainers, right? Not everyone, but a lot of them are probably something akin to that. Like XZ come to mind or stuff like that. We don’t really want to think about it sometime and then we have to.
Josh Bressers (32:24) Yes, yes.
Thomas Depierre (32:31) And then I’ve got three months where I was stressed by my personal life and I opened my laptop and I discovered that I had 10 hours of updates fixing to do. And that’s, that’s part of what being a maintainer is.
So that’s what it is. And the other aspect, I think, is what’s the constraint if you want to help me do that.
Josh Bressers (33:00) Yes. Right. Right. Cause I see that all the time where if you show up to a project and you might send them a pull request and then it can turn into you get ignored or they get annoyed because it doesn’t match the style or whatever the message there’s a million things. Right. And it, it is hard.
Thomas Depierre (33:11) Yeah.
And like even if you, even if I have no problem with your pull request when I want it, I will probably not see it.
Josh Bressers (33:26) For sure. Yeah. Yeah.
Thomas Depierre (33:28) I’m probably going to log into GitHub to check that stuff among all the notifications I get for my job. I will probably see it in six months when I finally have time to go look at my open source repo. And at that point I will look at it and be like, oh yeah, that’s a security fix. I will try to bring it in. I just need to update all this stuff first. So I will probably merge it in three to six months. Or the build doesn’t work anymore, so I can’t bite at your stuff. So let me fix that first.
Josh Bressers (33:33) Right.
Yup, yup.
Thomas Depierre (33:55) Let’s see what GitHub Action did in the meantime, and then maybe we can end that’s how you end up with a six months to a year timeline to merge a security fix.
So that’s, it’s not even that we ignore you, it’s that we have also, we are alive. And this is our hobby when we have time, right?
Josh Bressers (34:13) Yeah, yeah.
Thomas Depierre (34:19) And we have a lot of things that eat that time. Right? Predrag talked about this, right? How cargo-semver-checks was there because imagine all the time lost trying to update when it breaks and not knowing. And Predrag talked about that in the view mostly of the enterprise, right? Where your developers spend time and you stop updating and all. But from the hobbyist maintainers, that’s most of your job.
Josh Bressers (34:34) Yep. Yep.
Thomas Depierre (34:48) That’s most of the stuff you do. It’s updating the build systems, dependencies, the stuff like that. That’s most of what you need to do in the constant treadmill. And if you can reduce the time I take there, my, how many things could I do? Right? And that’s why also I think people don’t realize why…
hobbyist maintainers love Rust.
Josh Bressers (35:18) That’s a good point actually, I hadn’t really thought about that angle, but yeah, Rust solves a bunch of those problems and it just makes them disappear. Yeah, my goodness, everything solves problems compared to C.
Thomas Depierre (35:23) Compared to C? Like, you can’t even unit test! Yeah, but
that’s the thing, right? We talk about the memory safety, we talk about this stuff about Rust. From a hobbyist maintainer’s perspective, I can have unit tests.
That’s it. I have, I have Cargo that actually can bring a package. I don’t have to fight with all the distros and every time they change the way they do it, it breaks the way I bring back C dependencies I needed, right? Like I actually, and that’s why we see all these package repositories, like package managers for languages, is because the hobbyist maintainers need that to be able to do that job. So, so if you look at it this way,
That maybe helps, you know, get an idea of what are the kind of things we want. All right. Same thing as a compiler that tells you where the error is. Like the Rust compiler actually tells you, you don’t have to spend five hours debugging. It tells you.
Josh Bressers (36:15) Yeah, man, the Rust compiler’s amazing.
Right. Yes.
Thomas Depierre (36:22) As a hobbyist, I just multiplied my productivity by tenfold just because instead of having to spend my hobby time during six months debugging this thing, I can do it in one session.
Josh Bressers (36:39) Okay, so here’s how we should finish this one up. I don’t want to run on too long, we’ll just have you back to maybe continue this. So you’re talking about this from a very hobbyist perspective of you don’t want to get paid, you just don’t want more work. Okay, so you want to, okay.
Thomas Depierre (36:42) Yeah.
Yeah.
no, I want to. no, I would love to get paid. But I will
finish on this then and I will keep it rather short and we can maybe expand on this later. I would love to be paid. Here’s the thing. If you want to pay me, I need stability.
Josh Bressers (37:12) Right, right.
Thomas Depierre (37:15) and sufficient income to pay for my lifestyle.
Josh Bressers (37:20) Right, that’s right. Yes. Yeah, it can’t be $5,000. Right.
