2024·07·03 · 48:44
Keynote: Sustainable open source is the future
This is a WordCamp Europe 2024 keynote I gave with Juliet Reinders Folmer on the long-term sustainability of open source. Open source software has been around since 1953, and for most of that time contributors either got paid through their employer or simply lived on less. We argue that this model is reaching its limits, and that several major projects nearly dying or being abandoned in 2023 is a symptom of that. I cover how to think about funding open source as a business investment rather than charity, how to make the case to finance teams, and what we are actually buying when we fund an open source project.
0:07 Good morning. My name is Remkus, I'll be your MC for today, or at least this morning. We are all here today because we love open source. We're opening WordCamp Europe 2024 with a keynote that is near and dear to my heart, and I suspect near and dear to your heart as well. This keynote is presented by two
0:38 giants of the open source community, and I use these words very lightly but also very heavily, because they are giants. This keynote is also presented by two giants in the WordPress community. Juliet Reinders Folmer is an opinionated, passionate powerhouse with a very, very prolific portfolio of contributions to various high-profile open source projects. You will have used her work whenever you were doing
1:10 something with WordPress. Joost de Valk is the founder of Yoast, but is now an open source investor, or an investor into open source, however you would like to see it, with Emilia Capital, together with his wife Marieke, and he still develops open source software himself as well. Everyone, please welcome Joost and Juliet to the
1:45 [Applause] stage. Thank you for this introduction, Remkus. Yeah, now for us to live up to that. We're here. Are you all in, ready for WordCamp Europe? I didn't hear you. Good, right. So we were talking about regex, weren't we? Yeah, regular expressions, is that what you're all here for? No? Okay, okay, no, we're going to talk
2:17 about open source and sustainability, and maybe we should talk about why we are talking about this. Well, I've been working in open source for about 20 years, probably more, and a lot of the time I lived under the social minimum. I didn't make any money off it, but had a great life because I enjoyed what I did. So my story is probably the opposite. We did make some
2:50 money, but we're not going to talk about money that much, are we? No. I mean, while we come from different sides of the spectrum, we both see a problem with open source at the moment, and it's a problem which I think a lot of us see but which is not talked about, and that's why we want to talk about it today. So we're not here to appeal to your wallet, we are here to appeal to your business sense. That's what we're going to talk
3:23 about for the next, well, I hope, 40 minutes or longer. It's good to know that open source is old, older even than we are. Oh yeah. The first open source software was released in 1953. This was people buying mainframes and getting the software along with the package. They paid for those mainframes and they paid for the software which was on those mainframes, and they were allowed to contribute to it and send those contributions back to the
3:56 creators. So these were the people that started thinking about open source. Actually, if you see on these slides, this is Eric Raymond and Bruce Perens, two of the founders of the open source community, and they talked about open source and they were solving for sharing information. They were not talking about money, no, they were talking about collaboration, making things better for everyone, so everyone could benefit if you fixed
4:27 something and you didn't keep it for yourself, you just shared it with people, a community. Yeah, these people had jobs and were paid. Money was not their issue. They were thinking about the four freedoms of the GPL. Yeah, but those freedoms were about freedom, it wasn't about free as in money or beer. Yeah, it's something insidious in
4:59 the English language that those two words, freedom and free, are so close together, and people get confused by that. Freedom is not the same as free. So all of this was happening, and open source was very much an academic thing, and then it became the foundation for so much more, literally everything. I mean, imagine
5:30 for a moment, and I'm serious now, imagine for a moment, look around you, what would happen if, with a click of a finger, open source would stop to exist. Think about this. Of all the people here, I think 80% wouldn't be here, because planes wouldn't fly anymore, cars wouldn't start anymore, trains wouldn't ride anymore, and even if your car did start because you have a really old model, your GPS wouldn't work anymore.
