re: How do we improve security in the npm ecosystem?


Also it's obvious that people need a way to get paid for working on open-source. Free lucrative startup idea below:

Let's create a service à-la Spotify:

  • You pay a fixed amount every month (you choose how much)
  • An IDE/editor/git/... plugin analyzes your code and finds out which packages you use the most
  • Each of those packages can subscribe to the service to receive donations
  • At the end of the month, you can review the money split and when you validate it all the maintainers get paid

Sounds a bit like tidelift.com/ 🤔
I've seen it being used by chalk, vue and babel.

First, someone purchases the Tidelift Subscription. Then, we scan the subscriber’s open source stack for packages and dependencies. We split up the subscription fee and use it to pay the exact packages they use.

Source


Yeah this could lead to a better maintained kind-of stdlib for js.
But it might also lead to an even more fragmented ecosystem, where it is most lucrative to publish a lot of one-liners and hope that a big project will use it somewhere in its dependency graph.

It would also leave other kinds of packages more or less unpaid. Take for example a CLI app. No one will depend on it, while it could have millions of downloads at the same time. On the other hand, that's a different kind of problem, as it wouldn't have such an impact on the general ecosystem and could be targeted by donations, one-time payments or something like that.

The revenue split is certainly a tricky question, however at this point it seems obvious that:

  1. Open-source maintainers
  2. The only thing that seriously dented piracy is Netflix/Spotify/Steam

When it's easier to buy it people tend to do so. I definitely think it's worth working around that idea.

The problem I see is we're not dealing with people, we're dealing with organizations. It's a bit odd, but I don't think a company would decide to pay for such a service.
