Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is about trying to build a sustainable universe for open source maintainers. This ties into Vlad’s FOSDEM talk, which was about the challenge of just knowing what open source you are using. Making open source sustainable is a really important topic, but it’s also a really hard one. Vlad helps explain all of this as well as some ideas for solving it in the future.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, Open Source Security is talking to Vlad Harbuz. He works on the Open Source Pledge and open source sustainability. I am very excited for this one because I feel like Vlad has a lot he’s going to teach us. So Vlad, welcome to the show.

Vlad-Stefan Harbuz (00:12) Thanks so much, Josh. Thank you for making time to have me on. I really appreciate it.

Josh Bressers (00:16) So, I mean, it’s your show, kind of, you know, where do you want to start?

Vlad-Stefan Harbuz (00:21) I mean, I’d love to talk about the Pledge. I think it might be interesting to talk about what my journey was getting started working on the Pledge, just because, especially, I think it’s interesting how so often we think of open source as a technical thing, and it is very much a technical thing, but it’s also a hugely philosophical and social thing. And I really get excited to talk about that. So.

Josh Bressers (00:27) Yeah, for sure.

Yeah.

Vlad-Stefan Harbuz (00:46) Basically my story is, I ran the software company that I started with my friend a very long time ago. It’s called Saffron, and we ran it for something like 10 years. And it really highlighted for me the sort of interdependency of, you know, collaborating on software. Because, you know, we ran the company, it was fine for like six or seven years, and then things started to get a bit weird for me personally, because in the last few years of running this company,

I noticed that in what I guess would be, you know, for someone else, a capitalist success story, I was basically doing nothing. Like, not basically, I was doing literally nothing. During COVID, I was at home, I was playing like video games on my PlayStation with my wife, and I was getting paid a bunch of money for all of the work that everyone else was doing, right? And, you know, obviously I don’t want to, like, you know, everyone, every…

Josh Bressers (01:25) Nice.

Amazing.

Vlad-Stefan Harbuz (01:39) company and work arrangement is different and so on. But for me, I just got to the point where it felt like something was wrong, right? And it felt like there was, you know, I was basically getting a bunch of money off of what other people were doing, exclusively, right? Without me contributing. So.

At that point, I decided to shut down the company and start thinking about the sort of philosophical and social aspects of software. And I started doing a philosophy degree to think about this. I’m doing a philosophy PhD now, which I’m hoping to make about, you know, the ethics of open source. But what ended up happening one day was I was on Mastodon, as I often am, and

Josh Bressers (02:03) Wow.

Vlad-Stefan Harbuz (02:24) I saw Tim Perry from HTTP Toolkit say something like, we should do like 1% for the environment or whatever, but for open source, or like 1% for supporting open source maintainers. And I was like, that’s a great idea. Let’s do it. And so Tim got back to me like a couple of weeks later and he was like, I did some research. It looks like Sentry is

Vlad-Stefan Harbuz (02:48) doing this. It’s called, at that point it was the OSS Pledge. And it wasn’t sort of yet launched, and Chad Whitacre, who has been working on open source sustainability for so long and who I really cherish and love working with, he’s an amazing guy, was working on this. And so I decided, okay, like this is, this really to me put into focus this frustration that I had, where

we as software developers, and me in a sort of more for-profit world, but also generally in open source, we don’t quite acknowledge how much we depend on other people’s work. And so maybe I should also talk about what the Open Source Pledge is. So the idea is, it’s this initiative where we try to get companies to pay the, well, any open source maintainers really, but we generally recommend that they pay the open source maintainers that their products depend on.

Josh Bressers (03:27) Yeah, yeah.

Vlad-Stefan Harbuz (03:45) And the ask is to pay $2,000 per full-time equivalent developer that they employ, per year. And it has to be to projects meeting the Open Source Definition, or to open source foundations. The idea there is that companies certainly give a lot to open source developers in other ways. So, you know, gifts in kind, you know, cloud credits or whatever. But it’s really difficult to make

open source development sustainable if you can’t pay rent. You know, we can talk about what the best way to do that is. And, you know, there’s a lot of people like Mike McQuaid that question, like, what’s the best way to, you know, sometimes paying maintainers can have bad results, right? And I’m open to all of those conversations, but I think at the end of the day, it’s inescapable that we need the people who build the software that we rely on every day to be able to make a living.

