Hi everyone! My name is Emma. For those I haven't met before: I've spent 20+ years in open source at Benetech, Mozilla, and Microsoft's OSPO including several years in education technology at Royal Roads University.
After being laid off last year, I started Open Source Wishlist, a project focused on making sustainability risk visible, actionable with paid and attributed support.
This solves a few problems I have experienced as a funder:
Difficult to know, who and where in my dependencies sustainable risk is present and what type of risk it is
Impossible to know, what help would change that risk even if it's clear
Impossible (unless specifically a grant program) to track impact of dollars on that risk
As a community leader and maintainer/community leader, it solves problems I have experienced in that role as well:
How to ask for help in a way that resonates with funders
How to get human help in addition to funds (more new work, even paid mean I am stretched even further)
Compensation for my time mitigating risk that my users care about (even if working with another person it's more time)
Product teams and funders discover wishlists in their dependencies via the website, or GitHub Action (which uses SBOM and Ecosyste.ms to match wishes with projects).
We also proactively reach out to users of projects with wishlists to advocate for these one-time investments (increasing the chance of fulfillment)
Funders can fulfill one or more wishes on a wishlist, and indicate whether they would like to assign employee help, or pay one of our expert open source practitioners.
Fulfilled wishes are managed by a PM (me at the moment) to ensure milestones are met and outcomes are measured (rubric). This helps funders a lot (showing impact means more budget).
Attribution for the wish is given to a person, company, or organization which will be part of a bigger effort around attribution in OSS (blog post for context).
I am doing this on my own time right now (unpaid labor working on the unpaid labor problem :D), but minimally want to show how this might work end to end to solve some of the problems I encountered. My goal (by the end of FOSDEM) is to obtain 200 wishlists from maintainers. Appreciate visibility to maintainer audiences who may want this type of support - once I have that 200, I will shift into 'get funding' mode which I am most excited about.
Note: I am working at the intersection of other projects like CycloneDX standard for sustainability, Open Source Economy, and others. No one does this on their own. In that light, we are also holding some Open Source Practitioner calls to explore touch points on things we all care about (independently of tech companies or products) - you are welcome to join the next one of course!
I understand that corporate way of looking at Open Source might be like this, but I treat Open Source code as an art. Not commercial art like Michelangelo paintings, but the idealistic itch to make things the way they should be done. Just what you're doing with this project.
For me the gameplay that starts with unpaid labor is not fun. It is like I am begging for money. Yes, I don't have motivation to continue maintaining my projects, and money could solve me. Only if corporate knew what I need. Then they will be able to help me. I doubt that. They don't. The consensus or agreement between people in commercial companies is that they all gather to earn money, not to spend it. The beauty of Open Source as an art is in the Eye of Beholder, and there are no beholders in corporate.
If we want this kind of Open Source gameplay with money, we need to do market making for that. Wishlists? I don't have one. Or maybe I do, but over years nobody bought anything from it including myself. Do wishlists work for streamers? If they do, they might work for Open Source too. But what is this "Open Source" - for me it is specific people I met, through commits, messages and in person. It is not something that corporate sees as a "risk", but also as "unpaid labor". If corporate could pay, they would hire Cognizant and other humongous "IT consulting" companies to just do things. And if we are lucky, there might be some people who maintain Open Source projects..
I am not saying your project is not going to work. I am just trying to explain my narrow point of how I see things work from here.
I don't disagree with anything you've said. I'm a long time contributor and maintainer, open source communities are where I always go to be a part of something, and to give back.
I spent a lot of years pleading for people to connect with and care about open source in the way communities do; as we do but it honestly never worked. What worked is drawing a line between what communities need, and what funders want to see. This is my attempt to see if we can make that easier.
