How'd you like to listen to dot net rocks with no ads? Easy? Become a patron for just five dollars a month. You get access to a private RSS feed where all the shows have no ads. Twenty dollars a month, we'll get you that and a special dot net Rocks patron mug. Sign up now at Patreon dot dot NetRocks dot com. Hey, welcome back to dot net rocks. I'm Carl Franklin at Amateur Cable, and we're here doing the thing with the stuff. You know what, we like it. I think I might make a write a song called
the Thing with this Stuffing with the stuff. It's just so so useful in everyday conversation because you know, it's just what it says, is you know that whole context, the thing we've been talking about lately. Yeah, that's what I'm doing.
The thing that's the thing with the stuff and the stuffy. Definitely need them both. Yeah.
Now, if you just walk down the stairs in the morning and say you got to do the thing with the stuff, now there's a problem because there's no context.
But if we've been there yet, all right anyway, so you put just fully in the bit, right fully how are you man's puppy. You know, she's a chaos monkey. She's head there and you but uh, you know it's very good. Yeah, I'm not. You know, I'm not unhappy to have a dog around. I didn't need to have a dog around.
Of course you're not.
But most people will know that animals adore me, and this one does too. So yeah, we all get along just fine. We'll see, you know, with the grandchild coming up. You know, we got a bit of a hurting dog here. My goal is that this dog annoys the grandchild so much because won't let her near the ocean. I want this kid to say, Grandpa, Joe, Joe won't let me get near the ocean, And I'll say, that'll do, dog, that'll do. All right.
Well, let's roll along right into better no frameworks awesome. I know we're talking about open source today, but I found a GitHub repo that is trending and it turns out this is kind.
Of a hub who uses get hub.
Yeah, I know this is actually on GitHub marketplace, so it's not really an OSS thing, but it is on GitHub and it is trending. And I noticed this because when I looked at the list like translation systems seem to be very much in demand right now.
Yeah, you know, especially with a on the new LLM tools are just tokenization of language has led to better translators without a doubt.
Yeah, well this one is a little bit different. So this is PO editor, and it does have a free version, but then you got to pay for more use, right, So it's a sort of a try before you buy kind of thing. But here's here's what it is, and I'm just reading. It's a PO editor is a highly scalable translation management system and localization platform. So it's an online collaboration environment for the entire localization team. But you don't need a team. So here's how. There's a couple
of options of how you can use this. You can assign translators to specific languages by adding them as contributors. You can crowdsource translations from your community using public projects because it integrates with GitHub. You can order professional human translation services from one of their partners, or you can use machine translation or any combination of those things. And so it supports all sorts of different file formats.
Which is what you need, right. You want all that all that text, all that sourcing in centralized formats, so it can be swapped out.
Right or even in multiple formats. If you have a dot net application, you have something that doesn't read Jason, it needs to read Angular XMB files or something.
You're making iOS and Android and you want to do translation as well. Those are different file formats. Man.
Yeah, yeah, that's right. It even supports any files. Oh boy, how about that.
I don't know. That is a good thing. But okay, I don't know.
I don't know, Rob, how do you feel about any files?
I have a custom XMEL format that I remember we did work when I was in office to make sure it could ship over to Ireland where we did all our translation and come back. So I hope that they have access to or have the ability to support WXL files because that's what we use for all our stuff.
I don't let me look down the list. I don't see WXL files.
No, I don't see WXL. I means it.
I see XML files, but I see XML, but it's XML.
So most people be like, yeah, this parts translated, this parts, and ID go.
Yeah, nice.
Well anyway, so that's where it is, and right on there you get it for free. You can get three thousand strings and then medium projects and premium and enterprise. You can go all the way up to a couple of files a year. So that's awesome. That's it. It's just interesting. How you know these two, this one and the one I showed last week, we're right at the top of the list of trending GitHub projects.
Interesting.
So well, that's what I got. Richard, who's talking to us today.
I'm going into the wayback machine here and grabbing.
Yeah.
Rob's first show, the one we did back in March at twenty twelve, episode seven four seven, so only twelve hundred episodes ago or so. Wow, talking about the Wicks tool Set, which had a ton of comments on it, really like sixteen eighteen something like that. Yeah, and one of them is from Timothy Klink in a mid at least from thirteen years ago.
Oh wait a minute. We should differentiate between WIS the popular web development environment. I know Rob is shaking his head like, oh my god, these guys ruined my life.
Yeah, who stole your name? Man?
And but WIS that Rob did is a set of tools for building Windows installation packages.
The Wix tool Set is what we call it to avoid all the legal problems there, right, Yeah, may or may not exist that we have never investigated. No never, never, help don't want to under We call it the Wicks toolset, and then you could call it Wix and all the lawyers at Microsoft HILP come toool it that way back when.
Yeah, there you go, all right, so sorry to interrupt.
So that's all that problem. So, yeah, it was an installer. And this is what exactly where Tim clinkwaed where you said this is a great show. I was doing a lot of nodding during the discussion. And how still today many people dismiss how critically important a good installation package is. It's all about the first impressions. The user's first impression of your app does not begin when they double click the desktop short top of the first time begins when
they double click set up XM. I was reminded of his story a long time ago about an applicant to Harvard Paper clipping a dollar bill to their application along with a short note. The note requests of the reviewer go get a donut, take a break, relax, and get into their happy place before they read the application.
That's great.
A good installation package is like this. It's a dope. It we'll set the user's mood to frustrated or happy place prior to them clicking on your applications debtstop icon for the first time. Legit absolutely and that's an old comment, too right. It's an old comment. It is so right. It's still writes today by a mile. It's still true, Tiffyth. Thank you so much for your comment. In a copy of music, Coby. It's on its way to you. And
if you'd like a copy of music go buy. I write a comment on the website at dot at rocks dot com or on the facebooks. We publish every show there, and if I comment there and every reading on the show, we'll send you copy music to go buy.
And you can get music to Koby music to code by dot net and that is a u r L DNS entry, so don't put hgdps in front of it. And that brings you to another place where you can listen to a sample and get track twenty two or
the entire collection rob before we get started here. When Richard was reading that, I was reminded of Mark Miller's new invention that he unleashed unveiled on Mondays, which was called the install Buddy and so the install buddy, when you're running an installer, it's in the background and it's just clicking next, next, next, next, next, next, next, next, finish.
