Mike McQuaid: If You Don’t Like It, Quit

Mike McQuaid: If You Don't Like It, Quit

17 October 2025

Interviewed by Breaking Change - Hotfix podcast

Also available in swear-free/bleeped version on The Changelog and Friends podcast There will be bleeps.

Show transcript

0:00 It's really funny to hear them talk about it.
0:03 All right, let's begin because we know we got a hard stop.
0:10 Well, we are here with a breaking changelog.
0:19 Justin asked me to do that pun.
0:21 A crossover episode.
0:23 We are publishing shows to both changelog and friends and to Justin's breaking change.
0:30 Merge conflict.
0:32 I don't know what this is on his pod, but it'll be there.
0:35 The explicit version will be over on Justin's side.
0:39 On our side, there will be bleeps because we also have not just Justin, but also Mike McQuaid with us.
0:46 What's up, Mike?
0:47 Thanks for having me.
0:48 I hope to make heavy use of your bleep counter today, as is my Scottish self-employed tradition.
0:55 Well, Mike's only requirement was that there would become a non-bleeped version of his voice out there on the internet talking about this, and so Justin will happily oblige.
1:05 Yes, and I'm not going to make it a contest or anything, but I've got a feeling I'm not going to go bleep-free for what we're about to talk about.
1:12 And the reason for the bleeps is because we've got trouble right here at Ruby Central.
1:16 Yes, that's an old music man.
1:20 What is that?
1:21 Reference.
1:23 For a new problem.
1:25 Maybe not a new problem.
1:26 An old problem.
1:27 An issue that's been going on with Ruby Gems, with Ruby Central, with Ruby Together, with Ruby.
1:35 The community, more so than the programming language.
1:38 Language is doing just fine, isn't it, Mike?
1:39 Seems to be.
1:41 I wrote some today.
1:42 It still works.
1:43 Yeah.
1:45 Did you install any Gems?
1:47 I did.
1:48 They installed okay.
1:49 It seems to be fine.
1:52 Yeah, I was actually doing an iOS project when all this stuff broke, but then I was worried that, like, you know, Ruby would stop working.
1:58 So I dropped that, switched gears, and now I've been working on my posse party project in earnest to try to get it done before the servers turn off.
2:05 Just in case.
2:06 Just in case.
2:07 Well, there's a lot of ins, a lot of outs, a lot of what have yous, as the dude would say, to this particular story.
2:12 More, probably, than I can summarize, which is why I've mostly ignored this in Changelog News, because there's just so much going on.
2:20 And every once in a while, I just link over to Justin, who's been commentating and color commentating.
2:26 But we're going to let Mike try to set the table for us, just some of the events that's going on.
2:30 For those who are uninitiated with some of the Ruby drama that's been percolating and coming to a head recently with an actual root access event published on rubygems.org.
2:42 So, Mike, help everybody understand exactly what's been going down.
2:46 Yeah, so I guess things kicked off probably what we are.
2:51 We're October 15th at the time of recording.
2:53 So, this time a month ago, things seemed to all be fairly normal and stable and whatever.
3:01 No one seemed to really know much.
3:02 And I guess my first personal involvement was there was like a governance PR on RubyGems that was based on the homebrew one.
3:13 I was pulled in and asked to kind of give my thoughts on that.
3:16 And then a few people started messaging me and whatever.
3:19 But essentially what went down is Ruby Central, for the main parties involved here, is the nonprofit organization that controls rubygems.org.
3:30 And they had as employees and contractors at various points, various maintainers of RubyGems, the open source projects.
3:39 And those people were involved with rubygems.org, kind of on-call rotations and whatever.
3:45 So, essentially, kind of, I guess, last month, you know, we're talking, I think, September the 18th or whatever.
3:53 From then onwards, over the kind of following few weeks, the Ruby Central notified RubyGems maintainers, including, I guess, Andre Arco.
4:04 Like, I guess, if you want to read the two differences of accounts, I guess the starkest extremes here are Andre's written a few things on his blog.
4:13 RubyGems have written a few things on their blog.
4:14 And basically, from September the 18th onwards, Andre and some other RubyGems maintainers were removed from the on-call rotation.
4:24 They were removed from their GitHub access and various bits and pieces went down.
4:29 There's kind of back and forth and arguments and disputes about what was communicated exactly by who and when and what happened and what didn't happen and whatever.
4:39 But, essentially, we're at the point today where almost no one who was involved with RubyGems, the open source project, has access to be involved with it today.
4:51 Andre and a bunch of the other RubyGems maintainers have created their own thing called gem.coop, which right now is essentially like a modified version fork, whatever you want to call it, of rubygems.org.
5:06 It's run as, like, separate infrastructure.
5:07 Andre has personally been involved with kind of some competitors to, like, Bundler and RubyGems and whatever.
5:14 I think there's a tool called RV.