Josh Bressers (04:20) Yes.

Yeah, 100%. I mean, this has been kind of a long-running theme on this podcast that comes up on a regular basis, which is like,

there are many problems in the open source world, and money is definitely a big one for open source maintainers. And so, okay, I have a lot of questions. I’m going to try to break this apart into pieces, but let’s just start with like the actual mechanics of saying, company, you should pay $2,000 per developer to open source. Like, there’s a lot of moving parts in that. It sounds simple in theory, but actually, as a company, it can be difficult to actually like pay a person money, right? And also, if you have

to split this apart, how do we carve up this money we’re going to give to maintainers? So I’m curious how the Open Source Pledge handles helping with those mechanics for a company.

Vlad-Stefan Harbuz (05:34) That’s a great question. So we don’t mandate anything. So we’re happy for companies to choose whatever works for them. One thing that we started out with was, obviously, GitHub Sponsors, which historically has been a big channel that companies use to pay developers. It has a few limitations.

One limitation is that, you know, I’ve also seen that a lot of GitHub Sponsors usage is maintainers paying each other. For example, you know, I know people were like, you know, A is paying B, who is paying C, who is paying A. And so nothing ends up happening except you just end up paying fees for the payment processing, which is not ideal. Another thing is, I don’t know for sure, but my impression is that GitHub has not

Josh Bressers (06:13) Yeah, yeah, that’s right.

Vlad-Stefan Harbuz (06:23) been investing as much effort into developing GitHub Sponsors recently as I personally think would be really cool. So I do hope that they can do that in the future. But for us, a big limitation was just the API, right? So it’s not even trivial to get a list of your own payments, right? So I tried to develop some tools to make that work, where I tried to infer from the results of other API calls what your payments must have been.

Josh Bressers (06:40) Yes.

Vlad-Stefan Harbuz (06:53) mixed results, right? ⁓ the best thing that we recommend is thanks.dev ⁓ which is the service which companies can use to, you you basically give things out of access to your repos. And this is sort of in confidentiality. Things.dev scans all of those dependency trees that, know, that you rely on. There’s a certain waiting that happens that you can customize. And, based on that.

you can get a decent picture. You know, it tries to connect it to people. It sort of reserves the funds for maintainers to claim. It’s the best system we have. Obviously it has some limitations, and it will also miss a lot of important dependencies. So I just saw Daniel Stenberg recently post about how, I don’t know if it was a GitHub service or whatever, I think it was a GitHub dependency, you know, how many projects depend on da, da, da.

Josh Bressers (07:40) Yeah.

Vlad-Stefan Harbuz (07:49) It was how many projects depend on curl and it was like 50. Linux finder. Okay. Right. Okay.

Josh Bressers (07:55) Yes. No, that was a Linux foundation report, I believe. was like, there’s their scorecard or insights or one of those projects.

Yes. Yes. Which was hilarious, obviously.

Vlad-Stefan Harbuz (08:04) Yeah, I think it’s, I don’t have the numbers, but I’m pretty sure it’s more than 50. So, and then you have, yeah, binary dependencies, which I’ve spoken about recently, which is another thing where we just, you know, if you’re using Python, it’s not really trivial to even find the, to reliably identify that you depend on C or Rust libraries, let alone to find the people

Josh Bressers (08:08) Little bit.

Yes.

Vlad-Stefan Harbuz (08:33) that wrote those libraries, let alone didn’t pay them.

Josh Bressers (08:37) For sure. So that’s a FOSDEM talk you gave, I think it was this year. And I’ll put a link in the show notes to that. But yeah, you basically talk about the fact that like, you run it and I’ll pick on, you I work for a company called Anchore have an SBOM scanner called Syft If you run Syft, it’s going to tell you, have this Python package installed. But inside of that Python wheel, there could be curl, for example, but we’re not necessarily going to find that because we’re only going to tell you about the Python package installed.

Vlad-Stefan Harbuz (08:41) It was this year.

Josh Bressers (09:06) And this happens to a lot of Python packages where there are just binaries all the way down to make some of this stuff work.