That's awesome.
That's awesome. So I have a rebuttle to that if you care.
But yeah, sure, why not.
I appreciate the sentiment one hundred percent, And we actually talk to our customers a lot about minimizing the amount of input that you have to put in install Again, first impression, let's get to the product. That's where they want to be. They want to get past your progress bar and to the end. So to that point, I one hundred percent agree. Fortunately, the industry has definitely been moving that direction. Like app installer now is just one button.
But at the same time, a lot of customers that I work with are large organizations with very large and complex software, and you're not going to next, next, next your way through it. There is complex information you have to provide up front in order to configure it. So there are different worlds, and we see all kinds in the insulation space because we see all software in the
slation space, which makes it interesting for me. So yes, I totally get it next, next, next, except when you have some really heavy software.
Well it was. It was a joke, so it was funny, a funny joke, but it did hit all right, So let me introduce Rob.
Did you want to do nineteen forty eight?
Yes, I do want to do nineteen forty eight before I introduced Rob officially. Okay, because this is episode nineteen forty eight. We have been doing this lately. We go back in history and see, you know, try to summarize what happened.
Pretty much till we once we got in the nineteen hundred's, the history part came more. Yeah. Yeah.
So nineteen forty eight was a pivotal year several major events, including the assassination of Mahatma Gandhi, the declaration of independence for the State of Israel, and the start of the Arab Israeli War. It also saw the beginning of the Berlin Airlift, the US establishing the Marshall planted as I said last week, to aid post war Europe and the United States. It's recognizing the state of Israel, which was it happened at the same you know, in the same year.
Also in the United States, President Truman signed executive Order in nine to nine to eight one ending racial segregation in the United States Armed Forces. Do you have anything to add, Richard.
The land Camera, the Polaroids and Camera nineteen forty eight, No kidding. Yeah. For Canadians, the Davelin Beaver, the DHC two. This is a prop plane float typically float planes, the ultimate bush plane and I flew on one like a month ago. It's called the Beaver. Yeah. Wow. Of course in the dash too. Uh and it's like it's a legend, just an unbelievable machine. Wow. Only made for until in
nineteen sixties, still flying today. And finally, because it is a tech show, so let's talk about the men Chester Baby, which was one of the very they arguably the very first electronic quote stored program computers coming out of World War Too. There was a lot of computers being built, but this was a computer that could actually store a program within it and execute that program. It added thirty two words of memory of thirty two bits each for a total of one twenty four bits.
Wow.
Good Lord, and the Baby was the test bed for the Mark one, which eventually became what they called the Manchester Ferrante, which was the first commercially available stored program computer in the world.
Also the first Canadian land cruiser was called the Moose Nice and the first Canadian boat was called the Otter and then the sister submersal submersible. Anyway, I kid, you're making this stuff all right, So let's now let me finally introduce Rob Officially. Rob MenShing is the CEO and co founder of fire Giant, a company that provides commercial support in tools for the Wicks tool set. He's also
the creator and maintainer of Wicks. Of course, we talked about the most powerful set of tools for running building Windows installation packages. The Wicks tool set holds the unique distinction of being the first open source project released by Microsoft, and Rob has been deeply involved in open source over twenty five years. He's passionate about making open source sustainable and his latest proposal, the open Source Maintenance Fee, is
all about creating a better path toward. It is all about creating a better path forward for projects and their maintainers. This ought to be really good, Rob, welcome back.
Thank you. I'm looking forward to talking to you guys. It's I didn't realize that twenty twelve that was that was easy for show. You had some after that, but yeah, twenty twelve of you were still a Blue badge.
That's how long ago that was.
Just barely that's right. I started fire Giant twenty thirteen.
Wow, yes, there you go. So it's like it's been twelve years in fire Giant. But yeah, it's a way back, yeah, way back moment.
As long as that's kind of throws me off. I think I've been fire Giant as long as I've been at Microsoft, as I was at.
Microsoft, as long as your Microsoft n Yeah, and he still feels like it's your new thing.
Yeah, it feels like a startup. It feels like I've been doing this for about three years. But when I look back, we've done more than three years of work, and I just can't reconcile the two together. So when you say it's been twelve years, I have to and go really, I guess, man, we have so much more to do.
Yeah, it's not like I'm getting the bottom eye to do list. That's not a thing.
So when did you go solo again? Thirty thirteen twenty.
Right at the beginning. I retired from Microsoft in twenty twelve and started fire Giant. Fire Giant officially launched in June, But you know, takes six months to put everything together, but we had the idea, you know, to begin to my thirteen I was working towards that.
Yeah, well, when immediately came to mind when I read your bio. There in the things that you're talking about for open source, making it sustainable and better, you know, better prospects for owners of OSS projects. Is that we is that show that we did at NDC in twenty
twenty two with David Whitney. I was in November twenty twenty two making open Source Work for Everyone with David Whitney, and I remember we got into this really cool what if discussion about what if you know, places like GitHub would have some sort of pay mechanism built in, so like write in Visual Studio, you could say, hey, this is open source, but they would really appreciate your donations or something like that. Just make it low friction for
people to donate to open source projects. You're nodding your head.
Yeah, there have been ideas in this space for a long time, and lots of different ideas floating around this space, which is fantastic because I don't think we're going to end up with one solution to what do we do with open source to make it viable for everybody to continue working in it. So I do believe there are many different options that we need to consider because there
are many different kinds of projects. And the idea of having some way to pay maintainers in GitHub was very present because now they have sponsors, which turned into very much that even if it's not deeply in a Grandville studio, it is exactly in that space. So yeah, there's been lots of thinking and talking about this, and I decided I had to formalize some of it. So that's why I want to talk to you today about.
So let's get to it. What are your ideas?
Do you want the history? Do you want the idea first?
That tweet thread is really important, Okay, because it's an encapsulation of so many projects I've seen.
Yeah, so maintainers. When you're a maintainer of a successful project for a long term, the world changes a little bit, the changes for you a little bit. And I have this theory that I've been developing of there are these mega projects that people know about, that's the ones they think of. They usually have corporates running them, and they
have a different way of operating. You have the hobby projects, I don't have like that term acoungement, but you know, startup projects, they're just getting off the ground and the people are still very enthusiastic about what they are, what they could be, the future is everything ahead of them, right, and they're just trying to find more users. And that
place is awesome. Then you hit the what I call the working class projects, where you've usually graduated from being a hobby project and you've now ended up in a space where people depend on you, and you take that responsibility seriously that you have an important piece of the ecosystem. It's the what is that the Ohio project? You are that tiny little cog standing up the whole system on top of you from SKCD, Yeah, you are that little block and you take it seriously, like this is my project.
