Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-05 Thread Phil Steitz

On 3/5/22 12:08, Jarek Potiuk wrote:

I am talking about *user* companies here

Of course this is (as I wrote) a perfectly valid case - and it works
beautifully in many cases. I know plenty of examples :).
Maybe there was a misunderstanding of my "(unlike the models 2. 3)". I
think those models were (and still are) crucial to the success of many
projects. And I think there is no argument about it.
I am not sure if this is some kind of argument we are having or whether we
agree so let me reiterate what I thin I want to say in the context of the
topic of the discussion.
Just to remind the topic: "Effective ways of getting individuals funded to
work on ASF projects"

Both 2) and 3) contain "employers" who pay their employees or allow them to
scratch itches independently and I am not sure if ASF can help here somehow
in making it "better".

On the other hand my proposed "model 4)" is different and I believe ASF
**might** play some role in making it easier for both individuals and
stakeholders.


All good.  I did not mean to be argumentative - just to point out that 
it is possible to be funded to work on OSS without working for a vendor 
either directly or indirectly as a contractor.


Phil



In this model, you have no "employees". You have stakeholders reaching out
to individuals - committers/PMC members/contributors who are already
working on the project (or the other way round - it could be committers
reaching out) to pay them.
All this without a pre-existing Employee <-> Employer relationship.

I think this is the very model that the ASF can help to "facilitate"
establishing such relationships (which is the most difficult and crucial
part of making the model works).

* make both individuals and stakeholders aware it's OK and what are the
conditions (for example making sure there is "no non-compete" and
"community makes decisions" clauses) in such relationships
* show the path how both sides can act to establish relationship between
them and what could the "protocol" there
* provide some guidelines on how contracts should be written (without
providing legal advice of course as ASF can't do that and those will be
subject to local laws especially in case of IP clauses there)
* possibly provide a list of intermediaries that can help with the
"bureaucracy" (handling invoices, signing, preparing contracts etc.)

I think if we are (at least that was the initial topic) discussing ways
"how we can improve the situation as an ASF" - this is my thinking where it
could help - specifically in model 4.

I am also happy to help prepare some of that (following Roman's proposal).

For example I am - as we speak - discussing some details with my lawyers
(who actually specialise both anglo-saxon and east-european IP law) about
some IP clauses in my contracts that I am sending to a new customer. And
while I can afford that and have friendly lawyers whom I trust with it, and
I run a business before, so I know you need to involve lawyers there. I am
sure that might be one of the obstacles for multiple individuals who would
like to set up similar, direct contracts with the stakeholders, but do not
know where to start and what to look for  - I think sharing some outcome
and guidelines here might help.

J.



On Sat, Mar 5, 2022 at 12:32 AM Phil Steitz  wrote:


On 3/4/22 11:28 AM, Jarek Potiuk wrote:

Definitely another good way to support projects.  I think 2. and 3.
originating in user companies can actually help foster vendor neutrality
as these companies are really just users.  Whether the people are
employees or contractors is not important.  What *is* important is that
they have time and mandate to contribute broadly to the project rather
than just trying to get specific features in.

There is a huge difference actually.

Employees - almost by definition - cannot work for competitors at the
same time. Individual contributors can.

I am talking about *user* companies here - companies that do not
directly make $ on the software being produced by the project. However
they pay - either employees or contractors - they are going to protect
their proprietary IP and they need to have policies around that, but in
the vast majority of cases for actual user companies, this is irrelevant.

There are a *huge* number of companies that use ASF and other OSS
software that do not compete in any way shape or form with the various
vendors involved in the projects.  I am talking about those companies -
the actual users of the software.  It is very possible for these
companies to employ people and allow and encourage them to contribute
*independently* to OSS, sometimes scratching work-related itches,
sometimes just doing what needs doing.  I know that seems a slightly
foreign concept these days, but there have been a whole lot of people
over the years who have done exactly this.  The nice thing 

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-05 Thread Jarek Potiuk
> I am talking about *user* companies here

Of course this is (as I wrote) a perfectly valid case - and it works
beautifully in many cases. I know plenty of examples :).
Maybe there was a misunderstanding of my "(unlike the models 2. 3)". I
think those models were (and still are) crucial to the success of many
projects. And I think there is no argument about it.
I am not sure if this is some kind of argument we are having or whether we
agree so let me reiterate what I thin I want to say in the context of the
topic of the discussion.
Just to remind the topic: "Effective ways of getting individuals funded to
work on ASF projects"

Both 2) and 3) contain "employers" who pay their employees or allow them to
scratch itches independently and I am not sure if ASF can help here somehow
in making it "better".

On the other hand my proposed "model 4)" is different and I believe ASF
**might** play some role in making it easier for both individuals and
stakeholders.

In this model, you have no "employees". You have stakeholders reaching out
to individuals - committers/PMC members/contributors who are already
working on the project (or the other way round - it could be committers
reaching out) to pay them.
All this without a pre-existing Employee <-> Employer relationship.

I think this is the very model that the ASF can help to "facilitate"
establishing such relationships (which is the most difficult and crucial
part of making the model works).

* make both individuals and stakeholders aware it's OK and what are the
conditions (for example making sure there is "no non-compete" and
"community makes decisions" clauses) in such relationships
* show the path how both sides can act to establish relationship between
them and what could the "protocol" there
* provide some guidelines on how contracts should be written (without
providing legal advice of course as ASF can't do that and those will be
subject to local laws especially in case of IP clauses there)
* possibly provide a list of intermediaries that can help with the
"bureaucracy" (handling invoices, signing, preparing contracts etc.)

I think if we are (at least that was the initial topic) discussing ways
"how we can improve the situation as an ASF" - this is my thinking where it
could help - specifically in model 4.

I am also happy to help prepare some of that (following Roman's proposal).

For example I am - as we speak - discussing some details with my lawyers
(who actually specialise both anglo-saxon and east-european IP law) about
some IP clauses in my contracts that I am sending to a new customer. And
while I can afford that and have friendly lawyers whom I trust with it, and
I run a business before, so I know you need to involve lawyers there. I am
sure that might be one of the obstacles for multiple individuals who would
like to set up similar, direct contracts with the stakeholders, but do not
know where to start and what to look for  - I think sharing some outcome
and guidelines here might help.

J.



On Sat, Mar 5, 2022 at 12:32 AM Phil Steitz  wrote:

>
> On 3/4/22 11:28 AM, Jarek Potiuk wrote:
> >> Definitely another good way to support projects.  I think 2. and 3.
> >> originating in user companies can actually help foster vendor neutrality
> >> as these companies are really just users.  Whether the people are
> >> employees or contractors is not important.  What *is* important is that
> >> they have time and mandate to contribute broadly to the project rather
> >> than just trying to get specific features in.
> > There is a huge difference actually.
> >
> > Employees - almost by definition - cannot work for competitors at the
> > same time. Individual contributors can.
>
> I am talking about *user* companies here - companies that do not
> directly make $ on the software being produced by the project. However
> they pay - either employees or contractors - they are going to protect
> their proprietary IP and they need to have policies around that, but in
> the vast majority of cases for actual user companies, this is irrelevant.
>
> There are a *huge* number of companies that use ASF and other OSS
> software that do not compete in any way shape or form with the various
> vendors involved in the projects.  I am talking about those companies -
> the actual users of the software.  It is very possible for these
> companies to employ people and allow and encourage them to contribute
> *independently* to OSS, sometimes scratching work-related itches,
> sometimes just doing what needs doing.  I know that seems a slightly
> foreign concept these days, but there have been a whole lot of people
> over the years who have done exactly this.  The nice thing about working
> for a compan

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-04 Thread Phil Steitz



On 3/4/22 11:28 AM, Jarek Potiuk wrote:

Definitely another good way to support projects.  I think 2. and 3.
originating in user companies can actually help foster vendor neutrality
as these companies are really just users.  Whether the people are
employees or contractors is not important.  What *is* important is that
they have time and mandate to contribute broadly to the project rather
than just trying to get specific features in.

There is a huge difference actually.

Employees - almost by definition - cannot work for competitors at the
same time. Individual contributors can.


I am talking about *user* companies here - companies that do not 
directly make $ on the software being produced by the project. However 
they pay - either employees or contractors - they are going to protect 
their proprietary IP and they need to have policies around that, but in 
the vast majority of cases for actual user companies, this is irrelevant.


There are a *huge* number of companies that use ASF and other OSS 
software that do not compete in any way shape or form with the various 
vendors involved in the projects.  I am talking about those companies - 
the actual users of the software.  It is very possible for these 
companies to employ people and allow and encourage them to contribute 
*independently* to OSS, sometimes scratching work-related itches, 
sometimes just doing what needs doing.  I know that seems a slightly 
foreign concept these days, but there have been a whole lot of people 
over the years who have done exactly this.  The nice thing about working 
for a company that actually uses the software is you get a clear picture 
of what is important. Your direct experience using and supporting the 
software comes directly back into the project.  As I said, our projects 
used to be full of people like this.  One of our most successful early 
Java projects - Struts - had no vendor-paid developers when it became 
the leading Java MVC framework.  The committers all used struts in 
@dayjob, but they were actual users.  As we have become more 
vendor-dominated, contributors like that have become more sparse.   That 
does not mean though that this it is not a vast resource of potential 
contributors and a good way to get paid at least partially to work on OSS.


Phil



As a contractor (and that also should be part of any other
contributor's clause) I can work with multiple stakeholders - even
competitors (and this is an important clause that I make sure in my
contract).

Currently, as an independent contributor i have/had business relationship with:

* Google
* AWS
* Astronomer

(And some more are coming). They are competitors, buti also they are
cooperating on Airflow - so called "coopetition". This is next to
impossible for an Employee to have several employment contracts with
competitors at the same time.

Also it allows me to lead projects and initiatives, where there is a
value brought by all those different stakeholders. Being independent
and paid by all of those make it also easier for other stakeholders to
join the efforts.

This is all extremely different to situations where the people
contributing are employed by  a single Employer. That also works - of
course, and there is nothing wrong with that. But it is very
different.

J.

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-04 Thread Dave Fisher


> On Mar 4, 2022, at 10:28 AM, Jarek Potiuk  wrote:
> 
>> Definitely another good way to support projects.  I think 2. and 3.
>> originating in user companies can actually help foster vendor neutrality
>> as these companies are really just users.  Whether the people are
>> employees or contractors is not important.  What *is* important is that
>> they have time and mandate to contribute broadly to the project rather
>> than just trying to get specific features in.

This is a subtle and important point.
- how do vendors enable their individuals to upstream changes?
- how easy does the project make it for individuals to upstream their changes?

> 
> There is a huge difference actually.
> 
> Employees - almost by definition - cannot work for competitors at the
> same time. Individual contributors can.

That depends on the terms of employment. I’m employed currently and explicitly 
expected to contribute. This hasn’t always been the case.

> 
> As a contractor (and that also should be part of any other
> contributor's clause) I can work with multiple stakeholders - even
> competitors (and this is an important clause that I make sure in my
> contract).

There are reasons for competitors to co-operate.


> 
> Currently, as an independent contributor i have/had business relationship 
> with:
> 
> * Google
> * AWS
> * Astronomer
> 
> (And some more are coming). They are competitors, buti also they are
> cooperating on Airflow - so called "coopetition". This is next to
> impossible for an Employee to have several employment contracts with
> competitors at the same time.

This is how a vendor independent project ought to work.

Perhaps a review of 
https://blogs.apache.org/foundation/entry/the-apache-way-to-sustainable ?


> 
> Also it allows me to lead projects and initiatives, where there is a
> value brought by all those different stakeholders. Being independent
> and paid by all of those make it also easier for other stakeholders to
> join the efforts.
> 
> This is all extremely different to situations where the people
> contributing are employed by  a single Employer. That also works - of
> course, and there is nothing wrong with that. But it is very
> different.

Everyone’s situation is uniquely theirs.

All the best,
Dave

> 
> J.
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-04 Thread Jarek Potiuk
> Definitely another good way to support projects.  I think 2. and 3.
> originating in user companies can actually help foster vendor neutrality
> as these companies are really just users.  Whether the people are
> employees or contractors is not important.  What *is* important is that
> they have time and mandate to contribute broadly to the project rather
> than just trying to get specific features in.

There is a huge difference actually.

Employees - almost by definition - cannot work for competitors at the
same time. Individual contributors can.

As a contractor (and that also should be part of any other
contributor's clause) I can work with multiple stakeholders - even
competitors (and this is an important clause that I make sure in my
contract).

Currently, as an independent contributor i have/had business relationship with:

* Google
* AWS
* Astronomer

(And some more are coming). They are competitors, buti also they are
cooperating on Airflow - so called "coopetition". This is next to
impossible for an Employee to have several employment contracts with
competitors at the same time.

Also it allows me to lead projects and initiatives, where there is a
value brought by all those different stakeholders. Being independent
and paid by all of those make it also easier for other stakeholders to
join the efforts.

This is all extremely different to situations where the people
contributing are employed by  a single Employer. That also works - of
course, and there is nothing wrong with that. But it is very
different.

J.

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-04 Thread Phil Steitz




On 3/4/22 4:08 AM, Jarek Potiuk wrote:

1.  We can all afford to volunteer our discretionary time as we see
fit.  Not just rich or retired people have discretionary time.
2.  Employers can support OSS communities by allowing their employees to
contribute as part of their jobs, but not in a "job shop" or directed way.
3.  Employers can support OSS by allowing their people to scratch itches
directly.

I personally think there is a 4 th way.  I discovered it ~4 years ago
in Polidea, the
software house I co-owned, worked on and sold and eventually turned it
successfully
into my personal "business model". This is is not at all obvious why
it would work and
it was a bit of surprise for me when I discovered it and when I
successfully made living
from it (and also successfully helped with upp-ing the value of the
company I co founded
so that it could be acquired) - at the same time contributing a lot to
the success of
Apache Airflow project which became the most contributed (in terms of numbers of
contributors) project of the ASF.

The model is:

4. Organization and stakeholders in the project, rather than paying
their own employees,
pay independent third-parties to contribute to the OSS (software
houses or individuals).
This all with understanding the limitations it brings in influencing
direction of the project
and recognizing value of the parties who are intimately familiar with
not only code,
but also community and simply are the best to "make things happens" -
all according
to the rules and limitations of the ASF and (unlike the models 2. 3. )
increasing
vendor neutrality in the project rather than  decreasing it.
Definitely another good way to support projects.  I think 2. and 3. 
originating in user companies can actually help foster vendor neutrality 
as these companies are really just users.  Whether the people are 
employees or contractors is not important.  What *is* important is that 
they have time and mandate to contribute broadly to the project rather 
than just trying to get specific features in.