6:04 So imagine a world without open source. People don't realize how pervasive open source has become. Over 90% of all software is now open source, and it's not just your computer, it's not just your phone, it's your kitchen appliances, it's your dishwasher, your Philips Hue or whatever lights you have in your home, it's everything. It's that chip in your bank
6:37 pass. So as this was happening, something went wrong. We started relying on all this open source software, but we didn't really solve for the underlying problems of how to maintain all that in the long term. Basically, a lot of companies thought, oh, freedom means free, so let's just take this software and make a [ __ ]load of money off it. That's called exploitative capitalism. Remember that term, because
7:09 it's real. The quote on the slide is a real reply I'd gotten at some point after someone had proposed to fund a couple of projects, and this was the reply from, you know, one of the six-, seven-figure CEOs. My response to this is quite simple: supermarkets still don't accept the gratitude of the community as payment for my
7:40 shopping, nor does your landlord or your bank for your mortgage. This is a problem. So sustainable open source is not something that we have, it's something we have to create. And when talking about sustainability in terms of open source, we talk about the resources we use, and in open source software the resource we use the most is
8:12 humans, it's people. And the weird thing about all of this is that then you get what Juliet very aptly calls the maintainer's paradox: sometimes things just work. The thing about that is, when things just work, people do not think about it. You know, any software you use which just works, you forget it exists until it tells you you've been doing something wrong. But then when something doesn't work, even if it's only a tiny, tiny, tiny
8:44 part which doesn't work, you start complaining and you don't want to fund it. So when things work, you don't think it needs funding; when things don't work, you don't want to fund it because it doesn't work. And the problem we see is that we're getting older, and we're not that old yet, I mean we're very young, right, but there's no new generation stepping up yet to take over these
9:15 projects and to start helping with the maintenance, not enough in our opinion. Yeah, and we're reaching the point that, if we look at the next 10, 15 years, a lot of the original maintainers of open source are reaching pension age, and at some point they do want to step back. We need the next generation to step up, but they don't want to do it for free.
9:46 And to explain to you how pervasive this is, maybe we should give you some examples of where it goes wrong. So how many of you have ever heard of the xz backdoor? I see a few hands. I'm not going to go deep into it, please go Google it, but basically this was most likely a state-sponsored attack which could have had an effect worldwide, and it was caught by one
10:17 person, yeah, noticing a tiny performance decrease. So it was accidentally caught just in the nick of time, and these are attacks which build on the fact that a lot of open source maintainers are overworked, unpaid, need help, and if you then add social pressure, like literally social engineering pressure, to add more maintainers, something like this can happen. And this was more a several-year
10:49 plan, two, two and a half years, to get this attack in place. This is an orchestrated attack on open source, but it's happening, it's happening now. There are also examples that are a bit more, dare I say it, stupid. This is left-pad. If you're a developer, you know what this does: it adds spaces to the left of whatever you're outputting. This was used in so many
11:20 programs, and then the developer decided to take it away, and a lot of dependency trees everywhere broke, because people used this and the developer was like, I'm done. Now this is not going to happen that easily again, because safeguards have been put in place, things have been learned. All the same, why shouldn't that person have the
11:53 right to quit? And I don't know whether anyone knows the person in this slide, recognizes them. Anyone here? I can see two hands. This is the founder of PostgreSQL, which is an awesome database. Luckily the Postgres project by now has a pool of maintainers, and the fact that this person died did not kill the project. But we can all think about things like this in the abstract and think, like, yeah, but this is happening
12:24 elsewhere, this doesn't happen to us. We've seen people dying in the WordPress community, and let's make this real. How many of you use the WordPress coding standards? Okay, that's about half the room. All of you who use the WordPress coding standards use the Composer PHPCS plugin. I'm one of the maintainers of that, and luckily we're with a team of three. I say three, but in reality we're now
12:57 two, because one of us has been diagnosed. This is real, this is happening. And what makes it even more painful is that the only reason I know about this is because the other two maintainers know each other in real life and we have off-GitHub contact, because it's not really the kind of thing you put up an issue about, like, by the way, I have to stop maintaining, I have a brain tumor.
