Tidelift GC: Paid open source can stave off another Log4j
If the industry wants to thwart software supply chain attacks and prevent another Log4Shell, the way forward is to pay open source maintainers, Tidelift GC Luis Villa says.
Pay for open source maintainers will become a growing trend in the new year as enterprises confront software supply chain security issues and threats to the long-term sustainability of the open source projects enterprises rely on, according to Tidelift general counsel Luis Villa.
Villa's company, which he co-founded in 2017, funnels funding from enterprise users to thousands of small open source projects. Villa, an attorney, has more than a decade of experience in open source from previous legal roles at companies such as the Wikimedia Foundation and the Mozilla Corporation.
In this Q&A, Villa discusses why software supply chain security concerns will spur a movement to compensate open source maintainers in 2023, how capitalism and Free and Open Source Software (FOSS) can coexist, and Tidelift's role in the open source ecosystem.
Why do you think more people will be willing to pay open source maintainers in 2023?
Luis Villa: We're going to see a lot more attention on this space because there's so much focus on the [software] supply chain. People are realizing that [open source maintainers] didn't volunteer to be part of your supply chain -- they volunteered to put some software on the internet. And if you are going to want to treat these volunteers as somebody who has this deep responsibility to do piles and piles of additional work, that's just not going to work.
I think six months or a year ago, I would have told you there'd be slow and steady growth, slow and steady awareness. But the supply chain stuff is just really pushing people to rethink that.
Luis VillaCo-founder and general counsel, Tidelift
As in Log4j?
Villa: Exactly. The Log4j folks did tremendous work as volunteers. If we want to prevent the next one ... lots of people have lots of plans about, 'Well, we'll have new security standards.' We're like, 'OK, but already people don't do the standards we've already got, and how are we going to change that?'
And the answer is not to get them to volunteer harder ... The problem is not lack of training. The problem is lack of time and lack of motivation. That's where we think we can come in.
FOSS by its very nature is free. By introducing capitalism into this model, you're turning FOSS into 'not FOSS.' How will this affect open source down the road?
Villa: The ship has sailed on capitalism and FOSS. The first open source company went public -- IPO'd -- in the '90s with Red Hat. The money has been coming in, and the question for some time has not been, 'Should money be in FOSS?' The question is, 'How should the money in FOSS be distributed?' Right now, it goes to a handful of large brand-name projects and the for-profit companies associated with those projects.
We talk to customers all the time who say, 'But I support open source: I give to the Linux Foundation.' Well, OK, that's not bad that you're giving to Linux Foundation, but the Linux Foundation has a few hundred projects, and you use a few thousand projects. What are you doing about those other few thousand?
How does Tidelift work?
Villa: We take money from large enterprises that are concerned about the long-term future of the projects that they rely on. All these big banks, insurance companies, governments -- all running on tens of thousands of pieces of open source -- they cannot feasibly go out and contract with each of those individual users of open source. It's hard to identify who they are. And if they did identify who they are, going through and contracting would eat you alive in overhead.
If you're one of these developers, you know that all these big companies are using you, but you don't have a sales team, you don't have a legal team, etc. And those, again, would eat you alive in overhead.
We have a sales team and we have the legal team. We go out to these enterprises and we say, 'Well, look, you're using 10,000 pieces of open source -- we've already got contracts that cover 1,000 of those with the original developers, and we work with them to maintain security standards and legal standards.' What they're paying for is that assurance. That sense that a lot of their top packages are going to be better maintained and longer-term maintained. And we work with industry standards like OpenSSF to make sure that what the maintainers are doing is legible to enterprises.
How much of a cut does Tidelift take?
Villa: The overhead will vary depending on a variety of factors, and it's hard to put one number on it. But we try to keep that to a reasonable amount, given the large sales team and a large amount of legal services that we're providing.
Do you try to go to the original developer of the open source project?
Villa: As close to the original developer as we can get. There are situations where the original developers aren't available, for example, because their job doesn't allow them to have side gigs. There was one situation where a developer went to jail for something unrelated to their software activities. In some cases, the original author has gone -- has chucked their laptop in a lake and sworn off all technology or whatever.
But at the least, the current maintainers have to be aware that [another person is] doing this work and have to agree that it's OK for [them] to do this work. They may ... decline to participate themselves, but they have to at least sign off on whoever the other person is.
Does a developer get paid by the hour?
Villa: No, they get paid by the usage of their products by our customers. If more of our customers are using it, then you get paid more, and what you're getting paid for is simply the task of completing things like, 'Is your licensing accurate?' 'Are you following the latest security standards from OpenSSF?' and that kind of thing. The idea is once you do initial onboarding, there should be minimal additional labor required on the maintainer's part, if you don't actively break things.
The big exception to that is security vulnerabilities. We don't pay extra if there's a vulnerability -- that would introduce perverse incentives. But we do help support [the maintainer] in that situation ... with logistical support, helping them understand, 'What are the expectations of me?'
Can developers bring in a full-time income?
Villa: We do have a few developers who do have full-time or near full-time income depending on where they live. It's harder in the U.S. with healthcare, easier in other places where there's a lower cost of living or better government provision -- a basic safety net.
Editor's note: This Q&A has been edited for clarity and conciseness.