Thomas Depierre (37:23) I mean, can be, but per month. But the thing is, like, and it cannot be a six months or one year thing.
Josh Bressers (37:32) That’s right. Yeah. Yeah.
Thomas Depierre (37:33) And
I think that the thing we fail to realize, I have a mortgage, which means that I need to pay every month. I don’t have a choice. I mean, I do, but it’s not a good choice. And that means also, and I have a stable job with a stable French law contract, which means that you can’t fire me easily. And the other aspect is…
Despite that, I know I will probably change jobs every three to five years maximum because that’s the industry we are in. Now, that means searching for a new job is a three months to six months full-time job.
Josh Bressers (38:15) Yes, yes.
Thomas Depierre (38:17) So if you offer me a one year grant that will cover my needs for a year, it’s big enough to cover an equivalent of an income as a salary for my profession for a year, I would still not take it.
Josh Bressers (38:33) Yeah, for sure.
Thomas Depierre (38:33) Because
it means that I’m going to spend three to six months of this year finding, hoping to find a new job. And if things go wrong, and I have some friends that are in this situation right now because the market is not great, I am out, I am dry with nothing at the end of that grant.
Josh Bressers (38:50) That’s right. Yep. Yep.
Thomas Depierre (38:52) So the problem is I would love to be paid but the sums, like the amount needed for it to make sense for me, are nowhere close to what we offer right now. And also I am not sure someone would want to offer it because I am not sure there is enough work in the stuff I maintain right now to fill a full-time job.
Josh Bressers (39:05) Yeah, yes.
And I have a suspicion there are a lot of hobbyist projects that fall under that umbrella where it would be very hard to justify a full-time job.
Thomas Depierre (39:25) Exactly, right?
And, and I mean, I don’t, I’m not even sure Daniel Stenberg is full time on curl. And he may be now, but I don’t think he is. He is now because he used to be part time in a lot of time, but WolfSSL used to pay him to do part time that I don’t know if he’s full, like, we are talking of an extreme case here with Daniel. I love Daniel. I appreciate him. I, and all, but like he’s an extreme case. Right. And so we cannot.
Josh Bressers (39:37) He is now, I believe. Yeah. Right.
Right. Right.
Yes.
Thomas Depierre (39:58) Like, and that’s what I mean when I say that this is not how we are talking of the problem. Right? We are talking of how can we give money to these people? I’m like, you can’t. I mean, it’s not that they don’t want it, but like once you put the reality, you know, all the parts together and paint the picture, you’re like, that’s not going to work. So what’s going to work? That’s what I’m interested in instead of keeping banging my head on this. Like what’s the problem?
What are the problems, the real problems, the things that limit the ability, that, that are brakes on the ecosystem becoming better, right? On the people being more efficient, the productivity, you can look at a lot of ways at this. And then that’s where, that’s what I mean with this whole, you, you are on the hobbyist turf now, right? We need to start looking at our world of open source.
through the lens of the hobbyists are our users. They are the, if you want to help, like the hobbyists are the people you need to target if you want impact. And that means that you need to deeply understand the constraints. And that may mean that a lot of the solutions you may have, that you may discover you don’t have solutions right now or that they are not palatable.
On the other hand, and I will be a bit hopeful here, we have someone like Predrag and cargo-semver-checks or the team working on Cargo, or the Rust team itself are definitely things that, even if maybe it was not by design, but I think it was partly by design, do help unlock some of stuff in this hobbyist maintainers.
And the results are great, right? I don’t remember who was it. Was it you? Someone else that discovered ripgrep recently? burntsushi’s ripgrep, rg.
Josh Bressers (42:03) I don’t, that doesn’t ring a bell.
Thomas Depierre (42:05) Then you are in for a surprise. Go search for it. It’s basically… edgy.
You know, the silver bullet search, like grep, through command line. Better, 10 times faster.
Josh Bressers (42:19) Right?
Interesting. I do run grep a lot. Nice.
Thomas Depierre (42:23) Invest.
And like
better. And it’s, it’s an old thing. Everyone, I mean, for example, VS Code uses it under the hood for the search, but, yeah, you know, it’s, it’s, it’s everywhere, but it’s, burntsushi did that and burntsushi has all kinds of stuff. Like, this is the kind of stuff you get. Right. All as I Linux. Right. Or all these stuff you see around Rust with tools written in Rust for your shell and that stuff.
Josh Bressers (42:36) cool.
