Reading about open source sustainability the past few weeks, I’ve been trying to find some pithy and useful quotes to start building out my FOSS Sustainability website. I started with a listing of the obvious resources – key funding sources, some overviews about how governance and funding mesh (or don’t), and the like. But between reading industry blogs and scratching the surface of research papers on sustainability, I haven’t found great answers yet. What have I found?
More questions.
Sustainability as a concept around open source projects and communities is such an overloaded idea that I’m having a hard time finding a specific place to start. So instead, let’s start with a list of some focus areas and questions to ponder, in terms of what perspective or audience we’re starting with. Thankfully, I’m also finding out many other folks are in the same boat, and are working on figuring out how to define this in broader, more useful ways.
Who is our primary focus?
The obvious group is “Pay the maintainers”: individual coders managing widely used independent projects. The flip side is enterprises – who might pay for the projects they use – and various funding organizers: either grantmakers, collectives working on pooling and releasing funds, or even simple sponsorship buttons you can put on your repo.
The other kinds of maintainers are in community-governed, foundation-based, or corporate-sponsored projects. Plenty of projects are written by a combination of paid employees of one or more leading corporations, plus a constellation of individual coders or smaller companies.
The enterprise perspective is an entire universe of its own: often the people who understand the value of software they use are disconnected from people who control funding or strategy in a company.
Governments, NGOs, standards bodies, and the like are another universe of people concerned about sustainability. Their perspectives are starting to get broadened by the growing research about not just FOSS software impacts, but also risks, security, supply chain issues, and all the other news we read about lately.
Oh, and of course end users. Where do they fit in with sustainability? Does the average user even understand they’re using open source inside whenever they touch a smartphone or computer?
What kinds of sustainability do we mean?
How do we keep open source software secure? Heartbleed’s giant security scare eventually turned into the Core Infrastructure Initiative, a foundation to help fund quality and development of OpenSSL. But what about security across the hundreds of other critical projects used everywhere?
Are we concerned with keeping certain kinds of projects alive and self-managing and making bugfixes? Or are we concerned with the core infrastructure bits that everyone uses, and keeping them as solid upstream projects – instead of one particular vendor simply making all the fixes to their version, which becomes the de facto one most folks use?
How about long-term sustainability of the code itself, physically? How long are archives guaranteed, will they be findable, include history and releases?
How about keeping tooling current to today’s versions of other software bits in the dependency chain? Is there anyone around who can even recompile Tool X that uses frequently updated Dependency Y to ensure the binaries work correctly?
Of course all these questions might be changed subtly depending on the programming languages, and how projects are architected – or documented. The kinds of long-term tweaks to a UNIX utility are very different than a bit of Java middleware.
Does money come into it?
It’s more difficult, but you can find ways to make some projects sustainable without throwing money at them. But in most cases, we need someone to make a financial investment. And while sharing code has zero cost across any sort of boundaries, sharing financing and legal relationships (of employees, contractors, service providers, or whatever!) has significant costs – and lots of asymmetry in terms of knowledge and capacity to manage transactions – or even know they could ask for transactions (or some funding).
Which organizations are we considering?
Software companies (who build something related here) behave differently than other companies. Enterprises have very different resources and constraints than midsize or smaller companies. What about nationality and local law factors in how companies use or maintain their software dependencies?
By now you can see my theme: each of these general topic areas has a whole host of sub-topics, many with very different concerns even when they might seem similar. And of course the real world is a matrix of matrices of relationships between the who, the what, the money, and the how.
Feeling a little overwhelmed? I’m right there with you. Thankfully, that’s one of the exact questions some smart folks are thinking about right now: how can we define “sustainability” with some concrete concepts and shared terms / categorizations that we can all understand and agree on?
We’ll see! But I’m meeting some people that are making this very, very interesting to work on!