And I've been running the Wicks tool set for twenty plus years longer if you count the stuff I did in Microsoft, but twenty plus years. And after a while you kind of get to a place where not everybody's treating the project particularly well or you particularly well. And for the last few years I've been very frustrated with what's been going on around the project. And then the EXZ UTLS issue hit at the March last year. I
think it was fourth that issue. I saw all these people talking about the attack vector that almost turned into a back door on Linux that got into cloud servers and every Linux like it was crazy, and I knew people are going to do the analysis of what it was and how it worked, because that's like the geeky technical stuff. But for me, I saw the story behind it.
We better recap what happened last year because not everybody's yeah, good idea. All right.
So someone found a way to use and xx udles, which is this like compression library and tool that was included in I think every major Linux distribution, and a we believe an attacker. Now at this point, someone very dedicated found a way to use the build system to inject code that did not appear until inside the Linux build or something in that effect, so that they could insert a back door into the Linux build system that they could then connect back in and it would end
up on all Linux machines. And it happened to be found by a dev working on performance some performance issue was like Microsoft and Azure and said hey, wait this is acting a little slow and found the problem.
It was like a half a second or something, right, Yeah, it was minuscule.
It was talked about narrow, narrow, narrow by the slimmest margins that someone found that that could have been catastrophic, and then nobody might have even noticed once it's out there, it could have just been an invisible back door.
Well, they also bags the question how many we not noticed? Right?
Yeah it was. It was a very very sophisticated attack, so obviously fascinating to every developer out there, like, wow, how did this work? How did you get in there?
How do you slip yourself into s sh or all the And I'll be honest, I didn't dig into those details because the part that I saw was the a thread and someone pointed out a thread, the email thread archived on you know, set of way pages of their their their mailing list, and I started at the top and I found the maintainer of the project talking to the people that are then believed to have put in
this attack. And in it you have people pushing on this maintainer saying you're not doing enough for the project. Why haven't you submitted all these prs, why haven't you fixed all these bugs? And you can hear the maintainer saying, oh, yeah, I'm going to get to that. It's just it's been really hard and I've just been a lot of pressure. And you can hear like there's other things in their life going on, right and and he says, oh, and there's someone that's been helping me on the side. You know,
that's been really helpful. But you know, it's it's really hard finding people to take over a project or helping a project. And then you have repeated cases that if people, well, you should give up on your project because clearly you're not going to take care of it, and someone else saying, oh, we understand, it's really hard to maintain your project. You know, you could be really busy, but you really should do something because your project will suffer because you're not doing this.
And at the end, the guy's like, well, you know, this other person's been really helpful, and you know we'll probably have them helping more. It turns out that that person, that named person is the person that's tracked back to it's the attack or inserting the attack vector into make files and the data files and everything else.
And they made themselves look like, you know, they were going to help out like they.
Well, they be clear. They they had been more helping out, They had been making contributions, like one person had been helping.
Right, it's what I'm saying. But all the way along the goal must have been to at once they gain their trust to launch this attack, and nobody would ever suspect them.
Right, So one person was helping, and then two other people showed up in this particular thread, and the timing spread out. It's not like immediately back in back and forth. It's like a week spread out, two weeks here. I mean, it's not obvious. And when I originally saw this thread and I wrote down a tweet about this, that I realized, oh, and it was like, I don't know, thirty tweets and I was like, oh, I hate it when people write
tweet thread. So I ran and put in my blog so you can read it all one big pass much as you read, and I had more contexts. At that time, there were theories that this could be a truly coordinated attack, with multiple people operating what we call sock puppets pretend to people pretending to be different. I don't characters in a play trying to manipulate what they wanted I thought that felt a little far fetched at the time, because
it felt very real. Everything that was being discussed and treated and the way that people were acting was very common for what you get on maintainers. You get sets of people just showing up going why haven't you fed me yet? I want my fix? Where's my build? I can't believe you haven't fixed this in ten years. I just got that comment this morning from somebody. I can't believe you haven't fixed this in ten years.
And that's when you offer them the refund of everything they've paid.
I actually offered to assign them the issue, which is my new tactic. In the end, I ended up really mad, like just stomping mad. And I've been low key mad for quite a while having seen other maintainers treated the same way, feeling it myself. And I'm fortunate that I have Bob who works who's a co maintainer on the WHIS tool set with me, so I have someone I can talk to and kind of, you know, walk off that ledge. No, sorry, step away from the ledge from
the ledge. Yeah, just like this is this is too much?
You're really a friend, you'll jump off with me? No, No, that's not the goal here.
Well, and when you're in a project that is popular and successful and you have lots of users, you will hit this space where you went up with a non trivial number of people showing up making demands of the project without any thoughts of any contributions. And so the xc udels that event and then finding out that it was very possibly Nation State actors. Nobody knows for sure, but that level of coordination made me just go that that's it. I'm going to do something. I don't know
what I'm going to do. But at April last year, you know, about a year ago now, I said, I'm going to find something and I'm not doing it like this anymore. We're not just going to have maintainers out here unprotected from every you know, everything. We need to change the culture and the way that we treat maintainers. And so I sat for months just I couldn't put it down. I had job to do. This is not
my job. But I had this thought process in the back of my head, going what can we do that builds a system that works well for maintainers, that is fair to everybody involved, and can scale. And it was all based off this tweet of mine that got a million in some views, which I don't write tweets like that. I'm not a mean person, right, I write tweets communicate Moory project, my company and what I do. That thing went crazy and everybody in the thread agreed that it
was a problem. I have never seen so many people agree on Twitter.
The Internet. You're not supposed to get along, that's not how Ever.
The only discussion that went sideways where people were disagreeing was whether we should have universal basic income. And I was like, Okay, I'm not touching that. You guys, go have fun on that conversation. That's a bit far. Yeah, a bit far, And it just was like a side thread on the whole thing. But everybody agreed.
So yeah.
