Ep. #3, The Open Source Pledge with Chad Whitacre of Sentry
In episode 3 of Open Source Ready, Brian and John sit down with Chad Whitacre from Sentry to discuss the Open Source Pledge, a new initiative aimed at addressing the sustainability crisis in open source software. Chad shares insights on how companies can better support the maintainers behind the projects they rely on and explores the cultural challenges of funding open source development.
Chad Whitacre is the Head of Open Source at Sentry, where he leads initiatives to promote sustainable funding for open source projects. With over a decade of experience in the open source community, including founding the crowdfunding platform Gittip (a precursor to GitHub Sponsors), Chad is a passionate advocate for maintainer support and open source sustainability.
- Sentry
- Open Source Pledge
- Article: Wild billboards around the Bay…
- Article: 300k USD Donation Pledged by Mitchell Hashimoto
- XKCD Comic on Dependencies
- GitHub Sponsors
- Open Collective
- Thanks.dev
- Book: Crossing the Chasm
- Reads: What is Polymarket? A Crypto Story.
- Reads: "SRE" doesn't seem to mean anything useful any more
- Reads: Caring for yourself while caring for others
- Reads: Balancing Makers and Takers to scale and sustain Open Source
- Reads: Solving the Maker-Taker problem
In episode 3 of Open Source Ready, Brian and John sit down with Chad Whitacre from Sentry to discuss the Open Source Pledge, a new initiative aimed at addressing the sustainability crisis in open source software. Chad shares insights on how companies can better support the maintainers behind the projects they rely on and explores the cultural challenges of funding open source development.
transcript
Brian Douglas: Welcome to another installment of Open Source Ready, the podcast where we talk about open source with folks, leaders in the industry. So we got John here, co-host, John McBride. How you doing? Welcome back.
John McBride: Hey, Brian, doing good, how are you?
Brian: Good, good, I am not as, I have no snow outside, so I'm doing very good. Not a lot of snow in Oakland.
John: Yeah, we're getting about a foot of snow in Denver right now, so I'll go shovel after this I think.
Chad Whitacre: John, will it be there tomorrow?
John: It definitely will, but in a week or two, it probably will melt. Usually we don't keep too much snow in Denver, but it got cold and it snowed, so here we are.
Chad: That's cool.
Brian: I was going to say the other voice that you're hearing, everyone, listeners, is Chad Whitaker from Sentry and most recently Open Source Pledge. Chad, do you want to say hello?
Chad: Yeah, absolutely, thanks for having me on. I'm out here in Pittsburgh, Pennsylvania where we do not have a foot of snow. It's unseasonably warm, 65 degrees and sunny which is quite rare.
Enjoying it, but I'm sure that cold front will come across and we'll get cold and rainy is what we'll end up with in a couple days. Yeah, so enjoy the snow, John.
John: I'll try.
Brian: Yeah, speaking of snow, we're coming up to winter, but we just had a really interesting summer, early fall. I was actually driving around Oakland and actually Oakland and San Francisco up on the 101.
I saw these billboards, these crazy-looking billboards that basically, like chief, actually you probably know the acronyms because it's instead of CFO, like chief freakout officer or something, I don't know.
Chad: Yeah, so what you're referring to are these billboards we put out for the Open Source Pledge that, let me see, they're probably coming down right about now. They went up on October 8th and they were up for a month, so I think they're probably coming down right about now.
But yeah, we bought three, rented, I guess, three of the most expensive billboards in the world there on the Bay Bridge and right outside downtown San Francisco, one over on the Oakland side, and the three acronyms you're referring to, CEO, CFO, and CTO.
These were kind of lighthearted call-outs let's say for companies that maybe don't support the open source maintainers in their dependency stack maybe as much as we need to.
So CEO, we went with chief excuse officer, and then CTO was chief tightwad officer, and then CFO was chief freeload officer.
Brian: Yeah, there we go.
Chad: Yeah, then we had the buses and we had bus shelters and everything. Had a lot of fun with it.
Brian: Yeah, so what's the goal? Billboards are great, what's the ultimate goal for having this content out there?
Chad: Sure, so again, so this was a promotional campaign to kick off this new initiative that Sentry is launching with a bunch of other partner companies called the Open Source Pledge and again, kicked off on October 8th.
Open Source Pledge is a group of companies that are working together to change the status quo in open source sustainability.
Many of us have seen this famous "XKCD" comic. The title is "Dependency." If I have the number right, I think it's 2,347. It's the one with the Lego blocks.
There's the Nebraska Project buried deep in the stack. This one library thankless maintained by somebody in Nebraska for the past 20 years and it's holding up all of our modern digital infrastructure. So the pledge is really about companies coming together to make sure that that maintainer is paid, that maintainer is maintained.
