• onlinepersona@programming.dev
    16 days ago

    We need a new license. My hope is currently residing in the Post Open License. IINM it will legally define how commercial instances have to contribute back or pay to open-source maintainers/devs and how it will work in complicated dependency trees.

    Also, IMO, we should stop using weak copyleft stuff like MIT, Apache, MPL, etc. GPL and AGPL seem like the best licenses to force companies to contribute back, even if it’s not monetarily.

    I do like projects that say “any support requests require a contribution (monetary or otherwise) and will be ignored otherwise”. It’s a fuck you to companies that create support requests and don’t pay or contribute.

    Anti Commercial-AI license

  • Kissaki@programming.dev
    15 days ago

    If you want to talk about possible risks to your supply chain, a single maintainer that’s grossly underpaid and overworked. That’s the risk. The country they are from is irrelevant.

    Total nonsense.

    A good open-source maintainer won’t act maliciously, even when underfunded, until they are forced to.

    A FOSS project that is underfunded has its own problems. But if it becomes unmaintained, you can take over or react. The other risks are assessable.

    Russia is an oppressive regime that continuously attacks other parties through hybrid warfare. Who knows what environment and pressures the maintainer is under? The more important the project is, the more value it has as an attack surface.

    How can they think and publicize “nah, underfunded is more important”? And even going further than that, claiming the country is irrelevant?