5:15 And what seems to be now public knowledge is that both parties are writing various blog posts, targeting the other, and it sounds like there's some kind of lawsuits in action between various parties as well.
5:31 Does that provide the overview you're looking for, Jared, or do you want a bit more color on particular bits?
5:35 I think that's a good overview.
5:37 I think that brings us to what seems to be the biggest milestone or moment, which was published just last week by Shan Kiriton, executive director at Ruby Central of this AWS Root Access event that happened in September.
5:59 Justin, you want to hop in here on that, or do you want Mike to continue?
6:02 Yeah, so if you're, uh, if you, if you had been following along the thing that everybody had been clamoring for, kind of regardless, like, people are taking sides.
6:14 There's a lot of, even though we're not public figures, we're not famous people.
6:23 It's like Ruby's been a smallish pond for a long time.
6:26 A lot of these people have been there for 20 years, 20 plus years.
6:30 And everybody kind of knows everybody.
6:33 If you go to the conferences and we've all seen each other and people talk and there's different cliques and there's different groups.
6:38 And so like, regardless of like, kind of like where your allegiances fall in terms of who, what friend group is sort of thinking this way or that way.
6:46 And, and, and, and, and where things line up in general, that's like, I'm talking about a universe of like 200 people max and like way more people in the world use Ruby and, and also read the internet.
6:59 And so they've been operating under this complete lack of complete just information of like, what's the whole story?
7:06 Like something isn't adding up here.
7:08 Uh, you know, some people have been happy to fill the void with like sort of conspiratorial thinking throughout.
7:13 Like, this is all a takeover from Shopify.
7:16 Cause they're trying to get after this one guy.
7:18 And it was like, okay, so why?
7:19 And then no one's got an answer for that.
7:20 Right.
7:21 Like, uh, and other people are just very honestly and earnestly being like Ruby central saying that they just removed everyone for supply chain reasons.
7:29 Like why?
7:31 And Ruby central is not talking, right?
7:32 Like, and so that, and, and all you get is like kind of hand wavy.
7:35 Oh, well, because the lawyer is telling us we can't or something like that.
7:38 If you, if you ask people, uh, this blog post, which what was it?
7:43 Was it the 30th?
7:44 No, it was, it was more recently.
7:46 It was about the event on the third.
7:48 Was it published?
7:49 It was published October 9th, October 9th.
7:51 So the event might've been the 30th and not yet the event.
7:54 No, on the 30th was the blog post that raised concerns.
7:57 That's right.
7:59 So part of why this is confusing is the post is a timeline, but the timeline is like three timelines in reverse order to, to, to first talk about like the last thing that happened and in what order things happened when the last thing happened.
8:14 And then the next section explains like the why that, the why behind that.
8:18 And then the next last section is the why behind that.
8:20 Uh, and if you were to like, and I, and this is why, as soon as I read it, I put up my own blog posts.
8:26 I kind of tried to unspool it to explain like, what are the stakes, what this reads like to me when you, when you go through it.
8:33 So I'll first try to like summarize the, it's characterized as a post-mortem of a security incident response where on September 30th, uh, person named Joel Draper or Draper posts, a blog post that says, uh, yo, Andre Arco still has all these systems accesses.
8:52 Like the only person who's like the only person who's, he's the, the only owner of a particular GitHub organization.
8:57 Uh, he's still got these AWS accesses.
9:01 And, and I think that the, if not expressly stated implication of the post is this is how incompetent Ruby central is that like, here we are weeks after supposedly having these accesses removed.
9:17 He actually still has this access.
9:18 And so look at how insecure this is.
9:20 Like, you know, this is, this is Ruby central, not having their act together.
9:24 Because they had taken access away from Andre as well as other Ruby gems.org maintainers prior.
9:31 However, Andre still had access according to the Joel Draper's draper draper draper.
9:37 It's two P's.
9:38 I don't know.
9:39 Two P's, but Joel Draper just sounds more natural.
9:41 Yeah.
9:42 And my wife and I are rewatching Mad Men coincidentally.
9:45 Yes.
9:46 And so it's just like, it's really hard to separate.
9:48 I agree.
9:49 I haven't seen it for years, but I'm still saying Draper.
9:51 Anywho, this post that he says on September 30th is that they're so, I mean, the implication is that the incompetence of Ruby central, who is the, is it a foundation?
10:03 Is it a nonprofit?
10:04 Help us understand some of the entities here.
10:06 Ruby central.
10:07 Is it a for profit?
10:08 My understanding is it's a 501c3.
10:11 Okay.
10:12 Which I, frankly, I really wish I didn't know about U.S. nonprofit organizations, considering I don't live there and I never will.
10:20 But yet I've been involved with like open source nonprofit stuff long enough that I'm sadly intimately aware.
10:27 So a 501c3, they're, they're somewhat hard to establish nowadays because various government agencies have decided that like open source software is a bit too easy to look businessy, right?
