Why is there never any money in FOSS (where it's needed)?

According to the 2020 FOSS Contributor Survey conducted by the Linux Foundation, 48.7% of respondents are paid for work on free and open-source software[1].

And yet there are critical free and open-source software projects that are chronically underfunded and that have no realistic ability to monetize.

Difficulty of financially supporting “FOSS”

Finding projects to support

It is surprisingly difficult to financially support “FOSS”. You can of course support some projects that you know you use or that you know you like. But this will always just be a small fraction of the projects you actually use.

A company or an individual has only one option when trying to support FOSS: they have to research what projects they actually use. They can’t fund all the projects they use, because even just using a single FOSS project (e.g. Mastodon, the Linux kernel) entails depending on hundreds, if not thousands of independent projects. Only the wealthiest donors can afford to split their donation into a thousand pieces and still end up with amounts that justify the transaction fees.

Most willing donors have to prioritize their donations.

A project thus has to clear two obstacles before being funded:

  1. They have to be visible to willing donors.
  2. They have to be significant enough to the donors that found them, to be supported financially.

There are too many projects that never clear these obstacles before something disastrous happens. XZ and Log4j to name the most famous ones.

This is not the fault of any of these projects, this is the nature of the modern software supply chain. We depend on more projects than we could possibly fund individually, so we need to fund them collectively.

A very similar problem occurs when trying to find projects to contribute, though here the solution cannot be collective support as no one can contribute to all FOSS projects at once.

Funding “FOSS” vs. Funding a FOSS Project

The second funding problem for “FOSS” is that there is a meaningful difference between “Funding FOSS” and “Funding a FOSS Project”.

The first means to fund not just the development of FOSS projects, but also the supporting infrastructure that FOSS needs. The conferences, the support groups, the mental health hotlines for burned out volunteers and the discussion forums, like the one that this article is published on - to name just a small part of it.

When financial support only exists for a set of FOSS projects, this infrastructure either falls into neglect or is never built up in the first place. But it is necessary for all of the FOSS community to survive.

Without connections, without support, without exchange across projects and without help from burn-out, stress, abuse and other mental health crises, fewer and fewer projects will succeed and those projects that persist will do so despite the environment and not because of it.

Collectively funding Free and Open Source Software

I only see one solution to this problem of overly targeted funding. We need trusted institutions - foundations and companies with a reputation in the FOSS community - to start fundraising for the FOSS community as a whole. They can find the projects that are vital and in critical states, provide support in the form of counseling, connecting maintainers to trusted contributors and maintainers and paying the maintainers and contributors for their work on a case by case basis.

And they can also dedicate resources better to supporting the FOSS movement as a whole.

We don’t need another grant program that maintainers need to take time out of their day to apply to for a very limited amount of funding over a very limited amount of time. This initiative needs to be available to FOSS maintainers for advice and support, but it also needs to pro-actively reach out to projects it deems critical, vulnerable or desperate.

Otherwise disasters, like the XZ vulnerability, will keep happening.


There’s been a ton of discussion on HN, and a buncha thoughts on funding. There’s a bullet point 0) to add to obstacles of “A project has to be willing to be funded”. There’s many that don’t, esp. in early days, where they scratch the dev’s itch, are considered to be hobby projects, and/or the devs don’t wanna feel the weight of responsibility that receiving money (implicitly) incurs.

On that Linux Foundation survey I have some question marks. On the Linux project itself there are many companies that contribute either financially or by allowing their employees to contribute work. Also the word “FOSS” is liberally used and refers to (F)OSS, where the biggest part is actually OSS. The kind that companies like best. You can see that for instance in the Cloud Native Computing Foundation by Linux Foundation… it’s all cloud vendors here, solidifying their (often open core) foundation, upon which their (often SaaS) products & services are based.

OSS is very different than FOSS. The “OSS market” is rapidly professionalising, while FOSS is not. That is imho a big risk to FOSS. The truth is that the corporate world has learned from log4j and is transforming itself to get a better control over the software supply chain. Overall this advantages OSS, not FOSS. Large companies and governments are creating OSPO departments, where vetting of (F)OSS takes place against a range of criteria.