Thomas Depierre (42:56) It doesn’t come from nowhere for no reason that suddenly everyone managed to do amazing things. Right? So we have an example that it works.
And so that’s, I think what we are in is like, I would love to be paid. We all would love to be paid. The reality doesn’t seem to align with this being realistic for now. Maybe it is, but in that case, you need the people that are interested in helping, need to start with the hobbyist maintainers’ constraints and problems and situation in mind and start there. Listen.
learn, look at what we do, maybe do it a bit, like go sit behind someone’s shoulder while they do it, talk with them, you can offer them a coffee, they would probably be happy to shoot the shit on this right, or go in, I mean it’s not IRC anymore but Zulip, Discord, Slack, like find the place where they are and observe what they say and how they say it. And then
From that we will probably get solutions. Hey look at how full I am for pessimists.
Josh Bressers (44:12) No, this is good. This is really good. This is not the sort of advice I’ve heard many times in the past. I think in a lot of companies, especially, their solution is just write a big fat check to some foundation and then say, good job, everyone. We did it.
Thomas Depierre (44:25) And the foundation does a different job. They do something different, right? Like the Linux Foundation, most of its budget doesn’t go to developers.
Josh Bressers (44:29) Yes, exactly. Right.
No.
Thomas Depierre (44:40) And
that’s not a bad thing. They have a different job and that’s written on their website, right? It’s not hidden. It’s, the Apache Foundation doesn’t pay developers, that’s written in big bold letters on their website and on what they do. It’s not their job.
Josh Bressers (45:01) Right, right. That’s right. And, I think there is an expectation. It is funny because I know I ran into someone a couple of months ago that thought the Linux Foundation was paying all of the open source developers. And I’m like, holy cow, no, there’s, I don’t even know where to start with that one, but it is, it is one of the challenges.
Thomas Depierre (45:17) Yeah, the foundation is a whole different…
If you ever want to see salt, real salt and bad shit, take hobbyist maintainers like me, put us in a room and make us talk about what we think of the Linux Foundation.
It’s not going to be pretty and all the CNCF, gorgeous. CNCF. Like you are going to get really bad stuff because it’s not our world. It’s a different one. And that’s okay.
Josh Bressers (45:38) I can imagine.
Thomas Depierre (45:58) We are not represented in the room. And that’s because we don’t have time, we’re hobbyists. Right? The premise is that the hobbyists are now the ones that keep the world running. Oops.
Josh Bressers (46:01) For sure, for sure. Yes.
Yes, but you are right. Maybe, I mean, that’s almost certainly part of a solution is the regulators need to make sure they understand and talk to people like you.
Thomas Depierre (46:20) I mean… Maybe? I…
Josh Bressers (46:24) I think they
have to understand it, because if they don’t, they’re going to make a mess.
Thomas Depierre (46:28) no, we’ll just ignore it, what can they do?
Josh Bressers (46:31) Well, that’s true. Well, you can ignore it.
Thomas Depierre (46:34) Yes, but we are the ones that do everything. That’s
Josh Bressers (46:38) Yeah.
Thomas Depierre (46:39) another part of this and that’s probably something for another discussion. But what are you going to do? Are you going to put us in prison? Sure, you’re not going to make the code more maintained. What are going to do? You have no pressure point on us. Yeah. Yeah.
Josh Bressers (46:52) Well, we don’t know. And look, I think this is one of the things that we’ll talk about this another day,
because like the CRA has carve out. So the hobbyist developers don’t have to deal with this crap, right?
Thomas Depierre (47:03) Yeah,
I mean, yeah, and Gina Sturley did not put that count to carve out when she was talking about CISA legal liability runs, but that’s all now. We cannot forget everything about that stuff. But the way to see that, even if it was not carved out in there, what are you going to do?
Josh Bressers (47:15) Right. Sadly.
Right, right, right. Exactly. Exactly.
Thomas Depierre (47:27) Okay,
we are liable. Okay, so what, we stop coding because we can’t take the liability. Good. Do you really want all that code out there to not be maintained anymore? Because I’m happy if that’s what you want, but I don’t think that’s what you want. Right, like there is no… That’s, it’s your first time but the regret is like we can walk out.
Josh Bressers (47:39) Right, right, right, exactly, yes.
Right. Just take it out of your pay, right?
Thomas Depierre (47:54) And you don’t
want that walkout to happen. And when I say that, I say that with a “people will die” in my voice. Imagine XZ.
Josh Bressers (47:58) No, no, for sure, for sure. Absolutely.