10:41 So basically it's an organization that exists to own the assets of Ruby gems.
10:47 It merged previously with Ruby together, which was started by Andre.
10:52 I don't know who started Ruby central personally, but basically it exists as an entity to provide legal ownership of the service, to provide the ability to receive tax-free donations from individuals and companies,
11:08 and then redistribute those to whatever nonprofit appropriate areas that they do, which has been Ruby gems maintenance, Ruby gems on call, some conferences, et cetera.
11:25 And there's a lot of moving parts, which makes us hard to track.
11:27 There's like the repos on GitHub.
11:30 There's the servers that are actually running said code.
11:33 There's the access to the servers.
11:35 There's other things that make this just really hard to track, but back to, so that's Ruby central, the entity back to where Justin was.
11:42 They published this post about Joel Drapper's post saying that Andre still had access or implying that there was still access.
11:48 So, so, so before the post post, don't worry.
11:51 Like, like they actually were notified of, of this permissions exposure.
11:56 So it wasn't a zero day announcement.
11:59 No, yeah, they had, it looks like seven minutes where Andre emailed them that he still had these accesses and that this was the only disclosure.
12:09 Gotcha.
12:10 Joel post goes up, uh, uh, you know, at five 30 UTC, uh, you know, and now this is Justin, the guy just reading a blog post or forgive me if my characterizations are at all inaccurate.
12:22 Uh, you know, at that point, Ruby central has to treat it like a security incident.
12:27 So they go into emergency mode, try to lock down all these systems, uh, initiate password reset, uh, and then begin a, a relatively long, you know, investigation of all these other knock on systems first over the next few hours.
12:40 And then the next few days, uh, when, let's see the, the, when they backtrack, right?
12:47 So that's September 30th.
12:48 Then there's an analysis of events that goes back and says, Hey, look on, on September 18th, Ruby central notified Mr. Arco via email that he was going to have his access removed or that it had been removed.
12:59 Uh, and while they removed his particular IAM, I assume like AWS account that presumably would be tied to his email.
13:10 address, uh, they, they did not rotate the password on the AWS route account.
13:16 So, you know, like if you're familiar with AWS, there's typically an email address and a root password, uh, or an email address that is effectively the root account.
13:24 And it's bad practice to use that thing.
13:27 Right.
13:28 And log in as it, because you don't have any of the sort of like, you know, policies and procedures available to you.
13:33 But because Andre was like kind of the core, one of the, one of, if not the core operator of Ruby, uh, gems.org for so long, uh, it appears that even though that he was removed from whatever their password vault system was, presumably like a one password.
13:49 Uh, he had a separate copy of, of that password or that login item somewhere.
13:55 Uh, because even though his, you know, email was his, his individual AWS account was apparently according to Ruby central disabled.
14:04 Uh, it looks like roughly eight hours, uh, after that notice sent, uh, they state that an unauthorized actor from San Francisco logged into that AWS account into the root AWS account and then proceeded to change the password.
14:19 Uh, and as far as they know, didn't do anything else, I don't, I'm not an expert in, you know, cloud forensics.
14:27 So I have no idea if that's a thing that like Ruby said, it's like the absence of evidence is what's leading them to say that, or whether they have any sort of like, you know, dispositive proof that nothing.
14:35 I think I read somewhere that they did have some, like, there's like some sort of immutable time-based log and they confirmed from the log, like what had happened, what hadn't happened.
14:44 I read both sides of that and I think Mike's, what Mike just stated seemed like it was more informed than the ulterior, which is once you have root access, you can change everything.
14:53 I don't know AWS well enough to confirm or deny a side, but I, that does, that did at the time of my reading seem to be the most reasonable stance that they could confirm it.
15:03 That being said, I also don't know for sure.
15:06 Yeah.
15:07 I, I, I, I pride myself in my ignorance when it comes to DevOps stuff.
15:11 So I'll take your word for it.
15:13 AWS stuff.
15:14 I, I think the thing that jumps out at me with a lot of this stuff is you, you, you can plausibly see why both sides thought they were doing the right thing a lot of times in, in this, right?
15:27 So like from, I guess, Andre's perspective, what's been published is he says like, well, I thought this was, I didn't have enough information to go on that.
15:37 This wasn't, was a legitimate event and it wasn't like someone at Ruby central's email or GitHub account or whatever had been hacked.
15:44 So I was trying to do what I could to preserve the integrity of the service.
15:47 But I think like what is hard for me with the communication of both sides, right?
15:53 Is I think particularly unsurprisingly now that maybe some lawyers are involved is that I would love to, maybe it's the, just cause I'm British.
16:02 I would love like a bit more from both sides and saying like, Hey, turns out in hindsight, I didn't do the best thing here.
16:10 Right.
16:11 And going forward, if you find yourself in the situation I was in, my advice to you is to do X instead of Y and I did Y, right?
