undefined

points

[-]

It's an interesting world for sure, I maintain a somewhat popular package and got a form to fill from a Deloitte consultant about security once.

They seemed genuinely confused when I told them I was not going to fill compliance form and make patching commitments for free. Really makes you wonder how many maintainers are letting themselves be taken advantage of.

by thwarted7 hours ago|

parent|

[-]

The people who maintain open source software are considered "the vendor" by these compliance types. When it comes to open source, the user is really the vendor and the user has responsibility to themselves for compliance (this is pretty much spelled out in the licence and WARRANTY file). The compliance industry doesn't acknowledge how open source works and have tried, since forever, to shoehorn it into a paid vendor model. Open source maintainers creating destination/marketing websites espousing the advantages of their software as if it is a sellable/buyable product doesn't help and perpetuates that perception.

by Aurornis3 hours ago|

parent|

prev|

[-]

> got a form to fill from a Deloitte consultant about security once.

It could be someone trying to extract free work, but in my experience this person was probably trained by someone else about how to handle vendor compliance for contracted vendors.

Some times the people in these grunt work consulting positions aren't really knowledgable about the space. They're in those positions because they can follow directions and will diligently grind out billable hours. Their default mode for getting things done is to try what worked last time, and if that fails they just start looking for names to send the request to until someone does it.

As others mentioned, you could have said "Compliance forms are $1000, payable to ____" and the consultant may have diligently gone through their mental process about where to direct invoices for work.

by joshlemer8 hours ago|

parent|

prev|

[-]

Maybe that would be a good opportunity to offer them a quote for how much you could do the work for.

by embedding-shape8 hours ago|

parent|

[-]

Yeah, that's what I do. Anytime anyone from a company sends an email about whatever, who wants me to help them (for their company) in private with something, I ask if they're willing to pay for my time spent on it, maybe 20% says yes. Most of the time they end up getting redirected to use the same venues the rest of the community has access to too.

by SoftTalker7 hours ago|

parent|

prev|

[-]

Assuming you want to. But if you do, understand that accepting payment for services creates obligation to deliver, and possibly liability for poor performance. You may or may not want that.

by warkdarrior8 hours ago|

parent|

prev|

[-]

Missed opportunity here. You could have offered consulting services, $10,000/hour. Compliance form requires at 40 hours of work minimum.

by yunnpp5 hours ago|

parent|

[-]

No kidding. I don't maintain anything of enough popularity to warrant being approached like that, but a good hourly-rate answer would be the no-brainer response.

by OrvalWintermute3 hours ago|

parent|

prev|

[-]

I do talk with OSS devs about “we need X for security and we are willing to provide X amount of funding”

You’d be amazed how much OSS devs will do for you when your request of something they wanted to do anyways (but had no impetus for prioritization) is matched by a healthy rate

by dspillett8 hours ago|

prev|

[-]

The other common “entitlement” is getting miffed when their suggested enhancement isn't something that you intend to do, or will/might get done but is very low priority so it won't be soon. Common responses are to suggest that you should reconsider “for the community”⁰, or start a moaning campaign on social media to try to get others to chip in and nag you. Or “threaten” to use something else instead, which always amused me¹ [way back] when I had some f/oss stuff out there.

Expecting quick responses to security issues is one thing, and perfectly acceptable IMO, but new features/enhancements or major changes (that might break other workflows, most importantly mine!) is quite another.

---------

[0] My response years ago when I had f/oss code out there was sometimes “why don't you do it for the community, and submit a patch?” which usually got an indignant response. Though these days if I ever publish code again it'll be on more of an “open source not open contribution” basis, so I'd not be accepting patches like that and my response would be more along the lines of “feel free to fork and DIY”.

[1] So, if I do the thing I don't want to do right now, you'll stay and probably keep making demands, and if I don't do the thing that I don't want to do right now, you'll go away and bother someone else? Let me think about that…

by ArnoVW7 hours ago|

prev|

[-]

my more generous interpretation of the situation is that people do not see the work / effort / complexity of operating a solution. They think that open source is free, when in reality it is cheaper (generally) but not free.

You need to pay the hosting. You need to install it, configure it, and patch it. And when stuff breaks, you have no one to call upon but yourself.

But, as you say, if you can do all of that, open source is amazing value.

by hinkley6 hours ago|

prev|

[-]

People are always going to neg you in order to try to get more out of you.

During the 00’s I worked for a place that had to pivot because they had a good tool but it wasn’t a daily driver and so the customers didn’t want to pay. They kept imagining some free alternative must exist that didn’t.

They eventually got an exit. Didn’t make anyone rich but they did. But the thing is I showed up to work on that tool, not knowing they’d already pivoted. I did eventually get to work on it a bit, as we found a way to improve one of our other products by fixing bugs in it. I’m kinda glad in retrospect I didn’t work on it first because the code was a mess.