13:30 So something like this, people can just fall away, drop away, and you wouldn't even know it's happening, because there's no way to communicate about this in the usual way. And this is just the tip of the iceberg, this is the stuff we see and now hear about. Every dependency we have as the WordPress project has dependencies itself. Funnily enough, I'm not even
14:01 worried that much about WordPress itself, I'm worried way more about all the dependencies. Let me give you an example. This is a non-exhaustive, simple view of a couple of the dependencies that WordPress has. This is literally me going into the source code and looking. Okay, quickly, this looks like a lot of dependencies already, and you might already see things that you've never heard about, but the thing is that this tree is actually way
14:34 bigger, and we could do this forever. Like, I could make this thing go on and on and on and on, and we simply lack the time. Yeah, it's basically like, you know, those videos where they zoom in on the sun and then zoom out, zoom out, zoom out until you see the... There's this famous XKCD comic. The funny thing is that the project that
15:05 someone has been thanklessly maintaining in Nebraska is actually something we rely on with WordPress as well, because it's ImageMagick. But the reality is that, in my opinion, this cartoon is wrong. You see that one little block which everything depends on; in reality it's a thousand little blocks, and all of them as little as that, and all of them, you know, single-maintainer or few-maintainer projects, and if any of them get knocked
15:44 down... So we need to make open source more sustainable. And when I was making this slide, Juliet was sitting next to me and she said, this is not about green sustainability, so maybe this is not the right image. But maybe it's good to explain why. Yeah, and explain what the Cambridge Dictionary actually says about sustainable. Yeah, so I'm moving this way to make sure I actually quote the dictionary correctly. The dictionary says: the quality of being able to continue over a period of time. That is what
16:17 sustainability means. It basically means something. So what does sustainability, or sustainable, mean in the context of open source? Let's talk about it, let's go through what that means to us. First we have the bus factor. Everyone knows what the bus factor means? Not that many people put up their hands, so I'm going to explain it anyway. Basically, how many people do you need to
16:48 put in a bus, that if that bus crashes, the project or the company is dead. If the bus factor is one, or zero, you have a serious problem. If the bus factor is 200 and you need several buses, you don't have that much of a problem. So Juliet can talk about this, because she is the bus factor of one for quite a few projects that we all rely on. This has related things: who
17:21 has the keys to the castle? If that bus happens, who can take over? Is there someone else who has admin to your repo? Is there someone else who has admin to funding platforms? Is there someone else who has the access to change the DNS of your domains? Just some examples, the list is not exhaustive, but there's far more to go through. One of all of our biggest dependencies is PHP, and the PHP Foundation was actually
17:52 created with a problem like this in mind. Exactly. And basically, at some point we reached the point that there were basically two persons in PHP who really, really, really, really understood the internals, and one of them had said, I'm leaving, and that's when the PHP Foundation was created, to help fund maintainers for the PHP project. But it's something to think about. We are not the only project in the open source community that relies on
18:23 PHP. The fact that we've reached the point where PHP is two people maintaining the thing should be... Well, to grow the maintainer pool, you first have to make sure your project actually is inclusive, is welcoming to new contributors. I mean, if it's a company project, or a project which is largely maintained by a company, that might be difficult, because you use internal processes; it's not as easy for
18:55 someone from outside to step in and actually start contributing. Then again, if it's a company, and that company consists of multiple people, you might have some safeguards in place already. However, if you're not a company, it can still be, you know, a small group of people who do things via back channels. Make sure you open it up, make sure there are good first issues, make sure you show that the project is welcoming new contributors. This is why I'm not as worried about WordPress
19:27 itself as I am about the dependencies, because you all are a lovely bunch and we are usually very welcoming to new people. Definitely gotten better over the years. Absolutely. If you want new contributors, though, you have to also be clear about your expectations. Yeah, what are the quality standards you expect people to work with, what are typical issues they can start with, what are your expectations of
