Open Source Sustainability

The status quo in open source is broken. Corporations profit hugely from open source libraries and give almost nothing back, which leads to burnout, which is bad for everyone.

July 1, 2020

As we round the bend into the second half of this most exceptional year, 2020, two things happened that affected me and my open source work: CodeFund announced they were shutting down, and social pressure forced Tanner Linsley and myself to remove the Scarf analytics service from our open source libraries.


CodeFund has meant a lot to me over the years. I was an early adopter, and the monthly revenue it generated – which has never been more than roughly equivalent to what my day job pays me for a single day of work – was really motivating. When I was 85% done with the MVP of Final Form, I was stalled for motivation, and seeing that I could potentially get some income from having another popular library gave me the stamina to make it to the finish line.

(That metaphor was not intentionally related to Final Form's logo, I swear.)

I still think that radio, television, the internet, social media, YouTube, and podcasts have shown us that making something that people want, giving it to them for free, but with ads, is a viable strategy for a producer-consumer relationship that works with how our brains make decisions. The eyes that peruse the documentation pages for open source libraries are very valuable to advertisers. Developers not only can influence decisions about which SaaS solutions their employers adopt, but are also, generally, pretty well paid and have disposable income to spend on gadgets and things.

In the future, I hope more companies like CodeFund spring up to offer themselves as middlemen between OSS devs and advertisers; I think there's still money to be conjured from this space. I think Microsoft, as the owner of both GitHub and NPM, is uniquely positioned to make a difference in open source sustainability via advertising.


Installing an analytics tracker in my open source library had never occurred to me before Avi, from Scarf, approached me to talk about it. The way it works is simple. Much like how this very webpage, totally unbeknownst to you and without your consent, probably caused your computer to download half a dozen (or more) little 1x1px gifs, allowing some unknown-to-you corporations to triangulate, using only the HTTP headers of those requests, where you are, what device you're on, and sometimes all the way down to your actual identity, including Scarf as a dependency in my library caused a single HTTP request to fire off whenever anyone ran npm install on a project that included my library as a dependency. Scarf would then determine the location of the request, only to the resolution of the country, and attempt to deduce if the IP address belonged to a corporation, and then record the name of the corporation and the country, discarding the IP address itself.

My initial reaction to this idea was similar to that of most developers I have spoken to about it. Eww! Gross! That's creepy to have a library reporting to some third party every time I run npm install. The implicit contract when I run npm install is that I expect my computer to go fetch some metadata and possibly published library code from NPM, and NPM only. But then Avi explained that the long term goal of Scarf was to then approach these corporations to request financial support, and it was a novel idea to the seemingly intractable problem that this post is about, so I consented to give it a try.

The results that rolled in over the next few weeks were stunning. Microsoft, Google, Amazon, and Apple were all using my library! It was hugely validating and motivating. ...but it also made more salient the fact that, between GitHub Sponsors and Open Collective, the library was receiving a grand total of just under $30/month in sponsorship.

In the end, I'm glad that I briefly had Scarf enabled as a test of open source analytics, to get a feel for that avenue of attack on this problem, but, unlike all the Silicon Valley behemoths that are gaining value from my library, I cannot, in good faith, continue to force my consumers to give up any information about themselves in exchange for using my library.

NPM has all of these analytics, but does not share them. I think Microsoft, as the owner of NPM, is uniquely positioned to make a difference in open source sustainability via analytics.

What is the value of Open Source?

For the purposes of this discussion, I'm going to ignore that, on most platforms, most of the code all the way down to the kernel is open source. Let's start at the web app level. You want to build a web application that can receive Hypertext Transfer Protocol requests and return Hypertext Markup Language. Personally, I'm old enough to remember when web applications were actual compiled executables (or scripts) in the /cgi-bin directory that did exactly that: listened to a port for HTTP requests and squirted out HTML. If you had to start at that level every single time, double-checking the HTTP specs, to design your web application, you'd never get anywhere. The reason the web even exists is that it has been collaborative from the beginning, with people sharing their code and having others improve upon it, like Science in Academia.