Phil

I think this model makes it possible to kill two birds with the same stone:

* make the model when you can make living from open source contributions
* increase vendor neutrality in the projects

It is largely described in the article which I wrote a few years back in Polidea
and reposted it after Polidea has been acquired. Since then I learned (and
tested on myself) that this is a sustainable model not only for 3rd party
software houses, but also for independent contributors like me.

https://medium.com/@jarekpotiuk/the-evolution-of-open-source-standing-on-the-shoulders-of-giants-db22dcdbca04

I really wish we could together find some ways to replicate that and
make many individual
contributors to follow this model.

J.

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-04 Thread Jarek Potiuk
>
> 1.  We can all afford to volunteer our discretionary time as we see
> fit.  Not just rich or retired people have discretionary time.
> 2.  Employers can support OSS communities by allowing their employees to
> contribute as part of their jobs, but not in a "job shop" or directed way.
> 3.  Employers can support OSS by allowing their people to scratch itches
> directly.

I personally think there is a 4 th way.  I discovered it ~4 years ago
in Polidea, the
software house I co-owned, worked on and sold and eventually turned it
successfully
into my personal "business model". This is is not at all obvious why
it would work and
it was a bit of surprise for me when I discovered it and when I
successfully made living
from it (and also successfully helped with upp-ing the value of the
company I co founded
so that it could be acquired) - at the same time contributing a lot to
the success of
Apache Airflow project which became the most contributed (in terms of numbers of
contributors) project of the ASF.

The model is:

4. Organization and stakeholders in the project, rather than paying
their own employees,
pay independent third-parties to contribute to the OSS (software
houses or individuals).
This all with understanding the limitations it brings in influencing
direction of the project
and recognizing value of the parties who are intimately familiar with
not only code,
but also community and simply are the best to "make things happens" -
all according
to the rules and limitations of the ASF and (unlike the models 2. 3. )
increasing
vendor neutrality in the project rather than  decreasing it.

I think this model makes it possible to kill two birds with the same stone:

* make the model when you can make living from open source contributions
* increase vendor neutrality in the projects

It is largely described in the article which I wrote a few years back in Polidea
and reposted it after Polidea has been acquired. Since then I learned (and
tested on myself) that this is a sustainable model not only for 3rd party
software houses, but also for independent contributors like me.

https://medium.com/@jarekpotiuk/the-evolution-of-open-source-standing-on-the-shoulders-of-giants-db22dcdbca04

I really wish we could together find some ways to replicate that and
make many individual
contributors to follow this model.

J.

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Phil Steitz




On 3/3/22 3:20 PM, Matt Sicker wrote:

I'd like to see a better solution proposed for maintaining vendor
neutrality while funding the individuals working on the project. If
every workable solution is denied, then the only people who can afford
to work on Apache projects would be rich people, retired people, and
those who are being paid by another employer to do the exact same
thing. In fact, this is probably relevant to the demographics here as
discovered in D&I surveys.

Umm,  no.

1.  We can all afford to volunteer our discretionary time as we see 
fit.  Not just rich or retired people have discretionary time.
2.  Employers can support OSS communities by allowing their employees to 
contribute as part of their jobs, but not in a "job shop" or directed way.
3.  Employers can support OSS by allowing their people to scratch itches 
directly.


I have personally done 1 and enabled 2 and 3 for 20+ years now.  I think 
1 and 3 are really what built the ASF.  People working on things that 
they are actually interested in and scratching their own itches leads to 
great software that developers love to work on and use.  We don't need 
to turn into some kind of job shop, glorified joint venture or 
pseudo-employer to tap into the vast and renewable resource in the user 
-> contributor -> committer pipeline. Getting more *user* employers to 
support 2 and 3 is definitely needed, but I think it is smarter and 
better for the long term health of the ASF to focus on that (and 
removing barriers to entry in vendor-dominated projects) rather than 
becoming a de facto commercial software company.


Phil


On Thu, Mar 3, 2022 at 4:15 PM Craig Russell  wrote:

I very much like the direction here.

One other top post that falls into item 2 (rules of engagement):

Apache does operate in the open with discussions, bug fixes, etc. all out for 
anyone to see. Except for security issues.

I'd like to discuss how we treat committers with security privileges with 
regard to third parties who may be contracting for the committers' resources.

Is it acceptable for committers to inform a third party of security issues 
before the CVE is public because of their relationship with the third party?

Regards,
Craig


On Mar 2, 2022, at 6:12 AM, Roman Shaposhnik  wrote:

Hi!

top-posting here, since I'd like to summarize a few points to see where we
can
take this discussion. Before I do that I wanted to thank Bertrand and Jim
for
excellent, short emails/summaries and also special thanks to Chris for an
extremely informative recap of his efforts.

Personally, I'd like to focus on 3 things. Please let me know if I'm missing
anything or you disagree:

1. building a robust list of what we at ASF perceive as potential value
that can be offered to *our* members, committers and contributors
by the 3d parties like Tidelift (again, I'm simply using them as an
example here -- anybody else would do just fine).

2. building a list of "rules of engagement" that we feel must be met
for these types of relationships to be compatible with the way we
govern our communities.

3. document all the learning, pitfalls, etc. that we've collectively
amassed by trying to solve this type of a problem on a one-by-one
basis.

To expand on those points: I really do think that 3d parties (if done
right) can take care of a lot of pain points for us. Again -- I'm NOT
saying that a magic entity like that even exists today (maybe Tidelift
is really not the right solution for us -- dunno yet) -- what I'm saying
is that I really would like to understand how that type of a service
should look like. Or take Jarek's example of ridesharing: most
of people focus on ridesharing companies just matching riders to
drivers, but that's just the tip of the iceberg -- ridesharing companies
solve huge amounts of arbitration issues (such as insurance, license,
etc.). Common folk don't get to see those -- but that's a huge value they
offer to drivers (and arguably riders) on top of just finding "customers".
Same with 3d parties for us I have in mind (see Chris's list of gotchas).

For now, I propose a few Cofluence pages under ComDev where this
type of information gets collected. I'll do it later tonight -- so feel free
to just add to this thread for now.

Once we've collected that type of info -- we can then sort of "evaluate
vendors" against that list and see what they are missing, etc. We can
even issue a wide "call to apply" for various companies if we feel like it.

Makes sense?

Thanks,
Roman.

On Tue, Mar 1, 2022 at 9:43 AM Bertrand Delacretaz 
wrote:


Hi,

Le lun. 28 févr. 2022 à 21:15, Jarek Potiuk  a écrit :


...Proposal:
I think we all agree that ASF meets the criteria of Tidelift already.
Why don't Tidelift (in the places where open-source projects included are
listed) explain that ASF projects meet the criteria, and any one is free
to deal directly with the committers of all ASF projects directly...

I'd say we all agree that *in theory* ASF projects meet Tidelift's
criter

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Matt Sicker
I'd like to see a better solution proposed for maintaining vendor
neutrality while funding the individuals working on the project. If
every workable solution is denied, then the only people who can afford
to work on Apache projects would be rich people, retired people, and
those who are being paid by another employer to do the exact same
thing. In fact, this is probably relevant to the demographics here as
discovered in D&I surveys.

On Thu, Mar 3, 2022 at 4:15 PM Craig Russell  wrote:
>
> I very much like the direction here.
>
> One other top post that falls into item 2 (rules of engagement):
>
> Apache does operate in the open with discussions, bug fixes, etc. all out for 
> anyone to see. Except for security issues.
>
> I'd like to discuss how we treat committers with security privileges with 
> regard to third parties who may be contracting for the committers' resources.
>
> Is it acceptable for committers to inform a third party of security issues 
> before the CVE is public because of their relationship with the third party?
>
> Regards,
> Craig
>
> > On Mar 2, 2022, at 6:12 AM, Roman Shaposhnik  wrote:
> >
> > Hi!
> >
> > top-posting here, since I'd like to summarize a few points to see where we
> > can
> > take this discussion. Before I do that I wanted to thank Bertrand and Jim
> > for
> > excellent, short emails/summaries and also special thanks to Chris for an
> > extremely informative recap of his efforts.
> >
> > Personally, I'd like to focus on 3 things. Please let me know if I'm missing
> > anything or you disagree:
> >
> > 1. building a robust list of what we at ASF perceive as potential value
> > that can be offered to *our* members, committers and contributors
> > by the 3d parties like Tidelift (again, I'm simply using them as an
> > example here -- anybody else would do just fine).
> >
> > 2. building a list of "rules of engagement" that we feel must be met
> > for these types of relationships to be compatible with the way we
> > govern our communities.
> >
> > 3. document all the learning, pitfalls, etc. that we've collectively
> > amassed by trying to solve this type of a problem on a one-by-one
> > basis.
> >
> > To expand on those points: I really do think that 3d parties (if done
> > right) can take care of a lot of pain points for us. Again -- I'm NOT
> > saying that a magic entity like that even exists today (maybe Tidelift
> > is really not the right solution for us -- dunno yet) -- what I'm saying
> > is that I really would like to understand how that type of a service
> > should look like. Or take Jarek's example of ridesharing: most
> > of people focus on ridesharing companies just matching riders to
> > drivers, but that's just the tip of the iceberg -- ridesharing companies
> > solve huge amounts of arbitration issues (such as insurance, license,
> > etc.). Common folk don't get to see those -- but that's a huge value they
> > offer to drivers (and arguably riders) on top of just finding "customers".
> > Same with 3d parties for us I have in mind (see Chris's list of gotchas).
> >
> > For now, I propose a few Cofluence pages under ComDev where this
> > type of information gets collected. I'll do it later tonight -- so feel free
> > to just add to this thread for now.
> >
> > Once we've collected that type of info -- we can then sort of "evaluate
> > vendors" against that list and see what they are missing, etc. We can
> > even issue a wide "call to apply" for various companies if we feel like it.
> >
> > Makes sense?
> >
> > Thanks,
> > Roman.
> >
> > On Tue, Mar 1, 2022 at 9:43 AM Bertrand Delacretaz 
> > wrote:
> >
> >> Hi,
> >>
> >> Le lun. 28 févr. 2022 à 21:15, Jarek Potiuk  a écrit :
> >>
> >>> ...Proposal:
> >>> I think we all agree that ASF meets the criteria of Tidelift already.
> >>> Why don't Tidelift (in the places where open-source projects included are
> >>> listed) explain that ASF projects meet the criteria, and any one is free
> >>> to deal directly with the committers of all ASF projects directly...
> >>
> >> I'd say we all agree that *in theory* ASF projects meet Tidelift's
> >> criteria, quoting from earlier in this thread, with my own numbering
> >> added:
> >>
> >> Le lun. 28 févr. 2022 à 19:30, Joshua Simmons
> >>  a écrit :
> >>> ...*What Tidelift expects from maintainers*Maintainers provide two
> >> things to
> >>> our customers: (1) information (licensing details, context on CVEs) and
> >>> (2) continuity (comfort that the package is maintained and is highly
> >> likely to
> >>> continue to be maintained). We also expect maintainers (3) to abide by a
> >> Code
> >>> of Conduct
> >>
> >> I think for (3) we're good, the ASF will intervene if projects are not ok.
> >>
> >> But for (1) and (2) I think the ASF *wants* our projects to be good
> >> citizens, and we work towards that and support them, but entities such
> >> as Tidelift or others could add value by measuring and reporting what
> >> actually happens.
> >>
> >> Does Apache FOO actually pr

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Craig Russell
I very much like the direction here.

One other top post that falls into item 2 (rules of engagement):

Apache does operate in the open with discussions, bug fixes, etc. all out for 
anyone to see. Except for security issues.

I'd like to discuss how we treat committers with security privileges with 
regard to third parties who may be contracting for the committers' resources.

Is it acceptable for committers to inform a third party of security issues 
before the CVE is public because of their relationship with the third party? 

Regards,
Craig

> On Mar 2, 2022, at 6:12 AM, Roman Shaposhnik  wrote:
> 
> Hi!
> 
> top-posting here, since I'd like to summarize a few points to see where we
> can
> take this discussion. Before I do that I wanted to thank Bertrand and Jim
> for
> excellent, short emails/summaries and also special thanks to Chris for an
> extremely informative recap of his efforts.
> 
> Personally, I'd like to focus on 3 things. Please let me know if I'm missing
> anything or you disagree:
> 
> 1. building a robust list of what we at ASF perceive as potential value
> that can be offered to *our* members, committers and contributors
> by the 3d parties like Tidelift (again, I'm simply using them as an
> example here -- anybody else would do just fine).
> 
> 2. building a list of "rules of engagement" that we feel must be met
> for these types of relationships to be compatible with the way we
> govern our communities.
> 
> 3. document all the learning, pitfalls, etc. that we've collectively
> amassed by trying to solve this type of a problem on a one-by-one
> basis.
> 
> To expand on those points: I really do think that 3d parties (if done
> right) can take care of a lot of pain points for us. Again -- I'm NOT
> saying that a magic entity like that even exists today (maybe Tidelift
> is really not the right solution for us -- dunno yet) -- what I'm saying
> is that I really would like to understand how that type of a service
> should look like. Or take Jarek's example of ridesharing: most
> of people focus on ridesharing companies just matching riders to
> drivers, but that's just the tip of the iceberg -- ridesharing companies
> solve huge amounts of arbitration issues (such as insurance, license,
> etc.). Common folk don't get to see those -- but that's a huge value they
> offer to drivers (and arguably riders) on top of just finding "customers".
> Same with 3d parties for us I have in mind (see Chris's list of gotchas).
> 
> For now, I propose a few Cofluence pages under ComDev where this
> type of information gets collected. I'll do it later tonight -- so feel free
> to just add to this thread for now.
> 
> Once we've collected that type of info -- we can then sort of "evaluate
> vendors" against that list and see what they are missing, etc. We can
> even issue a wide "call to apply" for various companies if we feel like it.
> 
> Makes sense?
> 
> Thanks,
> Roman.
> 
> On Tue, Mar 1, 2022 at 9:43 AM Bertrand Delacretaz 
> wrote:
> 
>> Hi,
>> 
>> Le lun. 28 févr. 2022 à 21:15, Jarek Potiuk  a écrit :
>> 
>>> ...Proposal:
>>> I think we all agree that ASF meets the criteria of Tidelift already.
>>> Why don't Tidelift (in the places where open-source projects included are
>>> listed) explain that ASF projects meet the criteria, and any one is free
>>> to deal directly with the committers of all ASF projects directly...
>> 
>> I'd say we all agree that *in theory* ASF projects meet Tidelift's
>> criteria, quoting from earlier in this thread, with my own numbering
>> added:
>> 
>> Le lun. 28 févr. 2022 à 19:30, Joshua Simmons
>>  a écrit :
>>> ...*What Tidelift expects from maintainers*Maintainers provide two
>> things to
>>> our customers: (1) information (licensing details, context on CVEs) and
>>> (2) continuity (comfort that the package is maintained and is highly
>> likely to
>>> continue to be maintained). We also expect maintainers (3) to abide by a
>> Code
>>> of Conduct
>> 
>> I think for (3) we're good, the ASF will intervene if projects are not ok.
>> 
>> But for (1) and (2) I think the ASF *wants* our projects to be good
>> citizens, and we work towards that and support them, but entities such
>> as Tidelift or others could add value by measuring and reporting what
>> actually happens.
>> 
>> Does Apache FOO actually provide good information on security issues and
>> CVEs?
>> Timely response? What's their average/min/max response time, how many
>> "in-flight" CVEs?
>> Does Apache FOO release often enough? Maybe based on project maturity
>> categories, new, established, mostly dormant etc.
>> 
>> We could of course measure these things ourselves, and we do have some
>> data.
>> 
>> But I think having external entities provide factual data on how well
>> our projects are doing can be useful, and for customers of Tidelift
>> and the like that certainly has value.
>> 
>> Whatever mechanism our contributors use to finance themselves, having
>> information on which projects are most worth