19:58 contributions to the project? Have you got a good contributor guide? Have you got good quality standards automated in place so people know what's expected? It is at that point also actually important to respond in time, and to find a good balance between, we'll get to that later, having a life and actually responding quickly. I have to say, yesterday during Contributor Day I did a pull request on Jetpack, and it was
20:30 merged within two hours of me doing the pull request, which is quite unique. This doesn't usually happen very often: you do a pull request or you start an issue and you can wait. But the thing is, it's a balancing act. On the one hand, the maintainer wants to, well, often wants to look at your pull request; on the other hand, they need to find the time, and
21:01 they may have other commitments, other paid jobs, and don't have the time to look at it immediately. But for a contributor it's very discouraging if they have to wait for six months to get a response, or even a year. And yeah, I do have pull requests open for more than a year. I have Trac tickets that have been open for eight years. I mean, you probably do too. Yep. At the same time, Juliet is here now, so she can't respond to tickets
21:32 being created today on PHPCS. There is this reality where we all have to find balance. A public roadmap is also very important, but it's also scary. Yeah, you want people to know where you want to take the project, so as a maintainer you need to show people the road you're taking, and that leaves room also for them to come up with ideas which fit into that roadmap. At the same time, you need to also be
22:04 careful not to over-promise, because it's easy for people, when you publish a roadmap which is really ambitious and is multi-year, to then get really disgruntled when you don't live up to it. When you accept new maintainers, you also want a bit of a growth path for them. Yeah, you want to be clear on, hey, if you start contributing, what would we need for you to become a
22:35 maintainer? And when we talk about maintainers, in the whole talk we're not just talking about code maintainers and code project maintainers, we're talking about maintainers in the widest sense of the word. That can also be a documentation maintainer, it can also be a community maintainer, it can also be a marketing guru who helps the project get in the spotlight. Maintainer does not necessarily mean code, so the growth path can be all sorts
23:06 of things, as long as it's within that field which you're a maintainer in. And at the same time, as we do all this, we have to keep in mind work-life balance. There are many, many things in which I would encourage you to take Juliet as an example; this is not one of them. I have no life, do not be like me. But it's good to realize that the people that are maintaining these
23:38 projects, that these are people, and you have to also realize that as the project gets bigger, it's very lonely at the top of a maintainer tree. The buck stops with you. You carry the responsibility, and if you take the wrong decision, it will damage the project, it might damage you. If you correct quickly, then it might not damage it, but in the end that
24:09 responsibility is yours, and unless you have a multi-maintainer project, it's very lonely to take that responsibility on. So as we do all this, one of the things that's very important, and something that I think we've actually done very well in WordPress, is a publicly documented release process. You have to actually know, if you take over, how to release the software. Who here has ever joined a WordPress release
24:42 party? More of you should join the WordPress release party. I really, really urge you to join, even for a minor version, just to follow the process along. Go into the core channel, see what happens. It is one of the most glorious things to see when you're in the WordPress community, to just, in a Slack channel, see everyone go through the rhythm and test and do all the steps that are needed, and it's
25:18 At the same time, a release process isn't the only thing to document. You can also document things like: do we accept applications, and if so, when? Or when will we drop support for a certain PHP version, or when will we drop a certain dependency? If those things aren't documented and are decided in back rooms, it makes the project a lot less transparent. And this is where we talk about
25:51 money. There's a very big difference between someone who's fully funded as a maintainer to work on something, and projects that have no or too limited funding. You know this all too well. Juliet has been doing this for a long time, and well, as she said, she was on or beneath the social minimum for a long time building projects that we all use. And at this moment, there are still some projects fully funded which I contribute to, some projects partially,
26:22 and some projects not at all. So how can you help? It's not necessarily about money, but it could be one of the things. But how do we find out where to help? Well, the first thing to do, if the project has one, is look at the contributing guide, or look at the documentation to see if there's an on-ramp for contributing, or if there are particular things the maintainers ask
