I think a lot of the challenges around #oss in the #dotnet community exist because both MS and OSS have enabled businesses, and to an extent individual developers, to avoid considering the full costs of their supply chain. It came from a good place, but needs fixing. 1/
The software packages and libraries you depend on are part of a supply chain for whatever you're delivering.

As in, they're something you didn't have to build yourself, and without them, you'd have to write a bunch of code that would have its own costs. 2/
You typically either build software, or buy software. But OSS has introduced an additional category: "software you can use and thankfully don't have to buy."

The problem occurs when we remove the "thankfully" and it becomes an expectation of an entire ecosystem. 3/
By centralizing on great libraries, many people can save time. But saving time doesn't mean something is free, and it doesn't mean we get to ignore where it comes from. There is still a cost to build and maintain these tools. It doesn't magically happen. 4/
As a business, if you don't understand your supply chain, you are going to have problems. As developers, it is our responsibility to educate businesses and teams on software supply chains. How can we do that? 5/
To start: we can make our stakeholders, clients, and business partners aware of the number of tools and libraries we're using and how critical they are to the delivery of the value we're building for them. 6/
Once the supply chain is understood, we can suggest investment in the supply chain to keep it healthy. Many projects are asking for money, or person hours, or both in order to keep things going. This is something businesses can choose to provide. 7/
So we experience a cognitive dissonance of sorts, where many want a strong OSS ecosystem to the extent that it benefits them, but haven't left the "consumer mindset" of wanting a supply chain they don't have to consciously consider. 8/
This is paired with a "magical thinking" that hopes this supply chain won't be disrupted, even as investment from consumers is almost nil. So I think a lot of the stress we see in the .NET OSS community is when these ideas collide. 9/
Of *course* people feel disrupted when a package restricts itself in some way, or adds commercial licensing, or goes dark. But the issue isn't those decisions; the issue is our inability to recognize their value in our supply chain and act accordingly. 10/
So MS is often put in a difficult position. Customers have long expected MS to provide all the value in their supply chains (which was encouraged), but MS now (correctly) recognizes it can't be all things to all people, not if it also wants a healthy ecosystem. /11
But, this is a cultural shift (and one that MS inconsistently encourages).

We have to help developers recognize their responsibility to communicate supply chains and their value, and to help businesses understand the risk reduction in supporting that ecosystem. /12
The cost right now is being paid for with 1) the burnout of stellar maintainers 2) the stagnation of important OSS projects 3) the usurpation of OSS by MS responding to customer expectations 4) the disruption of supply chains. /13
OK, so what can we do about this? My suggestions:

* Tooling to report on the supply chain and show the work that teams are building upon. And a way for those projects to programmatically indicate they'd like help. 14/
* Literature/language to empower devs to advocate around the software supply chain and its value/risk.

* Tools to help companies budget time / effort to balance risk.

* Call-outs and support for companies doing this well. 15/
* Tools and literature to help ensure those libraries are also being a responsible part of the supply chain so that it works both ways. There are some efforts underway here, I believe, though I'm not sure how I feel about them as a starting place. 16/
One final note: I think we in .NET often argue about this because we see the fault lying with MS, or OSS maintainers, or consumers, rather than the collective failure to understand the supply chain system and be transparent about it. 17/
Consumers / businesses are allowed to want a less risky supply chain. OSS devs are allowed to want to exist separately from MS and without burnout. MS is allowed to want a great supply chain experience for consumers.

But we will only achieve that collectively. 18/
Well, I originally intended this to be like 3 tweets but instead it took on a meandering life of its own. 😅 Going to roll with it.

I'll try to write this into a more long-form version with an impact map to flesh things out soon. 19/19.
To sum this all up -- a phrase I'm trying out to see if it resonates (or if people hate it):

Open source might be free as in speech and/or free as in beer, but it can't be free as in pyramids.