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Bill Cole
On 2022-03-03 at 02:40:09 UTC-0500 (Thu, 3 Mar 2022 07:40:09 +)
Christofer Dutz 
is rumored to have said:

> Just thinking out loud ...
>
> The ASF could never be an entity that people could come to looking for 
> commercial support.
> That would just be in conflict with being a non-profit charitable 
> organization.

Perhaps in principle but at least in the US, not in law. Non-profits are able 
to support themselves with commercial operations, although they may need to be 
careful about anti-competitive practices.

Having worked in commercial operations of non-profits a couple of times in my 
life, I would concur that the ASF *SHOULD NEVER* be an entity that people could 
come to looking for commercial support, even if it were in an entirely legal 
way. Paying people to provide support feels tantamount to paying them for 
development. A perfectly good thing for others to do, not the ASF.

> However, we also have this discussion about the endowment from the pinaple 
> funds donation.
> How about having the ASF as it is, was and hopefully will always be, and a 
> second entity that people could come to for commercial support.
> In contrast to the usual external companies, the board of this entity could 
> be linked to the board of the ASF?
> This would ensure that the company is run in line with the values of the ASF.
>
> Please tell me if this is just complete nonsense ;-)

This is akin to Mozilla Corp. and Mozilla Fdn. Not fundamentally nonsense, but 
not really a fit for ASF in my opinion.

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Maxim Solodovnik
Commertial support link at our project
Is not very much visited :(

from mobile (sorry for typos ;)


On Thu, Mar 3, 2022, 14:41 Christofer Dutz 
wrote:

> Just thinking out loud ...
>
> The ASF could never be an entity that people could come to looking for
> commercial support.
> That would just be in conflict with being a non-profit charitable
> organization.
>
> However, we also have this discussion about the endowment from the pinaple
> funds donation.
> How about having the ASF as it is, was and hopefully will always be, and a
> second entity that people could come to for commercial support.
> In contrast to the usual external companies, the board of this entity
> could be linked to the board of the ASF?
> This would ensure that the company is run in line with the values of the
> ASF.
>
> Please tell me if this is just complete nonsense ;-)
>
> Chris
>
>
>
> -Original Message-
> From: Dave Fisher 
> Sent: Donnerstag, 3. März 2022 07:33
> To: dev@community.apache.org
> Subject: Re: Effective ways of getting individuals funded to work on ASF
> projects
>
> We can’t know the motivations of anyone funding a “tidelift” effort.
>
> And we have trademarks / brand to help deal with misnamed vendor product.
>
> PMCs have the same guarantees with vendors and funders - none.
>
> Do we need a clearer statement about participation as individuals?
>
> Do we need clarification about how a PMC can ask for help?
>
> Trying to keep it simple.
>
> All the best,
> Dave
>
> Sent from my iPhone
>
> > On Mar 2, 2022, at 10:20 PM, Ralph Goers 
> wrote:
> >
> > My experience with vendors that employee people to work on ASF
> > projects is that they have their own internal processes that are
> > separate from the ASF’s. For example, as part of their product they
> > might deliver Apache Foo for Acme Bar. The version they ship might not
> exactly match what the ASF distributes.
> >
> > Tidelift doesn’t deliver a product so has no way to achieve this.
> >
> > That said, Tidelift certainly could provide resources to run the
> > processes they deem necessary and get the folks they are paying to
> > execute those. But any issues that are found would have to be resolved
> in the project, not in something Tidelift distributes.
> >
> > Ralph
> >
> >
> >
> >> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
> >>
> >> The way this discussion is going makes me want to ask why should
> tidelift be any different from a vendor that pays individuals to work on
> ASF projects as part of their employment?
> >>
> >> The same neutrality ought to apply. Why do we need to make a new
> classification?
> >>
> >> All the best,
> >> Dave
> >>
> >> Sent from my iPhone
> >>
> >>>> On Mar 2, 2022, at 4:31 PM, Willem Jiang 
> wrote:
> >>>
> >>> +1.
> >>> It will make the maintainer's life easier with this collected
> information.
> >>> When we bring the commercial support to the ASF project daily
> >>> development,  we still need to follow certain rules to avoid the
> >>> conflict with the Apache way we believed.
> >>>
> >>> Willem Jiang
> >>>
> >>> Twitter: willemjiang
> >>> Weibo: 姜宁willem
> >>>
> >>>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
> >>>>
> >>>> Thanks Roman for the initiative. +1 on it.
> >>>>
> >>>> I think this might allow us to focus on what we (ASF) think is
> >>>> really important and needed by the individuals who work on ASF
> >>>> projects, and set our boundaries and limits their individual
> >>>> approach as well as clear limits and boundaries for the
> >>>> organisations that would like to apply - and then let any entity who
> wants to help to see how they can fit-in.
> >>>>
> >>>> Happy to help with hashing it out.
> >>>>
> >>>> J.
> >>>>
> >>>> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz
> >>>> 
> >>>> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik
> >>>>>  a écrit :
> >>>>>> ...Once we've collected that type of info -- we can then sort of
> >>>>> "evaluate
> >&g

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-03 Thread Jarek Potiuk
I quite agree with Dave - Tidelift should not be any different and should
be treated exactly the same as anyone else.

I really think what ASF could do is to (and this is how I understand
Roman's proposal):

* clarify the rules and limits (so that companies like Tidelift  - or
Google, or AWS or whoever else knows what to expect and how to adjust their
expectations (i.e not approaching the ASF and PMC but  approaching
individuals instead, not expecting PMC to endorse the company)
* help individual contributors - for example by providing them with
"compatible" or "example" rules and expectations that the contracts with
individuals can have
* make it clear that such practices are OK and somewhat promote/endorse it
(in the sense of laying out transparent, easy to find and refer-to rules
above) - also that would give some of the contributors a courage to discuss
and reach out themselves, they might not even be aware that they can ask to
be paid and what the rules are.

I think currently many of the contributors and stakeholders simply do not
know that there are some limits and rules and we can simply continue having
companies like Tidelift approaching ASF and attempting to convince ASF over
and over to something that is not compatible with the ASF rules - simply
because they do not know.

J.


On Thu, Mar 3, 2022 at 8:41 AM Christofer Dutz 
wrote:

> Just thinking out loud ...
>
> The ASF could never be an entity that people could come to looking for
> commercial support.
> That would just be in conflict with being a non-profit charitable
> organization.
>
> However, we also have this discussion about the endowment from the pinaple
> funds donation.
> How about having the ASF as it is, was and hopefully will always be, and a
> second entity that people could come to for commercial support.
> In contrast to the usual external companies, the board of this entity
> could be linked to the board of the ASF?
> This would ensure that the company is run in line with the values of the
> ASF.
>
> Please tell me if this is just complete nonsense ;-)
>
> Chris
>
>
>
> -Original Message-
> From: Dave Fisher 
> Sent: Donnerstag, 3. März 2022 07:33
> To: dev@community.apache.org
> Subject: Re: Effective ways of getting individuals funded to work on ASF
> projects
>
> We can’t know the motivations of anyone funding a “tidelift” effort.
>
> And we have trademarks / brand to help deal with misnamed vendor product.
>
> PMCs have the same guarantees with vendors and funders - none.
>
> Do we need a clearer statement about participation as individuals?
>
> Do we need clarification about how a PMC can ask for help?
>
> Trying to keep it simple.
>
> All the best,
> Dave
>
> Sent from my iPhone
>
> > On Mar 2, 2022, at 10:20 PM, Ralph Goers 
> wrote:
> >
> > My experience with vendors that employee people to work on ASF
> > projects is that they have their own internal processes that are
> > separate from the ASF’s. For example, as part of their product they
> > might deliver Apache Foo for Acme Bar. The version they ship might not
> exactly match what the ASF distributes.
> >
> > Tidelift doesn’t deliver a product so has no way to achieve this.
> >
> > That said, Tidelift certainly could provide resources to run the
> > processes they deem necessary and get the folks they are paying to
> > execute those. But any issues that are found would have to be resolved
> in the project, not in something Tidelift distributes.
> >
> > Ralph
> >
> >
> >
> >> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
> >>
> >> The way this discussion is going makes me want to ask why should
> tidelift be any different from a vendor that pays individuals to work on
> ASF projects as part of their employment?
> >>
> >> The same neutrality ought to apply. Why do we need to make a new
> classification?
> >>
> >> All the best,
> >> Dave
> >>
> >> Sent from my iPhone
> >>
> >>>> On Mar 2, 2022, at 4:31 PM, Willem Jiang 
> wrote:
> >>>
> >>> +1.
> >>> It will make the maintainer's life easier with this collected
> information.
> >>> When we bring the commercial support to the ASF project daily
> >>> development,  we still need to follow certain rules to avoid the
> >>> conflict with the Apache way we believed.
> >>>
> >>> Willem Jiang
> >>>
> >>> Twitter: willemjiang
> >>> Weibo: 姜宁willem
> >>>
> >>>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
> >>>>
> >>>

RE: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Christofer Dutz
Just thinking out loud ...

The ASF could never be an entity that people could come to looking for 
commercial support. 
That would just be in conflict with being a non-profit charitable organization.

However, we also have this discussion about the endowment from the pinaple 
funds donation.
How about having the ASF as it is, was and hopefully will always be, and a 
second entity that people could come to for commercial support.
In contrast to the usual external companies, the board of this entity could be 
linked to the board of the ASF? 
This would ensure that the company is run in line with the values of the ASF.

Please tell me if this is just complete nonsense ;-)

Chris



-Original Message-
From: Dave Fisher  
Sent: Donnerstag, 3. März 2022 07:33
To: dev@community.apache.org
Subject: Re: Effective ways of getting individuals funded to work on ASF 
projects

We can’t know the motivations of anyone funding a “tidelift” effort.

And we have trademarks / brand to help deal with misnamed vendor product.

PMCs have the same guarantees with vendors and funders - none.

Do we need a clearer statement about participation as individuals?

Do we need clarification about how a PMC can ask for help?

Trying to keep it simple.

All the best,
Dave

Sent from my iPhone

> On Mar 2, 2022, at 10:20 PM, Ralph Goers  wrote:
> 
> My experience with vendors that employee people to work on ASF 
> projects is that they have their own internal processes that are 
> separate from the ASF’s. For example, as part of their product they 
> might deliver Apache Foo for Acme Bar. The version they ship might not 
> exactly match what the ASF distributes.
> 
> Tidelift doesn’t deliver a product so has no way to achieve this. 
> 
> That said, Tidelift certainly could provide resources to run the 
> processes they deem necessary and get the folks they are paying to 
> execute those. But any issues that are found would have to be resolved in the 
> project, not in something Tidelift distributes.
> 
> Ralph
> 
> 
> 
>> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
>> 
>> The way this discussion is going makes me want to ask why should tidelift be 
>> any different from a vendor that pays individuals to work on ASF projects as 
>> part of their employment?
>> 
>> The same neutrality ought to apply. Why do we need to make a new 
>> classification?
>> 
>> All the best,
>> Dave
>> 
>> Sent from my iPhone
>> 
>>>> On Mar 2, 2022, at 4:31 PM, Willem Jiang  wrote:
>>> 
>>> +1.
>>> It will make the maintainer's life easier with this collected information.
>>> When we bring the commercial support to the ASF project daily 
>>> development,  we still need to follow certain rules to avoid the 
>>> conflict with the Apache way we believed.
>>> 
>>> Willem Jiang
>>> 
>>> Twitter: willemjiang
>>> Weibo: 姜宁willem
>>> 
>>>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
>>>> 
>>>> Thanks Roman for the initiative. +1 on it.
>>>> 
>>>> I think this might allow us to focus on what we (ASF) think is 
>>>> really important and needed by the individuals who work on ASF 
>>>> projects, and set our boundaries and limits their individual 
>>>> approach as well as clear limits and boundaries for the 
>>>> organisations that would like to apply - and then let any entity who wants 
>>>> to help to see how they can fit-in.
>>>> 
>>>> Happy to help with hashing it out.
>>>> 
>>>> J.
>>>> 
>>>> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
>>>> 
>>>> wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik 
>>>>>  a écrit :
>>>>>> ...Once we've collected that type of info -- we can then sort of
>>>>> "evaluate
>>>>>> vendors" against that list and see what they are missing, etc. We 
>>>>>> can even issue a wide "call to apply" for various companies if we 
>>>>>> feel like
>>>>> it...
>>>>> 
>>>>> +1, I like the idea!
>>>>> 
>>>>> -Bertrand
>>>>> 
>>>>> --
>>>>> --- To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
>>>>> For additional commands, e-mail: dev-h...@community.apache.org
>>>>> 
>>>>> 
>&

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Dave Fisher
We can’t know the motivations of anyone funding a “tidelift” effort.

