Kindle Notes & Highlights
By focusing on the developer experience, GitHub made open source much more about people than projects, in what developer Mikeal Rogers calls the “amateurization of open source,” where “pushing code became almost as routine as tweeting”: I’ve been contributing to open source projects for over 10 years, but what’s different now is that I’m not a “member” of these projects – I’m just a “user,” and contributing a little is a part of being a user.41
Today, GitHub projects are developed in a wide variety of programming languages, including Java, Ruby, and PHP, but JavaScript dominates more than any other language. On GitHub, JavaScript is more than twice as popular as Python, the second-place contender.
JavaScript’s most recognizable developers are known for the talks they give, the videos they record, the tweets and blog posts they write. They command large followings and attract eager audiences in a way that, say, PHP developers just don’t.
Eric S. Raymond was banned from the OSI’s mailing lists for combative language.54 And Richard Stallman resigned from his positions at MIT and the Free Software Foundation after making controversial comments on MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) mailing list.
Open source is complicated because it contains a messy mix of both technical and social norms, most of which play out in public. It is documented extensively (nearly every decision is written down somewhere) but not clearly (you have to dig through years of mailing list archives to find what you need).
The term “open source” refers only to how code is distributed and consumed. It says nothing about how code is produced. “Open source” projects have nothing more in common with one another than “companies” do.
In some projects, nobody gets commit access besides the author, no matter how big the project gets. Alex Miller, for example, is a longtime maintainer of the programming language Clojure, but he doesn’t merge patches. Instead, he triages and uplevels patches from the community, which are then reviewed and merged by a few maintainers with commit access, primarily Rich Hickey—Clojure’s author and lead developer—and Stuart Halloway, another co-maintainer.
Bitcoin’s community, like Clojure’s, prioritizes stability and security, preferring to move slowly and with care, even if it means including fewer features and contributors. Ethereum is more like Node.js: it’s a platform for others to develop on, flinging itself far and wide. It resembles a sprawling city like Los Angeles, comprised of many neighborhoods and subcultures.
Issues and pull requests, on the other hand, live on GitHub. Although the concepts of an issue (also called a ticket) and a pull request (also called a patch) are much older than GitHub, issues and pull requests are GitHub’s branding of these features, and therefore aren’t quite so easy to migrate between platforms.
Stack Overflow, a Q&A website for developers, became a significant complementary tool to GitHub (though its usefulness varies depending on the programming language or framework) because it is where users often ask questions and receive answers; the site has its own social dynamics and reward system.
One infrastructure developer, who worked for years on projects with different tooling, told me that he’s now so used to GitHub that if he finds a bug on a project that uses a different issue tracker, he won’t even bother filing an issue anymore—it’s too much work.
Less than a year later, the library’s developers moved their issue tracker back to GitHub. While Phabricator may have been a more powerful tool, people weren’t as familiar with it. Rather than adapt to a new issue tracker, Babel’s users would instead report their issues on Twitter, in unrelated repositories, and in commits.
The same goes for tooling: I’ve heard more than one Go developer confess they like that Go uses Gerrit instead of GitHub because this cuts down on the noise. On the other end, projects with widespread user adoption can create a sort of bystander effect: nobody contributes because they assume someone else is probably doing it.
(One developer told me, somewhat tongue in cheek, that knowing Haskell means you’ll always have a job, because companies that hire for Haskell developers are thrilled to find anyone who can write Haskell at all.)
Coase’s theory of the firm fails to explain why these developers would find one another and make software together, despite a lack of both formal contracts and financial compensation. In terms of transaction costs, collaborating on open source software with unaffiliated individuals should be too “expensive,” compared to writing software with one’s coworkers.
Members also have a low discount rate, which is another way of saying they have “skin in the game,” meaning they intend to participate in the community for a while. This means that sanctions, and even the threat of sanctions, help set social norms effectively, because members care about not getting kicked out of the community.