26:53 for help with. If those things don't exist, what about just asking? Yeah, why not ask. Open a ticket and say, I'd like to help, what do you need? And I'd want to urge you to look at your own dependency tree, at the things that you use in whatever it is you do, and which open source software is part of that, and which ones you can help. And it might not always be the most obvious ones that need help, so look a
27:24 bit deeper, look at all these projects, and look at who is behind this, especially at those which you normally don't think about, because WPCS... Adding a funded contributor to a project can often be a good idea, but it can also be hard. The thing is, if there is an overworked, underfunded or unfunded maintainer, and you say, okay, I want to
27:56 help the project as a company, so we're just going to put someone on that project and let them contribute to it, you are now basically overworking that maintainer even more, because that maintainer is now basically expected to train your employee for free. So yes, please ask them whether that's the kind of contribution which is needed in the project, a new contributor, or if that's only welcome in combination with funding, because the funding might allow
28:27 the maintainer to then actually review those PRs. Overworked. So we've had nine topics so far, and eight of them are the responsibility of the maintainer in some way. Money is only one of them, but it is the one that outside contributors can help with most easily. It is also the one that facilitates more time for the other
28:58 eight. And some of you might now say, hang on, but Joost, you built a successful business around your open source project, shouldn't all open source maintainers do that? Well, A, not every open source project would do well as a business, and B, not every open source maintainer also happens to have come on this Earth with business skills and all the
29:30 other skills required to actually build a company. Every minute an open source maintainer needs to spend on building a business is basically time which is being cannibalized away from the open source project. And if they do build a successful business around the project, nobody's funding the open source project except for their own
30:05 relationship. So this only truly works in the long run if every company contributes and resources are divided in a meaningful way. Yeah, absolutely. I mean, in WordPress we have the Five for the Future project. Yes, which is awesome, except, yeah, again, how do you contribute your 5%, and where and how and what? And there are definitely companies, and I'm just going to call one out here but there are definitely more, like Automattic,
30:36 which actually take their responsibility and take it seriously. They do really contribute to open source in every single way they see fit. But we can't just look at Automattic to solve this for you. If all those companies are making money off WordPress and off the dependencies of WordPress, why should one company take the responsibility for all of it? That's not healthy. Again, when we're talking about this, I think it's really good that we realize
31:10 the size of the market we're talking about. I think people don't realize what these numbers actually mean. 3,000 people here is a lot; it's also like one hundred-thousandth of a percent of the users we have. We're not talking about thousands of euros, or hundreds of thousands, or millions, we're literally talking about billions of euros being
31:43 earned with WordPress. And a lot of these companies have very healthy margins, and you might go, hey, I'm not making that much money, and others might go, yeah, we do that, but without giving back to the software that this all depends on, we actually, well, we have a problem. Your business is built on quicksand. So who should we be giving our money to? Good question. If I knew, and if I
32:14 could solve that one... There are a lot of open source projects that need help, and the fact that long-standing contributors to open source, people that we both have known for years and years and that have been doing a lot of work, are still looking to get funding and can't really realize that, is on all of us to make sure that we fix that. And it's painful to see, because these are the people we all
32:46 rely on, and they have to fight to get funded. Why should they have to put in that effort, while that effort and that energy could be better used actually making the open source project better again? So luckily we are not the only ones talking about this. There are companies like Tidelift, thanks.dev and even GitHub Sponsors, yes, correct, that allow you to
33:17 look at your dependencies and find the projects that need help. Unfortunately, this doesn't work well with WordPress, because WordPress, well, doesn't use Composer the way it's supposed to be used, etc. Yeah, there are small, tiny problems. Yeah, but it's still a better starting point than not. And this is where we want to talk about, okay, so how do we talk about this in companies? Companies often throw this
33:49 sort of funding of open source under corporate social responsibility, which is also, unfortunately, the thing that gets cut first when, well, margins are thinner. And that doesn't really work, does it? Definitely not if you're the WordPress contributor who gets cut. So we've talked about Five for the Future for a bit. It is a good way of thinking about it, but it's also, maybe
