The Last Time

10 years ago, in the wake of the Heartbleed bug, OpenSSL found itself at the center of a not unrelated discourse about opensource labor and key infrastructure. There were two basic responses: a) Just Pay People and b) Fork It.

Unfortunately, both approaches have failed. The LibreSSL fork came from the OpenBSD community. Their critique of OpenSSL included dropping a lot of support and compatibility and, I believe, changing some interfaces, to the point that it is no longer a drop-in replacement. As I noted a year ago when there was yet another high severity bug in OpenSSL, support for using LibreSSL has been removed from Python and from the Alpine and Gentoo Linux distros. Though the BSDs are going strong, I'm not sure if they are maintaining out-of-tree patches to replace OpenSSL, or still using it for some packages. The corporate backed forks have not made community projects safer (neither Google's BoringSSL nor Tink is even available in any Gentoo overlay, let alone exists as a dependency in the main repository). And the Core Infrastructure Initiative, which was supposed to Pay People, was clearly abandoned.

Now I've seen that the CII has been swept into the Open Source Security Foundation whose webpage looks exactly like a tech vendor's. The about page says nothing about paying people.

What Does It Mean to Be Paid

Cohost itself is structured essentially as a rejection of opensource business models. Opensource-as-business has been successful in select areas. But why should one have to start a business on top of everything else an open source project requires?

I am curious what it would look like to be paid for opensource work. As I see it, one could be hired to do it, one could be paid enough to do the work full time but not be on payroll, or one could be paid but still maintain other employment.

If you are an employee (and I don't mean for a company selling a linux distro, just one that Depends On open source), does the company think they own the project now? Are you fixing competitors' bugs on company time? Are you still working on it in your free time?

If you are receiving periodic donations, can you trust that the money will keep coming, to the point that you can quit your job and expect this to be your future? Do you have healthcare? Do you have time off, or are you expected to always be on call?

If you keep working but get paid on the side, do you still have free time and time off?

I think any of these arrangements are inherently precarious for individuals.

Also, how does any of this work for projects with multiple contributors? Will the biggest names get paid and work alongside others whose labor is free, hoping one day they too will make it?

All I can say is that I think we are stronger together. A guild union stands a better chance of both protecting working conditions and distributing resources beyond the extremely recognizable and flavor-of-the-week projects. But this thinking still broadly follows the paradigm of selling labor, i.e. of work.


in reply to @wolfwood's post:

Yes!! I love the idea of a Software Engineer's Guild. I daydream about a Software Guild License, whereby commercial use is allowed only for dues-paying members of the guild and guild shops, which then supports stipends for maintainers. Institutional educational use would be conditioned on the institution allowing a guild rep to talk to all the first-years for an hour about the perks of organized labor.