I went from there and my experience with frustration of where I was at as a maintainer, because like a year before that, I remember one morning I woke up and you know, dealt so with me and I just get my wife said that's it. I'm done. I'm not going to do this anymore. Like why am I Why do I even do this? Why am I putting myself through this? I have a company built on this open source project. I'll just do it a different way. And I'm the guy that worked for years inside Microsoft to
make open source happen. So I was like, I'm walking I my mind was torn. It was I was I was broken. It was pretty bad in this space. So to hear other maintainers having these same problems and pains, I reached out to a number of them. And every maintainer that has a project that you think of successful, that you thought was successful, if you know it by name and you know that maintainer, they are in either
one of two camps. One they don't care about what happens to the project and they're just distracted from it. DHH has this famous slide where he's just like, f you, Like, that's the way he approaches his project. He doesn't care about you. That's a fine way to go. I know no maintainer, I personally know no maintainers that operate that way because they care too much about their project and being how it work well. All the ones I talked
to all have were like, yep, I totally agree. I've all thought about quitting every single one of them, all of the major projects, all of them are all in the same spot.
So now you wake up in the morning up, you know, immediately anxious about I haven't dealt with I haven't got to like you're dreading going to your office.
Yeah, And so that was the reality. That's where it's at.
End.
I decided I was going to have to create a solution. So, like I said before, I think there will be many solutions for many different sized projects, for different kind of types of projects. I know, my project, it's about half a million lines of code. There's two of us that work on it. Often there's only one person that works on it. And we have you know, millions of downloads, tens of millions of downloads, ten million downloads, twelve million downs.
Now it's a big project, all that kind of good stuff. And I said, all right, in this space, what can I do? And so I sat down for a while and started going, what if we charge a fee for people to use the project? And from there I started putting it together. So should I go jump into the details of the maintenance.
Fe then yeah, let's go all right, yeah, let's do it.
So the maintenance feek idea came as I slowly started teasing apart the problem and I realized that there's open source software and that has a license on it that we all know and love. All of our various license out there, whether you're like MIT or GPL or my favorite MSRL, whatever license, we know all of that. And what I got to was that license applies to the source code. And if we say that that license will only apply to the source code and stop there, that's
an open source project. Like that's enough to say that your software is open source. Right. You don't have to build the source code for people. You don't have to have an issue tracker, You don't have to take changes from other people and apply them to your open source software. Your open source software is open source. Are done?
Yeah?
You you have successfully created an open source project. So all that other stuff that is generally expected of maintainers. Build a binary that other people can use. Answer the discussions that people have, keep a discussion list where people can ask questions, have an issue tracker, deal with them. Some people expect you to fix all of them. Do regular builds, stay up to date with all of the dependencies that you have, as those keep changing. Dot A
framework I'm looking at you. You know, security vulnerabilities that pop up, you know all of the you know, spam shows up. Yeah, go make sure that doesn't show up. Oh, you have to have signing certificates for your binaries, we'll keep those up to date, so on and so forth. So there's all this other stuff that's actually that's the project, that's the work that the maintainers do regularly, outside of
maybe choosing to write some lines of code as a contributor. Right, So if we separate those two concepts and we say, I'm going to make the open source software open source by this license, but the rest of this stuff that I have to do to maintain the project to make it viable as most people expect it to be. What if I have a fee? And in that tweet thread that we were talking about, I kept throwing out the idea of what if you paid ten bucks per month
for a project? Nobody ever said peepe. They're like, yeah, that seems fine, right, maintainers ten bucks a month, no problem. So I said, all right, we're going to create the maintenance fee and for all of the stuff that isn't the source code itself. You want the bills, you want issue tracker and discussion lists, and you want signing certificates and all that stuff maintained. You pay ten bucks a month if you make money. So if you're a student, if you don't make money, if you don't want to
play in the money game, no problem, you're in. Hang out. Let's go right, we're talking source code, we're talking open source. But if you're making money, if you're a compan or your employee at a company using a project, you're in a different world. You're using this and you are getting some value out of it. So you get to.
Pay, and you're taking a dependency on it a.
Fee, right, right, And you depend on it and you want to presumably want it to be there, so you pay the fee. Really simple. And then I stacked it and I said, all right, we have dependencies an open source project. So if an open source project says I'm going to start charging a fee for all of the stuff that isn't the software, than any dependency that you have, you pay their fee too. Okay, Right, So if I have a dependency us on some other project, then I
pay them. My project takes a fee, then I pay them however many fees they have.
So you basically now are in a money distribution royalty kind of right system.
Right, You you taking a fee in your project means you now have decided to take money, So now you play as money. If your project doesn't take money, then you don't have to pay money. At the idea of being like, look, if you're not making money, you're not paying people, right, You're not trying to bankrupt people or
anything like that. We're trying to get to a place where maintainers now can get paid for the work that they have to do to keep the software going and viable in an environment where people expect it to be.
Any you're driving this through GitHub.
Yeah. What I realized was that with the system, I ended up with about the tightest feedback loop that I could create. Consumers pay a maintenance fee for the maintainers to maintain the project. The maintainers maintain the project, so that the consumers continue to pay the fee, so that the consumers pay the fee to maintain the projects, and the maintainers continue to part and you end up with
this tiny little loop cycle. Nobody else involved. There's nothing else out there, because so many other proposal I'd seen required somebody out there to do something to make this possible. Usually some company is going to come down on high and say I have now created a system by which you will get paid, and the maintainers could be like, oh, thank you, finally good assuming payment what they want. But you know, a solution from outside here. Maintainer just says
I require a fee and it all works. It's just between you and the consumer on that fee. You're good to go.
All right?
And I have so many questions, but we got to take a little break here, so we'll be right back after these very important messages. Stay tuned. Did you know that you can work with AWS directly from your ID? AWS provides toolkits for visual studio, visual studio, code, and jet brains rider. Learn more at AWS dot Amazon dot com, slash net slash tools. And we're back. It's dot net rox.
I'm Carl Franklin and that's my friend Richard Campbell and our friend Rob Menching, and we're talking about making open source sustainable. I have so many questions, but the first question I have is do you just work on the honor system? Do you just say, how do you prove that you're not making money? How do you prove that you are? How do you do you go after for people if they start using it and making money without it without paying?