I don't know if this will be successful, I'm not sure success is even my goal - rather it will teach us something. Maybe it will tell us - actually funders don't care about leadership continuity, governance etc (even if xz proved they should), maybe it will show maintainers only want stable income and not help, or nothing at all - maybe companies will look at declared need as its own risk and have AI build an alternative (they have dollars, that's not debatable). There's only one way to find out.
I only mention my unpaid status so people will know this comes from a sincere place of wanting to bridge the conversation. It's not gameplay, at all. Best of luck to you, thanks for the note.
Okay. Let's see if we can strip that to bare bones. Because as a maintainer (and also as a funder on Gratipay/Liberapay and Gitcoin platforms) I couldn't immediately see what is the final benefit for me. Maybe the design is targeted for corporates, and implies a bit of human touch to explain and introduce people doing their jobs to platform. That's perfectly fine. However, for the individuals/hackers (who might be employed by the same company), it might be good to have a hatch to click through too.
When I read words like "they should care", I have a picture in my head that a corporate person always replies "of course we care". Because what is a responsibility if they really don't? Apologize maybe.. The only way I could see it can work is metrics. Company profile, listing its involvement on platforms like OpenCollective. A profile that will make me think if I want to join these guys, or more important - if as a government official I want to give this company contract, because the company amplifies the impact of Open Source, and the contract would do more good.
For example, outsourcing company Epam made https://opensourceindex.io/ Open Source Contributors Index, where it ranks enterprise commits under Open Source license. Forking and refactoring it can be a good start to get more human-centric metrics for funders vs maintainers gameplay.
I don't use words like "politics" and "economics", because they are generalized to the point of being useless. But I use "gameplay" to refer to specific activities that people do or could do. Daily job, for example, is a gameplay of exchanging time to money, which is then enhanced by various mechanics (not always human friendly, but that's how it works).
People outplay any rules. They have their goals. Originally Economics was designed to watch and look what people do, but with time it became speculative media manipulative term. Now it is useless, but game design will never become old.
I would say AI is quite mature today to be included in the loop too. Somebody just needs to ask the models - who wants to participate?
Thanks for your effort. Even if it is a long road, I seriously think it might be a step in the right direction.
I suggest you listen to the latest podcast from the Center for Humane Technology:
Key framing is that game-theory itself is a paradigm with all sorts of unhealthy features, and we do not need to accept it, we can have different paradigms.
Game-design is a real thing of course, but we don't need to use that framing to see the world, and it is limiting in its own ways, just as it is to see everything as economics or politics.
You're right, "they should care" is weak framing, because everyone says they care. It's like DEI a few years back: "everyone said they cared", but now we can see who actually meant it based on who's still doing the work.
So let me reframe: drawing a line between risk, need and the "service" to resolve both doesn't make funders care, it helps answer "how does this help me":
show which products/services of theirs would be impacted by risk/need (it could hurt me or my customers!) via dependency tree/SBOM
show which services, * with (options for) expert paid humans can fix it, and how we will know it's fixed/rubric (I can tell my boss, that I helped our product/service be more reliable/secure etc for our customers)
Brand recognition (take the pressure off our company as an OSS user, by showing we're helping)
There's a whole other host of reasons people fund projects (directly or via foundations), and I wouldn't describe those as "caring" either.
What I would say FOR SURE, is there are lots and lots of people working in companies, and as funders who DO authentically and personally CARE (a lot) and giving them the tools to advocate is really a gap that I experienced. I would have really loved something like this to take to budget-holders (and why I built this).
My goal again for FOSDEM is 200 wishes, if I achieve that - I will engage with funders/companies/individuals - if not then that's its own signal, and I will park it (leave up, but not actively run). Again, I see it as a chance to learn (and already am, thanks again).
That's right - businesses don't "care"; they react to real risks, effects, and brand visibility. It is clear how OSS funding helps both sides when you use SBOMs/dependency trees and get help from an expert if you want it. Add a contribution dashboard and suddenly funders see the return on investment and security impact, while maintainers see recognition and stability. A lot more useful than appealing to "care."