And we have trademarks / brand to help deal with misnamed vendor product.

PMCs have the same guarantees with vendors and funders - none.

Do we need a clearer statement about participation as individuals?

Do we need clarification about how a PMC can ask for help?

Trying to keep it simple.

All the best,
Dave

Sent from my iPhone

> On Mar 2, 2022, at 10:20 PM, Ralph Goers  wrote:
> 
> My experience with vendors that employee people to work on ASF projects is 
> that 
> they have their own internal processes that are separate from the ASF’s. For 
> example, 
> as part of their product they might deliver Apache Foo for Acme Bar. The 
> version they 
> ship might not exactly match what the ASF distributes. 
> 
> Tidelift doesn’t deliver a product so has no way to achieve this. 
> 
> That said, Tidelift certainly could provide resources to run the processes 
> they deem 
> necessary and get the folks they are paying to execute those. But any issues 
> that are 
> found would have to be resolved in the project, not in something Tidelift 
> distributes.
> 
> Ralph
> 
> 
> 
>> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
>> 
>> The way this discussion is going makes me want to ask why should tidelift be 
>> any different from a vendor that pays individuals to work on ASF projects as 
>> part of their employment?
>> 
>> The same neutrality ought to apply. Why do we need to make a new 
>> classification?
>> 
>> All the best,
>> Dave
>> 
>> Sent from my iPhone
>> 
 On Mar 2, 2022, at 4:31 PM, Willem Jiang  wrote:
>>> 
>>> +1.
>>> It will make the maintainer's life easier with this collected information.
>>> When we bring the commercial support to the ASF project daily
>>> development,  we still need to follow certain rules to avoid the
>>> conflict with the Apache way we believed.
>>> 
>>> Willem Jiang
>>> 
>>> Twitter: willemjiang
>>> Weibo: 姜宁willem
>>> 
 On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
 
 Thanks Roman for the initiative. +1 on it.
 
 I think this might allow us to focus on what we (ASF) think is really
 important and needed by the individuals who work on ASF projects, and set
 our boundaries and limits their individual approach as well as clear limits
 and boundaries for the organisations that would like to apply - and then
 let any entity who wants to help to see how they can fit-in.
 
 Happy to help with hashing it out.
 
 J.
 
 On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
 wrote:
 
> Hi,
> 
> Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a
> écrit :
>> ...Once we've collected that type of info -- we can then sort of
> "evaluate
>> vendors" against that list and see what they are missing, etc. We can
>> even issue a wide "call to apply" for various companies if we feel like
> it...
> 
> +1, I like the idea!
> 
> -Bertrand
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 
> 
>>> 
>>> -
>>> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
>>> For additional commands, e-mail: dev-h...@community.apache.org
>>> 
>> 
>> 
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
>> For additional commands, e-mail: dev-h...@community.apache.org
>> 
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Ralph Goers
My experience with vendors that employee people to work on ASF projects is that 
they have their own internal processes that are separate from the ASF’s. For 
example, 
as part of their product they might deliver Apache Foo for Acme Bar. The 
version they 
ship might not exactly match what the ASF distributes. 

Tidelift doesn’t deliver a product so has no way to achieve this. 

That said, Tidelift certainly could provide resources to run the processes they 
deem 
necessary and get the folks they are paying to execute those. But any issues 
that are 
found would have to be resolved in the project, not in something Tidelift 
distributes.

Ralph



> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
> 
> The way this discussion is going makes me want to ask why should tidelift be 
> any different from a vendor that pays individuals to work on ASF projects as 
> part of their employment?
> 
> The same neutrality ought to apply. Why do we need to make a new 
> classification?
> 
> All the best,
> Dave
> 
> Sent from my iPhone
> 
>> On Mar 2, 2022, at 4:31 PM, Willem Jiang  wrote:
>> 
>> +1.
>> It will make the maintainer's life easier with this collected information.
>> When we bring the commercial support to the ASF project daily
>> development,  we still need to follow certain rules to avoid the
>> conflict with the Apache way we believed.
>> 
>> Willem Jiang
>> 
>> Twitter: willemjiang
>> Weibo: 姜宁willem
>> 
>>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
>>> 
>>> Thanks Roman for the initiative. +1 on it.
>>> 
>>> I think this might allow us to focus on what we (ASF) think is really
>>> important and needed by the individuals who work on ASF projects, and set
>>> our boundaries and limits their individual approach as well as clear limits
>>> and boundaries for the organisations that would like to apply - and then
>>> let any entity who wants to help to see how they can fit-in.
>>> 
>>> Happy to help with hashing it out.
>>> 
>>> J.
>>> 
>>> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
>>> wrote:
>>> 
 Hi,
 
 Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a
 écrit :
> ...Once we've collected that type of info -- we can then sort of
 "evaluate
> vendors" against that list and see what they are missing, etc. We can
> even issue a wide "call to apply" for various companies if we feel like
 it...
 
 +1, I like the idea!
 
 -Bertrand
 
 -
 To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
 For additional commands, e-mail: dev-h...@community.apache.org
 
 
>> 
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
>> For additional commands, e-mail: dev-h...@community.apache.org
>> 
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Dave Fisher
The way this discussion is going makes me want to ask why should tidelift be 
any different from a vendor that pays individuals to work on ASF projects as 
part of their employment?

The same neutrality ought to apply. Why do we need to make a new classification?

All the best,
Dave

Sent from my iPhone

> On Mar 2, 2022, at 4:31 PM, Willem Jiang  wrote:
> 
> +1.
> It will make the maintainer's life easier with this collected information.
> When we bring the commercial support to the ASF project daily
> development,  we still need to follow certain rules to avoid the
> conflict with the Apache way we believed.
> 
> Willem Jiang
> 
> Twitter: willemjiang
> Weibo: 姜宁willem
> 
>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
>> 
>> Thanks Roman for the initiative. +1 on it.
>> 
>> I think this might allow us to focus on what we (ASF) think is really
>> important and needed by the individuals who work on ASF projects, and set
>> our boundaries and limits their individual approach as well as clear limits
>> and boundaries for the organisations that would like to apply - and then
>> let any entity who wants to help to see how they can fit-in.
>> 
>> Happy to help with hashing it out.
>> 
>> J.
>> 
>> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
>> wrote:
>> 
>>> Hi,
>>> 
>>> Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a
>>> écrit :
 ...Once we've collected that type of info -- we can then sort of
>>> "evaluate
 vendors" against that list and see what they are missing, etc. We can
 even issue a wide "call to apply" for various companies if we feel like
>>> it...
>>> 
>>> +1, I like the idea!
>>> 
>>> -Bertrand
>>> 
>>> -
>>> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
>>> For additional commands, e-mail: dev-h...@community.apache.org
>>> 
>>> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Willem Jiang
+1.
It will make the maintainer's life easier with this collected information.
When we bring the commercial support to the ASF project daily
development,  we still need to follow certain rules to avoid the
conflict with the Apache way we believed.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
>
> Thanks Roman for the initiative. +1 on it.
>
> I think this might allow us to focus on what we (ASF) think is really
> important and needed by the individuals who work on ASF projects, and set
> our boundaries and limits their individual approach as well as clear limits
> and boundaries for the organisations that would like to apply - and then
> let any entity who wants to help to see how they can fit-in.
>
> Happy to help with hashing it out.
>
> J.
>
> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
> wrote:
>
> > Hi,
> >
> > Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a
> > écrit :
> > > ...Once we've collected that type of info -- we can then sort of
> > "evaluate
> > > vendors" against that list and see what they are missing, etc. We can
> > > even issue a wide "call to apply" for various companies if we feel like
> > it...
> >
> > +1, I like the idea!
> >
> > -Bertrand
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
> >
> >

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Jarek Potiuk
Thanks Roman for the initiative. +1 on it.

I think this might allow us to focus on what we (ASF) think is really
important and needed by the individuals who work on ASF projects, and set
our boundaries and limits their individual approach as well as clear limits
and boundaries for the organisations that would like to apply - and then
let any entity who wants to help to see how they can fit-in.

Happy to help with hashing it out.

J.

On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
wrote:

> Hi,
>
> Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a
> écrit :
> > ...Once we've collected that type of info -- we can then sort of
> "evaluate
> > vendors" against that list and see what they are missing, etc. We can
> > even issue a wide "call to apply" for various companies if we feel like
> it...
>
> +1, I like the idea!
>
> -Bertrand
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Bertrand Delacretaz
Hi,

Le mer. 2 mars 2022 à 15:19, Roman Shaposhnik  a écrit :
> ...Once we've collected that type of info -- we can then sort of "evaluate
> vendors" against that list and see what they are missing, etc. We can
> even issue a wide "call to apply" for various companies if we feel like it...

+1, I like the idea!

-Bertrand

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Roman Shaposhnik
Hi!

top-posting here, since I'd like to summarize a few points to see where we
can
take this discussion. Before I do that I wanted to thank Bertrand and Jim
for
excellent, short emails/summaries and also special thanks to Chris for an
extremely informative recap of his efforts.

Personally, I'd like to focus on 3 things. Please let me know if I'm missing
anything or you disagree:

1. building a robust list of what we at ASF perceive as potential value
that can be offered to *our* members, committers and contributors
by the 3d parties like Tidelift (again, I'm simply using them as an
example here -- anybody else would do just fine).

2. building a list of "rules of engagement" that we feel must be met
for these types of relationships to be compatible with the way we
govern our communities.

3. document all the learning, pitfalls, etc. that we've collectively
amassed by trying to solve this type of a problem on a one-by-one
basis.

To expand on those points: I really do think that 3d parties (if done
right) can take care of a lot of pain points for us. Again -- I'm NOT
saying that a magic entity like that even exists today (maybe Tidelift
is really not the right solution for us -- dunno yet) -- what I'm saying
is that I really would like to understand how that type of a service
should look like. Or take Jarek's example of ridesharing: most
of people focus on ridesharing companies just matching riders to
drivers, but that's just the tip of the iceberg -- ridesharing companies
solve huge amounts of arbitration issues (such as insurance, license,
etc.). Common folk don't get to see those -- but that's a huge value they
offer to drivers (and arguably riders) on top of just finding "customers".
Same with 3d parties for us I have in mind (see Chris's list of gotchas).

For now, I propose a few Cofluence pages under ComDev where this
type of information gets collected. I'll do it later tonight -- so feel free
to just add to this thread for now.

Once we've collected that type of info -- we can then sort of "evaluate
vendors" against that list and see what they are missing, etc. We can
even issue a wide "call to apply" for various companies if we feel like it.

Makes sense?

Thanks,
Roman.

On Tue, Mar 1, 2022 at 9:43 AM Bertrand Delacretaz 
wrote:

> Hi,
>
> Le lun. 28 févr. 2022 à 21:15, Jarek Potiuk  a écrit :
>
> > ...Proposal:
> > I think we all agree that ASF meets the criteria of Tidelift already.
> > Why don't Tidelift (in the places where open-source projects included are
> > listed) explain that ASF projects meet the criteria, and any one is free
> > to deal directly with the committers of all ASF projects directly...
>
> I'd say we all agree that *in theory* ASF projects meet Tidelift's
> criteria, quoting from earlier in this thread, with my own numbering
> added:
>
> Le lun. 28 févr. 2022 à 19:30, Joshua Simmons
>  a écrit :
> > ...*What Tidelift expects from maintainers*Maintainers provide two
> things to
> > our customers: (1) information (licensing details, context on CVEs) and
> > (2) continuity (comfort that the package is maintained and is highly
> likely to
> > continue to be maintained). We also expect maintainers (3) to abide by a
> Code
> > of Conduct
>
> I think for (3) we're good, the ASF will intervene if projects are not ok.
>
> But for (1) and (2) I think the ASF *wants* our projects to be good
> citizens, and we work towards that and support them, but entities such
> as Tidelift or others could add value by measuring and reporting what
> actually happens.
>
> Does Apache FOO actually provide good information on security issues and
> CVEs?
> Timely response? What's their average/min/max response time, how many
> "in-flight" CVEs?
> Does Apache FOO release often enough? Maybe based on project maturity
> categories, new, established, mostly dormant etc.
>
> We could of course measure these things ourselves, and we do have some
> data.
>
> But I think having external entities provide factual data on how well
> our projects are doing can be useful, and for customers of Tidelift
> and the like that certainly has value.
>
> Whatever mechanism our contributors use to finance themselves, having
> information on which projects are most worthy of trust can help end
> users select and finance the right projects and people.
>
> -Bertrand
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-01 Thread Jarek Potiuk
On Tue, Mar 1, 2022 at 9:42 AM Bertrand Delacretaz 
wrote:

> I think for (3) we're good, the ASF will intervene if projects are not ok.
>
> But for (1) and (2) I think the ASF *wants* our projects to be good
> citizens, and we work towards that and support them, but entities such
> as Tidelift or others could add value by measuring and reporting what
> actually happens.
>

Feel free. All the data is available for ASF. Everything we do is public.

>
> But I think having external entities provide factual data on how well
> our projects are doing can be useful, and for customers of Tidelift
> and the like that certainly has value.
>

Sure. Please. Do. Measure. Publish. By all means. No problem with that.


> Whatever mechanism our contributors use to finance themselves, having
> information on which projects are most worthy of trust can help end
> users select and finance the right projects and people.
>

Of course. Feel Free to provide objective data on it. Publishing
information about
how well projects are doing is great way to incentivise the committers to
do better.
I am 150% for it. This could be a great service to all OSS projects.

But the Tidelift model is talking about "limiting" the individuals in the
choices they
made NOT measuring what they do. For multiple reasons those individuals in
those projects might make different decisions (and be responsible for it).
Imposing
rules and limits by Tidelift is just against the rules of ASF. Measuring is
not.

If Tidelift adjusts the model to just measure, report and make the
customers decide
based on that - I think that is far more consistent with the way how
ASF works.

Don't try to make yourself a "policeman" controlling it.


>
> -Bertrand
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


RE: Effective ways of getting individuals funded to work on ASF projects

2022-03-01 Thread Christofer Dutz
Hi all,

As I was confronted with the question of how commercial support or paid feature 
development and Apache would work together. I came up with this way of handling 
it:
If I am offering any form of commercial support or feature development I say: 
"I will fix your problem. The fix then can become part of the open-source 
project, but if the project decides to decline It, I'll make it available to 
you in a fork that I create for you." This should work for Tidelift or any 
similar form of platform too.