This is this is a fantastic question. And I sat here for a long time going how do we do enforcement? And every maintainer as I presented this idea to them always kind of got to this point, like I really love this idea. I never thought of it that way. How do you make it happen?
Right?
So, in the new gut world, we produce nugat package. Sorry, in the dot net world mostly about nugat packages. That's how a lot of things are attributed. Even my own system is now msbilled, SDKs and dot net tools and a whole bunch of NEWGAT packages. So we're all in on nugat. I kind of sat and got all right, So what do I want? I want to declare a I have a license, an open source license that applies to source code. I need a YULA, an end user license agreement to apply to the binaries and the rest
of the project. Okay, oh, I can have a license for this source code. I can write AYULA that does not impinge on your rights that the license gives you. I can put that ULA in the nugat package, and then lo and behold. Nugat has a way to say require acceptance when you accept a Nugat package. So you have to say I accept the terms of the ULA AKAI will pay the maintenance fee because I am making money,
and you have to check that box. And now you have legally said that you are complying with the maintenance fee for any project that you want.
And that amounts to Diddley Squad, however, because we've all agreed to ULA's because otherwise we can't use the software.
Yeah.
Yeah, So nobody's ever knocked on my door and said, hey, did you read that ULA?
Yeah. But if you remember, lawyers had a huge, huge challenge when they first started trying to pick up open source, and they held up everything saying no, no, no, we can't pull source code into the company that open source license until we understand what those licenses will do to us and our company. The maintenance fee puts a legal document in there that if a lawyer sees it and you've accepted it, you're on the hook for it. I believe it's written correctly. I've had another lawyer write it.
You're now on the hook. So any lawyer that saw it inside the company be like, we're on the hook for this.
Yeah, okay.
And this is actually important because there are many maintainers out there that I've come out and said, oh, you know, I would I would pay I you know, get how sponsors is great. I would pay it, and my company, you know, should pay it. But you know, the procurement team, I just they they won't do anything. They're so hard to get work through, and I believe them. Procurement teams
are very challenging with my own company. You know, we can spend six months with the company and their procurement team just trying to get them to pay us for the legal agreement they already signed up for and the services they're paying for. It's a challenge, I get it. So let's create a system by which the curement team has to pay it because the legal team will show up and say, hey, you know this open source thing, we already went through our time and figured out how
to deal with open source. Now you, as a procurement team, you now need to figure out how to deal with open source projects that require this maintenance because you have to pay them because the license says that you have to.
And for big businesses with lawyers, I think that's probably a valid thing. What about all the small businesses.
But that's that's who we want to pay.
But what about a small business that's making a million dollars a year and it's Joe and his wife and they don't have lawyers. You know, maybe they do, but they're going to take the chance. How are you going to enforce? How are you going to enforce it?
So I've been slow walking the enforcement past the legal requirements that will hopefully build the structure that everything else stands on. Okay, I've had people ask, hey, what do you do with the issues in the Wicks tool set. We've called out that you check a box if you're using money and you go through our templates, it says you're using this for monetary value. Check the box it says you are sponsoring the project. So we're getting the education and awareness out there.
Now.
There are some projects that I saw that lock their issue tracker unless you sponsor.
So you can't submit an issue.
Enter that, you can't submit the issues, you can't get the issues unless you sponsor the projects. That's doable through GitHub sponsors. Straight up, that's.
Only if you're making money, right What about the student who.
Isn't Again, So that's the challenge of the enforcement on that front for people that aren't making money. We have to find a place in there. After I made this announcement, the GitHub sponsors lead reached out to me and we
had some conversations about what could be done. So there, what I'm saying is right now, we're in the beginning, and I want to start the enforcement by assuming that the developers that said I want to be able to help you and maintain your project, but I can't get through procurement now have the tool they need to go to their legal team and say, I now need to pay this project because it has a legal requirement. Please help me solve this issue with the procurement team.
And people have told me, but also coming to them with the documents to say here's how it solved exactly.
Yeah, it's not. Before it was like, you know, let's say as an individual contributed company and you're using this project that you want to support it, and you're like, yes, I want to help them, and you go to your boss and your boss says, no, dude, too much work. Let's not bother. Just just go do it and be done. Now you're able to go to the boss and boss say, hey, boss, there's now this legal requirement. We have to do this.
Boss will be like, well, if we're going to continue this project, we have to go do with legal, we have to go do with procurement. They now have that tool, will they maybe say, you know what, forget it. Let's just go use a different project that's free, that doesn't have this open source maintenance fee. Absolutely, that may absolutely happen.
So I have ideas. I have some ideas, which always happens when I have these great conversations with guys like you. But one idea is to have a sort of an outside agency that does enforcement. And I don't because I think, you know, software developers, they don't want to be in that position. You know, nobody wants to be the bad guy and have to on top of having to write good code. Now you got to wake up every morning and wonder who's not paying me that needs to be
paying me. So an outside agency is not like a union or something, but just somebody that works on behalf of contributors to enforce this. The other thing that I was thinking of was is gone from my head. It's just gone.
These ideas are great. I want the ideas, and honestly, if someone comes up with an idea and is inspired by the open Source Maintenance Fee and says, ah, this is a good idea, but it is fatally flawed this way. But I can create a system that works better. I hope that happens. Or people say, hey, here are different ways that you can do enforcement with the structure that the open Source Maintenance fee happens, I'm going to write them down. I have a discussion list on the open
Source Maintenance Fee dot org. It says, hey, if you have more facts that your more ideas, you want to add, more questions that need to be answered, let's put them up there. There is a place to have the conversation to say, here's what we need to do. And I want to be really clear. The Wix tool set is the first project to apply the open Source Maintenance Fee, and we did so on the seventh, so a week ago today.
The seventh of April, of April of.
Twenty twenty five, the seventh of April twenty twenty five, so a week ago today. That has put all the pieces in place, and I've been then using that experience to update the step by step list for maintainers on the open Source Maintenance Fee dot org site. So if you want to go through it. It just lays out all the five or seventh steps you have to do to work your way through.
It's really cool, right, so I found I remembered the second idea. Okay, the second idea was to require by law companies to publish as software bill of materials. So on every website in there about page or whatever, there should be a link to a s bomb page and then every dependency that they've taken must be listed there. And that way would it be easier for an auditor, even if the auditor was GitHub?
Right yep, you know.
