Start-ups and smaller companies that are extremely cash strapped are willing to take an opensource project, compile it themselves, turn it into deployment artifacts and manage that whole lifecycle. There is a threshold where paying someone to manage and certify the lifecycle of tools is more valuable than keeping it in house.

This is pushing those enterprise customers that are just using and updating binary releases because they don't want to take on the compliance risks of first-party support to pay for official versions.

▲

hiAndrewQuinn 2 days ago | parent | next [-]

I agree with your point. In the name of promoting basic numeracy:

"""

Sign up for GitHub Sponsorship and create the tiers: Small organization (< 20 people): $10/mo Medium organization (20-100 people): $40/mo Large organization (> 100 people): $60/mo

"""

You are beyond 'cash strapped' if $10/month for something as fundamental as this breaks the bank. The fully loaded cost of a single US software developer is already above $100/hour.

▲

aetherspawn 2 days ago | parent | next [-]

It’s $10/mo and then like 15min/$50/mo in everyone’s time in admin chasing down and filing receipts, reconciling to bank statements, etc.

If you’re a founder doing your own finances, well every additional little monthly charge even if it’s just $1 is quite annoying:

Filing and reconciling 12 receipts takes say 1 hour per year, what if you’re using 20 dependencies? That’s an extra 3-5 days per annum of admin.

	▲	jononor a day ago \| parent [-]
		One nice thing about GitHub sponsorship is that there is only one bill for the sponsor, and one can support NN projects/creators there. I think it is even bundled with the regular Github invoice?

▲

TrueDuality 2 days ago | parent | prev | next [-]

Sure, but that also doesn't scale reasonably and is entirely a facile argument. My original comment supports organization paying this price instead of dealing with internal compliance burdens. Looking at one of the package lock files for a previous company I still occasionally contract for, there are 9400 dependencies referenced.

So in the name of promoting basic numeracy, and taking into account the realities of scale. Matching that cost for those dependencies (this is a >100 person company) would be $560k per month. That gets you minimal support, just a guarantee that you can submit issues. No guaranteed security maintenance, compliance, or governance of the project.

You can spin up a very strong developer team for forking and maintaining an internal copy of opensource projects at that cost and a lot of large companies do just that. Should they contribute those changes back? Sure if that made sense.

A lot of time in my experience that internal copy is stripped to the bones of functionality to remove the surface area of vulnerabilities if the useful piece isn't extracted into the larger body of code directly. It's less functional with major changes specific to that environment. Would the upstream accept that massive gutting? Probably not. Could the company publish their minimal version? Sure but there are costs there as well and you DO have to justify that time and cost.

Would a company in-house the support and development of a tool over $40/month? Absolutely not, for a one-off case that's probably fine. If you want to meaningfully address the compensation issue from enterprises, opensource single-project subscriptions aren't going to be the answer.

I would LOVE to see more developer incentive programs, but one-by-one options aren't scalable and most projects don't want to provide the table-stakes level of support required of any vendor they work with. It's not optional for those organizations, its law and private contracts.

	▲	robmensching 2 days ago \| parent [-]
		Note that the package.lock file is not the place to look for your OSMF dependencies. That file will list your project's dependencies and all of their dependencies and so on and so on. You want to look at the list of packages in your package.json file. That will almost certainly be an order of magnitude (or two) smaller. For example, IIRC, GitHub (all of GitHub) calculated they had 660 direct dependencies. That's still a lot but it's not 9400. :)

▲

codedokode a day ago | parent | prev | next [-]

> The fully loaded cost of a single US software developer is already above $100/hour.

To be pedantic, it can be $0 if the developer is you yourself, or your friends, wives, husbands and other relatives.

▲

x0x0 2 days ago | parent | prev [-]

The only object is that monthly fees are super annoying. I'd much prefer an annual :shrug:

	▲	robmensching a day ago \| parent [-]
		You can pay annually. GitHub Sponsors allows that.

▲

9cb14c1ec0 2 days ago | parent | prev | next [-]

Yes, just a couple of minutes setting up a Github action on a fork, and you're good to go.

▲

robmensching a day ago | parent [-]

Yep, and now you have about half a million lines of code* to maintain as well. Have fun with it!*

* Last count the WiX Toolset had 589,719 loc but 444,936 if you skip comments and whitespace.

* This is the point, maintaining successful (and often non-trivial) projects requires a good bit of work.

	▲	9cb14c1ec0 a day ago \| parent [-]
		You can always just merge in the latest changes from the upstream project with a click or too. No need to maintain it on your own.

▲

ApolloFortyNine 2 days ago | parent | prev [-]

They actually provide the github action they use to build the releases in their repo already, so you could likely get this done in under 5 minutes.

▲

zvr 2 days ago | parent [-]

And that's what a number of organizations have set up since March.

	▲	robmensching 2 days ago \| parent [-]
		No. Not really. There are 406 forks, and ~10 were created in the last 5 months. The other people on this thread are more correct.