16:20 And I think that's the hard thing with all this is that it, we're now at a point where there seems to be like some degree of stability and it doesn't seem like Ruby central is going to be inviting the folks who've left, including Andre back into the fold anytime soon.
16:37 It doesn't seem that like, you know, Andre and co are going to take control over Ruby gems, GitHub org or whatever, anytime soon.
16:46 Like, but I feel like the main parties who have suffered through this are people in the Ruby community who, of which I include myself, who are just have a lot of uncertainty of like what's going on.
17:00 And I can't remember if I said this publicly or privately, but like essentially the person I feel the most for is anyone in the last month.
17:07 Who is trying to pitch a new Ruby project at work with, to a management or leadership team who looks at Hacker News even once a week, right?
17:17 Like good luck, right?
17:18 Because a whole lot of fear, uncertainty and doubt has come into this.
17:22 And also like, I think both sides, I see, you know, I'm, I'm a strong proponent of, you know, I wrote a post a few years ago, which some people hate.
17:31 Some people love called open source maintainers.
17:34 Are you nothing, which points out from like a legal liability perspective, essentially every open source license says like, if you don't like the terms of that I'm providing you here, you can go fuck yourself.
17:46 And just take what you're given and like it, you know, and from that perspective, like I am sympathetic and I, I tend towards my sympathy being towards the maintainers.
17:56 But at the same time, we have like a critical part of the Ruby ecosystem, which essentially had no governance process, no public governance process whatsoever, right?
18:06 That had, and still has to some degree, very little beyond the legal required levels of financial transparency of required of like a 501c3.
18:17 And a lot of figures making decisions and making statements where most people like, I don't know who this person is, right?
18:25 I don't know who this person is, how they got access, who's right, who's wrong.
18:29 Are my Ruby gems safe or unsafe or whatever, right?
18:33 And I think that's the part about this, what I find really frustrating is that like a whole lot of people are still in the Ruby because we're still being disrupted by this.
18:44 And it doesn't seem like it's going to get solved anytime soon, maybe ever, right?
18:50 Because right now, both parties are now just in damage control.
18:55 Because both, again, like both sides on, I had someone that was Blue Sky or Mastodon, whatever, who was basically, oh, blah, blah, blah, you seem to have switched sides on this.
19:03 And I'm like, well, I don't think, I mean, rarely in life is there a situation where what side A is 100% right, side B is 100% wrong.
19:12 But like, this is definitely a situation where that's not the case.
19:14 Both sides have made mistakes.
19:16 You may well be inclined more towards one side than the other.
19:19 But like, both sides have to do things to repair trust and fix things and improve things moving forward, right?
19:24 I'm going to just jump in real quick.
19:27 Sorry, Mike.
19:28 Because I want to do point out like two of the things from this timeline, then we can move on to the bigger conversation.
19:33 Like, open source maintainers who have an MIT license indeed owe you nothing.
19:39 However, part of the complexity here is like what's under dispute.
19:43 And this is just like a natural, like, and I wrote about this in my first post on the topic.
19:46 Like, the fact that Ruby itself is 30 years old, mostly maintained by a committer group that's mostly based in Japan.
19:54 The Ruby Gems as a tool was created in America by Americans initially and then hosted in America, has a separate lineage.
20:03 And there's a three-legged stool between, like, custody of the code for Ruby Gems and then later Bundler and then later they merge, custody and management of Ruby the language, and then, like, RubyGems.org, which is like a going concern and operational, you know, system that is running in the cloud.
20:19 And so, from a just accesses perspective, like, we're not talking about, like, who's got commit bit necessarily.
20:27 So, when they say that he logged in with the rude email eight hours after getting noticed that his personal access had been revoked, and then he changes the password, and that's on September 18th, you know, you scroll down, and it also says on the 28th, he logged in again while he was in Tokyo at Kaigi on Rails, another conference event.
20:47 And then it's only on September 30th, seven minutes before our blog post, that there's any disclosure whatsoever, right?
20:55 So, like, if he was concerned about the security, their implication in this post is if he was supposedly concerned about the security, had there been a, you know, had this exposure been leaked out to other maintainers or if it was out in the wild or something, like, 12 days is an awful long fucking time to sit on that information and not disclose it.
21:15 Additionally, when you go back and ask, like, so why did we get to that point?
21:18 Like, what actually happened?
21:19 You scroll down, and the precipitating event to why are we getting serious about supply chain security was apparently, and this is an event that, you know, predates August 3rd.
21:34 So, presumably, you know, when, and I haven't met her, Shan, the new executive director at Ruby Central, doesn't have a lot of technical technology experience, but does have nonprofit experience.
21:47 I imagine, you know, Mike, if it's as dire as you're saying in terms of, like, lack of governance, lack of policies and procedures, my understanding is they didn't even have, like, terms of service and privacy policy up at the website until earlier this year.
21:59 I suspect she probably came in and she's like, we got to, like, get serious, right?