GitHub seems like the logical place where this kind of thing would happen for getthub repost. But maybe in another place. I don't know.
I actually had someone ask me if we would try to get an SPDX identifier for the OSMF.
So.
SPDX is the software what identity system They have a way of saying s bombs. Basically, they're one of the standards for specifying s bombs and one of the big features they've provided are the standard list for all the various open source licenses out there.
Because it's advantageous for every software company to have an s bomb, right Yes, it's absolutely advantageous to them. Yes, because of security problems, right, and so you know when there's a problem, oh, we're using.
That, right. And if the maintenance fee was in SPDX, then you would just use the identifier and then you'd know, hey, they're already doing this, and they would they'd all roll down the direction that you're saying. Now. Yeah, there's only one project using the open source maintenance fee right now, and we are slowly working our way through the experience
of what does it mean to do so? And enforcement is an area where I'm trying to be extremely respectful to the challenges that I know individual developers will have inside their companies. I worked in Microsoft, I know big company challenges. I spent a lot of time with lawyers when I was first trying to get the WISK tools set released as an open source I think part of that training helped me design the open source maintenance fee is learn how to use lawyers to help you get
a problem solved. Where we go through enforcement is a question. I think getting the first foundation and then normalizing the idea that maintainers should be paid to maintain the projects, and that if you don't want to use the project, and you don't want to pay a maintainer money for them maintaining the project, then you can go take the source code because it's still available, it's still a source. You can go take the source code and maintain it yourself, which is the alternative.
You know, in the interest of security. This is the same reason that that bill got pass that requires everybody to allow cookies, yes or no. Right that is required by law right in GDPR. Yeah, the GDPR. And so just like that the way that got passed, this could be you know, you you must have an s bomb and you must be able to well.
I would point out that that is not enforced. No one has ever been charged for not doing that. Yeah, so, and yet lots of people have done it. Like enforcement is a separate issue here, yea, And I would argue long before you get to anywhere near that, you can have nudges from within GitHub. Like the main thing we're hoping for is a get hub. Here is poke at obvious large organizations that are utilizing these resources to write, Hey, you know you should be making a contry.
Here is the path and to basically put a system in place that starts allowing people to do the right thing.
Yeah, make it reduced to friction doing the right thing.
He says, Look, you have to do this. So now the people that want to do the right thing are now empowered to go take care of the larger systems that naturally would not change or continue to run the way they do. And we will continue to have large companies with their procurement systems which are designed not to spend money to you know, not spend money on maintainers
for these projects. I mean. One of the interesting comments I got very recently was someone left a comment saying, hey, I will need some extra verification of to give you money. I will need some extra verification to know that you're not a terrorist organization, right right, because my procurement team can't fund terrorist organizations. And I was like, sure, whatever you need, let me know, we'll answer those questions. But then I stopped and said, it is harder for the
the procurement team. The procurement team has higher standards than the developers do for taking the code, like you already took the code the binary code usually and are using it, and I don't remember a background check or anything like that to take the bus. I heard terror because I use my code. What we have done is create some artificially high bar on the procurement and the sustaining the project if projects want to be sustained by money, and the way that you can take the code into the
sources world. And we've also created a culture where I just take it and I don't have to do anything else after that.
Well, and there's an advantage to that too, because you want to take it out for a spin. You want to prove that it's valuable to the organization, Like you need to get to a place before you even have the conversation about you know, do I want to spend money on this or not? I mean, I do appreciate and I've included the link to how wix tool sets maintenance fee is set up where it's based on the size of the organization with the size of the contribution.
Is because this now roll the other way where a CFO should be able to go to gethub and say, hey, what libraries is my company using? What is the total fee I should be paying. My experience with CFOs is they'll kind of check once a year, but don't make it more complicated than that.
And so we fell upon I fell upon GitHub sponsors because it was very straightforward for a lot of maintainers to be able to access that directly without having to do a whole lot of extra work. And also because gethub sponsors has may have relationships has larritionships a lot of companies through their enterprise system, and through that enterprise system, you can say pay for sponsorships by invoice. It doesn't
have to be a credit card. So you can walk up with an invoice to get Hub and say here, I want you know, give me. I think the minimum invoice is like five thousand dollars. It's a pretty large number. But you can pay an invoice in bulk and know I will pay my maintenance fees, you know, in bulk for this amount of time for all projects.
Yeah, so GitHub will disperse it.
There's a process.
Well that's important, right, Like that's the important part of it.
And it can also wire straight into your enterprise buss. So if you're already paying for repose and you know actions and all time, and you know space inside GitHub with they already have that, then your sponsors just end up as line items inside that nice payment system.
Already.
I'll tell you what we don't want. We don't want the Spotify model. Like imagine GitHub. In order for you to access any of this open store of source stuff, you'd have to pay GitHub, you know, ten dollars a month or thirty dollars a month or whatever, and then you can use whatever you want for free, and then that gets dispersed among all of the projects. Like that model is horrible. It's horrible for the music business, and it would be even more horrible for the software business.
I'm just the anti patterns are community.
I've seen proposals for doing that through like Newgate, like nugat would get a bulk upload and then send out whoever has most downloads.
I don't like that at all.
I don't like any of those systems either, because they all can be gamed. With the numbers. With the open source maintenance fee, you basically say, here are the projects I use. Whatever you know in your package reference or your package cafig. If you're still using that, you look at your packages you depend on. You chose them. They didn't get in there because someone out of them. You chose them. You go to each others project, you go, oh,
there's the fee for that one. There's a feed for that win there's a feed for that, and there's a fee, but there all of the things that I use and the people that I depend on, I've now paid the fee. You're done. You don't have to go down some crazy train, you know, tree.
And ultimately the maintainers are setting the fear for their projects.
Correct.
And if you don't like that fee, don't use that project.
Right, if a fee is like ten thousand dollars per month, you might go, hmm, I think I can have an engineer use that source FEDE and maintain it myself and all the overhead that goes with staying on top of the source code, being awarable, security vulnerabilities, that whole list I brought back. You're like, yeah, that makes sense. But for a small company, ten dollars And I've had many business people tell me ten dollars is too low, just flat.
That depends on depends on the value right that you're providing, correct.