Vlad-Stefan Harbuz (09:14) Yeah. And, know, ultimately, basically when you install the Python package, the native, ⁓ the binary dependency, the C library or whatever, needs to be somewhere, right?

Ideally, you would manage it with something like your system’s package manager, which is better equipped to find and download, you know, those things. Practically, what ends up happening is we unfortunately don’t have tools, and this is something that I’m trying to develop. I’m also, and we can talk about this in the future, I’m working on starting a nonprofit that is based around…

open source sustainability research, so bringing together researchers that will work on exactly this kind of thing. And, yeah, to see what we can do together as opposed to just sort of doing little bits separately. But what ends up happening, basically, is because there are no good tools for interoperation between, say, pip or uv and the system package manager, what people do, and I don’t blame them, is they compile

Josh Bressers (09:56) Nice.

Vlad-Stefan Harbuz (10:19) the native library, however, and then they just put it inside the wheel. But then as a consumer of that package, I can’t really know where that build came from. ⁓ And so there you end up with a security issue where ⁓ it’s difficult to trace the provenance of or even identify all of the things that you depend on. what my strategy has been to ⁓

basically download every wheel, or the most popular wheels, look at the dynamic libraries contained within those wheels, and based on the information in the ELF files, identify, it looks like you depend on this library.

Josh Bressers (11:08) which is really hard to do. Like really hard.

Vlad-Stefan Harbuz (11:10) Yeah, you’d think… I was thinking like, well look, the dynamic linker uses that information to find it on your file system when you compile the thing. So you would think that there’s information in there to reliably, you know, you have the name, and based on the name you can identify the package. But there are also two problems. You know, for one thing, different things are called different names in different places. And, you know, you can do package URLs, and when you do package URLs, that incorporates, you know, you’re referring to not only the package but also the

channel that you got it from, and then you have two, you have the same package, which is two different things. So it’s like, this is kind of my thing right now: I’m trying to just convey to people just how much work still needs to be done to develop tools for us to be able to more reliably work with these huge dependency chains that are increasingly getting out of hand. For one thing because, you know, for security reasons, which I’m sure you know more about than I do, when it comes to

Josh Bressers (12:10) Yes.

Vlad-Stefan Harbuz (12:20) just the ramifications that, you know, that native library has a vulnerability, how am going to know? I depend on it, but I don’t know about it. I can’t even figure out that I depend on it, let alone that there’s a vulnerability in there. But then also from the financial sustainability perspective, right? ⁓ have you seen, so we published this on the open source pledge blog, got shared on socials as well. Miranda Heath wrote this, a report on burnout in open source. It’s…

Josh Bressers (12:47) Yes.

Vlad-Stefan Harbuz (12:48) Yeah, it’s, it’s really fascinating. And I think it really, a lot of people really, you know, it, it was a powerful thing for a lot of people just because of, think, especially some of the quotes in there where you see how much people are struggling with balancing what the community expects of them, what they can realistically do in a financially responsible way, balancing it with their day job, you know, ⁓ and

Yeah, we’ve seen a lot of cases of burnout, which in addition to just being a sad thing to happen to these people that we care about, it just means that this technology that we rely on maybe just is not stably maintained.

Josh Bressers (13:33) Yes, yes, I’m-

I know exactly what you’re talking about. So this is such a weird problem. So there’s a friend who’s been on the show multiple times. His name is Thomas Depierre, and he’s the guy who wrote the “I am not a supplier” blog, like, way back in the Log4j days. Like, I love talking to Thomas ’cause he always like sets me straight, I feel like, where I’m not understanding something necessarily correctly. And like, he’s an example of someone who has some fairly popular packages that he maintains, but not as his job. And so he has

Vlad-Stefan Harbuz (13:49) Right.

Josh Bressers (14:05) like a week, a month, or I’m sorry, like maybe a weekend, a month, maybe, probably not even that, to work on this stuff, right? And he talked about the fact that like giving him a couple thousand dollars doesn’t help him in any meaningful way because what he actually needs is more time, right? Not thousands of dollars. unless you could employ him full-time, and he’s admitted like the packages he maintains are probably not like full-time jobs, but unless he was given enough money to literally quit his day job and do this as his job,

Vlad-Stefan Harbuz (14:24) Yeah.