Maybe a good OSPO can convince the higher ups in the organization that donating to projects in the dependency chain is smart practice. On the whole business processes are such that when a dev requests donations for a project, that is likely not to get honored by Finance eventually. And most often that request isn’t even killed by a policy of “freeriding” and such. It is just fundamentally different to how the business operates.

I do think that your fundraising idea by trusted institutions has something to it. And some of that already exists. The Linux Foundation for instance (though afaik it doesn’t fund members atm). Now, this foundation isn’t universally loved in FOSS circles. It is seen as too corporate, having ‘sold its soul’ to capitalism. Same with conferences like FOSDEM who ask speakers to please not criticize the big tech sponsors.

What Linux Foundation dedicates to is matching supply and demand. You mention wrt difficulty of overcoming obstacles to receiving funding that:

This is not the fault of any of these projects, this is the nature of the modern software supply chain.

This modern supply chain doesn’t exist yet… it is being built right now. And in that light the 2nd obstacle of:

They have to be significant enough to the donors that found them, to be supported financially.

… is where this match between supply and demand should be made. The “significant enough” means holding up to all the standards that corporations and governments set for the software they’ll use. And that goes way beyond the code itself. That goes into addressing the FSDL of the project.

And this is what Linux Foundation offers… a way to ‘graduate’ a project to ever more strict set of compliance criteria whereby it can offer assurances to businesses/governments that they are safe for use.

TL;DR thus far:

  • FOSS is disadvantaged in the trend of professionalising the software supply chain.
  • Institutions that help FOSS should encourage adaptation to where the “demand” is.
  • Most of that work is still on the FOSS projects’ plate, who must address more of the FSDL.
  • Institutions might fundraise, but the success of fundraising depends on ‘FSDL-focused’ members.

Given the above… while I am not against better institutions in any way, I think we can do better, and the time is right to think of and implement better ways. The Social Coding movement was started from the recognition that other aspects of the FSDL become more important with the growing popularity and adoption of a FOSS project, and that these are areas where FOSS is particularly weak. And also that there’s tremendous power in grassroots movements (such as underlying FOSS landscape), if only there were better collaboration and less of the endless “going-it-alone” fragmentation.

Most institutions that help FOSS have a “our way or the highway” intake process. You either defer to that process, or don’t join. And you give up some of your project’s independence, and must adopt your governance organization to fit in with the institution.

I’ve compared these institutions before as the mythical temples and wizard’s towers standing aloof in the landscape in a fantasy tale. You leave your bustling town to go on a hero’s quest and pray at the altar of a shrine to gain your blessing. Now, that’s a bit unfavorable reading of well-meaning institutions that are out there. But the thing is that these institutions place themselves a hierarchical step above the FOSS projects they help foster.

That shouldn’t be. It does not fit grassroots organization, that is not hierarchical. Instead these institutions should be just “service providers” on an equal footing. And you get healthy service supply & demand. You give something, get something back. If that sustains some US non-profit with a 20 person well-paid staff, fine. If not, it may sustain a more FOSS’y group of 3 people instead.

Take a non-software context. Nowadays for about any expensive service you have DIY alternatives. Wanna buy/sell a house? You can opt to leave everything to a real-estate agent, and pay the price. Or you go to a website and do most of the agent’s work by yourself for way less money. Maybe you delegate some tasks, like hire a professional photographer to showcase your house. At a fraction of the cost, but by spending some more time, you can get the same results. Same alternatives exist for mortgages, notary services, you-name-it.

Not so much in FOSS circles… yet.

And here there is great opportunity. We have:

  • The dormant power of the grassroots movement.
  • The decentralized technology to support that movement.
  • A big threat to our movement that must be tackled, as a motivator… to act.

I’m not considering this point an obstacle because we should assume that any project that is critical and in a desperate state is willing to be funded. Even when the maintainer does not want to receive compensation for their time, having the ability to hire a trusted contributor or maintainer to take over when the volunteer is exhausted, burned-out or wants to give up their hobby. The willingness to receive funds for your own work does not mean you don’t need money for other purposes. As the XZ affair has shown, it is increasingly difficult to impossible for a maintainer to find a trusted maintainer to take over from them and if the previous maintainer has to suspend work on a project urgently, the only way to get a trustworthy maintainer in quickly and reliably is to hire them.