Yep, so that's where we're about. We've got I believe it's 26 companies that are onboarded today and hoping to have some announcements for some more in the coming weeks, but that's what it's about, man, pay the maintainers.
Brian: Excellent, and you're, so I know a bit of your background. We've shared this offline, but I don't know, why is Chad working on this?
Chad: Oh, goodness.
Brian: What's the historical record of your involvement in open source funding?
Chad: Yeah, well, Aristotle distinguishes four different senses of the question why, the formal, the material, the past, and the future.
The historical reason why I'm working on this, I sort of started my career in tech in, I finished up college in 1999, late 1999, and kind of went into tech because it was the height of the .com bubble.
I spent the 20-aughts, whatever we call it, cutting my teeth on open source software, learning as a developer or self-taught as a developer, and I learned as a developer within the kind of early open source community in the 20-aughts and kind of experienced firsthand the tension between working on open source projects, freely collaborating on the internet with the whole world, the tension between that way of working and having to work for the man, get a paid job and work on closed source software for money.
So yeah, cut my teeth in the aughts working on open source software, but also having to pay the bills. And then in the 2010s, I ended up doing a startup called Gittip which was about, it was a crowdfunding platform for open source projects. So it was, yeah, it was a funding platform for open source.
Nowadays it was a predecessor to GitHub Sponsors, predecessor to Open Collective, predecessor to Patreon. It's kind of fun when Patreon first came out, here's a tidbit for you. When Patreon first came out, you can go back and check this, the "Hacker News" post announcing Patreon said, "Patreon, it's like Gittip, but for YouTube creators," YouTube content creators.
So did Gittip for about five years and then I ended up here at Sentry. So I've been at Sentry for four years. Sentry an open source, deep roots in the open source world, and Sentry was actually a customer of Gittip's.
So Sentry has always funded open source projects and David and Chris, even before there was a company, they were funding open source projects just themselves and they still do. So it's always been kind of core to Sentry's company culture to be part of the community, right? To take care of other people in the community, to do right by the other maintainers in the community.
Yeah, so sort of historical story would be, right, 20-aughts cutting my teeth in Open Source, 2010s doing this Gittip startup, and then here in the 20s, here we are in 2024, almost 2025, here at Sentry, been running this funding program at Sentry, kind of getting organized with it the past three years, and then this year the ask was okay, Chad, go get other companies to also contribute and also be part of this solution.
Brian: I didn't know about the Gittip and Patreon quotable moment, so that's actually pretty cool.
John: Yeah, yeah, that's interesting that you've been kind of around the block with a bunch of the different technologies working in this space.
I remember this was years ago when Web3 was becoming a thing and I got involved in this thing called Gitcoin that was you're going to pay people on the blockchain, and then those smart contracts when issues and PRs get resolved are going to finally land in your wallet. And it was like-
Chad: Did it work, John, did it work?
John: It did not work unfortunately.
Chad: Why not so you think?
John: I don't know, I suspect it was a cultural problem, but that's my question to you is do you see this as mostly a technology problem? Like we don't quite have the technology at scale yet to be able to support all these people doing these different things? Or is it mostly a people, cultural problem? What's your perspective on that?
Chad: Yeah, I definitely think it's a cultural problem and not a technology problem. And 10, 12 years ago, we were doing Gittip. It was the early days of Bitcoin and everybody was kind of like a, right? You talk about Web3, well, this was everybody getting into crypto for the first time and this being invented really.
And everybody's like oh, we got to do crypto, we got to do crypto. We always resisted that in Gittip because it's like what's the problem we're actually trying to solve, okay?
The way that I think about this, I think in terms of what I call the open source sustainability crisis, all right? I mean something very specific by that. What I mean is that the world I want to see is anybody who's sufficiently qualified and sufficiently motivated can go out and produce open source software, produce software that they put out into the world. Companies pick it up, the community picks it up, becomes widely adopted, and then the person who made it can be fairly paid without having to jump through hoops, okay?
So people do the work, they put the work out there, it gets picked up, and then they're fairly paid without having to jump through hoops. That's my definition of open source sustainability, okay?
And the reason that we have this crisis of open source sustainability is that we're not paying people fairly and they're burning out. It's the burnout that's really the clearest sign of what I mean by this open source sustainability crisis.
So it's the security vulnerabilities that kind of get the headlines, but what I see with that is that that's shining a light on this constant underlying reality that we're burning out maintainers, that this is not a sustainable model.