Josh Bressers (14:35) Like no amount of money is going to help get bugs fixed faster because what he needs is time. Right. And like that’s a perfect example of where like the burnout is real because these people now are, you people complaining. get like, I mean, one of my favorites is, know, like, like looking at some open source projects that I help with. You’ll see people file bugs like in every three days. They’re like, what’s the status of this? It’s super important. It’s like, well, the status is nothing’s going to happen for a long time. And you bugging me is actually going to make it worse. So like.

just stop and be patient or write me a patch and send it along and then maybe we can talk, right?

Vlad-Stefan Harbuz (15:11) Yeah. And, you know, it might be that there’s no one size fits all. I think for me with the open source pledge, I tried to advocate for maintainers getting paid. And I think that there needs to be someone to advocate for that. And I think that’s an important thing. Do I think that’s a hundred percent of the solution? Probably not. Right. I think there’s also a big question about like how employers want to treat the importance of contributing back to open source, which I know that for a lot of companies does happen, but how can we make that be a sort of universally acknowledged thing?

Josh Bressers (15:23) Yes.

Yes.

Vlad-Stefan Harbuz (15:41) And the other thing is, I remembered this Tailwind AI thing that happened a couple months back, I think, where…

Adam from Tailwind was saying that, like, their business model was kind of failing because people are consuming their documentation through LLMs and not directly, you know, which means that people can’t see their paid offerings and so on. You know, without necessarily making a comment on what the best thing is there to do, because I just don’t know. What is interesting to me is a lot of the time it’s really just not visible. Like, it’s difficult to translate a

Josh Bressers (16:00) Yes.

Vlad-Stefan Harbuz (16:25) supply chain relationship into a human relationship. And so often we should. So for example, I maintain MPLD free, which is a package that I didn’t create. inherited basically, and it’s in the top 1 % most downloaded Python packages. I really struggle to find time to maintain that. And I always feel awkward on the issue track because I’m like, I’m doing my best. I’m going to, you know, and it’s small. It isn’t even, you know,

Josh Bressers (16:38) Wow.

Vlad-Stefan Harbuz (16:50) It’s not even a lot of development work. just, reviewing, making sure that this, this pull request that I’ve gotten is well tested and that I trust that, you know, it’s going to be okay. I don’t know who uses MPLB3. Like I just have no idea. And you would think it’s in the 1 % most popular Python packages. You would think that there would be some way to find out or the, know, but I just, for all I know, any number of companies could be using it. might be really important to them.

They might even say like, hey, we’ll pay for you or for someone else or we’ll work on it or whatever. But it’s just hard to connect to the people on the other side of the supply chain.

Josh Bressers (17:30) Yes, 100%. Well, it can even get weird because I mean, look at the whole XZ incident. Every open source maintainer is like super on edge now of like, who is this person? Can I trust them? Is this patch okay? Like, I don’t know. I mean, I see this all the time where like the projects, you know, my company has that are public. Like we get a pull request and it’s like, this looks weird. Like, is this North Korea? Like what’s going on? You know, and that’s like where we immediately jump of, of, don’t know if I can trust this person. I have no idea what’s going on, which is also like super

Vlad-Stefan Harbuz (17:37) Yeah. Yeah.

Yeah.

Josh Bressers (18:00) mentally straining on the developers, right?

Vlad-Stefan Harbuz (18:04) For sure. actually was wondering, so I have a question for you. In your security work, did you ⁓ come across instances where, mean, XZ I think is a particularly visible example of burnout related to, or vulnerabilities that, you the origin of the vulnerabilities is related to burnout. But in your work, do you often come across security problems where it’s identifiable that the…

maintainer is burnt out or has disappeared or like there’s a human element there that’s sort of causing a security problem.

Josh Bressers (18:38) So this is something we talk about at work all the time. And I’ve discussed this with more people than I can count. And I’m very hesitant to try to do this work. And the reason being that trying to look at, like we don’t know what the signals are yet to kind of identify some of this right there. If someone says I’m burnt out, I’m not doing this, obviously that’s a pretty good signal. But looking at like open source repositories and saying, okay, this developer suddenly stopped doing work for a month.