On the question of which institution should take over this role? I’m not sure. There are few foundations in the FOSS space that aren’t controversial in some way.

I believe that whatever institution is interested in doing something like this (e.g. EFF, FSF, CCC, NLnet) will do something positive with it. It would of course be preferable if there was an institution, like a Guild, that had the reputation amongst FOSS developers and was organized by them and could take charge of such an initiative.

Referencing a long discussion to the author’s article on the subject:

To narrow the scope a tad here. I’d mentioned this before elsewhere but the Bevy game engine becoming a non-profit was quite interesting to me.

They list the reasons they took this step in the “Some History” section:

  • Funding Bevy Has Been A Popularity Contest
  • We Lacked "Organizational Legitimacy"
  • Carter Held (And Owned) The Keys

The Donor Mindset

Interestingly, within the “Funding Bevy Has Been A Popularity Contest” point they state: “Presenting donors with the task of picking someone to back also deeply complicated the donation process, which likely turned some donors off.”.

I would like to explore the mindset of someone donating, for a moment, by breaking it into 3 parts:

The idea is that you give money to a developer, they can afford to spend more time on a specific project. Simple. Logically, you want 100% of your money to go towards that project.

Now let’s say we have two developers each with their own donation pages listed underneath a project. One is the creator, 100% of their time goes to this project. The other developer spends 50% of their time on this project and the other 50% on their own projects.

Which is the better value?

Often times it’s not obvious who spends the most time on a project so you go with whoever is the safest bet to spend most of their time on the project. You also don’t know the state of the project at this very moment. It could be that the donation page is out of date.

Who are the safest bets to get the best return for your donation?

People are inherently lazy. They’ll always take the path of least resistance. They’re not going to manage 10 different donations to different projects let alone on the same project. Especially if there’s fees.

They also don’t want to be micromanaging their subscriptions in the case of a developer leaving a project. So they’ll choose the one who’s least likely to cause them to take future action.

What gives you the satisfaction of donating with the least possible effort, now and in the future?

So the donor side of this problem is simple then: A platform that maximises reward, minimises risk and is the easiest option for donors. Well, I do know a kind of platform that at least claims to do these things: trading platforms.

One I want to flag for attention is called eToro (because I have access to it). It’s a trading platform with social elements and the typical stuff: stocks & shares, copy trading and index/grouped trading.

I want something like this for the donation-based economy. The ability to place money into a platform and easily distribute it. I want to be able to copy the donations of people I trust, lowering the knowledge barrier. I want people to create groups of projects to raise awareness, for example underfunded important libraries, that I can state X amount and have it split between all of them. I want to feel empowered to donate to any and all projects without having to worry about a 100 fees and maximising my reward.

Let’s see how we can expand on this idea with the points the Bevy team raised.

The Donatee Mindset

A donatee is a person or project that receives donations.

Funding Bevy Has Been A Popularity Contest

For some context they had a list of major devs on the “Donate” page, but the project lead/creator received a majorly skewed amount of these donations.

Bevy decided they needed a “centralised donation model” to fairly distribute funds. This is a formalisation of their project structure because they were unable to mimic it within our current donation-based systems.

A platform like any social platform would have an account system for individuals and formalised groups. You can reconstruct most project structures from these basic building blocks. Individuals could form a Circle which can be associated with a project but also part of a larger Guild.

The larger points of funds distribution within projects, I’m leaving out as that’s an entirely different prospect.

Funding FOSS Has Been a Popularity Contest

This popularity problem can be extrapolated, I think, past developers on an individual project, to a project composed of other projects. Even with the best intentions, the most visible gets the funds.

A donation platform should allow donatees to list dependencies. Libraries or tools. A donor could then donate to a donatee only or including dependencies. A donatee could even enforce a certain amount of income towards their dependencies.

Projects could have dependencies which have dependencies which all get a share.

We Lacked “Organizational Legitimacy”

It’s more legal backing. But I’m getting a bit tired of writing and I’m not sure I have anything interesting to say here.