So if I am a developer and I'm putting open source software out in the world, and I want to get paid fairly without having to jump through hoops. .. There's some aficionados of crypto that want crypto. Most of us want dollars in the bank. It's like I need to pay my rent. I need to buy groceries. I need to live my life. I need to support my family, right?
What am I going to do with the crypto? I'm going to convert it to fiat so I can pay my rent 'cause I'm not paying my rent with crypto, right? So if we kind of work backwards from the end goal that we're going for, it's what we want is thousands of dollars in the bank accounts of the individuals that are propping up our economy through this open source software that they're putting out of the world.
So crypto just feels like a complication to me, right? Because here's the other thing then, let's do it this way. So at the end of this flow of funds, there's thousands of dollars, USD or whatever, fiat, sitting in people's bank accounts, what's on the other end of the flow?
It's money in companies' bank accounts because that's the source of the funding flow. That's the source and the sink, okay? So money needs to come from companies and go to developers so they can pay the rent, their mortgage or whatever, right?
All right, so it's going to be in fiat in the developer's bank account and you know it's in fiat in the company's bank account. Companies aren't holding their assets in crypto, right? They're holding their assets in USD. So to me it's why introduce this complication of crypto into this equation?
So I've never that crypto is really an important part of the solution. It feels like crypto's good for something. I don't think that it has much to offer here when we really kind of clarify what the problem is that we're trying to solve and the system we're trying to build. So yeah, it ends up being much more of a cultural problem.
John: Yeah, the economies of scale around this are fascinating and crazy because it is a worldwide technology scale for all these technologies that people are using across nearly every company, right?
Chad: You're thinking in terms of somebody can put something out there and you have one individual that thousands of companies are depending on, that kind of?
John: Exactly, yeah, the scale gets crazy really quickly. Speaking of that, why not ask individuals, kind of democratize it, which I think is kind of an approach people have taken in the past, the kind of Patreon support kind of route where it's like I built a library and I'm going to give you $5 'cause I'm an individual-
Brian: Or buy me a coffee.
John: Yeah, buy me a coffee, buy me a beer, free Beerware or something. Why companies, why target these CTOs CEOs?
Chad: Well, the zeros, man, it's the zeros. How much money does Apple have in their bank account and how much money do you have in your bank account? You know what I mean?
John: A lot less.
Chad: Yeah, I mean, it goes back to that question of scale. When we reason about where's the money? Well, the money's in these corporations and they're the ones that hold the assets, hold the money, and also are the ones that are benefiting, that are built, the value that they're accruing is directly built on the software that we're all building and putting out in the world.
Yeah, so, I mean, it's as simple as that, right? It's that's where the money is, so there are some really, really generous people. Mitchell, Mitchell Hashimoto, didn't he announced $300,000 to Zig I think it was and yeah, so some really generous people out there.
And there's people that I've seen regularly giving to open source projects, not as kind of flashy as Mitchell's able to be, but very faithful and that's wonderful to see, that care for the community from a lot of individuals.
Yeah, but at the end of the day, the money's in the corporations and they're the ones benefiting from it, so and that's the tough nut to crack, right? That's the tough nut to crack.
Brian: How's the nut been cracking so far in the last, you guys had a month of a billboard, had a lot of ramp up?
Chad: Yeah, I did actually get to see these, so I said I'm out here in Pittsburgh, Pennsylvania, but I did get to witness these billboards firsthand. I was out in San Francisco a couple weeks ago. Got to drive around and see these billboards, really fun.
And when I fly to San Francisco, what I love to do is read the most embarrassingly basic business books on the plane. Paper books and make sure everybody sees what I'm reading, that they see that I'm reading the "Innovator's Dilemma" or whatever, right?
So this time, it's "Crossing the Chasm," this like classic business book.
Brian: It's on the library.
Chad: Yeah, there you go, right? It's the one with kind of that bell curve of adoption where you've got the innovators, kind of the small group of innovators, the beginning of a technology adoption curve.
Then you've got the early adopters and then this chasm that they talk about, he talks about the book you got to cross the chasm to get to the early majority and the late majority, okay? So it really does seem to me to be kind of the playbook for what we're doing with the pledge.
The end goal is this is a new status quo in the industry, that all of the companies that are depending on this open source software come together to maintain the maintainers, to pay the maintainers, to take care of the folks that are doing this.
How do we get there? Well, we don't start with Google. We don't start with Microsoft. We don't start with the Apple and the Facebook and say hey, we take kind of a strategic approach where we look for a beachhead, where we look for a much smaller segment that we can actually speak to and help and bring along into this, and then we grow from there.