Yeah? Yeah.
Thomas Depierre (48:15) If the maintainers couldn’t come back.
Right?
Josh Bressers (48:25) Yes.
Thomas Depierre (48:26) Exactly. Imagine if… I mean the left pad guy wrote a blog post today with his own years after point of view on it. I will link it if you want to look at it after.
left-pad is still a really, really painful, like, hot point between hobbyist maintainers.
Every package manager repository out there for any programming language has a stipulation that you cannot yank out code. Once you have put it there, it has to stay forever.
Josh Bressers (49:04) Yeah. Yeah.
Right, right.
Thomas Depierre (49:11) Why? Why did we make… And? Is that your problem?
Josh Bressers (49:12) Well, because it’s gonna, it’ll break their customers.
Right. Well, because they don’t want to break their customers, which are the people pulling the code out of that, right?
Thomas Depierre (49:22) Yeah, first of all, it’s not for the customers most
of the time, it’s just users. There’s a difference because they don’t pay. Yeah, but that’s a real big deal because we are talking hobbyists here. And the second thing is, sure, but also like the reason they could do that is what else could we do?
Josh Bressers (49:26) Well, we’ll put customers in quotes, but.
Right? Right.
Thomas Depierre (49:43) And so the discussion here is why, for example, are you a package manager or is there no tool for the customers to be able to have a cache that makes sense locally or to have a copy of this? Because it’s that much data, or it’s not, it’s text, it’s not that big stuff. It’s not that big of a deal in terms of size, right? Why couldn’t AWS offer you a cache of this?
Josh Bressers (50:09) I mean, some of them do.
Thomas Depierre (50:09) Right? Why?
Yes, but that’s kind of what I mean. Right? Why do we expect from package managers that honestly are a money-losing business
Josh Bressers (50:19) Yes.
Thomas Depierre (50:19) to keep this forever and to force people once they have put the code in there to never be able to take it back.
Josh Bressers (50:29) That is a conversation for another day that I have many thoughts on and I think I have the answer to and it’s who’s writing the checks to the foundations, but that’s another discussion.
Thomas Depierre (50:30) Yeah!
I
I think there’s another aspect which is, would people die if that happened?
Josh Bressers (50:45) yeah, probably.
Thomas Depierre (50:47) I mean, yes, left-pad could have killed people because imagine if you have to have an emergency thing that you can only book through a website that needs left-pad.
Josh Bressers (51:00) Yeah. Yeah, that’s true.
Thomas Depierre (51:00) Done. Like imagine
middle of COVID when everyone goes to this website to take their vaccine to be able to find it, and left-pad is yanked and all these websites fail. That’s not an overreach. I am not going in a full, you know, impossible scenario here, right? And so the reality is that we decided, because we’re hobbyists but we still are engineers and we care about this, that we will not do that because like, no, we keep the world running.
Josh Bressers (51:10) Yep. Yep.
Thomas Depierre (51:30) But…
Like where is a regulator around package managers?
Josh Bressers (51:38) Well, I mean the CRA, we’ll see, but yeah, okay. All right. All right. I’m gonna call this
Thomas Depierre (51:39) No. But yeah, that’s another discussion. we should talk.
next discussion, what we’ll talk about is the impact of this kind of stuff on funding and this. Let’s do that.
Josh Bressers (51:52) Yes, for sure,
absolutely. This is, is, is, Thomas, this is, holy crap. Every time I talk to you, I feel like I know nothing and I’ve learned an enormous amount. So I love it.
Thomas Depierre (52:02) But also,
nothing surprises you is what I say.
Josh Bressers (52:07) No, no, it doesn’t. Well, I mean, part of that is I talk to you a lot, but some of it, some of
Thomas Depierre (52:08) Right? You know nothing but you actually knew it. No, but even
without that, right? When I explain to people this is what my hobbyist life is. Updating packages. And that I have a job and that it takes all my time. Like none of this is something new to people. They just don’t put it together in this way. But like I’m not surprised. Like this is not like a, my God, this is how you do it. Like when you go into an eldritch part of the sea and discover what they do.
Josh Bressers (52:18) I see.
Sure, sure.
Thomas Depierre (52:38) That’s not that. So yeah, but yeah, thank you. Thank you.
Josh Bressers (52:41) Yeah, yeah.
No, thank you, man. Holy cow. I love it. All right. All right, Thomas until next time. Thank you so much.
Thomas Depierre (52:48) Thank you, Josh.
Bye bye everyone.