Carter Held (And Owned) The Keys

A very important point outside the scope of funding per se but I feel is important to it. Without creating a central organisation how can you share ownership? We’ve had this discussion before within Guild Alpha.

I might wonder if you could provide these services to projects within this donation platform.

The Network Effect

Now let’s expand our scope. Interestingly enough the FOSS community aren’t the only ones going through this problem. Streamers, video makers, sex workers, musicians, journalists, fediverse server admins and lots of other groups are all struggling. Maybe for different reasons but the solution remains the same.

If we could create a community-backed platform that served all of these groups’ needs, I imagine we’d see the network effect in action. The idea of streamers listing tools like OBS Studio as a dependency. There could even be nests: Mastodon server admins having Mastodon as a dependency which could have a few library dependencies for example.

Removing the barrier to forming collectives with shared revenues.

Major Points:

  • Make it more convenient for donors to donate to groups
  • Bring the “Trading Platform” style to the donation sphere
  • Enable projects to recreate their project structure within a donation-based system
  • A donation platform that can serve a wide range of groups and facilitate communication between them to support a network effect

Edit: Just some notes I thought of after the fact:
The donation platform doesn’t need a project or person to accept donations. It should also function as a way to socialise governance or post news etc. Limiting it to those who wish to accept donations acts as a barrier to adoption in my eyes.


I like the “Trading Platform” idea, @dannymate. I will add some additional thoughts…

TIP: Technology Investment Platform

I’ll first give the platform a different name, as it is not about trading.

Requirement: “Organizational Legitimacy”

Referring back to the XZ backdoor vulnerability that triggered this thread, we see a) a burnt out overworked maintainer without real payment for their work fall for social engineering, and b) huge impact in 1,000’s of software projects and millions of systems.

After the log4j incident and the ridiculous left-pad chaos, we see another XKCD-2347 eye-opening moment for the business world, realizing their products & services rest on unstable foundations. It empowers anti-FOSS advocates, but above all it will speed up the focus on gaining control of the software supply chain.

Here FOSS will get the short end of the stick, if it doesn’t match pace in this “professionalisation-of-the-supply-chain” trend.

Individual people donating is all fine, and has been the focus for decades. It will not yield stable income for sustainable FOSS projects. Individual donations only help a bit, at best for 99.99% of the projects (I will not focus on the survival bias of the few, usually top-of-the-stack projects, that are successful here, as they are not the ones that match XKCD-2347).

The focus of TIP must be to see companies invest in the Free Software they use. And the “Organizational Legitimacy” is key here. It simply entails:

  • “Do I as a company feel comfortable having this project in my supply chain?”

Wrt the Bevy Foundation article you mentioned, this refers to the bullet points of “We lacked Organizational Legitimacy” and “Carter Held (And Owned) The Keys”. Several points mentioned:

  • Attract the attention (and funding) of people and companies.
  • Address lack of legitimacy required to attract some entities.
  • Present a centralized and transparent view of our operations.
  • Accountable and professional people at the helm.
  • Governance that delegates authority (bus factor), legally, ethically.

I argue this organizational legitimacy is one of the most major requirements for TIP. And it relates to “rewards” you mention.

Requirement: “Return on Investment”

As dirty as the word ROI is in Free Software circles, it is the best-understood word of the company manager that approves a financial investment.

Not so simple. What is this “reward”, and how to maximise it? The key is in “minimises risk”. Not just that the investment lands at the proper place, but that by investing the risk of the supply chain crumbling down is mitigated as much as possible.

So TIP should ideally make as many matches as possible to those weak ‘foundation stones’ in the tech stack. There’s a lot of software being created to manage SBOM’s and curate dependencies based on requirements set by the company or institution (e.g. wrt security). Supply chain management involves “managing risk” and often focuses on replacing risky dependencies, and much less on encouraging a project that constitutes a risky dependency to improve until it can give the required assurances.

So there may be a role for TIP in that:

  • “Investment in a ‘project portfolio’ yields measurable improvement of supply chain resilience.”

“Measurable” in boldface here as that is the ROI a financial manager demands, for their investment.

Requirement: Investment Fund

As you mentioned, it should be from Donor perspective as easy as possible to get money to the projects that need it.