So you asked how it's going, so we soft launched the pledge. So I said we launched it on October 8th. We soft launched on August 28th. That's the date when Sentry and another small startup called Astral, A-S-T-R-A-L, Astral.sh. They're building Python dev tools using Rust.
Astral and Sentry were the first two companies to join the ledge on August 28th and we launched on October 8th with 25 companies, Sentry, Astral, and 23 others. So it was a big push through September, get people on board for this launch. I mentioned this too.
Nasdaq helped us out with the tower in Times Square. So we got to put a bunch of logos in Times Square which is fun. Since then we've only added one, but some of that was because we had such a push to get people on board, there was that rush to get people on board and then I disappeared for a couple weeks of travel.
We just kind of had the wave of publicity that we're getting ready to kind of announce our second round of folks. So my goal, and we'll see, I don't know, I don't want to announce anything that's not ready to be announced.
But so hopefully between now and the time this airs, we'll at least have a few more folks announced. And what I'm realizing is I'm in sales now. There was this big push to get there with getting the thing launched, but now it's just execution. Now it's just a numbers game. Now it's just how many companies out there are already giving?
We should talk about the specifics of the pledge to make sense of this, but how many companies are out there that are already supporting open source in a significant way? Let's get those folks onboarded. That's the low-hanging fruit.
How many companies are out there that are building DevTool startups and they're in series A, B, C? Let's get them onboarded, that kind of thing. Yeah, so we're running that playbook and hopefully have some things to announce between now and when the show goes out.
Brian: At this point, I mean, listeners are probably thinking, if they're not Googling already, what is the pledge? What's the structure of it? So we got 25 companies on board, but what does that mean for the companies?
Chad: Exactly, yeah.
The pledge is basically a two-step process to join, okay? Number one, pay maintainers. Number two, talk about it, that's the basis.
So first, a company goes out and pays maintainers and what's unique about the pledge is that we say here's the amount that you need to at least hit if you're going to be part of the pledge.
That amount is $2,000 per developer on staff per year. So if a company has 50 developers on staff that they employ, then their dues essentially would be $100,000 per year. So that company would go pay maintainers $100,000.
How do they do that? It's up to them. Use GitHub Sponsors, use thanks.dev, use Open Collective, pay directly to foundations. We give some guidelines, but what we mean, really it's no strings attached payments to your upstream dependencies is kind of the intent.
But the pledge itself does not handle any money. We're not an entity that's taking money and handing it out. We're really just about this marketing piece. So yeah, step one, go pay maintainers.
Step two, blog about it. Publish an annual report, quote, unquote, where you tell us here's the projects we paid, here's how much, so you give the receipts, okay? And tell your story about open source.
We're a developer tools company, and we love open source, and we contribute to these open source projects and whatever, and we also pay maintainers this way, right? So that blogging piece really does two things.
Number one, it drives awareness because again, this is all, maybe unpack this a little more, but this is all marketing. This is all social validation. This is all saying here's the new status quo that we're trying to build together.
So we need the post on everybody's blog to say yeah, we're bought in, we're part of this. We're putting our brand behind this Open Source Pledge. So driving awareness, the other thing is the accountability.
So bringing the receipts so folks in the community can kind of inspect, right? And read through, and click through, and see yeah, okay, this company really is paying these maintainers. We can kind of have that transparency and visibility.
So that's how you join the pledge. Pay maintainers, $2,000 per debt per year, and then blog about it, and then come to us with a PR. We add you to the site and then you get a nice little Open Source Pledge member badge that you can put in the footer of your website or whatever it is.
Brian: Yeah, that makes sense. Actually I didn't even know about the, it sounds like this is more of a movement to drive momentum in to paying maintainers. Didn't realize there was not actually a platform underneath as well so.
Chad: We already got great platforms, man. We already got great platforms. We're trying to incentivize kind the growth of this ecosystem.
We have thanks.dev, we have Open Collective, we have GitHub Sponsors. I'll tell you, 'cause again, I've been running a program at Sentry for three years now where I'm really maxing out the limits of these tools. I'm trying to pay...
Last year was really fun 'cause I said you know what? I want Sentry to be the first company in existence to hit 100% coverage of our dependencies on GitHub Sponsors 'cause I went into GitHub Sponsors and then I saw they gave you this little dial where they show you what percentage of your dependencies you're funding, and I'm not above being gamified guys, okay?
I'll just say this, okay? I'm not above being gamified. So I saw this and I was like oh, man. I was like you're you're going to put me at 10% on this? No way, we're going for 100%. So they said I want to be the first company to hit 100% and Sentry, we're big enough now.
