Hello Drew (and others),

Following up from last week's infrastructure roundtable. I promised to write a short wrap-up on how I see the situation with funding in the OSS. So here it is.

*TL;DR: I think there is a need to somehow (not sure how and who should lead it from the Foundation "officer" point of view - if anyone), but I feel there is an interesting opportunity to use Foundation membership communication channels and encouragement at the "foundation" level to enable and encourage maintainers of ASF projects to take matters into their own hands when it comes to funding their time spent on improving security for the projects they maintain.*

Disclaimer: I do not have a concrete ask, and also, due to my involvement, I do not volunteer to lead all that effort, but if there are people who are interested and would like to lead and drive it, I am happy to spend quite some of my experience and time to help and to "do" some stuff - writing docs, explaining, being a mentor and advisor - but I have no energy and time to "lead" any organisational level changes there. I just see there is an opportunity and will to spend time on it, but I am also not very good at "engaging in leading organisational changes" - that would take too much of my energy - and I've been burned out already literally trying to do something like that in the past, and I know my mental health would suffer if I do. Also, I am starting my 1-week short holiday in Ireland and still have some things to catch up on, so I am not sure if I will be able to participate a lot during that week, but I will pay attention and respond daily or so - so I would love to see what others think about it.

In short - with the CRA and the security focus of both Government and Commercial entities on improving security for OSS, there are a lot of funds available for individuals, maintainers of open-source projects who want to improve the security of their projects.

Those funds are targeted at both organizations (foundations, package management organizations) and also directly at individuals running the projects - because many of the open-source projects are not (yet - that will likely change a lot when the CRA becomes effective) under any foundation umbrella and are run by individuals.

*So why is it relatively easy to get the money without a lot of red tape?* Many of those individuals do not have established business entities/legal structures, so all those funds have to be prepared to handle the situation where:

* their agreements can be signed with individuals or small business entities and they do not require a lot of red tape and putting the entities on a "vendor list".
* they have no actual "prepared and established" legal entity they interact with - this might be a "sole proprietorship" of the individuals, a group of individuals working together, or simply an individual who is employed (or not) somewhere and has no experience with "consuming" money from funds/grants etc.
* that also means that most of those funds have a very relaxed approach and very little bureaucracy involved. It's usually a very short agreement: "all you do is open-source", "you will work for this and that time in open source on that project and focus on security", "here are the things we think are important".
* Those maintainers have to fulfill very few criteria - usually "report monthly or quarterly what you have done", "talk about what you are doing publicly - say at conferences", "involve others" to do similar things with their projects. Generally "do what you think is best to improve security of the project and we trust you will do the job" (because you are an established maintainer who has the merit and shows interest and some kind of record in working on security - that's the most important precondition).

*How it works:* The way things are funded might be different - those maintainers can get money via GitHub Sponsors, Patronite, Tidelift and similar - or paid to their "sole proprietor company account". Those maintainers will need to be active to get that money - apply for a programme, maybe reach out to those who offer such funding; generally speaking, they have to become their own "businessmen" and take matters into their own hands.

I think we - as the ASF - could potentially make our maintainers aware that this is happening and that this is possible and (this is most important) that it's not only OK from the point of view of the ASF but also encouraged and very much what we want our maintainers to do to improve the security of their projects. The ASF does not need to provide any framework for that or help; those maintainers should do it themselves, and should take the burden of finding, reaching out, getting the money and reporting if they want to make use of that money. But I think there is likely a big role for the Foundation (but not sure who exactly and how) to make people aware of that in **some** ways and provide some kind of "you are free to do that as long as you follow some generic guidelines here (vendor neutrality, money cannot go through the ASF etc. etc.)", having it publicly available for both funds and maintainers on how they can establish the relationship.

*List of Funds I am aware of (and worked/work in some capacity with all of them)*

* *Sovereign Tech Fund* - they are running a "Fellowship" program now https://www.sovereign.tech/programs/fellowship doing exactly this - targeted for multi-year funding. They already closed applications for 2025 funding, but there will be follow-ups, possibly even much more frequently than yearly.
* *Alpha-Omega* - they are focusing on more "impactful" projects - like Airflow Beach Cleaning, but also sponsoring "fellowships" - such as "Python Security Developer in Residence" for the PSF and bigger organisations. https://alpha-omega.dev/ . I work on the "Airflow Beach Cleaning" project with them - https://airflowsummit.org/sessions/2024/security-united-collaborative-effort-on-securing-airflow-ecosystem-with-alpha-omega-psf-asf/. They have various programs and a more individual approach to projects.
* *GitHub Security Fund* - announced at "GitHub Universe 2024" a few weeks ago, and they will start the application process soon and plan to start paying people Q1/Q2 next year.

A few years ago, when I saw it coming, I attempted to propose something - a page / guideline https://docs.google.com/document/d/1vp0eOeAHhRuTtps5I602MPduW7hYxtPORkkDtnlrIFo/edit?tab=t.0#heading=h.ox5yt836fmf5 which I proposed without a "security" focus, but there was very little interest in it. I resurrected the proposal once or twice, once in dev@community org https://lists.apache.org/thread/fy11shp2b1rdrqpb5lw4cq2nxl7d15q4 - with no interest from people. Also in one other discussion on the members list (Dec 2023) with a bit more interest, but I did not get enough attention and someone who would like to help to turn it into a concrete organisational proposal.

*Why am I writing all that and why do I not volunteer to lead it?* Again, I understand "If you have a good idea just make it happen" and all that - but I am mostly an individual contributor, and you need leader(s) and organisational manager(s) to make any good use of it. I simply have absolutely no time for leading it - and for me, leading things takes so much energy and mental power and drags me away from actually "doing" stuff, that if I had someone (say an "organisational leader") who would like to make it happen - likely even a few people who would be really interested to actually spend their energy on it - I think there is a very interesting potential in it. I am unable to lead it and drive it alone.

So you might treat it as "here - there is an opportunity, lots of ground work already done, I am willing to serve as an example, mentor and "doer" whenever "doing" will be needed, but I can't do the "leading" part of it". But I see a great opportunity there for the ASF, security and individual maintainers - and the community as a whole.

J.