re: How do we improve security in the npm ecosystem?
re: Also it's obvious that people need a way to get paid for working on open-source. Free lucrative startup idea below: Let's create a service à-la Sp...

Sounds a bit like tidelift.com/ 🤔
I've seen it being used by chalk, vue and babel.

First, someone purchases the Tidelift Subscription. Then, we scan the subscriber’s open source stack for packages and dependencies. We split up the subscription fee and use it to pay the exact packages they use.

Source


Yeah this could lead to a better maintained kind-of stdlib for js.
But it might also lead to an even more fragmented ecosystem, where it is most lucrative to publish a lot of one-liners and hope that a big project will use it somewhere in its dependency graph.

It would also leave other kinds of packages more or less unpaid. Take for example a CLI app. No one will depend on it, while it could have millions of downloads at the same time. On the other hand, that's a different kind of problem, as it wouldn't have such an impact on the general ecosystem and could be targeted by donations, one-time payments or something like that.

The revenue split is certainly a tricky question, however at this point it seems obvious that:

  1. Open-source maintainers
  2. The only thing that seriously dented piracy is Netflix/Spotify/Steam

When it's easier to buy it people tend to do so. I definitely think it's worth working around that idea.

The problem I see is we're not dealing with people, we're dealing with organizations. It's a bit odd, but I don't think a company would decide to pay for such a service.