Chris

-Original Message-
From: Jim Jagielski  
Sent: Montag, 28. Februar 2022 19:24
To: dev@community.apache.org
Subject: Re: Effective ways of getting individuals funded to work on ASF 
projects

Tidelift's model, which expects that maintainers do have direct and almost 
unassailable control over a project, is not compatible with the Apache Way. 
Tidelift's model works well with projects in which developers and maintainers 
can "do stuff" without worrying about building a consensus around whether or 
not their contributions are OK or not.

I'd like to see how that model and Apache could fit together, but I'm at a loss 
to think about how. The main benefit that those who fund the work is not just 
an expectation that code will be fixed, etc, but a *requirement* that it be 
done. They are paying for the guarantee. This requires a development model in 
which those paid by Tidelift can forcibly introduce code and contributions at 
will. This conflicts with the ASF development model.

> On Feb 28, 2022, at 12:50 PM, Jarek Potiuk  wrote:
> 
>> So while I agree with everything Bertrand said I don’t think it 
>> resolves
> the real issue.
> TideLift is providing a guarantee to its customers that projects it 
> sponsors meet certain standards. The standards they are looking for 
> should really be set by the ASF, not individual projects.
> 
> This is the part I do not understand. What Tidelift can promise to 
> their customers and on what basis?
> According to ASF rules where only individuals in the project can make 
> decisions - this means that Tidelift has no mechanisms whatsoever to 
> fulfill their promise.
> 
> And if ASF sets the standards - why do we need Tidelift at all ?
> To be perfectly blunt -  I am afraid that until Tidelift resolves any 
> of the real problems of individual committers we mentioned with 
> Bertrand (including facilitating direct relationship commiter <> 
> stakeholder), I do not see what's the added value of Tidelift. Seems 
> like unnecessary intermediary.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 5:10 PM Ralph Goers 
> 
> wrote:
> 
>> First, I would like to clarify Gary’s email as I don’t think he 
>> characterized it quite correctly.
>> The Logging PMC concluded we could not be part of an arrangement with 
>> TideLift and that the issues needed to be worked out at the 
>> foundation level. The primary issue was that TideLift had 
>> requirements on advertising and process details that required 
>> approval of the PMC in order for individuals to be able to be paid. 
>> We met with a Google security team in January and had similar issues 
>> where they required a process that isn’t aligned with the ASF’s 
>> requirements on how releases are to be performed.
>> 
>> Second, from my point of view the ASF should have discussions with 
>> TideLift and Google to see if those issues can be resolved. The ideal 
>> scenario would be that TideLift and Google can simply sponsor 
>> individuals from any ASF project because all ASF projects must 
>> conform to guidelines that meet their criteria - i.e. the PMC doesn’t 
>> even have to be involved. But this obviously requires that the 
>> foundation work with these third parties to either improve our 
>> processes where needed or get the third party to accept our 
>> processes.
>> 
>> So while I agree with everything Bertrand said I don’t think it 
>> resolves the real issue.
>> TideLift is providing a guarantee to its customers that projects it 
>> sponsors meet certain standards. The standards they are looking for 
>> should really be set by the ASF, not individual projects.
>> 
>> Ralph
>> 
>> 
>>> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz 
>>> 
>> wrote:
>>> 
>>> Hi,
>>> 
>>> Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
>>>> ...the relationships I have is direct relationship with the 
>>>> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely
>> "removing
>>>> bureaucratic obstacles" but they are not "between" me and my
>> stakeholders.
&g

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-01 Thread Bertrand Delacretaz
Hi,

Le lun. 28 févr. 2022 à 21:15, Jarek Potiuk  a écrit :

> ...Proposal:
> I think we all agree that ASF meets the criteria of Tidelift already.
> Why don't Tidelift (in the places where open-source projects included are
> listed) explain that ASF projects meet the criteria, and any one is free
> to deal directly with the committers of all ASF projects directly...

I'd say we all agree that *in theory* ASF projects meet Tidelift's
criteria, quoting from earlier in this thread, with my own numbering
added:

Le lun. 28 févr. 2022 à 19:30, Joshua Simmons
 a écrit :
> ...*What Tidelift expects from maintainers*Maintainers provide two things to
> our customers: (1) information (licensing details, context on CVEs) and
> (2) continuity (comfort that the package is maintained and is highly likely to
> continue to be maintained). We also expect maintainers (3) to abide by a Code
> of Conduct

I think for (3) we're good, the ASF will intervene if projects are not ok.

But for (1) and (2) I think the ASF *wants* our projects to be good
citizens, and we work towards that and support them, but entities such
as Tidelift or others could add value by measuring and reporting what
actually happens.

Does Apache FOO actually provide good information on security issues and CVEs?
Timely response? What's their average/min/max response time, how many
"in-flight" CVEs?
Does Apache FOO release often enough? Maybe based on project maturity
categories, new, established, mostly dormant etc.

We could of course measure these things ourselves, and we do have some data.

But I think having external entities provide factual data on how well
our projects are doing can be useful, and for customers of Tidelift
and the like that certainly has value.

Whatever mechanism our contributors use to finance themselves, having
information on which projects are most worthy of trust can help end
users select and finance the right projects and people.

-Bertrand

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jarek Potiuk
>
>
> I don’t care why people pay Tidelift nor do I see a reason I should have
> to.

The fact that you see no added
> value doesn’t mean people won’t pay them, even if it is just so they can
> feel
> that they are contributing to the open source they use.


Proposal:

I think we all agree that ASF meets the criteria of Tidelift already.
Why don't Tidelift (in the places where open-source projects included are
listed) explain that ASF projects meet the criteria, and any one is free
to deal directly with the committers of all ASF projects directly (with
links to the list to projects and committers which are all publicly
available)

The goal of Tidelift is achieved, the rules of ASF are followed. All money
will
go directly to the committers, Tidelift has less coordination and
communication
to do.

Does this make sense?

J,


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
You are still confusing how individuals in ASF projects can work with Tidelift 
(or vice versa) vs why anyone would pay them. I don’t care why people pay 
Tidelift nor do I see a reason I should have to. The fact that you see no added 
value doesn’t mean people won’t pay them, even if it is just so they can feel 
that they are contributing to the open source they use.

I’m glad you get paid by Google, although I am not sure that it is the same 
group that spoke with the Logging Services PMC. But the fact is, you should 
be able to be paid by anyone who wants to pay you, assuming they aren’t 
expecting things of you as an individual that you cannot guarantee.

The important difference with Tidelift is that they are not asking for any 
specific work to be done, rather they are paying to ensure the project meets 
certain standards and will still be around for a good while. To be honest, 
I can appreciate that. I’ve seen a lot of projects on GitHub that are pretty 
neat but have lots of issues and PRs that no one is looking at and no 
commits have been done in years.  

Ralph



> On Feb 28, 2022, at 12:40 PM, Jarek Potiuk  wrote:
> 
> Ralph:
> 
>> The ASF doesn’t “need” Tidelift. Nor do we need Google. But there are
> individuals who work on projects who would welcome the opportunity to be
> paid by them
> 
> I am being paid for part of my time with Google (among others). With
> contract that recognizes that I cannot "do stuff they want"
> if the community will not agree to it.
> 
> Let's enable it for others and show them the path how to do it.
> 
> Neither Google nor I needed Tidelift for that. I still do not see what
> Tidelift could
> provide to either me or Google as the intermediary if they cannot influence
> what
> individuals running the project will do. I am scratching my head over and
> over
> and I can't see what it is.
> 
> Joshua:
> 
> I read the doc carefully. Few times. And I still am puzzled on what
> Tidelift provides
> to either individuals or stakeholders who want to pay those individuals for
> ASF
> projects. The processes are there, maintainers are there, responsible
> disclosure
> is there. Why stakeholders or ASF or individuals would need Tidelift as an
> intermediary ? I don't get it.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 7:30 PM Joshua Simmons 
> wrote:
> 
>> Good $localtime, folks! I just want to underscore a really important
>> section of the document I provided yesterday, as it seems this detail is
>> lost in the mix. Tidelift very deliberately does not direct development.
>> I'll remain on the sidelines here as y'all deliberate, but I want to make
>> sure we're operating from the same set of facts.
>> 
>> 
>> *Why Tidelift works with maintainers*We want the open source projects used
>> by our customers—your downstream users—to be as healthy and secure as
>> possible. We believe this requires directly supporting maintainers and
>> their work, both financially and through providing tools and resources that
>> make it easier for them to be successful.
>> 
>> 
>> *What Tidelift expects from maintainers*Maintainers provide two things to
>> our customers: information (licensing details, context on CVEs) and
>> continuity (comfort that the package is maintained and is highly likely to
>> continue to be maintained). We also expect maintainers to abide by a Code
>> of Conduct. Neither Tidelift nor our customers direct development of
>> Tidelift-supported packages.
>> 
>> 
>> *What Tidelift expects of projects*We only work with projects that meet
>> certain standards: there must be a responsible vulnerability disclosure
>> process in place, and clear licensing metadata. While mature projects have
>> these standards in place, many of the open source projects we work with
>> have just 1 or 2 maintainers, and it’s not unusual for them to implement
>> these standards as part of preparing to work with us.
>> 
>> Some projects–such as those at the ASF–can’t implement those things on our
>> behalf due to policy constraints. Good news is that those projects tend to
>> already meet these standards! Our goal here is to promote good governance.
>> 
>> Josh Simmons (he/they), Sr. Ecosystem Strategy Lead @ Tidelift
>> 
>> @joshsimmons  |
>> joshua.simm...@tidelift.com
>> | bluesomewhere on IRC
>> TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
>> ad astra per aspera 🚀
>> 
>> 
>> On Mon, Feb 28, 2022 at 10:24 AM Jim Jagielski  wrote:
>> 
>>> Tidelift's model, which expects that maintainers do have direct and
>> almost
>>> unassailable control over a project, is not compatible with the Apache
>> Way.
>>> Tidelift's model works well with projects in which developers and
>>> maintainers can "do stuff" without worrying about building a consensus
>>> around whether or not their contributions are OK or not.
>>> 
>>> I'd like to see how that model and Apache could fit together, but I'm at
>> a
>>> loss to think about how. The main benefit that those

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Rob Tompkins



> On Feb 27, 2022, at 5:06 PM, Roman Shaposhnik  wrote:
> 
> Hi!
> 
> over the past couple of years there has been a number
> of efforts trying to figure out effective ways of getting funded
> for working on ASF projects as individuals and not employees
> at companies building on top of these projects.
> 
> Chris's recent experience is but one of them:
>https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog
> 
> My personal frustration with all these threads is that we never
> seem to arrive at any actionable suggestions for how developers
> like Chris can *easily* create these additional income streams.
> 
> Rightfully, we at ASF basically say that it must be a 3d party issue
> to solve. It very much is. The problem is that doing so one one-off
> just perpetuates the logistical pain of setting up contracts, etc. etc.
> This creates a pretty significant barrier and, as Chris's experience
> would suggest it typically becomes too insurmountable for individual
> developers.

I whole heartedly agree that this is indeed a problem. During my tenure at 
Capital One I repeatedly got poor reviews for making contributions to the ASF, 
even though I had gone through their trusted contributor program. It’s almost 
as if I had to hide my open source contributions from my employeer. I think 
this problem is far deeper and more systemic than people think it is at first 
sight.

-Rob

> 
> Sure, there have been interesting attempts to "hack the system"
> and use things like GitCoin, BugMark and a few others to solve for
> this "how do we get back to our open source roots when individuals,
> not corporations were the economic agents around open source".
> But I honestly don't know of any of them becoming viable either.
> At least not so far.
> 
> At the risk of tilting at windmills once again, I'd like to see if there's
> enough interest to take a crack at this problem yet again.
> 
> And in the spirit of "hacking the system" I'd like to suggest that we
> focus on a 3d party solving it for us. In fact, I suggest we pick a
> very particular 3d party -- TideLift
> 
> https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide
> 
> Now, before you exclaim "who the heck appointed TideLift to solve it for
> us?"
> I'd be the first one to admit that I picked them because I know them
> really well and I do think they are the closest to giving us some of the
> answers.
> But above all, I'm suggesting we look at TideLift because they seem to
> be very much willing to work with us on actually changing their engagement
> model to fit our needs. IOW, it is not like their rules are cast in stone
> -- we can
> assume they are malleable. If anyone knows of a similar 3d party -- let's
> discuss
> that too.
> 
> If, however, there's a general consensus about seriously looking
> at them as that 3d party -- I'd like to start collecting names of ASF
> developers (and PMCs) who would be willing to participate in
> a trial program with them of sorts and report back.
> 
> If you have comments on anything above -- please reply in-thread.
> 
> If you'd be interested in this trial -- you can either do that or just
> reply to me personally.
> 
> Thanks,
> Roman.


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jarek Potiuk
Ralph:

> The ASF doesn’t “need” Tidelift. Nor do we need Google. But there are
individuals who work on projects who would welcome the opportunity to be
paid by them

I am being paid for part of my time with Google (among others). With
contract that recognizes that I cannot "do stuff they want"
if the community will not agree to it.

Let's enable it for others and show them the path how to do it.

Neither Google nor I needed Tidelift for that. I still do not see what
Tidelift could
provide to either me or Google as the intermediary if they cannot influence
what
individuals running the project will do. I am scratching my head over and
over
and I can't see what it is.

Joshua:

I read the doc carefully. Few times. And I still am puzzled on what
Tidelift provides
to either individuals or stakeholders who want to pay those individuals for
ASF
projects. The processes are there, maintainers are there, responsible
disclosure
is there. Why stakeholders or ASF or individuals would need Tidelift as an
intermediary ? I don't get it.

J.