A low discount rate also means that members are biased toward cooperation. Like being trapped in an elevator with strangers, if members are all stuck with one another for a while, they’re more inclined to figure out strategies to make things work, such as developing governance processes to handle future disputes.
Imagine an icebreaker game in which a group of strangers must line themselves up based on each person’s birthdays, from January to December. How do they do this quickly? One strategy might be to have everyone write down their name and birthday on a single piece of paper, then choose a designated leader to read names off the sheet and assign each person to the right place. But the more common outcome is that everyone starts to take charge. One person shouts, “Januarys, over here!,” while another raises their hand for the March birthdays. Once everyone is clustered by month, the subgroups
Guido van Rossum, for example, wrote the programming language Python while looking for a “‘hobby’ programming project that would keep me occupied during the week around Christmas.”113 And Linus Torvalds released the Linux kernel and operating system as “just a hobby, won’t be big and professional,”
The modular, granular approach to software is embodied by the Unix philosophy, originating from the developers of the Unix operating system, which heavily influenced the design of open source software. As Doug McIlroy, one of its developers, counsels, “Write programs that do one thing and do it well. Write programs to work together.”
Commons-based peer production also explains why some developers hold the view that money and open source don’t mix. If production runs on intrinsic motivation, money is an extrinsic motivator that is thought to interfere with an already well-coordinated system.
By connecting towns to one another, highways change communities’ underlying social structure. Highways enable migration and cross-pollination of ideas. Without highways, residents tend to stay in the towns they grew up in. When these pathways are opened, collective identity is eroded.
The newcomer effect is also known as the “Eternal September” problem, a term coined by members of the early online community Usenet, which experienced an influx of newcomers every September due to new students getting access for the first time. But once America Online (a sort of early highway system itself) began offering access to Usenet, the service provider exposed the community to a constant stream of new users, creating an “eternal September.”
A maintainer who attempts to assert their authority will risk more wrath and ire, as evinced in the case of Opalgate, by inadvertently creating a beacon that attracts more outsiders to their community.
Membership is a two-way social contract. Some developers don’t want the responsibilities of being recognized as a contributor. It’s possible they just want to contribute a one-time fix and be on their way, the equivalent of picking up a stray piece of trash on the street.
Pandas, a Python library for data analysis, lists over 1,400 contributors, but just four developers contributed nearly half of all commits in 2018.
Given that users aren’t usually visible to maintainers, we can characterize them as default-passive: They just want something that works. If users don’t make themselves known, it implies they are happy enough with the direction of the project that they don’t seek further interaction with its developers.
A project’s bus factor is the number of contributors that would need to get hit by a bus before the project is compromised. For example, if a project has a bus factor of 1, that means there is only one maintainer, who, if they were hit by a bus, would take all their knowledge of the project to their grave.
But as Fred Brooks notes in The Mythical Man-Month, “Men and months are interchangeable commodities only when a task can be partitioned among many workers with no communication among them”—in other words, the idealized version of the commons.
To quote Norbert Wiener, the mathematician who pioneered the field of cybernetics, “Information and entropy are not conserved, and are equally unsuited to being commodities.”200
As more developers have adopted PyPI, the project’s costs have grown significantly. According to Stufft, in April 2013, PyPI used 11.84GB of bandwidth.205 By April 2019, that figure had increased to 4.5PB.206 On a smaller scale, open source developer Drew DeVault estimates that he spends $380 each month on server hosting for his projects, which he pays for with user donations.
It’s not just code itself that requires maintenance either, but all the supporting knowledge that surrounds it. When code changes, its documentation must also change. The most upvoted answers on a Q&A site eventually become outdated and incorrect.
Maintenance makes up a significant aspect of software’s hidden costs. A 2018 Stripe study of software developers suggested that developers spend 42% of their time maintaining code.