Like, what’s going on, you know, are they, have they been taken over by a bot? Are they sick? Did their kid get hurt? You know, there’s like a million things. And so I think, like, when you talk about the human angle, right, it’s really hard to look at some of this data and be able to make anything resembling a reasonable decision, right? Because saying, this person has been compromised, suddenly their time zone has shifted from, you know,

Central European to whatever time zone Beijing is in, or something. Like, is it, did they, you know, I don’t know. And so I’m always kind of critical of a lot of the projects that claim they can do this, because I think what you’re actually doing is you’re dehumanizing the developer, and then you’re gonna throw something in their face that’s like, your project is untrustworthy now because you haven’t, you know, committed anything in two months. And it’s like,

I’ve been with my kid who’s in the hospital, you know, jackass. And so now you’ve made things even worse, right? And so, like, this is such a difficult problem and I don’t have a good answer for it.

Vlad-Stefan Harbuz (20:02) Yeah.

For sure. That totally makes sense. And like, one thing that I’m looking forward to is, so a year, two years ago, I think there was this GitHub issue that is one of my favorite GitHub issues. It’s github.com/chadwhitacre/openpath/issues/20. It’s openpath issue 20. And it’s called “better defined success.” And there Chad’s talking about how many

critical, or, you know, as I prefer to call them, keystone, to use Nadia Eghbal’s terminology, keystone maintainers are there to build most of the stuff that we rely on. And Andrew Nesbitt gave it a go, and there are some very interesting numbers in that issue. And basically what he ended up with is a number, something like 4,000 maintainers are responsible for something like 80% of the dependencies that we rely on.

Which is fascinating, because it makes you wonder, who are those guys? Can we talk to them? Can we find out more? So Miranda Heath, after doing the burnout report, now is looking at doing research into, can we identify some of those people? And also, what are their stories? Can we talk to the person and figure out, do you need to get paid? Do you want to get paid? Are you…

unemployed? Are you working at a software company? Are you doing this open source maintenance as a second shift after work, and so on? Because it’s just difficult to, you know, there’s such like a human element here that we just don’t quite hear about. And yeah, so this is something that Miranda is going to be doing, and I’m very excited to see the results. And yeah, it’s something that Sentry is supporting as part of the Open Source Pledge, which is really awesome.

Josh Bressers (21:56) That’s amazing.

I love this. This is, yes, this is perfect. I mean…

My example I’ll give to you is, so at the OpenSSF some time ago, it’s several years now, I was on their technical advisory committee, and an issue someone filed was like, what is the correct number of maintainers an open source project should have? And I actually, I’ve taken all of Andrew’s Ecosyste.ms data. In fact, Andrew was on the show not long ago. I’ve taken all his data and I do all kinds of wacky stuff with it, right? Just because I think it’s fascinating to look at. And if you look at the data, like, the number of projects that have

one maintainer is a frightening number of projects. Like, it is absolutely bananas. Now granted, a lot of those are like, I’ve uploaded a thing to npm and I will never use it ever again or look at it, and no one else uses it, sort of projects. But I remember I showed these graphs to a bunch of, like,

OpenSSF people, and OpenSSF, you think, Open Source Security Foundation, like these people should understand this, and they’re like, that’s just npm. Everything else is fine. So I pulled in the Python data. I’m like, look, the graphs look the same. It’s just, you know, the magnitudes are a little different. And like, no, no, it’s fine. And I kept showing ecosystems. I’m like, this is the data. And like, there were still some of them who were like, I don’t believe that. I’m like, I don’t even know what to say to this. You know, there’s like such a disconnect, I think, sometimes, between like

how this all works and how people think it works, which is, I mean, thank goodness you guys are gonna do some research on that, because we desperately need it.

Vlad-Stefan Harbuz (23:33) Yeah. And not to make it even more scary, but I think a huge part is also just project governance, right? So I think one thing that to me stood out, or, you know, to me showed the importance of governance structures, is I remembered this WordPress drama that happened a couple of years back. I spoke about it at a conference at one point, where WordPress is open source, right? But if Matt Mullenweg controls the infrastructure that you need to use the open source stuff,

Josh Bressers (23:52) yes.