On Mon, Feb 28, 2022 at 7:30 PM Joshua Simmons 
wrote:

> Good $localtime, folks! I just want to underscore a really important
> section of the document I provided yesterday, as it seems this detail is
> lost in the mix. Tidelift very deliberately does not direct development.
> I'll remain on the sidelines here as y'all deliberate, but I want to make
> sure we're operating from the same set of facts.
>
>
> *Why Tidelift works with maintainers*We want the open source projects used
> by our customers—your downstream users—to be as healthy and secure as
> possible. We believe this requires directly supporting maintainers and
> their work, both financially and through providing tools and resources that
> make it easier for them to be successful.
>
>
> *What Tidelift expects from maintainers*Maintainers provide two things to
> our customers: information (licensing details, context on CVEs) and
> continuity (comfort that the package is maintained and is highly likely to
> continue to be maintained). We also expect maintainers to abide by a Code
> of Conduct. Neither Tidelift nor our customers direct development of
> Tidelift-supported packages.
>
>
> *What Tidelift expects of projects*We only work with projects that meet
> certain standards: there must be a responsible vulnerability disclosure
> process in place, and clear licensing metadata. While mature projects have
> these standards in place, many of the open source projects we work with
> have just 1 or 2 maintainers, and it’s not unusual for them to implement
> these standards as part of preparing to work with us.
>
> Some projects–such as those at the ASF–can’t implement those things on our
> behalf due to policy constraints. Good news is that those projects tend to
> already meet these standards! Our goal here is to promote good governance.
>
> Josh Simmons (he/they), Sr. Ecosystem Strategy Lead @ Tidelift
> 
> @joshsimmons  |
> joshua.simm...@tidelift.com
> | bluesomewhere on IRC
> TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
> ad astra per aspera 🚀
>
>
> On Mon, Feb 28, 2022 at 10:24 AM Jim Jagielski  wrote:
>
> > Tidelift's model, which expects that maintainers do have direct and
> almost
> > unassailable control over a project, is not compatible with the Apache
> Way.
> > Tidelift's model works well with projects in which developers and
> > maintainers can "do stuff" without worrying about building a consensus
> > around whether or not their contributions are OK or not.
> >
> > I'd like to see how that model and Apache could fit together, but I'm at
> a
> > loss to think about how. The main benefit that those who fund the work is
> > not just an expectation that code will be fixed, etc, but a *requirement*
> > that it be done. They are paying for the guarantee. This requires a
> > development model in which those paid by Tidelift can forcibly introduce
> > code and contributions at will. This conflicts with the ASF development
> > model.
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
> >
> >
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Joshua Simmons
Good $localtime, folks! I just want to underscore a really important
section of the document I provided yesterday, as it seems this detail is
lost in the mix. Tidelift very deliberately does not direct development.
I'll remain on the sidelines here as y'all deliberate, but I want to make
sure we're operating from the same set of facts.


*Why Tidelift works with maintainers*We want the open source projects used
by our customers—your downstream users—to be as healthy and secure as
possible. We believe this requires directly supporting maintainers and
their work, both financially and through providing tools and resources that
make it easier for them to be successful.


*What Tidelift expects from maintainers*Maintainers provide two things to
our customers: information (licensing details, context on CVEs) and
continuity (comfort that the package is maintained and is highly likely to
continue to be maintained). We also expect maintainers to abide by a Code
of Conduct. Neither Tidelift nor our customers direct development of
Tidelift-supported packages.


*What Tidelift expects of projects*We only work with projects that meet
certain standards: there must be a responsible vulnerability disclosure
process in place, and clear licensing metadata. While mature projects have
these standards in place, many of the open source projects we work with
have just 1 or 2 maintainers, and it’s not unusual for them to implement
these standards as part of preparing to work with us.

Some projects–such as those at the ASF–can’t implement those things on our
behalf due to policy constraints. Good news is that those projects tend to
already meet these standards! Our goal here is to promote good governance.

Josh Simmons (he/they), Sr. Ecosystem Strategy Lead @ Tidelift

@joshsimmons  | joshua.simm...@tidelift.com
| bluesomewhere on IRC
TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
ad astra per aspera 🚀


On Mon, Feb 28, 2022 at 10:24 AM Jim Jagielski  wrote:

> Tidelift's model, which expects that maintainers do have direct and almost
> unassailable control over a project, is not compatible with the Apache Way.
> Tidelift's model works well with projects in which developers and
> maintainers can "do stuff" without worrying about building a consensus
> around whether or not their contributions are OK or not.
>
> I'd like to see how that model and Apache could fit together, but I'm at a
> loss to think about how. The main benefit that those who fund the work is
> not just an expectation that code will be fixed, etc, but a *requirement*
> that it be done. They are paying for the guarantee. This requires a
> development model in which those paid by Tidelift can forcibly introduce
> code and contributions at will. This conflicts with the ASF development
> model.
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jim Jagielski
Tidelift's model, which expects that maintainers do have direct and almost 
unassailable control over a project, is not compatible with the Apache Way. 
Tidelift's model works well with projects in which developers and maintainers 
can "do stuff" without worrying about building a consensus around whether or 
not their contributions are OK or not.

I'd like to see how that model and Apache could fit together, but I'm at a loss 
to think about how. The main benefit that those who fund the work is not just 
an expectation that code will be fixed, etc, but a *requirement* that it be 
done. They are paying for the guarantee. This requires a development model in 
which those paid by Tidelift can forcibly introduce code and contributions at 
will. This conflicts with the ASF development model.

> On Feb 28, 2022, at 12:50 PM, Jarek Potiuk  wrote:
> 
>> So while I agree with everything Bertrand said I don’t think it resolves
> the real issue.
> TideLift is providing a guarantee to its customers that projects it
> sponsors meet certain
> standards. The standards they are looking for should really be set by the
> ASF, not
> individual projects.
> 
> This is the part I do not understand. What Tidelift can promise to their
> customers and on what basis?
> According to ASF rules where only individuals in the project can make
> decisions - this means that Tidelift
> has no mechanisms whatsoever to fulfill their promise.
> 
> And if ASF sets the standards - why do we need Tidelift at all ?
> To be perfectly blunt -  I am afraid that until Tidelift resolves any
> of the real problems of individual committers we mentioned with Bertrand
> (including facilitating direct relationship commiter <> stakeholder),
> I do not see what's the added value of Tidelift. Seems like unnecessary
> intermediary.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 5:10 PM Ralph Goers 
> wrote:
> 
>> First, I would like to clarify Gary’s email as I don’t think he
>> characterized it quite correctly.
>> The Logging PMC concluded we could not be part of an arrangement with
>> TideLift and
>> that the issues needed to be worked out at the foundation level. The
>> primary issue was
>> that TideLift had requirements on advertising and process details that
>> required approval
>> of the PMC in order for individuals to be able to be paid. We met with a
>> Google
>> security team in January and had similar issues where they required a
>> process that isn’t
>> aligned with the ASF’s requirements on how releases are to be performed.
>> 
>> Second, from my point of view the ASF should have discussions with
>> TideLift and Google to
>> see if those issues can be resolved. The ideal scenario would be that
>> TideLift and Google
>> can simply sponsor individuals from any ASF project because all ASF
>> projects must
>> conform to guidelines that meet their criteria - i.e. the PMC doesn’t even
>> have to be
>> involved. But this obviously requires that the foundation work with these
>> third parties to
>> either improve our processes where needed or get the third party to accept
>> our processes.
>> 
>> So while I agree with everything Bertrand said I don’t think it resolves
>> the real issue.
>> TideLift is providing a guarantee to its customers that projects it
>> sponsors meet certain
>> standards. The standards they are looking for should really be set by the
>> ASF, not
>> individual projects.
>> 
>> Ralph
>> 
>> 
>>> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz 
>> wrote:
>>> 
>>> Hi,
>>> 
>>> Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
 ...the relationships I have is direct relationship with the
 stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely
>> "removing
 bureaucratic obstacles" but they are not "between" me and my
>> stakeholders.
 They are "on a side". They get a small cut sometimes (which I gladly
>> pay)
 but I want to talk to the stakeholders directly without any
>> intermediaries
 and establish a long-term relationship with them as an individual
>>> 
>>> I think that's a key point, and listing such requirements for
>>> platforms that can help our contributors get funding sounds useful.
>>> 
>>> Here's a quick list of initial requirements that we might include:
>>> -Contributors can get steady funding for their work
>>> -ASF is out of the loop of financial transactions
>>> -Contributors must use a standard ASF disclaimer (draft at [1])
>>> -Contributors can establish a direct relationship with sponsors
>>> -Several "funding intermediaries" are available
>>> -ASF might define the wording that contributors can use when
>>> advertising themselves (based on facts, etc.)
>>> 
>>> I like the idea of the ASF facilitating these things.
>>> 
>>> Maintaining a comdev page that lists criteria like the above, with
>>> pointers to the relevant ASF policies, and lists intermediaries that
>>> our contributors have successfully used, might be a good start.
>>> 
>>> -Bertrand
>>> 
>>> [1] https://community.apache.o

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
I don’t agree. First, the “added value” Tidelift provides is not our problem. 
If they can’t attract customers then the individuals on the projects they 
support won’t get any money.

But, as I said, Tidelift could have a mechanism to fulfill their promises if 
the 
ASF had overall project requirements such as requiring that a project have 
3 active committers AND 3 active PMC members. The distinction might not 
seem like much but there are projects that are still functioning because they 
still have 3 PMC members but no one is committing anything. So when 
issues arise it could take a long timeto get a release cut to fix the issue 
since,  
presumably there could be a lot of dependency updates required.

“Why do we need Tidelift at all?”

The ASF doesn’t “need” Tidelift. Nor do we need Google. But there are 
individuals who work on projects who would welcome the opportunity to be 
paid by them. Currently, they cannot because Tidelift can’t guarantee 
anything to their customers regarding ASF projects and Google has security 
requirements that we can’t meet because they contract the ASF release policies.

Tidelift cannot resolve problems that are not in its control. Neither can ASF 
projects.

I had thought that both the VPs of Fundraising and Legal were going to reach 
out to Tidelift to discuss these issues. I don’t recall seeing any feedback 
from 
that to see if any progress was made.

> On Feb 28, 2022, at 10:50 AM, Jarek Potiuk  wrote:
> 
>> So while I agree with everything Bertrand said I don’t think it resolves
> the real issue.
> TideLift is providing a guarantee to its customers that projects it
> sponsors meet certain
> standards. The standards they are looking for should really be set by the
> ASF, not
> individual projects.
> 
> This is the part I do not understand. What Tidelift can promise to their
> customers and on what basis?
> According to ASF rules where only individuals in the project can make
> decisions - this means that Tidelift
> has no mechanisms whatsoever to fulfill their promise.
> 
> And if ASF sets the standards - why do we need Tidelift at all ?
> To be perfectly blunt -  I am afraid that until Tidelift resolves any
> of the real problems of individual committers we mentioned with Bertrand
> (including facilitating direct relationship commiter <> stakeholder),
> I do not see what's the added value of Tidelift. Seems like unnecessary
> intermediary.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 5:10 PM Ralph Goers 
> wrote:
> 
>> First, I would like to clarify Gary’s email as I don’t think he
>> characterized it quite correctly.
>> The Logging PMC concluded we could not be part of an arrangement with
>> TideLift and
>> that the issues needed to be worked out at the foundation level. The
>> primary issue was
>> that TideLift had requirements on advertising and process details that
>> required approval
>> of the PMC in order for individuals to be able to be paid. We met with a
>> Google
>> security team in January and had similar issues where they required a
>> process that isn’t
>> aligned with the ASF’s requirements on how releases are to be performed.
>> 
>> Second, from my point of view the ASF should have discussions with
>> TideLift and Google to
>> see if those issues can be resolved. The ideal scenario would be that
>> TideLift and Google
>> can simply sponsor individuals from any ASF project because all ASF
>> projects must
>> conform to guidelines that meet their criteria - i.e. the PMC doesn’t even
>> have to be
>> involved. But this obviously requires that the foundation work with these
>> third parties to
>> either improve our processes where needed or get the third party to accept
>> our processes.
>> 
>> So while I agree with everything Bertrand said I don’t think it resolves
>> the real issue.
>> TideLift is providing a guarantee to its customers that projects it
>> sponsors meet certain
>> standards. The standards they are looking for should really be set by the
>> ASF, not
>> individual projects.
>> 
>> Ralph
>> 
>> 
>>> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz 
>> wrote:
>>> 
>>> Hi,
>>> 
>>> Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
 ...the relationships I have is direct relationship with the
 stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely
>> "removing
 bureaucratic obstacles" but they are not "between" me and my
>> stakeholders.
 They are "on a side". They get a small cut sometimes (which I gladly
>> pay)
 but I want to talk to the stakeholders directly without any
>> intermediaries
 and establish a long-term relationship with them as an individual
>>> 
>>> I think that's a key point, and listing such requirements for
>>> platforms that can help our contributors get funding sounds useful.
>>> 
>>> Here's a quick list of initial requirements that we might include:
>>> -Contributors can get steady funding for their work
>>> -ASF is out of the loop of financial transactions
>>> -Contributors must use 

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jarek Potiuk
> So while I agree with everything Bertrand said I don’t think it resolves
the real issue.
TideLift is providing a guarantee to its customers that projects it
sponsors meet certain
standards. The standards they are looking for should really be set by the
ASF, not
individual projects.

This is the part I do not understand. What Tidelift can promise to their
customers and on what basis?
According to ASF rules where only individuals in the project can make
decisions - this means that Tidelift
has no mechanisms whatsoever to fulfill their promise.

And if ASF sets the standards - why do we need Tidelift at all ?
To be perfectly blunt -  I am afraid that until Tidelift resolves any
of the real problems of individual committers we mentioned with Bertrand
(including facilitating direct relationship commiter <> stakeholder),
I do not see what's the added value of Tidelift. Seems like unnecessary
intermediary.

J.