We've actually got multiple GitHub orgs, okay? And so there's three that we use for this. Funny, we use Sentry, we use Codecov, and then Syntax, I found the podcast, is under Sentry. So those three GitHub orgs, I was like I want to hit 100% on all three of those orgs.
And I came pretty close. I was 98% or so 'cause it's employees at Sentry, we're not going to fund them through this, right? Stuff like that, somebody has a minimum that's $1,000 a month or whatever. It's like well, we're not going to do that with this approach.
Anyway, so it was really hard to actually do that though. It was very manual. Actually the guys at thanks.dev wrote me some tooling to be able to custom GitHub API usage to be able to pull this off, so the tooling's not there is my point.
And so we want to, but rather than taking it upon ourselves with the pledge to build that platform, it's we want them to succeed. We want to create the conditions where thanks.dev, Open Collective, GitHub Sponsors, other players here can innovate, can create the tooling and the platforms to make this happen for companies.
Brian: Yeah, it's the age-old rising tide raises all boats. So if you're just making the opportunity for folks to get out in the ocean and swim forward or I don't know, I'm not sure what the analogy I'm aiming for.
Chad: Well, Tidelift's another one next door to that.
Brian: Oh, yeah, exactly.
Chad: Trying to figure how to deal them in, right? Yeah, and yeah, our goal is to see everybody kind of work together on this.
John: One of the things that really struck me when reading the About page on the pledge was kind of some of the focus on the security vulnerabilities that have been really high profile in the last few years. Log4j, the XZ vulnerability, open SSH having one person maintaining it.
How has that resonated with companies? How has that, in relation to actually funding people, impacted these people you're talking to.
Chad: Yeah, well, that's definitely the bumper sticker that is the easy way to kind of click people into the conversation you're talking about, right? XZ, Log4Shell, Heartbleed's the OG where they're like let's give this a brand. Let's buy a domain name for this.
I think that that kind of opens a lot of conversations to start talking about security. When we look at what's behind that, what we see, and honestly XZ's the clearest example of this we've had where burnout was a direct contributor, right? It's like that was, 'cause XZ, to remind ourselves, this is a social engineering attack.
This was Jia Tan or whatever the profile handle was, right? Comes with this project, plays this long game. Couple years if I remember right. I know there's some great kind of timelines out there and wearing down this maintainer who was burned out.
Of their own admission, they're like, "Hey, I'm burned out. I would love for you to take over more and more responsibility, help me with this project."
So there's that direct connection, that's the clearest we're going to see, right? Of burnout is leading directly to security and vulnerabilities, but that's the constant that we don't see until the light is shined on it. But yeah, that burnout is really, yeah, the underlying symptom.
But yeah, absolutely the security vulnerabilities and I mean, it's a little tricky, right? Because Microsoft has security vulnerabilities. Apple has security vulnerabilities. Google probably does too, right? You don't hear about them as much maybe, but...
All software has security bugs and this is where I feel like it's maybe a double-edged sword to talk about security here because in a lot of ways, open source is more secure.
Even this XZ example, look at how quickly it was fixed from when it was identified, all right? Andrews, if I remember right, the fellow that found this vulnerability, announced it, disclosed to everybody, got on everybody's radar.
It was a matter of, speaking without my notes in front of me, but I mean, order of magnitude is 24 hours, right? 24 to 48 hours from we all find out that there's this problem to it's patched to all major distributions, right?
That's amazing, that's open source, right? That's the power of open source to fix security vulnerabilities and to deal with them when they arise. There was a paper about this where they try to look at does more funding actually decrease the security vulnerabilities?
And that's where I kind of start to hesitate because that's sort of where that conversation leads, right? It's like if you open the conversation and focus only on the security vulnerabilities, you're kind of stuck in this rut where it's like well, or you're in this mindset where it's like well, I'm paying.
My payment is an investment and the return on the investment is lowering the security vulnerabilities, right? And I don't know that that's actually the way it will play out, right? Because open source I think already has a great track record in terms of security.
What's shocking about these is almost that open source is generally so secure that when something crops up, we're all like oh, my gosh, right? It's like if we've only got three in the past 10 years, that's actually pretty good, right? XE, Log4Shell, Heartbleed in the past 10 or 15 years or whatever. And again, really well-funded companies also produce security vulnerabilities.
John: Yeah, one of the basic assumptions you can make and this was prevalent for AWS when I worked there on the Amazon Linux org, was you can just kind of assume that there's going to be nation state actors just always...
Chad: Hammering away.
John: Yeah, and it's just like yeah, especially a huge massive target like AWS or AWS Linux which is used everywhere, you can just assume that there's going to be these things that happen. So yeah, I definitely heard that funding isn't automatically this one thing that just fixes all. There's still going to be nation state actors or just vulnerabilities and bugs that happen, right?