Vlad-Stefan Harbuz (24:02) It’s still controlled by one guy. It’s not like you get the benefits of like collective governance, cause it’s open source. It’s like, we need more than just open source cause open source is describing the source code, right? Which is awesome. And I love that, but we need a bit more than that. And it could be the case that you could look at a project, look at the data and you see, it’s 10 people that have push access to this. That’s better. And that’s why we think of the quote unquote bus factor sometimes. But I think that that sort of leaves a lot of important information out.

Josh Bressers (24:04) Yeah.

Vlad-Stefan Harbuz (24:31) Because what is the governance there? Is it the case that 10 people have push access, but just because of the norms of the project, it’s really just the one guy, you know, a lot of people can have access, but you can have a situation where, because one person is more trusted or just has done it more or is intimidating or I don’t know, is the person that ends up making all the decisions. And to be

You know, and I’m really sympathetic to open source projects in this respect, because we just don’t have good guides, good tools, good blueprints for, here’s how you can set up your project in a sustainable way, here’s a sustainable way to do governance. Which is why I was really impressed by npmx, if you’ve seen that project.

Josh Bressers (25:13) I don’t know what their

governance structure is, but I mean, know of NPMX.

Vlad-Stefan Harbuz (25:16) Yeah.

Well, in any case, you know, without saying that that’s the best governance structure or something, I was really impressed how, a couple of weeks, literally two weeks after the project got started, they had, I don’t know, 10, 15 maintainers that had access to the project and were actively involved. And I think it’s really part of why the project became so popular, because it was able to receive input and control from all of these really knowledgeable people, because there was not that fear

of, if I give you push access, who knows, can I really trust you? It’s sort of making that leap of faith to say, we need to collaborate on this and to have this shared governance. Otherwise we’re going to end up in this BDFL sad place, right? Where the project is vulnerable, and then what have we accomplished?

Josh Bressers (26:06) Yeah, yeah, 100%. I mean, but also there are plenty of open source projects that will only be one person. And so like, what do we do about those? How do we make sure, know, when that person gets sick or gets hit by a bus? I mean, so I have a project I maintain called ULARN, which is an old like dungeon crawler, you know, terminal thing. The author of that, the original author is literally dead. Right. Like this happens.

Vlad-Stefan Harbuz (26:15) Yeah. Yeah.

Josh Bressers (26:34) and we have no idea what to do about it in many instances.

Vlad-Stefan Harbuz (26:39) And I was particularly worried to see a jazz band shutting down if you saw those news as well, which was intended in my understanding as a kind of project where people can come together and share maintenance and governance over exactly, you know, those kinds of projects that are small or maybe abandoned or maybe don’t have full-time maintainership. And it ended up that basically it was just one person.

Josh Bressers (26:43) Yes, yes.

Vlad-Stefan Harbuz (27:04) that was the, uh, the sort of meta maintainer of all of these projects. And it just was not able to progress beyond that. And so now the, I think the projects were transferred to some other organization, but, um, it just, think highlights even more how much, uh, we need to do research into this stuff to be like, okay, what, what, what happened there? Why did it fail? How can we do it better next time? Otherwise we’re going to end up with all of this technology that we rely on that is ambiguously controlled, which scares me.

Josh Bressers (27:05) I’m shocked to learn this.

Yeah. Yeah. Yeah, yeah, oh, 100%, 100%. And I mean, yeah, Jazzband was like, I understand why, without question. I don’t blame anyone for that, but it’s a great example of how a lot of this happens, where I think it almost, it’s like trickle-down, right, where everything lands on one person eventually in a lot of these projects. And then they also, there’s maintainer guilt.

Vlad-Stefan Harbuz (27:40) Yeah.

Josh Bressers (27:59) Right? Where people feel like I have to do these things because people are counting on me. And like, I always tell open source people like, you owe no one anything. Like do not feel bad saying no or going to the park with your kid. Like that is way more valuable than feeling guilt and wasting your weekend on bugs from someone that has no idea who you are and doesn’t care who you are.