22:04 We got to run this thing better.
22:05 We got to introduce the, you know, standard operating procedure, you know, make sure that we're buttoned up from a regulatory perspective.
22:13 And then we got to, you know, understanding Ruby Central has been extremely budget constrained since, since RailsConf and RailsWorld turned into the schism, also get the budget under control.
22:25 And so, I knew, and I talked to Marty about this, I think, like, maybe late last year, early this year, when he was taking on the role at Ruby Central, that they were trying to get more, you know, serious about controlling the finances and getting the budget managed well.
22:41 And so, like, when you, when you go through the timeline, apparently they cut the budget for secondary on-call rotation for rubygems.org, which had previously apparently been $50,000 annually, and that all of that had, or that, that amount anyway, had gone to Andre Arco's, you know, consultancy to provide that service, even though it was rarely invoked.
23:03 When he was informed that they were removing that budget, he sent an email to Marty that was, you know, kind of spitballing an idea, it looks like, to say, well, in lieu of getting paid in dollars, if, if, if I could be permitted to have access to the HTTP logs, that could then be used for, presumably by a company to do some sort of analysis for some sort of marketable purpose.
23:27 Uh, and there, you can debate whether there's any sort of like PII implication, or if that could be discerned from the logs.
23:35 And, and Mike, my understanding is you probably have, being the homebrew guy, probably been approached by similar companies in the past, uh, regardless of the actual mechanics and what the, what, what that would look like.
23:46 It was pretty clearly not something in the privacy policy currently, or the terms of service.
23:50 And so this, that email is received on August 3rd, and then it looks like the board and leadership team, and I'm imagining now, and this is just speculation on my part, Shan is executive director, who's not, you know, still trying to get her bearings and trying to button the stuff up, probably sees that as like, and this is the person who has all of the access to all these systems and could just take it anyway.
24:08 And it's upset that, you know, we're cutting the budget, like that's probably the precipitating event.
24:13 And that's how they characterize it in this email of the thing that leads to, we got to tighten up the security and these accesses and get to, we don't have an operator agreement signed for all these people who have the, you know, operational access.
24:26 And we don't have committer license agreements for all the people who are committing to this code base and could cause, you know, disputes later.
24:32 And so we got to get those in place.
24:34 So like first cut everyone's access, get the agreements in place, and then we can start to rebuild on a, you know, firmer footing is my understanding of the timeline.
24:43 Now, like that's, that, that's what I read reading this, right.
24:47 It is like, and it sure, it boils up to unauthorized access, ultimately acute alleged against Andre and changing the password and not disclosing it.
24:55 But, but do I have anything there based on your, cause Mike, you've been in a lot of the same discussions that I have.
25:01 And with some of the principles did, is anything that I just characterized wrong or is anything you'd want to add to that?
25:06 Yeah.
25:07 I don't think there's anything massively incorrect or whatever there, I guess for me, it's kind of an emphasis thing.
25:13 And I, I, just to jump back, like, I guess maybe a bit of context that might be helpful for folks of where I fit into this party, right.
25:20 So I'm a homebrew maintainer, homebrew being a macOS package manager.
25:24 If you've not used it before, you can use it on Linux now as well.
25:27 Yeah, I've worked on that for 16 years.
25:29 I've essentially been probably the main person since the creator left, who's kind of stepped into leadership stuff and have kind of led us through various levels of financing and fiscal hosting and all the kind of,
25:42 a lot of the kind of boring non-profit-esque stuff.
25:45 But notably, homebrew does not have a dedicated non-profit.
25:49 We do not have any dedicated employees or anything like that.
25:53 But we have an open collective, which essentially, if you've never used open collective before, is like a online banking app, but is in the spirit of open source public, right.
26:04 So you can go and see two homebrew maintainers went out for lunch about a month and a half ago in Singapore together, as our expenses, public docs say that they can do.
26:14 And they had lunch, they talked about homebrew, and they expensed that to the project, and I approved that expense, right.
26:20 So, like, essentially, all the money coming in and out of the project, you can just go and look, right, without even logging in and see, like, what's going on here.
26:28 You can't see people's specific receipts with their credit card numbers for hopefully obvious reasons.
26:33 But the thing I struggle with with a lot of this stuff is, like, like, okay, homebrew and RubyGems will be going for about the same amount of time.
26:40 RubyGems has definitely received dramatically more money in that time, I would bet, than homebrew.
26:47 It would surprise me if it was as little as 10x more than homebrew.
26:51 But yet, we, a group of volunteers scattered around the world, have been able to have transparent governance, transparent finances for, like, five plus years.
27:03 And, you know, I appreciate, like, this is all part of a kind of tightening process and whatever.
27:07 But the thing that, to me, that all of these kind of blog posts and a lot of the discussion is missing is, like, okay, who got what money from who and when, right?
27:18 Like, that goes as far as Ruby Central employees, Ruby Central board members, Ruby Central contractors.