34:21 it's time we give you a lesson on how to CFO. One thing that you are always talking about is that we should change the wording. Yeah, if we talk about donations, if we talk about sponsoring, we're basically talking about giving away money. That's not something a CFO wants to hear. If we just change the wording to funding, that's already a different proposal. Vocabulary, words, mean a lot, and
34:53 they carry meaning, they carry weight. Funding is perceived completely differently than donations. So that's the first step, but there's more. The harsh reality is that your dependency tree is a house of cards. The tree that we always use to display these things is probably the wrong thing to display it; it looks way too stable. Basically, if you knock over one
35:24 of these cards, everything falls down. Imagine, and tell this to your CFO, tell this to the CFO of your customer, imagine if one of your critical dependencies would suddenly stop. And yeah, there may be 100 forks who try to continue, and then they'll still die in a year's time. If you need to replace that dependency in your whole stack, the sheer effort, the sheer money needed to refactor your complete
35:55 application might bankrupt your company. This is what we're talking about, this is the house of cards. So you basically have an unmitigated business risk, and this is language C-suite level people understand. This is what you should be talking to your CFO and other people about: we have unmitigated business risks, because we don't know that our dependencies will actually keep on working. And as soon as you turn it into that recognizable shape for
36:27 them, they can also start to think about how they mitigate their other unmitigated business risks. And this is where Juliet and I have fierce discussions on how this should work, because Juliet likes to talk about it as insurance. Basically, the way I see it is, if you have, like, a company building, you insure it when it's not on fire. If you use open source and your
36:59 business relies on it, depends on it, builds on it, needs that to succeed, you fund open source when it's still working and being maintained. Same as with an insurance policy, you have no guarantee that there will be a payout or that the project will continue. Same as with an insurance policy, it does not buy you a seat on the board of directors of the insurance company, so it doesn't buy you influence in the project, but it buys you a much
37:31 bigger chance that the project can successfully continue and be future-proofed. So this is where it shows that, A, I'm a socialist and, B, I'm a European, because I think that we should solve this with taxes. Unfortunately, we still don't have a good global government, so, yeah, I know, the Star Trek world I want to live in really doesn't exist. But there are good examples of this happening already.
38:03 Germany started a Sovereign Tech Fund to fund open source. Unfortunately, Germany is just one country. It's a pretty big one, but we can't rely on that one country to fund open source for the entire world. But taxes are the way I think about it, because taxes are what we've used throughout the world to fund the maintenance of a common
38:36 good, which is what open source is. And well, maybe we have to get creative, and this is actually to a degree what we ask of you: get creative. For now, each company has to step up individually. Maybe at one point we'll get to do a presentation like this to the European Parliament and fix that, who knows. Please reach out to us if
39:09 that... So basically we're near the conclusion. If someone can please explain this to me like I'm a... This was very near to actually happening in a much harder way, and people realize the European Union was very close to actually having laws that required QA and security protocols for
39:42 every software solution out there, which we just can't have as open source communities, because we're not that professional and set up. Luckily the WordPress Foundation, together with Drupal, Joomla and other foundations, worked on it and that law got changed, although it still got stuff about vulnerability disclosure programs that you need to have for your open source program that are actually not necessarily easy. No. And think of it this
40:14 way: an unpaid, overworked maintainer would now in some way have to find the funding to defend themselves in a lawsuit about not complying with the European law, which is actually in violation of their license. Excuse me, making laws like this which will put people on trial who don't even get paid, let alone have the funding to defend themselves, there's something so...
40:52 So maybe we should talk about this differently. Maybe, we had this idea as we were discussing this, we should make our hosting companies our tax collectors. Every WordPress install out there is hosted somewhere. If every hosting provider would put some of the money they earn on the hosting towards the open source projects which are run on their servers, that would be great, would be a good start.