Vlad-Stefan Harbuz (28:21) Yeah, I actually have Miranda’s burnout report on my second monitor here. And, it’s just, there’s so many quotes that are really, ⁓ moving and just one that I’m looking at from Ashley Williams. I was doing nights and weekends. It was wrecking my health and I was just devastated. So after a while, enough issue followups, like, is this maintained? Are you going to fix my issue? I had to say that I had to give up. And this is especially apparent when you, sort of put together.

the sense of entitlement that some people sometimes have when it comes to, why aren’t you, you know, because we are so accustomed, and again, I understand the impulse, but it’s not a good one, we’re so accustomed to sort of buying a product that we then have this expectation of, what, the product is faulty? I’m the customer, you need to fix it for me. Which is just another way that, you know, we approach it with this market mentality, both sort of psychological and economical, and

Josh Bressers (28:49) Yes.

Vlad-Stefan Harbuz (29:12) That’s its own sphere, but this is not the sphere that we’re working with an open source. And you get all of that pressure while at the same time thinking, okay, but what is for me, my family, what is financially irresponsible? How much dedication to triaging 500 issues is going to take away from my time that, you know, that I can use to focus on my

Josh Bressers (29:15) Yeah. Yeah.

Yes.

Vlad-Stefan Harbuz (29:37) paying job so I can pay my bills right that’s that’s tough that’s just a difficult position.

Josh Bressers (29:44) For sure. Okay. Okay. Vlad. So let’s, let’s start to land this plane. So I know we’ve talked a lot about many of the challenges and I will definitely have you back because this is, this is a conversation that could go on for an infinite number of hours, which is, mean, that’s good and bad. It’s interesting and fascinating, but so you work with open source pledge and open source pledge is meant to kind of start solving some of these problems or at least understanding them. Maybe we’ll say not necessarily solving them, but if I am a listener,

Vlad-Stefan Harbuz (29:48) Okay.

Yeah.

Yeah, I think so.

Josh Bressers (30:12) and this sounds like something I want to learn more about, is something I should really think about kind of doing with my organization. Like, how do you suggest like getting started? ’Cause obviously if I’m a developer and I go to my leadership and say, we should give $2,000 per developer to open source projects, it’s going to be like, get out of here, hippie. This is ridiculous. You know? So, so like, what is the, what does this journey look like?

Vlad-Stefan Harbuz (30:34) Well, I think I would say to those companies that it also is in their interest to pay for the maintenance they depend on. There’s a few reasons. One reason is just you want to make sure that the stuff you rely on keeps working. I understand that it looks like it’s going to keep working and we’re taking it for granted. I think there’s good reason to be a little bit worried about whether it’s going to keep working. And I think, and I think that one really impactful thing that companies can do is pay the maintainers. And of course there’s still, that doesn’t

Josh Bressers (30:55) A lot worried.

Vlad-Stefan Harbuz (31:04) finish, it’s not a complete solution, but I think it’s a thing that needs to happen one way or another. Other than that, we’ve heard from, well, for one thing, our responsibility as the pledge team is we try to promote these companies and their work in supporting open source. And so we’ve done promotional campaigns in Times Square where we put all the company logos up and we said, we were celebrating these companies today. And this is, I think, something that our members appreciate.

And that’s useful for them. And then we’ve also had, I’ve seen people on Bluesky say, I applied for a job at such and such company and got the job. And part of the reason why I chose that company is because they’re members of the pledge, because I want to work for a company that I know cares about open source just the way that I do. And so I think those are a few of the real benefits to joining the pledge. I also think that, you know, it’s also.

Josh Bressers (31:48) Nice.

Vlad-Stefan Harbuz (32:03) Companies can show a sort of leadership role by joining the pledge. You can show customers like, Hey, we’re ahead of the game. Right. And I understand that it’s difficult to identify the people and so on. I think a lot of companies take advantage of their in-house talent and the developers know through their experience what software is being used and what is most important. At the same time, I would say if companies need, we don’t want to talk about that, need any kind of help,

they can, if you go on opensourcepledge.com, we have contact details and we’re very happy to talk about that and make suggestions. And we’re always happy to chat.

Josh Bressers (32:40) Awesome. So let me ask that kind of, what’s your angle? Because if I’m a company, you’re saying the company is going to pay the developers directly. So how is Open Source Pledge like sustaining itself then to keep this going?