In “Software Needs To Be More Expensive” mentioned above, there are two aspects mentioned that investments should comply with:

  • Zero up-front cost: To start using a new dependency, you still just start using it right away.
  • Zero marginal cost: There’s a fixed overhead which doesn’t scale with revenue or with profit.

In a boardroom meeting some CTO might say: “In our software stack we depend for 80% on FOSS projects, and hence it is crucial we invest in that supply chain to ensure the continuity of our services. I propose to set aside a monthly budget of $80k to me and my team to distribute as we see fit. In our quarterly reports I’ll attach full details on how the money was spent, and how that contributed to the resilience of our supply chain.”

So then for TIP you get for Donors the requirements to:

  • Make investments easy (donate single large chunks of the budget).
  • Make investments smart (ability to influence the ‘investment portfolio’ to a degree).
  • Make investments profitable (report on the results of the investment, the reward/ROI).

And when it comes to “network effects” these requirements for easy and smart can be filled in with all kinds of automated functionality in TIP that helps Donors so they don’t need to deep-dive the nitty-gritty details.

Where many investors come together, overlapping interest in parts of the supply chain form, and we can speak of a kind of “Technology Investment Funds” being formed (note: I deliberately choose “technology” rather than “software”, as that better fits the scope).

Continuing the discussion of the Technology Investment Funds:
While the convenience that such funds provide is beneficial to acquire more donations, the funds cannot pass on 100% of the donations to the projects and neither should they.

Operating such a fund requires at least the following costs:

  1. Researching and validating project dependencies. Projects do not necessarily disclose all of their dependencies, especially if they compete with their dependencies for funding, thus the dependencies have to be regularly and independently verified.
  2. Funding inter-project infrastructure: support hotlines, conferences, support groups - in short: Guild work.
  3. Usual operational costs of a digital business: servers, domains, administration

If these “funds” should operate as investment funds, this would be deducted as a percentage fee from any investment (i.e. 5% of all investments are used for fund operation).

Alternatively investors could be compelled to pay a more regular fee instead of the percentage fee, though this is a detailed discussion for which this is not the correct place.

The questions we should elaborate more here are: Who should initiate a TIF/TIP?

Should it be developers, a reputable foundation? How should the start capital for TIP/TIF be raised?

Rightfully you point out the corporate donor perspective, my post was entirely from the individual donor. I don’t know much about how companies think. So I can’t offer much in the way of that. I’m just going to throw out some other thoughts.

My understanding of “Technology Investment Platform” is that it’s the donation platform I was referring to in my post.

I want to underline that my original idea was to include any and all lines of work, both digitally and in real life. More a “Social Investment Platform” (SIP). I believe this is incredibly important. (Other ideas: Social Investment Ecosystem, Social Exchange. We should probably agree on nomenclature.)

As with the broad groups within the Fediverse the point above presupposes a decentralised & federated nature. Surely, it should be possible to take your livelihood into your own hands.

A tech or open source focused instance should, of course, be possible. However, the interaction between various workers, in my mind, is integral… to something. I mean if we’re talking about unions and guilds then this sounds kinda core to that mission.

One thing that interested me was a discussion by the TILVids Peertube instance admin. TILVids is an instance focused on edutainment. I can’t find it at the moment but their vision is that individual Peertube instances would get sponsored like PBS does in the USA. I imagine it could be the same for these Investment Platforms.

In terms of enforcement of such a thing like dependencies I don’t think anything needs to be enforced. It’s hard to say without having anything tangible to look at. It’s common practice in the Open Source space to give Attribution (maybe dependencies should be attribution), those that don’t are frowned upon by the wider community. A good standing is key to receiving donations is it not? At least for individuals.

For a corporate setting it’s something an instance and their admins would manage. They’d advertise as being corpo sponsor friendly with vetting and enforcement of certain policies. Making sure projects adhere to their license and what have you.

My understanding of “Technology Investment Funds” is a corporate-safe method of investing in open source projects. That can distribute the funds to projects. I imagine like if you could give money to NLnet which themselves give out grants.

In fact I could imagine the host of one of these new SIPs could form a non-profit themselves and become such a fund. Or even NLnet even hosting their own for that matter. They could act as middlemen for corporate donations.