41:24 And not just WordPress, also Joomla and Drupal and Laravel and Symfony, all of it is open source. But we're not going to solve this; we'd love for you all to help us figure this out. So our challenge for you during this WordCamp is: please keep talking about this. Start, you know, in the coffee break, during lunch, start talking with each other about this subject, start brainstorming, start thinking about
41:55 creative ways we can actually fix this, because if we do not fix this, we will have a serious problem with open source in 10, 15 years. So we need to start the change now, and it's up to us to start that change. It's up to you to help us start that change. And with that, good [Applause]
42:28 luck. Thank you so much. We have a little bit of time for questions. We have two microphones, to the left of me and to the right of me. Question? Sound? Can someone turn this mic on, please? Can you turn on the mic? Hello friends. So thank you very much for what you have shared so far today and the inspiration that you
42:59 have both been um I am so thankful that you are speaking so publicly about the need for a lot of this one of the things that I have been doing so behind the scenes I help make possible some of the funding that Juliet is receiving from my employer as well um and I want more data to be able to provide you know why we need to continue this work why we need to continue funding open source one of the other areas that I have started contributing to outside of Wordpress is related to esbon and for those that don't know that means
43:32 software bill of materials I'm wondering in the open source world so a software bill of materials basically does the dependency chart if you go into GitHub and look at the dependencies of the open source software it lists this big long Json file for you of all of your dependencies have you found tools or other open source projects that are really making it visible the dependencies that we have Upstream so all of our languages all of the little tiny libraries like why can't we upload
44:05 our plug-in zip files this week or why is the email not going out have you found a way to see more clearly than just that big ES bomb and our other projects elevating kind of what else they're dependent upon well we mentioned tight lift and S Dev which are both projects and and also open uh get up sponsors which all use that dependency tree that that stack to help you find the projects to fund but it isn't very visual it isn't very graphic I agree there's definitely better tooling which
44:37 could be built there so if someone wants to open source a project and do it please do thank you Julia I'm not going it are there any more questions I'm sure you have some so don't be shy walk up to the mic hi um well the part about uh the fact that you said money is useful great thanks for that realization second thing
45:08 I liked was the fact that you said you need our help to figure this out. The first thought that came to me was, I live in India but I walk around in Italy as a local by using an app, Google Maps, and if Google came to me and said can you pay me a dollar for the entire year, I'd say yes, thank you, because you're making my life so easy. Then if it says pay me a dollar a
45:40 month, I'll be very happy, and that's about it. License the damn thing, what's the problem in licensing? The problem in this is that most open source projects aren't the frontend, user-facing interface on your phone. You don't have to license it to end users, you have to license it to the people who use it, and they'll be happy to pay a dollar or whatever the reasonable number is, and the whole problem will be solved. We'll have a much bigger conference next year. Let me, well, having built a company that has
46:12 software that's used by 13 million-something users and seeing that about 1% of them paid for it, that's the harsh reality of licensing. And the other part, people are not willing to pay, and the other part is people just don't even realize they're using open source. They're so used to surveillance capitalism, where people are used as the product, everything is free, you are the product, we'll sell your data, that people can't even imagine that open
46:45 source does not collect your data, that open source does not sell your data, that open source is not making money. It just doesn't come up in people's minds to realize that. Thank you. Thank you, it's loud. Do you have one question? That will be our, please keep it brief. I'll try to keep it brief.
47:17 Fantastic talk, really enjoyed it, got into areas where we don't often talk but are very important, and tax is very public. Okay, what do we need to do to change the way that WordPress as a community engages with other open source projects in the community? And I say this in the context of someone that, I've done MozFest and this is great and it's very, very different to Drupal events and then Linux events and Apache
47:49 and stuff, but it feels like we have to come together to make this work. So what would be good next steps? Well, step one is for you all to go to not just the WordCamp but something else for a change, spread the word. I mean, I love WordCamps and WordCamps are very good, but I agree with you, we should talk to more people and we all should be in more of these
48:20 communities, and there's relatively few of us that actually go to other things, although it is getting bigger. But yeah, it's important that we do that, I agree. Unfortunately we have to cut it off now. Thank you so much, Yoast, Juliet, thank you all for listening, and