27:23 It goes, like, you know, there's been a lot of conspiracy about, like, how much Mike Purim, like, has provided or removed funding.
27:32 DHH has provided or removed funding.
27:33 Shopify has provided or removed funding, right?
27:35 And I don't even want to speculate on one of those because I don't know what's true or not true.
27:40 But the thing I find slightly depressing about it all is, like, it would be very easy to have all that information be at least semi-public, right?
27:48 But it's not.
27:49 So it becomes, like, an exercise.
27:52 And I do think, again, like, with the, like, what access Andre had to what and when and how and whatever, I also think, again, what I said earlier about the open source maintainers owe you nothing thing.
28:02 It's like, at that point, is he an unpaid volunteer working on a service, right?
28:09 And providing that to the best of his abilities.
28:11 Like, if I certainly think from the accounts we're looking at, had Andre never received a cent from Ruby Central ever, I think you would read his narrative and be like, that is 100% defensible, like what he did.
28:25 And Ruby Central are 100% of the wrong because they are a well-funded organization with full-time employees who, like, sorry, the bar is just much, much higher for them than it is for unpaid volunteers.
28:36 But if volunteers are paid, how much are they employees?
28:41 Are they contractors?
28:42 Like, what's their contract say or not say or whatever?
28:44 And I think that stuff is where it just all gets very murky.
28:48 And that stuff is where, personally, it makes me not happy that this is happening.
28:54 But I've been sort of saying, sometimes privately, sometimes a bit more diplomatically publicly for years, that like, hey, look, it seems like a lot of people have decided that open source sustainability is a problem we solve by just throwing more money at things, right?
29:09 And this is the type of thing that happens when we do that, right?
29:14 It's not to say that we shouldn't, no one should have been getting paid, or we shouldn't have had money or whatever.
29:19 But like, once you start getting a lot of money involved in these things, things get very complicated, right?
29:24 And you need to have significant levels of like, maturity and governance and transparency and experience in open source and experience in nonprofits to not fuck it up.
29:35 And then maybe even if you have all those things, you still fuck it up, right?
29:38 But like, I think that's where this stuff gets interesting for me is I'm like, well, you know, in some ways, if you were to look at homebrew and look at RubyGems, you would say like, well, you know, homebrews all this in this precarious, silly situation, because they don't have a dedicated nonprofit, they don't have significant corporate backing, whatever.
29:58 But in a funny way, we are immune to a lot of the problems that have happened here, because we have not gone in so hard on like, we now have significant dependencies on paying significant numbers of people, like their monthly wage, right?
30:14 And again, not to say we're doing it better, they're doing it worse, whatever.
30:18 But I think there's a lot of the open source, I guess I sometimes call it like big open source, right, that is trying to push a lot of people in this direction, that like, we all need to just get maintainers to be paid full time employees, right, and contract everything out and whatever.
30:37 And I think what gets lost is like, well, what happens if we do that, what are the pros and cons, and to what extent that events like this happen, or at least get a lot more messy and complicated than they could have been otherwise, if there was not the same degree of money involved.
30:51 So if I were to just jump to the end of this, and I'm going to jump right back where you are, Mike, but if I were to jump to the end, it's a guy who just types gem install every once in a while, or bundle, right?
31:05 I know you two, I've interviewed DHH, I've interviewed Shopify people, I've never met Andre myself, I'm tangentially related to the Ruby community, as a regular old Ruby user.
31:17 And to speak to Mike's point from earlier, at the end of this is a rubygems.org AWS root access event.
31:27 Like, if that's what I hear, and I find out it was days or hours, or however long it was, and was it Andre, was it somebody else, were they malicious, were they not, can we verify it?
31:38 Like, that's a five alarm fire, isn't it?
31:41 I mean, I install my gems, just like anybody else does, unless you've switched over to gem.coop, from rubygems.org, and somebody had root access to their AWS account for some amount of time.
31:55 And that's probably all that I'm hearing, maybe a little bit more about other things.
31:59 And so this, the end result is a disaster.
32:01 I mean, this has been disastrous.
32:02 And now we're in, like you said, Mike, damage control.
32:06 And so that's just incredibly unfortunate, and a fact of history now that I think comes from whether he said, she said, they did this, they did that, who's to blame, etc.
32:18 It comes down to, like, money has just muddied and created no end of trouble.
32:27 And it's just really, really murky now, like, how you navigate money and open source.
32:33 I mean, just combining those two things together, which has been a desire and something I've preached for many years, is, like, we need more money in open source.
32:39 We need to fund these people.
32:40 We need to sustain these people.
32:41 We need to help these people because they're giving things away for free, and then other people are using them and taking advantage and applying pressure, etc., etc.
32:49 But we've gotten some money now.
32:52 I mean, I'm not talking about now this year, but, like, over the last 15, 10, 15 years, money's come in in certain amounts.