And so the Wix toolset I use as a tiered model. So we're going to try to also show that where if you're a small company less than twenty people, it's ten, if you're twenty to one hundred people, it's forty. And if you're over that at sixty. That tiered model basic to say that you're getting more value out of it as a bigger company, that those tiering systems will see how all that works. But the goal is basically, look, nobody's arguing that ten dollars is too much.
Yeah, right, like it just if it is.
It's like a dev at one hundred thousand dollars a year, it's like two hours of their time for the year. So if you can take the source code, build it, maintain it, keep up the date on all those things for less than two dollars per year, then that your procurement team's right. You should copy the code and maintain it yourself, right, right, But two hours is not a lot of time to keep up even build a project and keep tracking. Come on, it doesn't work, and that's
why we want maintainers. Do you see the reactions when other projects say, hey, we're gonna not be open source anymore. You can see people being upset. She's like, look, you have the source code, you can build it, and they're like, oh, that takes work. I'm like, wait, so.
You know it takes work. You know enough to know why I'm where I am.
You're complaining that it takes work, but we're not doing anything to support the people doing that work. And I want to be really, really really clear, because I don't think I've said this yet. These are not support contracts. These are not I if you're going to get fixed my bugs, you're going to fix my features, you're going to write the code. It's not that, it's essentially the work it takes to keep a project running that people
don't see. I know a lot of people don't even know that's there, but just sucks up so much time of a Maintainer's so much energy out of a maintainer.
Have you published the documents and the mechanisms to go ahead and do this in your own projects? Like if somebody's listening and they say, yeah, I want to implement this in my project, do you have a little zip file they can download and with instructions and everything.
Yeah.
So if you go to open Source Maintenance Fee dot org, you will get presented with two options at the top. If you're a consumer. It explains why the open source maintenance fee is there. And I have a six minute video where I tell pieces of this story in one unified video, and then it breaks it down with the fact and things like that. There's a separate route you go through as a maintainer, and that essentially lays out the Hey, you're a maintainer. Here's why you should consider
taking a maintenance fee all the work you're doing. Because when I talk to maintainers, a lot of them had never thought about all the work they'd been doing. But as I was talking to them, when I was first vetting this idea, a lot of them would like get to that point. They all start nodding, going, oh, yeah, I do a lot of wow, And I thought, oh, that's a lot of work, isn't it. So there's that, and then there's next one is this five step process. I think of the steps to do, and the first
step is communicate the change. Tell your community that you're going to introduce a maintenance fee at some point in time in the future, with the date whatever that date is for your product. And then it says here's how you can set up with GIOB sponsors. And then here's what you do and you read me, and then here's the EULA. By the way, here's a EULA already man verified by the fire Giant lawyers. So if you want it, you can have it. It should work for you, no problem.
I can't guarantee that. My lawyer won't let me tell you that. We guarantee that because lawyers won't ever do that.
You're a lawyer.
But it's good and because we got feedback on the first draft that I had up there that was not good. It had problems, and I got plenty of feedback from the internet that it was bad. But we fixed those bugs. No problem. And then it goes through on how to add the EULA to your package. And I have steps for both MPM, for for MPM and for new gits because those are the ones that I understand enough of to do that. But if people come along and say, hey, here's how I could do it for other types, I'd
love to get that information on the website. But it's it's like a five step process. And the big one up front is copy this blank you know this message, replace the date, and send it to the place where your people are. Create an issue, pin the top, put a discussion, put at the top, say we're doing this, and then you do the rest of the steps and it will take you a day, I mean or two
to do it. It's not hard to step up. Just had to get the I mean the hardest part was getting the yula put together that passed all the rules. Now you just copy and paste it and replace your license inside your your nigga peck and had.
I can't believe we haven't asked you this question, but how did it work out for you so far? And how long has it been in place?
It's been seven days?
Wow, Okay.
At the point of recording, it's been in force in seven days. It has been announced for a month and a half ish, because I announced it four weeks right after the maintenance fee was announced, which was the end of February, okay. And I got a lot of feedback and various questions up front, not a lot of pushback on doing it, not a lot of pushback on why or none of that real negativity of that. It could be that they're not saying it. I'm sure they're just
not saying out loud they're playing people. I'm sure they're very upset that we're making.
Do this work.
I have got the feedback from some people say, hey, this is a lot of work to go through our legal team and our procurement team, and I'm like yep, yep, we would pay you money, but the procurement team's really a problem. I'm like, yeah, I know, like, well what do I do. I'm like, dude, it's your procurement team. Like you're going to have to educate them, and every company's procurement team needs to be educated so.
Well, and you're going to build up more language around how to talk to your procurrement team as this goes by, because part of this is what's the cost of us moving off of this project or maintaining itself and like showing larger dollar signs to the CFO, then get this through procurement so we can keep working.
So one of the feedback I got from people was our one idea I got out there was hey, be cool if you had a list of companies that had already adopted this as yeah, we're doing this, so I'll try to go there. We're early in this, and that's why I was really happy you got had me on because I just.
Wanted super early stages. I think the main thing you READNACT right now, Rob, more than anything is more projects to set up like this.
Yeah, So that's my feeling is that I was That's why I'm really glad you guys had me here is because we can get the message out to maintainers so the day can start going, Yeah, you know what I am. I know exactly what he's saying. I know exactly how he feels. And when I first announced this at the end of February, I got so many dms from maintainers and you know them, you know who they are. They
DM me saying this is brilliant. I was like, great, but I didn't have the ule at that time, and there's a leap of faith that you have to do it. We've seen a couple so I want to talk about the commercialization that projects has been going through, because that's that's what we're kind of I'm hoping we can counter here. But the idea that maintainers will be like, you know what, my time is worth something, sure, and I should be paid for this set of work that I am doing.
That actually is taking a lot of energy out of me. And if I could put this into my project, I'm not going to retire. I might not have enough users to make a business, but one developer I talked to said he probably has fifty ten to fifty companies using his software. I was like, so that's like, you know, one hundred to five hundred bucks a month. He's like, yeah,
that's about a weekend. Okay. Oh if I had five hundred bucks a month that I could do something fun on a weekend, then I could spend the other weekend maintaining my project. Because he's just like, why am I bothering? Yeah, he's and he'll walk. Those companies will be out of luck.
But you hit on the key point, which is the alternative is they head towards commercialization, which is going to make it even more expensive for a bunch of people who want to use this. It's going to make ask a developer to do thing I maintainer, do things they don't want to do, like operating a business like that. That is a weaker choice. Then here's the low friction way that lets everybody keep doing what they're good.
