Unbroken: Pay for Software you Morons

If You Demand Security, Pay For Reliability

unbowed, unbent, unbroken

The xz intentional backdoor compromise happened recently, and once again we see the same pattern play out:

  • a core library or service has “problems” (whether intentional or not)
  • everybody freaks the freak out
  • everybody demands immediate fixes and global accounting
    • (also requires pulling in thousands of professionals all over the world at every company impacted for verification, validation, executive reporting, security reporting, customer reporting, all costing at a minimum global double digit millions of dollars up to three digit millions of dollars in extra unscheduled professional services per incident)
  • when problem is resolved, everybody goes back to ignoring software again
  • basically, you could have budgeted $1 million per year for competent professional maintence, but people would rather pay $100 million for each emergency incident 5 times per year to clean up after the fact.
    • You can discover weak decision makers when you over-pay during emergency times (the rules are suspended! we aren’t making proactive decision now because we MUST DO EVERYTHIG NOW AT ANY COST purely REACTIVELY!) only because nobody has the strength of conviction to make high-probability forward-looking +EV decisions during quiet times.

Software works -> nobody cares; software breaks -> you demand immediate fixes1.

What do we do? The modern software economy isn’t sustainable for creative software professionals who built the computational infrastructure of our modern society, but nobody cares until something breaks.

I was thinking about this a couple weeks ago and came up with Open Source Software Maintainer Funding Agreement (OSSMFA) as some guaranteed way to provide stable compensation to maintainers of public goods (but the most difficult part is always finding individual sponsors who recognize your value and have the budget to authorize seven to eight digit spend on security and maintenance).

One aspect of public software maintenance nobody ever talks about directly: software can live for decades. If you want your open source foundational software infrastructure to also live for decades, you must fund developers on the scale of decades. The capitalist-corporatism response is always “if you think it matters, you should build a company around it, then if it actually matters, THE MARKET will provide, then people will pay you billions of dollars; but if it doesn’t matter to the market you’ll just go bankrupt.” Except, “sell it or die” doesn’t work for core software running the planet. Nobody is ever going to pay for a compression library. Nobody is ever going to pay for a data structure library. But, those things run the world and need continual upkeep by professionals with a lifetime of invaluable experience, all unpaid in our current society. It’s also rational to not have your core global infrastructure developers subject to economic pressure from bribes or weak sauce like all the chrome extensions selling out to malware factories and crypto credential hijackers after getting large install bases.

it’s the money, stupid

The industry is at a crossroads where the initial bundles of open source single-maintainer software we used to build the Internet from 1995 to 2025 is falling to:

  • maintainers dying (without a continuity plan in place)
  • maintainers giving up because the work of one guy is used in 10 billion devices, but nobody pays the guy, so why continue doing anything or helping anybody
  • bad actors taking advantage of disengaged maintainers to backdoor globally used but functionally abandoned software

Everybody passively refusing to compensate creators and maintainers for the fundamental core architecture software of the world is not a survivable software economy. In another 10 years, every library without a funded full time maintainer will end up controlled by scammers and government agencies rooting every device on the planet.

The industry attempts to describe this problem as “security of the software supply chain” — but, here’s a secret you may not know: software is made by people — people! Saying your “supply chain” is not secure is weasel words actually meaning “we don’t value continued growth or maintenance or security of our core components, so we just expect everything to work perfectly forever for zero cost.” Of course “we” is also doing a lot of work here. Classic tragedy of the commons — no single company thinks they are individually responsible for a russian-created compression library installed in 10 billion machines. Companies aren’t fond of founding spontaneous charities, so every company from 3 person startups to $3 trillion market cap companies just never pay for core software infrastructure.

you get what you deserve

Past reliability is no guarantee of future security.

On the flip side, let’s look at Profit Town. Big Tech can’t stop paying Baby Big Tech hundreds of billions of dollars to make more for-profit capture-the-universe companies.

Recently (many of these are just in the past week when writing this), we’ve had:

These economic transactions aren’t just “crazy rich people doing crazy rich people things” — they are living their best lives off the stolen valor of thousands of open source developers who will never be compensated for subsidizing for-profit multi-trillion dollar companies. In the end, all that matters is cows in Hawaii funded by illegal extractive surveillance capitalism get the best food in the world. praise be unto the true lords of our world living better lives than you will ever have: hawaii cows.

Meanwhile, software is dying. Maintainers of software deployed across 10 billion devices have never profited from their work. As creators and maintainers of globally important software give up or burn out over time, I’m sure Lazarus/NSO/NSA/HT/IRA/8200 will all conveniently appear out of nowhere and be very super duper happy to give you unlimited free libraries with no questions asked! You know, paying maintainers also makes it difficult for anonymous weirdos to take over popular projects because opening an anonymous anime avatar github profile is easy, but tracking funds to a bank is more serious (not impossible to fake, but at least it’s one more paper trail they have to be willing to fraud against).

Nobody pays for continuity of quality or security, but everybody demands fixes.

Anecdote: the day I’m writing this, I received two emails:

  • “I work as a ground segment and systems engineering contractor for the European Space Agency and in that function, I first used a subset of your optimized C code found on github for a tool that runs in control rooms and performs ‘high-rate’ data processing from experiments on the international space station.”
  • american express informing me they are closing one of my credit cards because my credit score has dropped too low (why? layoffs, nobody is hiring except for the opposite spectrums of javascript novices with 6 months experience or 26 year old AI PhDs (also only 6 months practical experience, but with a paper!! and with built-in age and class discrimination!!))

What’s the answer? Obviously we need to create a global software income tax where 3% of global income gets redistributed to high quality open source software developers. It’s the only way. Nobody and no single company will fund global developers. It’s the exact purpose taxes were made for: to provide for common defense and common infrastructure. The military isn’t a charity, your national highway system isn’t a charity, your land-use isn’t a charity (unless you live in california), so global shared software shouldn’t be a charity case either.

Build it up and pay it out. I look forward to my first share of developer backpay off the global $100 trillion GDP, which should give us a yearly $3 trillion cash pool to pay out to open source developers. I’d be happy with just a measly $100 million per year myself, how about you?

  1. The situation where “when it works, nobody cares so nobody will pay, but when it breaks, it’s the most important thing in the world and everybody is shouting TAKE MY MONEY FOR EXPERTS TO FIX THIS IMMEDIATELY” also mirrors the modern trend of “devops.” Somehow (well, not ‘somehow’ but rather directly mis-aligned economic incentives combined with executive ignorance), ‘devops’ now means companies refuse to build out full time infrastructure, observability, and maintenance teams anymore. Everything is run by developers who are amateurs in scalability and networks and servers and reliability and infrastructure because all those fields of professional study requiring years of narrow experience to understand is all just assumed to be “something you can seach in 3 seconds on google to know.” Then, managers complain when things break all the time. Managers complain without taking responsibility for their own lack of management around not building out real departments having actual experience. The lack of experience and professional knowledge is what’s killing their companies; but I won’t go on another 12 page rant about the management class continually undermining the professional technical class here (why invest in the product by hiring more global professionals when instead you can do $50 billion in buybacks and dividends per year to personally enrich the CEO???). Everybody knows the only things you need for a company in 2024 is one javascript developer with 3 months bootcamp experience and a CEO. Everybody else is just an unnecessary expense getting in the way of expressing the CEO’s personal brilliant game-changing vision to the world.

personal
howto c (2016)py structure (2024)think you can const?email security rulesdisrupt interviewsprogrammer streetaboutthe matt curveresumeRSS