32:59 You know, it's not evenly distributed by any means.
33:02 And it seems like, I don't know if I can say it's caused more trouble than it's solved problems.
33:09 Maybe it's been better than, maybe it's a net positive.
33:12 But, man, it sure made things even more complicated.
33:15 And I'm not sure how we navigate this.
33:18 I'm not sure how we navigate this going forward.
33:22 Maybe the answer is complete transparency, and maybe the answer is, I don't know.
33:29 I can't even imagine an answer that makes sense.
33:31 But, Mike, your stance is, like, you can't do it.
33:34 You can't do full-time open source maintainer as, you know, free to work on the project however they like.
33:43 Like, whatever we all imagine would be the perfect life of an open source maintainer, like, there is no such thing.
33:49 Is that your stance?
33:51 Pretty much.
33:52 I mean, Justin's, like, you know, hotfix podcast thing was, like, okay, come with, like, a pithy quote that's, like, a controversial statement.
34:02 And I think the shortest, pithiest version I got was, like, open source is not a career, right?
34:07 Like, and what I mean from that is that I think there's plenty of ways to be an open source maintainer and make a load of money, right?
34:18 Like, I've done fairly well for myself financially.
34:20 I have had some doors open for me that would not have been opened otherwise were it not for my open source work, for sure, right?
34:28 Like, I mean, arguably, maybe bar my first job out of university, college, whatever.
34:33 Like, I think every other job, my open source maintenance has influenced me getting that job.
34:39 But also, every other job has never has my paid main work been working on open source, right?
34:48 Like, that, and particularly working on homebrew, right?
34:51 Like, I've had, when I was at GitHub, I was at GitHub for 10 years, I had, like, a couple of months in which I was, you know, given permission to help migrate us urgently from bin tray to GitHub packages, right?
35:04 And I worked on a bunch of internal code for that.
35:08 I worked on a bunch of external code for that in homebrew.
35:10 But, like, bar that, like, that was not my job.
35:12 I did homebrew stuff in bits of spare time, in evenings and weekends, in time between meetings, whatever it may be, right?
35:20 And that was not what I was paid for or promoted for or whatever, right?
35:25 I built stuff internally, right?
35:27 I guess not unrelatedly, I was, you know, one of the first people to, first four engineers to build, like, GitHub sponsors, right?
35:34 So I, you know, that was an interesting thing for me because it was being on the front line of, like, well, what happens if we put a bunch more money into open source?
35:43 And I think, like, GitHub sponsors, again, it was telling because if you looked, and a lot of this is all public knowledge, right?
35:50 If you look at the people who have made the most money out of GitHub sponsors, they are not the best open source maintainers.
35:56 And they would not be offended in me stating that they are not the best open source maintainers.
36:01 They are the people who have done the best job selling themselves and selling something which other people value through GitHub sponsors as, like, a payment provider, essentially, right?
36:11 And good on them.
36:13 That's great that they do that.
36:15 But there's a lot of people, myself included, who just slap up at GitHub sponsors, right?
36:19 Like, I do a lot of homebrew stuff, and I have done for 16 years.
36:23 My monthly GitHub sponsors payment is $22 a month, right?
36:27 That's not me going and saying, I want to get a bunch more.
36:29 I get, you know, a bit more than that.
36:31 I get $300 a month from homebrew as, like, our kind of maintainer stipend.
36:35 But, you know, the reason why I don't get a load of money that way is because I have not dedicated time and energy into building, essentially, a sales process for my sponsorship pipeline.
36:48 And that's how it works, right?
36:50 If you want to be an open source maintainer that gets funded primarily through sponsorships and money and whatever, it doesn't look like a tip jar.
36:57 It looks like you are now running, essentially, like, you know, in the same way that other influencers might have an influencer economy or whatever.
37:04 And there's various routes of making that money and paying those bills and getting that open source work, right?
37:10 But there's not a single easily trended path that is not without compromises.
37:14 And it makes me very cross to see a bunch of particularly younger maintainers being told, like, no, this is the way.
37:22 If you follow this, you will both be rich and you can work on whatever source you ever want, whenever you want, right?
37:28 That's just a lie.
37:29 That's just bullshit, right?
37:30 Yeah.
37:32 Well, hold on, Justin.
37:34 For those who are putting them through the pain of watching us on video, the fringe benefit of doing the video version of this is for the last 10 minutes, you can watch Justin sit there and chomp at the bit for his opportunity.
37:52 Because we've said so many things that I'm sure he wants to address.
37:55 So much so that at one point he was literally holding his mouth shut because he has so many things to say right now.
38:00 This guy talks for three hours uninterrupted and he hasn't had a chance to say anything for the last 10 minutes.
38:06 So, Justin, just turning the floor over to you, my friend, which of these many points would you like to address first?
38:12 Got to admit to anyone watching the video, I did get distracted at one point because my pen ran out of ink and I had to write down.