If I want to build a single page app to track COVID-19 data, and building that included designing a charting library from scratch, it'd never get done. But there are a plethora of charting libraries out there that people have spent many, many hours building and perfecting, just given away with no strings attached. And so, I can whip up my COVID-19 tracking app in a day or two! Am I stealing from the chart devs? No, of course not. They posted their code to the public square and let anyone have it. Were I a thoughtful individual, I might be so grateful for their effort that I toss them a $20 bill in thanks for saving me 200 hours of work.

Where it gets a bit more morally murky is if my virus tracking app starts making $1M in monthly recurring revenue, and if the chart devs stopped maintaining their library, I could lose $100K in revenue, and then another $50K in development time to migrate to another library or try to build one in-house. The incentives are out of whack. It should be in ViralCorp's best interest to make sure that the chart devs are well compensated and not going to burn out or lose interest.

In no other industry would such large corporations depend so heavily on single individuals for no pay. Can you imagine a car manufacturer that gets an important cog in the engine from a guy down the street who just really likes making these cogs and leaving them out on his front porch in a "FREE, take as many as you want!" box, and has no backup plan if the guy keels over or decides to start making another thing? The accountants and shareholders would be shouting "OMFG RISK!!" from the rooftops. And yet that is how the software industry operates.

To me, the value of open source is in the time that it saves all of us to get an app off the ground and working. That profitable corporations should give back is a bit like corporations paying taxes because they built their business on the roads the taxes pay for... oops, bad analogy... they don't pay taxes either!

Donations are NOT the answer

This is the current model, and I don't even think this obvious fact warrants an argument.

The Spotify Model is NOT the answer

Some people suggest some system where you can pay $X every month to "some arbitrator?", and then every library in your package.json with 75 dependencies receives $X/75 every month. This "by usage" model is how Spotify pays artists, and how Egghead pays its content producers. The problem is that this model incentivizes the tiny small utility, like the infamous leftpad, and disincentivizes complex logic that actually saves devs time.

Don't get me wrong; I love that I will never have to think about how to parse or format a query string ever again. I could write that function in a few minutes, but to write it properly with tests would be closer to an hour, and even then I'm certain I'd miss some edge case that I know for sure that query-string or qs has faced and addressed.

That said, a function that takes a string and converts it into an object does not deserve the same compensation as a complex calendar widget. I challenge you to find a website that doesn't contain some code from Sindre Sorhus. He deserves $1M in annual recurring royalties, but not $1B.

So if we can't divvy it up evenly, how?

There's the rub. I guess it would have to be by which libraries the devs that use them appreciate most. What I'm suggesting is that companies should provide their devs with "gift vouchers" or some sort of credits for them to distribute to open source libraries. Open Collective already supports vouchers, but I don't see why the GitHub Sponsors program couldn't create "GitBucks" or something. I think Microsoft, as the owner of NPM and GitHub, is uniquely positioned to make a difference in open source sustainability via gift vouchers.

Licensing is NOT the answer

A startup approached me recently, offering to handle all the recurring billing and access restriction for me to have two versions of my library, one free and open source, and a second one with more features that required a license to use. I listened to their spiel intently and then pointed directly to the Emperor's exposed genitals: "Who enforces this?" Their answer was, "Yeeeahhh, well.... it's up to the library consumer's internal legal team to remember that they have to pay you, which is why we only expect about 2% of your so-called 'paying' customers to actually pay." Wow! Roll. On. The. Floor. Laughing!

If I switched from MIT to GPL tomorrow, 80% of people wouldn't notice, 19% wouldn't care, and the remaining 1% would dump my library and migrate to another free one with a slightly worse API and larger bundle size, and yet, 100% would hate me. Open Source Licensing is a joke, at least as it currently stands. I wonder if Microsoft, as the owner of NPM and GitHub, is not uniquely positioned to make a difference in open source sustainability via licensing?


It doesn't take a report from the Ford Foundation to see that the status quo is broken; it sucks for the little guy, and it sucks for the corporate capitalist that's taking advantage of him even if they don't know it yet. I don't really have a solid course of action to suggest. I guess it's about awareness raising and asking your boss for some funding to go to libraries you use; you can frame it like insurance: you hope there's never a disaster, but you pay a little every month so that, if/when the disaster happens, it's not so bad. If anyone can think of a corporation uniquely positioned to help fix this problem, let me know.


© 2023 Erik Rasmussen