Vlad-Stefan Harbuz (32:52) Great question. So we don’t process any, we don’t touch any of the money. It goes directly to the developers, the Open Source Pledge. So my work on the pledge is funded by Sentry and I’m very grateful to Sentry for enabling me to do that work. I would love in the long-term, and this is also part of why I’m working on this nonprofit that other people like Andrew Nesbitt are also a part of and that I’d love to talk to you about in the future, where we can find the place to do this independently

Josh Bressers (32:58) Right. Right.

Vlad-Stefan Harbuz (33:20) as its own organization, because I think it’s awesome that Sentry is paying for this. Wouldn’t it be nice though, if in the long-term we could have these kinds of initiatives just be supported by tech companies more generally, right? Like in the same way that, it’s kind of funny, it’s kind of a catch-22, right? It’s like, how do we make sure that open source projects are sustainable? We, well, we need to build tools for that. We need to do work to understand and research and ensure that. Well, who’s going to fund that work?

And so we end up in situations which I’ve seen, with a lot of open source sustainability tools, where the makers of the tools can’t get funding. It’s like, well, okay, well, it’s kind of ironic, right? Like the open source sustainability technology is unsustainable. So yeah.

Josh Bressers (33:56) Yes.

I know, right?

And this was a topic, I talked to Michael Winser from Alpha-Omega about a bunch of this a couple episodes ago. And like, this is one of the things he talked about is, you know, in all these like package ecosystems, they’re basically barely paying their bills. So yeah, like building tools to do kind of the next thing to help with this kind of stuff. Like there’s just, there’s no resources for it at all. And these are things that could definitely have an impact. So I get it. Yeah, yeah, it’s tough, man.

Vlad-Stefan Harbuz (34:09) Michael Winser yeah.

Yeah.

So this is not, you know, me or anyone trying to make a profit or anything like that. This is just saying it’s in everyone’s interest, right? It, it, all, all of us, all of us who use open source, it’s in our collective interest to make sure that it keeps working, and let’s come together to support that financially and with our time and research.

Josh Bressers (34:47) Yes.

I mean, what did Harvard say, like $8 trillion or some ungodly amount of money that open source is worth?

Vlad-Stefan Harbuz (34:56) Yeah. The,

the, the estimate is very funny. Chad loves to, it’s, it’s a bit of a pet peeve. You always, when people bring that up, he’s like, no, it’s impossible. Which I think is probably right. I think it’s, a, it’s an overinflated number because it assumes that every company would, the replacement cost that every company would replace the same software separately. But even if you divide that by whatever integer you want, it’s, it’s a lot, right? It’s a lot. Yeah. Yeah. Yeah.

Josh Bressers (35:09) Yeah.

It’s a lot. Yeah, it’s a big number. 100%. Yes.

All right, Vlad, take us home. Let us know whatever you want us to know and kind of the next steps for everyone listening.

Vlad-Stefan Harbuz (35:32) What I would say is, if you want to know more about the challenges that maintainers face, read Miranda Heath’s burnout report. It’s on the Open Source Pledge blog. The report is hosted on, the full report is on her website. We have a blog post that summarizes it. And I honestly just want to give a shout out to people like Chad Whitacre and Andrew Nesbitt who have done

so much for so long that is acknowledged by people, but I want to do more to acknowledge it, because they have done so much work, they have taught me so much that enables me to do all this work, and yeah, I just wanted to say thanks to them.

Josh Bressers (36:10) 100%. It always fascinates me that there are just like, there are Morlocks of open source that almost no one knows about, but the things they do are absolutely amazing. And yeah, those guys are definitely on my list.

Vlad-Stefan Harbuz (36:19) Yeah.

Yeah. And companies join the pledge, opensourcepledge.com. Always happy to talk. Any questions, we’ll schedule a call.

Josh Bressers (36:30) Yes.

And links in the show notes for anyone listening. So go hit them up and I’ll have links to all this stuff. But Vlad, thank you so much. This has been an amazing discussion. I cannot wait to have you back.

Vlad-Stefan Harbuz (36:41) Thank you so much, Josh.