Brian: Yeah, I feel like the acronym, the Chief Freeload Officer, really comes to mind here 'cause I agree with you. I don't think the more money you throw at this is going to solve much more security issues, but I think the awareness thing is even bigger.
The old adage, it takes a tribe to raise a child. Takes a tribe to raise a open source project. But I think what's interesting 'cause I put in the show notes about Daniel Stenberg, about his contingency plan for cURL.
So Daniel, back in 2019, 2017, there was an article where it was basically everyone figured out oh, cURL is only maintained by one person, and it was a Mozilla employee and he got laid off. So it was at that point in the history, it was like hey, how do we get to this point?
Why do we not know who Daniel is? And then when I worked at GitHub, we spent way more time, like hey, Daniel, come on, do a podcast. Come chat with us. Let's give you some time, get you exposed to GitHub Sponsors.
But I think Daniel's one story, but I think there's a lot of other folks who are up and coming who have no awareness of them and maybe it's because they're just doing it for the goodwill of the people or for code.
But I see with the pledge, an opportunity for other people to be like hey, you know what? I want to get involved. I saw this person make this impact. I saw at Amazon, we instituted this thing and hypothetically hopefully in the future you'll get this, but they're involved in this way.
I want to be involved and help support and it's again, going at the culture thing. Perhaps in the next two to four years, the culture's changed where now we're just more aware of who's touching stuff and it's less about how fast we fix.
It's more about who do we reach out to? Who's actually controlling the bips and bloops that are actually getting deployed?
Chad: Yeah, I think there's a really important opportunity for the open source foundations that we have to play an even more critical role than they already do in this ecosystem that we're trying to build, this world that we're trying to build where maintainers are getting paid for the work they do.
I think I just heard you use the word attention in there, having more attention paid to the people that are building the things. And I would actually push back on that a little bit because attention's really expensive, okay?
And even at Sentry, we're not the biggest company in the world, we're not the smallest, we're at five to 600 maintainers that we're paying out. I'm actually in the process of running this year's payment program.
That's too many people for me to know. That's too many people for me to pay attention to and that's just, honestly I just look at my first level dependencies too. I don't try and pay anybody below that first level because I figure I went a Starbucks or the coffee shop or whatever and I buy a cup of coffee, I don't know where they got the beans.
I don't know where they got the cup. Honestly I don't even know who's in the kitchen, right? I'm talking to somebody up front at the cash register. And so there's this abstraction or this encapsulation which I think is necessary for scale where companies, especially when we cross the chasm, go back to that.
If it's hard enough for me at Sentry who really, really cares about this and our company is really committed to this to know and kind of have this really fine grain relationship with every single maintainer, no chance that the giant bank that's going to be in the middle of that bell curve, in the middle of that pack is going to take the time to invest in the attention because both are expensive, right?
We are asking with the Pledge, hey, pay a significant amount of money to these maintainers. If we also ask also pay a significant amount of attention to these maintainers, that's two big asks and I think that the open source foundations are a key component of this encapsulation of this, it's really about allocation is the conversation, okay?
So we get the money flowing from companies. Where does it go? And this kind of ties in with the security conversations. How do we make sure that it has the impact that we want, that it does strengthen the projects and it does help them implement security policies and best practices and whatnot.
When I was in All Things Open in Raleigh last week, I talked to a few folks that are leaders of open source foundation. I said, "I want to add a zero to your budget." That's what I'm trying to do with the pledge, add a zero to your budget.
What are you going to do with it, right? And the first thing that they were saying to me was security audit. Security audit is expensive to run and it's precisely answering this issue that is on everyone's minds is how do we secure this open source supply chain?
Yeah, but I think that those foundations are the critical component or part of this ecosystem to do that allocation the way that make sure that that money has the best impact. And then in turn, transparently show the rest of us well, here's how much went to events and marketing, and here's how much went to legal and administrative and finance, and here's how much actually went to developers, right?
And here's how much we paid for the security audit and whatnot. I think that's how we're going to build this together in the coming years so that when we go across the chasm in a few years and we're trying to pitch this to the larger organizations, it's a clear story where we say this much, you pay the five foundations for the tech stacks that you're dependent on, right?
And then they're the ones that are going to take that money and make sure it flows out within their community to the right people. You guys buy it? What do you think?
Brian: I'm intrigued, I appreciate the pushback and I'm not disagreeing, but I think there's a lot that you said there and I think there's a large conversation.
So I agree, the foundation part, yeah. There's definitely folks who can put some muscle into even shaking some of these enterprises, but also of co-locating the funds, helping with the support, and deciding what to do with that.
