Chris Grams

5.1K posts


@cdgrams

Chief Marketing Officer, Tidelift. Author of The Ad-Free Brand.

Phoenix, AZ · Joined January 2009
3K Following · 2.8K Followers

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
A few minutes ago, @juliaferraioli stated this very eloquently: Software is not just bits. It’s a complex, socio-technical system, and you can’t simply abstract the people out of it. bit.ly/3JmSKuP #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“Lauren shared some highlights of the multi-year effort we’ve made at Tidelift to pay maintainers to validate they are following common software security practices. Paid maintainers achieved a better than 2x OSSF Scorecard score!” 🎉 bit.ly/3qyuorq #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“There’s a reason why corporations employ people and pay them. Because that’s the best way to get work done. Getting paid should be considered normal, not out of the ordinary.” @dff quoting maintainer @GaryGregory bit.ly/3OWNDVH #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“If we want healthier, more secure open source software, we can’t think of it as a zero-sum equation anymore. We need to think about how everyone can win, both the creators and users of open source.” bit.ly/43roYwD #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
When it comes to relieving the loneliness of being a solo maintainer, @sethmlarson asks “how can we as an industry get at least one more person on every project?” bit.ly/43Pktfr #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“If we start defining what open source is, in ways that are not compatible from one jurisdiction to another, it's going to be an absolute nightmare.” - @tobie Live on @UpstreamOSS now: bit.ly/45J8dih #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
We asked open source maintainers which of the common industry standards frameworks they were *aware* of (NIST, OpenSSF Scorecards, SLSA). 52% of maintainers were aware of none of them, according to @cdgrams. bit.ly/3qtlGKQ #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“I’m not surprised at all that most maintainers aren’t up to date with everything that is happening in the open source security supply chain explosion of complexity that we are all living through right now,” says @sethmlarson. bit.ly/3Ndzx0G #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
.@sethmlarson describes himself as a semi-professional maintainer, which puts him squarely in the minority. Only 36% of maintainers self-describe as professional or semi-professional. 60% describe themselves as unpaid hobbyists! bit.ly/3WR3TcC #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
Paid maintainers are 20-30% more likely to do important security and maintenance work than unpaid maintainers, says Tidelift VP of product @partridgehouse, quoting Tidelift’s new state of the open source maintainer report. bit.ly/3OWZhQg #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
“You can think of @Tidelift as a central compliance office for upstream open source. Our job is to let folks know where there may be a gap and ensure maintainers are paid and have the clarity to do their work.” @partridgehouse bit.ly/3Ne5fKj #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
In her talk @partridgehouse shares data that as of May 2023, the OpenSSF Scorecards scores of packages in our maintainer cohort were 7.2/10 as compared to 3.3/10 for all assessed packages. Over 2x higher with paid maintainers! bit.ly/45SvyOD #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
A final assessment from @partridgehouse from our OSSF Scorecards project: maintainers getting paid for their work are willing to improve both the measurements of things and the outcomes those things deliver. bit.ly/3qoY6id #upstream2023

Chris Grams retweeted
UpstreamOSS @UpstreamOSS
Quote from maintainer @ljharb “I wouldn’t be able to put the care and attention into this critical work without being paid for it, so I’m glad to see the importance of paying maintainers has taken center stage.” bit.ly/43ObxXF #upstream2023