In 2017, Equifax reported a security breach in which more than 140 million customers’ personal information was compromised, including Social Security numbers, credit card numbers, and addresses. The vulnerability was found not in the code that Equifax had written but in one of its open source dependencies, Apache Struts. The security vulnerability had been disclosed with a CVE ID several months before, and a patch had been released, but Equifax’s developers failed to update the company’s software in time.
We still use artificial rivalry to monetize content today. For example, although libraries now offer e-books, only a certain number of people at a time can check out the same e-book, due not to the limitations of technology but to restrictive commercial licenses.
Code, in active state, carries its value in its dependencies, or who else is currently using it. If I publish code and nobody uses it, it’s worth less than other code I’ve written that’s embedded in software used by millions. I may derive personal value from the other code I wrote, but its value to others is negligible.
In 2016, a developer named Azer Koçulu, who felt unhappy with npm over a naming dispute, decided to take down all his modules without warning, declaring in a blog post titled “I’ve Just Liberated My Modules” that “NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.”
software substitutability helps us understand why frontend web frameworks like Angular or Vue are harder to monetize than are databases like MongoDB and MySQL. There are lots of frontend frameworks to choose from (though switching costs substantially increase after you’ve chosen one to build with), but I’m less likely to want to make my own production-quality database.
Substitutability applies to other online content, too. Consider how many “10 Ways to Maximize Your Productivity”-type blog posts are published to LinkedIn every week, or how many “chill music” playlists you can swipe through on Spotify or YouTube, with little preference for the specific songs or artists involved. Each of these blog posts or playlists might attract thousands or millions of users, but they are also easily substituted.
Developers are finicky consumers. Not only are they discerning, with a high degree of sensitivity to slight differences between open source projects, but if they don’t like the options presented to them, they’re frequently inspired—and have the ability—to try making their own version.
The practice of paying maintainers to work on open source projects is not new. Donald Stufft, for example, who maintains Python’s packaging tools, was hired by Hewlett Packard Enterprise,253 and then Amazon Web Services, to improve and maintain Python’s packaging.
When assessing the value of an open source project, we typically focus on dependencies, but, increasingly, we need to assess the value of who produces that code. Thus we find Sophie Alpert, a prominent React developer, bewilderedly reporting that she was offered $600 to open a pull request on a random open source project due to the visibility she would bring, prompting her to jokingly wonder aloud, “Is this what it feels like to be an influencer?”
“Likes” and “follows” are not the same reward on social media. A viral tweet might gain thousands of likes, but those don’t necessarily translate into follows. The same goes for views and likes on a YouTube video, versus subscribing to its creator’s channel.
A viral YouTube video doesn’t necessarily have ongoing costs if its creator doesn’t plan on making more videos. But if the creator aspires to become famous for their work, they also become, in a sense, a maintainer, because they need to keep producing more content in order to maintain their reputation.
In 1991, a programmer named Phil Zimmermann released an encryption program called Pretty Good Privacy (PGP). But cryptography, because it overlapped with national security, was considered a form of munitions in the United States. If cryptographic code crossed the borders to another country, it was treated as a munitions export. Early open source cryptographers, like those writing OpenSSL, had to become licensed arms dealers to be able to write and “export” (i.e., distribute) their code. As a result, Zimmermann found himself under criminal investigation by the United States government for
The production of open source code, however, functions more like a commons—meaning that it is non-excludable and rivalrous—where attention is the rivalrous resource. Maintainers can’t stop users from bidding for their attention, but their attention can be depleted.
The one-way mirror pattern is used by a number of online communities today, such as Lobsters, a computing-focused community,268 and Product Hunt, a community for discovering new products.269 These communities are public for anyone to read, but in order to post new users need an invite from an existing user.
Maintenance costs are anathema to software developers. Every developer tries to reduce the amount of maintenance work they need to do over time. But software is never done, and also never dies: the cost of maintaining a project can be near-zero, but it is asymptotic.
Creators with large followings start to recognize familiar faces. Instead of trying to moderate everything themselves, they can designate trusted members of their communities to help.