On Mon, Feb 28, 2022 at 5:10 PM Ralph Goers 
wrote:

> First, I would like to clarify Gary’s email as I don’t think he
> characterized it quite correctly.
> The Logging PMC concluded we could not be part of an arrangement with
> TideLift and
> that the issues needed to be worked out at the foundation level. The
> primary issue was
> that TideLift had requirements on advertising and process details that
> required approval
> of the PMC in order for individuals to be able to be paid. We met with a
> Google
> security team in January and had similar issues where they required a
> process that isn’t
> aligned with the ASF’s requirements on how releases are to be performed.
>
> Second, from my point of view the ASF should have discussions with
> TideLift and Google to
> see if those issues can be resolved. The ideal scenario would be that
> TideLift and Google
> can simply sponsor individuals from any ASF project because all ASF
> projects must
> conform to guidelines that meet their criteria - i.e. the PMC doesn’t even
> have to be
> involved. But this obviously requires that the foundation work with these
> third parties to
> either improve our processes where needed or get the third party to accept
> our processes.
>
> So while I agree with everything Bertrand said I don’t think it resolves
> the real issue.
> TideLift is providing a guarantee to its customers that projects it
> sponsors meet certain
> standards. The standards they are looking for should really be set by the
> ASF, not
> individual projects.
>
> Ralph
>
>
> > On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz 
> wrote:
> >
> > Hi,
> >
> > Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
> >> ...the relationships I have is direct relationship with the
> >> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely
> "removing
> >> bureaucratic obstacles" but they are not "between" me and my
> stakeholders.
> >> They are "on a side". They get a small cut sometimes (which I gladly
> pay)
> >> but I want to talk to the stakeholders directly without any
> intermediaries
> >> and establish a long-term relationship with them as an individual
> >
> > I think that's a key point, and listing such requirements for
> > platforms that can help our contributors get funding sounds useful.
> >
> > Here's a quick list of initial requirements that we might include:
> > -Contributors can get steady funding for their work
> > -ASF is out of the loop of financial transactions
> > -Contributors must use a standard ASF disclaimer (draft at [1])
> > -Contributors can establish a direct relationship with sponsors
> > -Several "funding intermediaries" are available
> > -ASF might define the wording that contributors can use when
> > advertising themselves (based on facts, etc.)
> >
> > I like the idea of the ASF facilitating these things.
> >
> > Maintaining a comdev page that lists criteria like the above, with
> > pointers to the relevant ASF policies, and lists intermediaries that
> > our contributors have successfully used, might be a good start.
> >
> > -Bertrand
> >
> > [1] https://community.apache.org/committers/funding-disclaimer.html
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
> >
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
First, I would like to clarify Gary’s email as I don’t think he characterized 
it quite correctly. 
The Logging PMC concluded we could not be part of an arrangement with TideLift 
and 
that the issues needed to be worked out at the foundation level. The primary 
issue was 
that TideLift had requirements on advertising and process details that required 
approval 
of the PMC in order for individuals to be able to be paid. We met with a Google 
security team in January and had similar issues where they required a process 
that isn’t 
aligned with the ASF’s requirements on how releases are to be performed.

Second, from my point of view the ASF should have discussions with TideLift and 
Google to 
see if those issues can be resolved. The ideal scenario would be that TideLift 
and Google 
can simply sponsor individuals from any ASF project because all ASF projects 
must 
conform to guidelines that meet their criteria - i.e. the PMC doesn’t even have 
to be 
involved. But this obviously requires that the foundation work with these third 
parties to 
either improve our processes where needed or get the third party to accept our 
processes.

So while I agree with everything Bertrand said I don’t think it resolves the 
real issue. 
TideLift is providing a guarantee to its customers that projects it sponsors 
meet certain 
standards. The standards they are looking for should really be set by the ASF, 
not 
individual projects.  

Ralph


> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz  
> wrote:
> 
> Hi,
> 
> Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
>> ...the relationships I have is direct relationship with the
>> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely "removing
>> bureaucratic obstacles" but they are not "between" me and my stakeholders.
>> They are "on a side". They get a small cut sometimes (which I gladly pay)
>> but I want to talk to the stakeholders directly without any intermediaries
>> and establish a long-term relationship with them as an individual
> 
> I think that's a key point, and listing such requirements for
> platforms that can help our contributors get funding sounds useful.
> 
> Here's a quick list of initial requirements that we might include:
> -Contributors can get steady funding for their work
> -ASF is out of the loop of financial transactions
> -Contributors must use a standard ASF disclaimer (draft at [1])
> -Contributors can establish a direct relationship with sponsors
> -Several "funding intermediaries" are available
> -ASF might define the wording that contributors can use when
> advertising themselves (based on facts, etc.)
> 
> I like the idea of the ASF facilitating these things.
> 
> Maintaining a comdev page that lists criteria like the above, with
> pointers to the relevant ASF policies, and lists intermediaries that
> our contributors have successfully used, might be a good start.
> 
> -Bertrand
> 
> [1] https://community.apache.org/committers/funding-disclaimer.html
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jarek Potiuk
I love the "summary" Bertrand. It's precisely what I had in mind but this
is is a very concise version of it :)

On Mon, Feb 28, 2022 at 1:04 PM Bertrand Delacretaz 
wrote:

> Hi,
>
> Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
> >...the relationships I have is direct relationship with the
> > stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely "removing
> > bureaucratic obstacles" but they are not "between" me and my
> stakeholders.
> > They are "on a side". They get a small cut sometimes (which I gladly pay)
> > but I want to talk to the stakeholders directly without any
> intermediaries
> > and establish a long-term relationship with them as an individual
>
> I think that's a key point, and listing such requirements for
> platforms that can help our contributors get funding sounds useful.
>
> Here's a quick list of initial requirements that we might include:
> -Contributors can get steady funding for their work
> -ASF is out of the loop of financial transactions
> -Contributors must use a standard ASF disclaimer (draft at [1])
> -Contributors can establish a direct relationship with sponsors
> -Several "funding intermediaries" are available
> -ASF might define the wording that contributors can use when
> advertising themselves (based on facts, etc.)
>
> I like the idea of the ASF facilitating these things.
>
> Maintaining a comdev page that lists criteria like the above, with
> pointers to the relevant ASF policies, and lists intermediaries that
> our contributors have successfully used, might be a good start.
>
> -Bertrand
>
> [1] https://community.apache.org/committers/funding-disclaimer.html
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Bertrand Delacretaz
Hi,

Le lun. 28 févr. 2022 à 11:06, Jarek Potiuk  a écrit :
>...the relationships I have is direct relationship with the
> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely "removing
> bureaucratic obstacles" but they are not "between" me and my stakeholders.
> They are "on a side". They get a small cut sometimes (which I gladly pay)
> but I want to talk to the stakeholders directly without any intermediaries
> and establish a long-term relationship with them as an individual

I think that's a key point, and listing such requirements for
platforms that can help our contributors get funding sounds useful.

Here's a quick list of initial requirements that we might include:
-Contributors can get steady funding for their work
-ASF is out of the loop of financial transactions
-Contributors must use a standard ASF disclaimer (draft at [1])
-Contributors can establish a direct relationship with sponsors
-Several "funding intermediaries" are available
-ASF might define the wording that contributors can use when
advertising themselves (based on facts, etc.)

I like the idea of the ASF facilitating these things.

Maintaining a comdev page that lists criteria like the above, with
pointers to the relevant ASF policies, and lists intermediaries that
our contributors have successfully used, might be a good start.

-Bertrand

[1] https://community.apache.org/committers/funding-disclaimer.html

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Jarek Potiuk
 of sponsoring the campaigns. So right now, there are 2
> campaigns that are being sponsored and they even got the companies to
> actively participate. So, I will not be doing all the work on my own but
> we’re splitting things up between me and the companies, making them become
> more involved in the project. This is good for me and for the Project.
>
> So, I think we need to do two things:
>
>   *   List individuals or companies willing to provide services around one
> of our projects
>   *   List possible features that could be implemented and assign some
> sort of measure to them (like developer-days needed to implement … I would
> strongly object adding prices, but having developer-days should be a
> dimension they can think in and sort of get an idea on what costs to expect)
>
>
> Also, would it be good, if we could establish some sort of standard for
> projects offering this sort of thing, so people get used to it. Similarly
> to “every project has a download page” we need awareness that there’s also
> a “commercial-support” (or whatever we call it) page and some sort of
> feature catalog.
>
> I do think there are ways how we can ensure income to solo developers or
> small companies and still stay in line with the ASF mission. And finding
> these paths is what I would like to do in the future.
>
> Chris
>
> From: Roman Shaposhnik 
> Sent: Sonntag, 27. Februar 2022 23:06
> To: ComDev ; cd...@apache.org
> Subject: Effective ways of getting individuals funded to work on ASF
> projects
>
> Hi!
>
> over the past couple of years there has been a number
> of efforts trying to figure out effective ways of getting funded
> for working on ASF projects as individuals and not employees
> at companies building on top of these projects.
>
> Chris's recent experience is but one of them:
> https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog
>
> My personal frustration with all these threads is that we never
> seem to arrive at any actionable suggestions for how developers
> like Chris can *easily* create these additional income streams.
>
> Rightfully, we at ASF basically say that it must be a 3d party issue
> to solve. It very much is. The problem is that doing so one one-off
> just perpetuates the logistical pain of setting up contracts, etc. etc.
> This creates a pretty significant barrier and, as Chris's experience
> would suggest it typically becomes too insurmountable for individual
> developers.
>
> Sure, there have been interesting attempts to "hack the system"
> and use things like GitCoin, BugMark and a few others to solve for
> this "how do we get back to our open source roots when individuals,
> not corporations were the economic agents around open source".
> But I honestly don't know of any of them becoming viable either.
> At least not so far.
>
> At the risk of tilting at windmills once again, I'd like to see if there's
> enough interest to take a crack at this problem yet again.
>
> And in the spirit of "hacking the system" I'd like to suggest that we
> focus on a 3d party solving it for us. In fact, I suggest we pick a
> very particular 3d party -- TideLift
>
> https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide
>
> Now, before you exclaim "who the heck appointed TideLift to solve it for
> us?"
> I'd be the first one to admit that I picked them because I know them
> really well and I do think they are the closest to giving us some of the
> answers.
> But above all, I'm suggesting we look at TideLift because they seem to
> be very much willing to work with us on actually changing their engagement
> model to fit our needs. IOW, it is not like their rules are cast in stone
> -- we can
> assume they are malleable. If anyone knows of a similar 3d party -- let's
> discuss
> that too.
>
> If, however, there's a general consensus about seriously looking
> at them as that 3d party -- I'd like to start collecting names of ASF
> developers (and PMCs) who would be willing to participate in
> a trial program with them of sorts and report back.
>
> If you have comments on anything above -- please reply in-thread.
>
> If you'd be interested in this trial -- you can either do that or just
> reply to me personally.
>
> Thanks,
> Roman.
>


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Martin Desruisseaux
There is a small but relatively successful funding happening right now. 
The Open Geospatial Consortium (OGC) is organizing a code sprint 
conjointly with ASF and another open-source organization (OSGeo) [1]. 
For this code sprint, OGC and OSGeo solicited their sponsors, but ASF 
could not (probably not the ASF way, and also geospatial may be too much 
a niche domain at ASF). The collected money goes to participants [2]. 
This is small (10,000$ a few weeks ago, I do not know the amount today) 
and only for short events, but this is the second year that this event 
happens and if successful enough, it may continue to happen next years. 
The advantage is that OGC takes in charge a lot of the burden of 
organizing those events. I wonder if ASF should participate to the calls 
for sponsors if such code sprints happen again, with some filtering for 
bothering only those who have an interest in the target domain 
(geospatial in this example).


    Martin

[1]https://www.ogc.org/pressroom/pressreleases/4659
[2}https://t.co/zxoN70sKLF


RE: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Christofer Dutz
 
like to enable others to do the same, so I added a few bucks to the lawyer bill 
and had him prepare something that I was allowed to give to others to use (Sort 
of like “terms of service” with a permissive license). This: Having a lawyer 
check if crowdfunding is possible and if yes, in which way and having them 
prepare the “terms of service” cost quite a bit.

Unfortunately, I was right with the acceptance of this platform:
Not a single cent got paid into any of the campaigns I listed. The sums some of 
them list were simply test-data I intentionally left there when going online 
;-).

But one thing I didn’t expect, was that having campaigns listed and having a 
price-tag assigned to them, made companies approach me directly asking for a 
different form of sponsoring the campaigns. So right now, there are 2 campaigns 
that are being sponsored and they even got the companies to actively 
participate. So, I will not be doing all the work on my own but we’re splitting 
things up between me and the companies, making them become more involved in the 
project. This is good for me and for the Project.

So, I think we need to do two things:

  *   List individuals or companies willing to provide services around one of 
our projects
  *   List possible features that could be implemented and assign some sort of 
measure to them (like developer-days needed to implement … I would strongly 
object adding prices, but having developer-days should be a dimension they can 
think in and sort of get an idea on what costs to expect)


Also, would it be good, if we could establish some sort of standard for 
projects offering this sort of thing, so people get used to it. Similarly to 
“every project has a download page” we need awareness that there’s also a 
“commercial-support” (or whatever we call it) page and some sort of feature 
catalog.

I do think there are ways how we can ensure income to solo developers or small 
companies and still stay in line with the ASF mission. And finding these paths 
is what I would like to do in the future.

Chris

From: Roman Shaposhnik 
Sent: Sonntag, 27. Februar 2022 23:06
To: ComDev ; cd...@apache.org
Subject: Effective ways of getting individuals funded to work on ASF projects

Hi!

over the past couple of years there has been a number
of efforts trying to figure out effective ways of getting funded
for working on ASF projects as individuals and not employees
at companies building on top of these projects.

Chris's recent experience is but one of them:
https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog

My personal frustration with all these threads is that we never
seem to arrive at any actionable suggestions for how developers
like Chris can *easily* create these additional income streams.

Rightfully, we at ASF basically say that it must be a 3d party issue
to solve. It very much is. The problem is that doing so one one-off
just perpetuates the logistical pain of setting up contracts, etc. etc.
This creates a pretty significant barrier and, as Chris's experience
would suggest it typically becomes too insurmountable for individual
developers.

Sure, there have been interesting attempts to "hack the system"
and use things like GitCoin, BugMark and a few others to solve for
this "how do we get back to our open source roots when individuals,
not corporations were the economic agents around open source".
But I honestly don't know of any of them becoming viable either.
At least not so far.

At the risk of tilting at windmills once again, I'd like to see if there's
enough interest to take a crack at this problem yet again.

And in the spirit of "hacking the system" I'd like to suggest that we
focus on a 3d party solving it for us. In fact, I suggest we pick a
very particular 3d party -- TideLift
 
https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide

Now, before you exclaim "who the heck appointed TideLift to solve it for us?"
I'd be the first one to admit that I picked them because I know them
really well and I do think they are the closest to giving us some of the 
answers.
But above all, I'm suggesting we look at TideLift because they seem to
be very much willing to work with us on actually changing their engagement
model to fit our needs. IOW, it is not like their rules are cast in stone -- we 
can
assume they are malleable. If anyone knows of a similar 3d party -- let's 
discuss
that too.