At, and it walks away from open source, which I don't want. I don't want that to be the way.
The alternative open source starts to implode.
Yeah right, It basically says, you know what open source failed, and that requires me to say, yeah, no, that idea that I had well in nineteen ninety nine, and then finally made a reality in two thousand and four that you know, companies should do open source and it should be a thing, and people and developer should do open source. You should be able to go out there and create communities around your source code. Wow, that should be possible.
It just says no, don't or don't be successful because you will end up in a space.
Yeah, you can do it, you just won't be successful.
Where you hate it. Yeah, just don't be successful. Don't don't have your project work out because you will end up in a space that you want, or if you do, you have to enter that space where I don't care about any of you, which is a completely different way of interacting with your project and the community. It's not a community. It pains me and I'm I'm very conflicted in this whole space still because I'm seeing people commercializing their projects. At the same time, I couldn't reach out.
I couldn't reach out to everybody. So I'm hoping here, at least take a little maintenance fee and go you know what, I will follow that because there's a list or no, no, I'm going to go route like that, but a different way or a different spin on it great.
I want to see where people go. I just want maintainers to have an option that they don't have to give up and commercialize or just walk away, and they can have a space that you know what, I could fund a bit of my world here and feel good about this space and if you know, and they'll have other maintainers with them. I'm out here, right. So people told me I was gonna get fired at Microsoft when I said I was going to try to open source my little project. It didn't. I was there for eight
more years until I decided to retire. I'm doing this now. I was afraid I was going to get lambasted off the internet. I haven't been, and I hope so we could do something to change the ecosystem, because that's where I want us.
Well, I have a few open source projects that are popular that then I think I might visit this with So yeah, I'm going to be looking through my repos and it.
Looks like a weekend's worth of work. Yeah. To learn the pattern, yeah, and put it into your project.
Yeah. Yah, Yeah, you follow pattern and if there's issues, you know, send them to me and will revise the document and make it better.
Yeah. And the more we can refine the material the better.
Yeah, yeah, exactly, it's good stuff. Yeah, that's that's the I hope we can get to a better space.
I'm sure we will at some point.
Can I add a couple of gripes at the end here? Yeah, go ahead, you could try to stick where you want, all right. So one people will say it's a rug pull. You're going to get that the whole open source maintenance fee, any charging for anything turns into rug poole. I don't have a good answer that, because they're not entirely wrong. It is a bit of a rug pull. It is we're changing the rules on you.
The ultimate rug pool is a project you're depending on no longer being dependent and being maintained. Right, which rug pole would you like? Yeah?
Yeah, the alternative is exactly. The alternative is they just go away. And my hope is that we can get out get to a place where it's no longer a rug pole. Because everybody expects it that companies walk up to a project, go man, this one doesn't take a maintenance fee or anything. How do we know that the companies the project is going to stick around for us?
So I'd love for us to get to the other side where it's not a rug pull, it's a you need to do this so that we can, like, we would like to have some interaction here, so we know that you'll continue to maintain this project for us. So I'd love for the to turn around. Maintainers may still say I don't want money, because I don't want money, that's fine. I'd love for it to be turned around,
so it's not a rug pull. The second right is that I've been seeing this a lot as the commercialization has started happening, or as this whole all these issues have popped up. I see people saying they shouldn't have made an open source in the first place if they didn't want to give it away for free, and it just it. It makes me so mad.
Is an awesome piece of ignorance there.
Because I didn't make it open source to make it free. I made it open source so that people could join and we could build something right right, But that's not what happened. The fact that the source code is available for you to do as you wish with it, as in freedom to go forth, is what this is about. It was never about me giving my time away for twenty five years for free and having people not appreciate it.
That was never the goal. And it also is never the goal that we'd get to the end twenty five years later and say, haha, I'm now going to charge you for this thing that you become dependent on.
That was the goal. That's what I wanted all along.
Like, come on, well, and the fact is right, you're not paying.
No maintainer's doing that.
You're not paying if you're not making money on it. If you are making money on it, it should be less of an issue exactly.
But this whole attitude I see about. They never should have made it free in the first place.
Say just I get so torq staggering bullshit.
That never made it free. I expected contributions. They never came. Now I'm buried either pay me or contribute. Well, not anymore.
You know, I don't even expect contributions, like like, let's be like, even as a maintainer, I didn't expect contributions. I wanted people talking about it, helping people participating, working together. I would have my project suffered significantly in documentation because I'd hope that people would contribute what they learned is a great contribution and just write it down and give it back to us. Nobody did that. They wrote it on their own blogs in their own places, and they
spread it all about the internet. They never came back to a project. That's probably partly a failure on my maintenance of my project and my doctition and my community. But the goal was that people would work together and we could all be set up ninjas together.
Yep.
Right, those sixteen people you talked about the beginning, Yeah, those my people, right, that's why we're out here, right, we're making these things happen, and we are not alone. And then there's way, way, way too many people are out here. Well, it's free, so I'm just going to use it. And I can't believe that you didn't take care of I issue ten years ago when someone else opened it.
Yeah. The original mantra of the open source community was this small group of peers building stuff and helping each other to make it better. Right, And that's I think one tenth of one percent of the audience is actually out there. And I'm not saying anything bad about that. It's like, but recognize where you're sitting. Yeah, there's a whole other show here to talk about. How do we work with contributors to just recognize their value. But we
can do that today. Let's work on the reality of where we are right now, which is that most of these open source projects have a maintainer and that person needs help. Rob.
We got to pull the clock here and say thank you very much. This is great. It's a great idea, it's great stuff. I hope that I can get involved in it, and I hope other people listening will evaluate their open source projects and see whether this makes sense to you.
It's the beginning of a conversation that we need to have. I'm hoping it can unlock more ideas so that we get to a place that is sustainable for all these maintainers. Thanks Rob, Thanks guys.
And thank you for listening, and we'll see you next time on dot net rocks. Dot dot net Rocks is brought to you by Franklin's Net and produced by Pop Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud online at pwop dot com. Visit our website at d O T N E t R O c k S dot com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show
number one, recorded in September two thousand and two. And make sure you check out our sponsors. They keep us in business. Now go write some code. See you next time.
You got JAD middle vans. Then I