There's a whole world that I think a lot of folks has not tapped into when it comes to open source. You might be consuming stuff and enjoying the contributions from other folks, but I think there's still an education thing that even myself, there's a lot of stuff I'll be learning in the next year, trying to figure out how this open source world works and what my part is in participating in this as well.
And I think hopefully the listeners are joining the conversation and feel the same way. I did want to get us the reads, but I wanted a CTA for this podcast. So we talked about the pledge. Chad, what's the call-to-action for folks listening?
Chad: Yeah, well, join the pledge if you can. If you're a decision maker at a company that is ready to do this, OpenSourcePledge.com/join has the onboarding instructions there. We would love to have you. Feel free to reach out to me, happy to jump on a call or whatever to help talk this through.
But yeah, that's number one. If you're a decision maker at a tech company, join the pledge. Number two, if you're not a decision maker but you want to see this happen, socialize it with us.
Share it with your friends, share it internally. Bring it up internally. That's really how we're going to convince companies that this is what we need to be doing when we all start talking about it together. Again, this is all about social validation.
This is all about enough people, are you guys on Bluesky, right? This past week, everybody moved from Twitter to Blue Sky. I don't know why. It's the herd mentality where it's maybe somebody was driving it and I don't see that probably, but I don't know, this was the week when the herd moved from Twitter to Blue Sky.
That's what it's going to be. We're going to push at this together in the next year or two and we're going to see that tipping point. Yeah, so be part of that with us. Promote the pledge, help us spread the word. Yeah, and we're open source on GitHub too if you want to get involved.
Brian: Excellent, so last question, Chad. Are you ready to read?
Chad: Yeah, let's do it.
Brian: We mentioned this earlier around crypto funding and we just came out of the wildest election day. I don't think even think this was as wild as 2016, but we had our election, but prior to election we had this tool called Polymarket.
And honestly I never gave it the time of day. I knew it was you could bet on if eggs are going to turn brown or white. It's pretty wild stuff like that. You just bet on whatever. And there's an article, I actually wanted to find out more about Polymarket 'cause I never paid attention to it. It's only been around says 2020.
There's a Medium article talking about in 2022 what Polymarket was meant to be and what it is I guess in the last couple weeks was betting on the presidential election in the US. So I was just really more curious of how do we get here? What is this thing?
I saw the CEO of Polymarket also tweet about how he was broke and living in a broken toilet or whatever. I don't know, he did a post on X about a hole in his wall and he had no money, and how now Polymarket's this platform that's essentially making him rich I think maybe on, he didn't disclose numbers, but talked about crypto and that world.
So I will put it in the show notes, but there's quite a few articles about betting. We're in a world where you could bet on now NFL games in the US. It's just a whole nother world. I don't think I want to bet on chicken eggs and stuff like that but.
Chad: Are you betting?
Brian: I'm not betting on anything.
Chad: Have you bet, have you bet on Polymarket?
Brian: I have not. I'm pretty risk averse to be quite honest, so I don't think I've actually bet outside of playing poker with friends in college which is a long time ago. I don't think I'm much of a gambler to be quite honest.
Chad: Okay, but you got your eye on it.
Brian: Yeah, I'm just watching it. See if it's going to influence the next either election or if I'm going to start, I keep joking about this, but if I'm going to buy white or brown eggs from the Trader Joe's.
John: I think at one point I had some Polygon which I think is what this is based on and I think I lost it. So that was my attempt.
Brian: Bet lost.
John: Yep, I lost.
Brian: Cool, Chad, did you have a read for us?
Chad: Yeah, definitely, so this one's pretty adjacent to the whole topic of open source sustainability and also quite, I don't know, is WordPress still in the news or is things dying down over there in WordPress land?
John: I wouldn't know, I'm not on Twitter.
Chad: Yeah, there you go. It's pretty interesting, the Drupal project I think is a really interesting contrast to the WordPress project and I didn't learn how to pronounce your name Dries, but Dries Buytaert, the founder of the Drupal project, has a post, a couple posts, he published one recently called "Solving the Maker-Taker Problem" which is kind of speaking into the WordPress situation.
But it points back to this post, this much longer post called "Balancing Makers and Takers to Scale and Sustain Open Source," okay? And that post is from five years ago and it's really his thinking on how to build an open source ecosystem that isn't subject to a tragedy of the commons where people, the companies that are benefiting from it are contributing back to the project.
Yeah, a lot of interesting stuff in there, so I wanted to give a shout out to Dries and his hard work over many years on this challenge of balancing makers and takers to scale and sustain open source.
