The FOSS Community Has the Same Payroll Problems As The Rest Of Us

Last Updated: 2022-07-12 04:30:00 -0500

Enterprise operations having been interrupted by the sudden disappearance or modification of a FOSS dependancy happens so often that we have a term for it - a “leftpad moment”. Industry got a reminder of this yesterday when the developer of popular python module atomicwrites pulled their file in response to security policy changes from PyPI.

For context and clarity, the Python Package Index (PyPI) is, effectively, to python development as npm is to node js environments. PyPI is the back-end of pip, the main package manager for python, and their recent move to enforce MFA for contributor accounts is the correct decision from a security and risk management perspective, and I say that as someone who at least once a week has to stop what he’s doing before he can push git commits because he has, once again, lost his yubikey. PyPI’s parent organization, the Python Software Foundation, has correctly identified that PyPI would be a Golden Goose target if you wanted to do supply chain attacks. Major organizations, including my day job, rely on several packages from PyPI to maintain daily ops.

However, Markus “Unitaker” Unterwaditzer, the developer and sole maintainer of atomicwrites, has also correctly identified that maintaining FOSS library packages is labour and the imposition of MFA was, for them, a bridge too far, and so deprecated his library. This is an undesirable outcome, but also his right. The popularity of a library dramatically increases the amount of work required to maintain it, but in no way does it ever create an obligation to labour on in perpetuity for free.

There is no easy solution to the problem, of course, but there are clear “first steps”. I would like you to join me in calling on the Python Software Foundation to create an incentives-based financial support program for heavily-used packages, and to do the same for the organizers of other ecosystems, such as those you use. I would also like you to join me in creating similar pressures at your day job. If you work for a company that heavily uses FOSS tools like Jinja2, Flask, Django, and so on, consider pushing at work for programs to support the tooling you are essentially recieving for free.

Ultimately, there is one easy, straightforward solution to leftpad moments; start having to build your own. And nobody wants that.

Let’s be honest here; most Arcana Labs projects are too small time to ever participate in any kind of equitable-by-usage centralized funding programs. If you wanted to show your support financially, for free tools and toys like Pyminder, Tapestry, and PETI, your best avenue is via my Github Sponsors account or by making a one-time donation to Arcana Labs via or through other avenues detailed here. Github Sponsors also get access to a special patrons-only section of the Arcana Labs Discord Server, where we talk about the ongoing super-secret project.