If, however, there's a general consensus about seriously looking
at them as that 3d party -- I'd like to start collecting names of ASF
developers (and PMCs) who would be willing to participate in
a trial program with them of sorts and report back.

If you have comments on anything above -- please reply in-thread.

If you'd be interested in this trial -- you can either do that or just reply to 
me personally.

Thanks,
Roman.


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Joshua Simmons
Hi folks, Josh here with my Tidelift hat on. (I wear many hats, as some of
you know!) I want to be extremely respectful of the discourse y'all are
having here, and so will be sparing in my engagement.

The conversations that played out after I reached out to Apache Log4j
PMC–across Legal, ComDev, and Fundraising in January and February–were
extremely edifying. We found at least one area where Tidelift _does_ need
to adjust course in order to square with ASF policy, and other areas of
concern that are very worthy of discussion.

Having had those conversations, I've taken some time to prepare a brief
document (attached) that provides more background on Tidelift, and attempts
to summarize the concerns that have been raised. (I welcome corrections if
I got anything wrong, and will gladly evolve the doc to include other
salient points that come up.)

The most important thing for me, as both a member of open source
communities and as an employee of Tidelift, is that we address systemic
resource disparities in open source in a manner that amplifies the best
qualities of open source and in line with the spirit of open source.
Solving the resource problem in a way that properly rises to the challenge
requires open dialog and a collective spirit of problem solving, across
many different types of stakeholders–including critical foundations like
the ASF.

All that is to say: Tidelift is not here to offer an inflexible path to
solving these problems, nor are we here claiming to be the end-all-be-all.
Rather, we are here to learn how to work with individual community members
and align with ASF policy, to come up with creative solutions, and to make
open source work better for everyone.

I'll be happy to answer any questions that folks have, but otherwise will
mostly focus my energy on listening and learning.

With gratitude,
Josh

Josh Simmons (he/they), Sr. Ecosystem Strategy Lead @ Tidelift

@joshsimmons  | joshua.simm...@tidelift.com
| bluesomewhere on IRC
TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
ad astra per aspera 🚀


2022-02-27 Toward Tidelift compatibility with Apache Software Foundation policy.odt
Description: application/vnd.oasis.opendocument.text

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Jarek Potiuk
I am extremely interested in this and I very much support the effort that
Roman describes.  But I do think Tidelift is not necessarily a good (and
quite for sure not the only) solution.

I think their interest is a bit separated from ASF one. They mostly want to
promote their service to get the cut of the payments (this is what I see).
Maybe not even the payments they get through ASF but to get popularity and
get the cut later. This is fine as a business model. But I am not sure ASF
should endorse it. There should be - at most - a range of solutions that
ASF can say "you are free to use". I think the "popularity" of a service
should come from the corporate users wanting to use them as
"intermediaries". Those services should be really a solution to make it
easier (and trusted) to get money transferred between parties. And there
might be many of those.

I am currently an independent OSS contributor and get the money from the
stakeholders in various ways - direct contracts and using the preferred
mechanism of my customers (or "stakeholders"). I use various
"intermediaries":
   * SAP Ariba - for Google
   * https://www.letsdeel.com/ - for Astronomer
   * Github Sponsors - for Amazon and others (some of them in advance
discussions)

There is an initial overhead to set it up, but once it's set-up it's easy
to fulfill all the "bureaucratic" stuff on a regular basis. That's what
they promise and deliver. Those platforms provide invoicing and money
transfer mechanisms and charge very, very little for it (compared to
setting up the legal relationship). What is really important and takes a
lot of the time and effort and money is to have contracts with those
parties that protect my freedom and independence as OSS contributor for ASF
projects as well as becoming a valuable party for my partners.

I am lucky enough to be able to negotiate "independence" but also have
enough resources/contracts/stamina/negotiating power to have my lawyers (in
Poland and Slovakia where I have my second business entity) and enough
income to be able to spend a substantial amount of money on setting this
up. I am also lucky to have friendly and competent lawyers that became my
friends over time, not only business partners. I've involved my lawyers in
all the contract discussions and I have some templates but many of the
contributors do not have this freedom/capabilities.

I think some "standards", "policies", "allowed clauses", "templates" might
be of a great help to the committers who just want to "do the stuff" and
don't have enough resources. Happy to help - for starting to share my
contract templates if that might help others.

But those are just technicalities, and I have a much more important comment.

There is - of course - a completely different story. But what is really
important is how to build the relationship, how to find those who will pay
for your job and convince them to do so. But I am afraid none of
Tidelift's or other platforms can help with it. Personal reputation in the
project, building it, spending time, being vocal about it, self-promotion,
speaking, being present is the only way to get people to want you to pay
for your job and none of the platforms can help with it when personal
effort is not spent on "selling" your work. There are no shortcuts for
that. Thinking that when you do a good job, you will be noticed, is
wishful thinking IMHO. If you want success, you need to act beyond doing a
good IT job. And I think possibly making people aware of that and teaching
them how not only to do a good job but also sell it is a way to go.

That's one thing I've learned over the many years in the industry - if you
do a bad job. then selling it is hard. If you do a good job, selling is
easy - but if you won't do it yourself - no-one will do it for you. There
is no-one else but you who can sell your job and you need to learn how to
do it. But many people in our industry do not realise that. I think some
kind of awareness, sharing experience, and providing guidelines to people
who want to earn on open-source contributions (in a very good sense of it)
is something that IMHO ASF can help with (and happy to help with it too - I
am thinking on the next talk "how to make living on contributing to OSS"
talk at Apache Con for one).

Maybe in ASF we should focus on teaching our people to sell the great job
they are doing and not be afraid of it.

J.

On Sun, Feb 27, 2022 at 11:17 PM Roman Shaposhnik 
wrote:

> On Sun, Feb 27, 2022 at 11:11 PM Gary Gregory 
> wrote:
>
> > We just went through this with Log4j and decided that the Tidelift model
> > was not compatible with Apache. Hopefully someone on our PMC can provide
> a
> > recap.
> >
>
> Please correct me if I'm wrong, but as I remember there wasn't any attempt
> to work with TideLift on changing the engagement model on their end,
> was there?
> This time I'm suggesting that we work together with TideLift to come up
> with the new rules (or to agree -- together -- that no such rules ex

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Ted Dunning


I was in the peanut gallery when Tidelift approached the logging project.

To me, it looked like Tidelift wanted fairly significant service level 
guarantees for a very low cost and then wanted to monetize their position of 
having such guarantees.

Aside from whether or not the details were right, the overall shape seemed 
wrong to me. Long on guarantees and indemnification by the individuals signing 
on and short on benefits to the individuals or the project.

On 2022/02/27 22:11:26 Gary Gregory wrote:
> We just went through this with Log4j and decided that the Tidelift model
> was not compatible with Apache. Hopefully someone on our PMC can provide a
> recap.
> 
> Gary
> 
> On Sun, Feb 27, 2022, 17:06 Roman Shaposhnik  wrote:
> 
> > Hi!
> >
> > over the past couple of years there has been a number
> > of efforts trying to figure out effective ways of getting funded
> > for working on ASF projects as individuals and not employees
> > at companies building on top of these projects.
> >
> > Chris's recent experience is but one of them:
> > https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog
> >
> > My personal frustration with all these threads is that we never
> > seem to arrive at any actionable suggestions for how developers
> > like Chris can *easily* create these additional income streams.
> >
> > Rightfully, we at ASF basically say that it must be a 3d party issue
> > to solve. It very much is. The problem is that doing so one one-off
> > just perpetuates the logistical pain of setting up contracts, etc. etc.
> > This creates a pretty significant barrier and, as Chris's experience
> > would suggest it typically becomes too insurmountable for individual
> > developers.
> >
> > Sure, there have been interesting attempts to "hack the system"
> > and use things like GitCoin, BugMark and a few others to solve for
> > this "how do we get back to our open source roots when individuals,
> > not corporations were the economic agents around open source".
> > But I honestly don't know of any of them becoming viable either.
> > At least not so far.
> >
> > At the risk of tilting at windmills once again, I'd like to see if there's
> > enough interest to take a crack at this problem yet again.
> >
> > And in the spirit of "hacking the system" I'd like to suggest that we
> > focus on a 3d party solving it for us. In fact, I suggest we pick a
> > very particular 3d party -- TideLift
> >
> >
> > https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide
> >
> > Now, before you exclaim "who the heck appointed TideLift to solve it for
> > us?"
> > I'd be the first one to admit that I picked them because I know them
> > really well and I do think they are the closest to giving us some of the
> > answers.
> > But above all, I'm suggesting we look at TideLift because they seem to
> > be very much willing to work with us on actually changing their engagement
> > model to fit our needs. IOW, it is not like their rules are cast in stone
> > -- we can
> > assume they are malleable. If anyone knows of a similar 3d party -- let's
> > discuss
> > that too.
> >
> > If, however, there's a general consensus about seriously looking
> > at them as that 3d party -- I'd like to start collecting names of ASF
> > developers (and PMCs) who would be willing to participate in
> > a trial program with them of sorts and report back.
> >
> > If you have comments on anything above -- please reply in-thread.
> >
> > If you'd be interested in this trial -- you can either do that or just
> > reply to me personally.
> >
> > Thanks,
> > Roman.
> >
> 

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Roman Shaposhnik
On Sun, Feb 27, 2022 at 11:11 PM Gary Gregory 
wrote:

> We just went through this with Log4j and decided that the Tidelift model
> was not compatible with Apache. Hopefully someone on our PMC can provide a
> recap.
>

Please correct me if I'm wrong, but as I remember there wasn't any attempt
to work with TideLift on changing the engagement model on their end,
was there?
This time I'm suggesting that we work together with TideLift to come up
with the new rules (or to agree -- together -- that no such rules exist).

Basically, the exercise I'm suggesting is different.

Still, the kind of recap you have in mind would be super useful.

Thanks,
Roman.


Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Gary Gregory
We just went through this with Log4j and decided that the Tidelift model
was not compatible with Apache. Hopefully someone on our PMC can provide a
recap.

Gary

On Sun, Feb 27, 2022, 17:06 Roman Shaposhnik  wrote:

> Hi!
>
> over the past couple of years there has been a number
> of efforts trying to figure out effective ways of getting funded
> for working on ASF projects as individuals and not employees
> at companies building on top of these projects.
>
> Chris's recent experience is but one of them:
> https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog
>
> My personal frustration with all these threads is that we never
> seem to arrive at any actionable suggestions for how developers
> like Chris can *easily* create these additional income streams.
>
> Rightfully, we at ASF basically say that it must be a 3d party issue
> to solve. It very much is. The problem is that doing so one one-off
> just perpetuates the logistical pain of setting up contracts, etc. etc.
> This creates a pretty significant barrier and, as Chris's experience
> would suggest it typically becomes too insurmountable for individual
> developers.
>
> Sure, there have been interesting attempts to "hack the system"
> and use things like GitCoin, BugMark and a few others to solve for
> this "how do we get back to our open source roots when individuals,
> not corporations were the economic agents around open source".
> But I honestly don't know of any of them becoming viable either.
> At least not so far.
>
> At the risk of tilting at windmills once again, I'd like to see if there's
> enough interest to take a crack at this problem yet again.
>
> And in the spirit of "hacking the system" I'd like to suggest that we
> focus on a 3d party solving it for us. In fact, I suggest we pick a
> very particular 3d party -- TideLift
>
>
> https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide
>
> Now, before you exclaim "who the heck appointed TideLift to solve it for
> us?"
> I'd be the first one to admit that I picked them because I know them
> really well and I do think they are the closest to giving us some of the
> answers.
> But above all, I'm suggesting we look at TideLift because they seem to
> be very much willing to work with us on actually changing their engagement
> model to fit our needs. IOW, it is not like their rules are cast in stone
> -- we can
> assume they are malleable. If anyone knows of a similar 3d party -- let's
> discuss
> that too.
>
> If, however, there's a general consensus about seriously looking
> at them as that 3d party -- I'd like to start collecting names of ASF
> developers (and PMCs) who would be willing to participate in
> a trial program with them of sorts and report back.
>
> If you have comments on anything above -- please reply in-thread.
>
> If you'd be interested in this trial -- you can either do that or just
> reply to me personally.
>
> Thanks,
> Roman.
>


Effective ways of getting individuals funded to work on ASF projects

2022-02-27 Thread Roman Shaposhnik
Hi!

over the past couple of years there has been a number
of efforts trying to figure out effective ways of getting funded
for working on ASF projects as individuals and not employees
at companies building on top of these projects.

Chris's recent experience is but one of them:
https://lists.apache.org/thread/momxgzzyq03lz54knvzhxm16r8j40vog

My personal frustration with all these threads is that we never
seem to arrive at any actionable suggestions for how developers
like Chris can *easily* create these additional income streams.

Rightfully, we at ASF basically say that it must be a 3d party issue
to solve. It very much is. The problem is that doing so one one-off
just perpetuates the logistical pain of setting up contracts, etc. etc.
This creates a pretty significant barrier and, as Chris's experience
would suggest it typically becomes too insurmountable for individual
developers.

Sure, there have been interesting attempts to "hack the system"
and use things like GitCoin, BugMark and a few others to solve for
this "how do we get back to our open source roots when individuals,
not corporations were the economic agents around open source".
But I honestly don't know of any of them becoming viable either.
At least not so far.

At the risk of tilting at windmills once again, I'd like to see if there's
enough interest to take a crack at this problem yet again.

And in the spirit of "hacking the system" I'd like to suggest that we
focus on a 3d party solving it for us. In fact, I suggest we pick a
very particular 3d party -- TideLift

https://support.tidelift.com/hc/en-us/articles/4406293106324-Quickstart-guide

Now, before you exclaim "who the heck appointed TideLift to solve it for
us?"
I'd be the first one to admit that I picked them because I know them
really well and I do think they are the closest to giving us some of the
answers.
But above all, I'm suggesting we look at TideLift because they seem to
be very much willing to work with us on actually changing their engagement
model to fit our needs. IOW, it is not like their rules are cast in stone
-- we can
assume they are malleable. If anyone knows of a similar 3d party -- let's
discuss
that too.

If, however, there's a general consensus about seriously looking
at them as that 3d party -- I'd like to start collecting names of ASF
developers (and PMCs) who would be willing to participate in
a trial program with them of sorts and report back.

If you have comments on anything above -- please reply in-thread.

If you'd be interested in this trial -- you can either do that or just
reply to me personally.

Thanks,
Roman.