Some slightly unsettling billboards and ads have recently popped up around the city. They feature phrases like “Chief Freeload Officer” and “Chief Excuse Officer” accompanied by unsubtle caricatures, including one of a creepy guy with dollar signs for eyes, and money flying out of his drooling mouth.
The billboards and ads, which you can see on Muni bus stops and buses, are part of a campaign from an initiative called the Open Source Pledge. The pledge encourages tech companies to give cash directly to the people who maintain the various free open source software projects that underpin many for-profit businesses. Pretty much every big tech company you could think of uses some type of open source software, including Apple, Google, and Facebook.
There are tens of millions of free and open source software projects, which make up 70-90% of today’s software solutions, according to a Linux Foundation report. These projects live on repositories like GitHub, Maven, and npm. Despite their enormous importance to digital infrastructure, a good chunk of widely used pieces of open source software are developed and maintained by a handful of people.
Just one person, for example, maintains OpenSSH, open source software that enables secure remote logins. Mac OS X, Microsoft Windows and other major platforms integrate OpenSSH into their own systems.
Open Source Pledge’s billboards feature what the group’s creators call “mooch monsters,” an “admittedly slightly silly” caricature of executives who prioritize short-term profits over a healthy open-source ecosystem, Vlad-Stefan Harbuz, a core contributor to the Open Source Pledge, told Gazetteer SF over email.
“We're trying to caution against this by showing that there can be real harm in neglecting to give back to the software ecosystem we all depend on,” he wrote. “We're hoping that this will motivate companies to give back to maintainers.” He added, “It’s not fair” that many of these maintainers don’t get paid, despite creating huge value for commercial businesses.
That’s where the pledge comes in. It encourages companies to pay $2,000 per year for every developer they employ to an open source maintainer of their choosing, and then publish an annual report detailing the company’s payments to the open-source ecosystem in the past year.
Paying the people who keep vital software in good working shape is critical “because not doing so will render our global tech infrastructure vulnerable,” Harbuz told Gazetteer. Otherwise, he said, maintainers will continue to be vulnerable to burnout, which could lead to global security issues. And Harbuz said this has already happened, pointing to the supply chain attack against open source data compression utility XZ Utils earlier this year.
In March, a Microsoft engineer identified malicious code in XZ Utils, which is part of the Linux operating system. The Linux operating system, meanwhile, is a major piece of open-source software that many banks, hospitals, governments and Fortune 500 companies run on. Thankfully, the engineer discovered the malicious code before it was added to production versions of Linux.
But crisis was not averted back in 2011, when the Heartbleed bug made its way into open source encryption software OpenSSL, making about 500,000 sites vulnerable to attacks. The bug, which wasn’t announced and fixed until 2014, made users of popular sites like Facebook, Google and YouTube all vulnerable to having their personal information stolen.
So far, 26 companies have joined the Open Source Pledge, including HeroDevs, Antithesis, and StackBlitz. Sentry, a developer tools company that funded the development of the Pledge, is the largest contributor to date.
David Cramer, co-founder of Sentry, explained in a blog post earlier this month that he and his co-collaborators have been kicking the idea around for years, but it is only now coming to fruition. The goal is to get fellow tech companies to not just talk about the problem, but to do something about it.
“We don’t think it’s the only solution, nor do we think it’s the only way to give back, but we do believe giving cash money to maintainers is an appropriate way to show your thanks, to recognize their hard work, the value they create for you,” he wrote. “Maybe, just maybe, we’ll do our small part in encouraging the maintainers to keep putting up with us in the enormous ecosystem we rely on.”
Apple, Google, and Facebook did not respond to Gazetteer’s requests for comment on whether they plan to support the efforts.
The group behind the Open Source Pledge isn’t the only one looking for a way to better support open-source infrastructure. On the national level, the Biden administration in August pledged $11 million to better understand how companies, government agencies, and institutions use open source software, with the ultimate goal of strengthening national security.
Editor’s note: The author’s wife worked at Sentry from July 2016-July 2017, but has no ongoing financial ties to the company.