Brian: Cool, yeah, and when you get a chance, drop a link to that in the show notes so we can share it out with the listeners.
Chad: Absolutely, will do.
Brian: John, you've got a couple.
John: Just two. So the first one from this week was a blog post from rachelbythebay.com which is a really excellent blog, one of my favorites. But it is titled "SRE Doesn't Seem to Mean Anything Useful Anymore" which feels kind of relevant to the current just job market, as well as maybe the current mood around this weird shift in the industry from microservices to back to monoliths and people building and running their own infrastructure in-house.
Kind of going back into an ops world of things, and a great book I read about this years and years ago was "The Phoenix Project" where it's a company trying to accelerate their operations through smaller iterations and getting away from kind of the ops mindset.
So it's fascinating to see everything seems cyclical. We're going back to just these pure ops kind of minded operation things where at one point, being an SRE was yeah, I write software, maybe I do some ops stuff, but my main function is to ensure the reliability of the site at scale by mostly writing software.
Doesn't seem to mean that anymore, I don't know. Either of you have a hot take on what SRE means these days?
Brian: All I know is that DevOps engineers don't exist.
John: Spicy, very spicy.
Brian: Yeah, everyone wants to be at SRE 'cause that's actually a title bump. I think there was a Hacker News post about that a couple years ago. Quite a few years ago, but yeah, yeah.
John: At one point, it was a significant pay bump as well. If you had SRE, it meant that you were probably getting paid 50, 75,000 more than just writing software and those people had to be excellent 'cause they're cutting code, they're doing the operations stuff, they're automating and orchestrating all of it, and kind of had to be a wizard at all these different areas of expertise.
But yeah, some of that is getting teased apart it seems. The second article I had, actually another one from Hacker News, love reading Hacker News, go check it out, but it was actually from the NIH about caring for yourself while caring for others, specifically in the context of medical professionals.
And I always love when I see these kind of non-tech things pop up on Hacker News or just kind of catch some attention of the tech-minded people on the internet. But I found this interesting 'cause I actually have a background in medicine, I worked as a registered nurse for a number of years, and this is just so true.
I saw this in my own life working nights. The quote from it that I really pulled out was, "Caregivers often put their own health on the back burner. Research shows that caregivers are at greater risk of chronic health conditions such as high blood pressure, heart disease, and depression. That's why it's so important to pay attention to your own health needs."
And I think it's interesting from maybe the tech perspective, maybe Chad, I wanted to ask you what it maybe means to care for other people while caring for yourself from that maintainer perspective? You even had a great little quote in there, maintaining the maintainers. You can almost think of it for caring for the maintainers or finding ways to create space for those to care for themselves. Any thoughts on that?
Chad: Yeah, and maybe this is where I'll swing the pendulum back a little bit because a minute ago I was saying you can't expect companies to pay attention to all the maintainers which doesn't mean that nobody should be, and this is where I want to kind of emphasize that I see the open source foundations as critical to this role, to this care.
Because what I mean is there's the JavaScript community and there's the OpenJS Foundation. There's the Rust community and the Rust Foundation. There's the Python community and the Python Foundation.
And I see an opportunities for those foundations, the folks running those foundations do and should know the maintainers in their ecosystem and that I think is the place to kind of locate that community, and that care, and that kind of knowing each other and what we're after here.
So it is not that nobody should be paying attention. It's that we should locate that at the right place and I think FOSS foundations are the right place to do that to be a community together.
Brian: Yeah, I mean, I give to my 401K. I pay the Medicaid. It sounds like there's a world where we're like eventually we'll have the pledge today, but if I could donate 3% to JavaScript or to node getting faster, I think there's a world where we could check that box in the future.
John: Pre-tax, right?
Brian: Yes, pre-tax, I want the write off.
John: There you go.
Chad: Absolutely, a lot more to talk about there if you want to. (light music) You're stirring the pot. There's a lot more to talk about there.
Brian: Part two, part two, 2025. I imagine next October, I need more billboards.
Chad: Deal.
Brian: Excellent, well, Chad, thanks very much for coming on, talking about the Pledge, sharing some reads with us, and listeners, stay ready.
Content from the Library
Understanding Business Models & Defensibility in Open Source
First-Principles Business Models Matter for Open Source A key concern for open-source startup founders is defensibility–how to...
How to Successfully Fork an Open-Source Project
Why is Heavybit writing a startup guide to forking open-source projects? Because while open source has been an incredible boon to...
Open Source Ready Ep. #4, A Billion-Dollar Idea with Tobie Langel
In episode 4 of Open Source Ready, Brian and John chat with open source expert Tobie Langel about the critical issues of...