38:18 He literally left at one point.
38:20 He literally left and then came back.
38:21 So that was distraction number two.
38:25 Distraction number one was I saw somebody texted me that the Vision Pro with M5 was announced.
38:34 Oh.
38:35 Well, there's a fire alarm fire right there.
38:37 Yeah.
38:38 Just to tell you, my priority is as one of the five remaining daily driver Vision Pro users who I use the Mac virtual display every day, like we've discussed several times on the show even.
38:53 So I will not be buying it because because it's just basically I'm using it as a monitor.
38:59 But and I'd much rather just talk about that now.
39:03 But to try to honor what Mike just said, when we say open source is not a career, it's kind of running a consultancy.
39:12 It's helping co-found, help start whatever, like a consulting company speaking at conferences, doing some amount of open source.
39:20 You know, none of I was very fortunate in life and that none of my open source was super successful.
39:25 It seems like a huge pain in the ass when it when that happens for the most part in terms of the burden of issues and pull requests and yada yada.
39:36 But I was visible enough that people would come up to me, younger folks, less experienced people, people trying to succeed in this industry.
39:44 And they would whether it was about speaking or whether it was about blogging or whether it was about doing open source, a lot of the activities that people saw me do, they'd look at that and they'd confuse the means with the ends.
39:58 So they'd say, hey, how do I break into open source?
40:02 And I'm like, that's a real weird goal because like I do open source because I'm trying to get something done that makes me money, like working for a client.
40:12 And like we got a you know, the first real project I did was like I was a Java client.
40:18 And like we had a whole lot of JavaScript and no way to run tests against it in CI.
40:22 And I was like, that won't do.
40:24 And so like we started unit testing our JavaScript with Jasmine, like locally.
40:28 Well, how do you get that running in CI?
40:30 I was like, oh, I had to figure out a you know, this is back in 2010 or whatever, like run a pseudo HTML and JavaScript like fake environment in a Java runtime.
40:42 And and then make a Maven plug in that we could incorporate into the build like and I did that on my own time on a weekend or, you know, late at night or something.
40:50 And then I just plugged it into the client code the next day.
40:53 Right.
40:54 Now, here you go, a gift free of charge because it makes my life easier at work and we're going to ship your code better.
40:59 Right.
41:00 And almost every one of my open source projects was that it was I have a job that pays me money that that job would be massively improved in terms of the outcomes or my life at that job.
41:11 By writing some open source.
41:12 So I'm going to solve my problem and I'm going to make it open because that's that's easier than getting approval to make it closed internally.
41:22 Like if I if I have some like, you know, asinine idea for how I can make things a little bit better.
41:27 Forgiveness is way better than permission.
41:29 Maybe it won't work.
41:30 Like why?
41:31 Why would I fight for like budget and time to go on some, you know, escapade to like, hey, I can vaguely improve things in a way that you don't understand when I could just go on my own GitHub, publish something.
41:41 Publicly and then go and consume that at work.
41:44 And if it turns out that it's useful, then work is happy to like, let me spend some hours building it because then I've got a virtuous, you know, I've got at least one person depending on it.
41:53 And that's the person paying me.
41:55 So then I can keep working on it a little bit and make it a little bit better, respond to issues and feedback.
41:59 And that's typically how I've done open source.
42:01 Right.
42:02 I guess one way to do it.
42:03 And in a very, very small sense that at least has like incentives aligned where it's like, I make this thing better because it's built for purpose for somebody who needs it.
42:16 So that's not that's not breaking into open source.
42:19 That's not saying like, OK, so what I want to do is I want to work on this open source project.
42:23 And I've seen this play out lots of times, whether it's through the sponsorship deal or, you know, what Ruby together and later Ruby central did was they actually paid hourly for people to work on bundler and Ruby gems code bases.
42:37 And when you're like talking about like a high one hundred fifty dollar an hour or whatever it is, hourly rate to work on an open source tool, then a lot of questions arise.
42:46 Like, what do you work on?
42:48 Who chooses the priority of that work?
42:51 Like it's a you know, if you're talking about one hundred fifty bucks an hour or zero dollars an hour with most of the people contributing, making zero dollars an hour.
42:59 Like suddenly there's a perverse incentive there to be like, all right, well, either, you know, what if there's nothing else to do?
43:07 Like what if bundler is a solved problem and basically does everything it needs?
43:10 Like now you've got a perverse incentive to create make work to justify more hours to get more money.
43:16 And and if the goal at the end of the ends is I want to get make make a, you know, replacement level tech career doing open source activities.
43:27 I think like the places that leads you in terms of the amount of complexity and machinations in terms of like how that funding gets to you and the amount of singing and dancing.
43:36 And and and and and glad handing and arm twisting that you need to do to like, you know, extract those dollars from people who might not necessarily see a direct value or benefit or ROI for giving you that money.
43:49 It leads to places like this that are as goddamn confusing as the situation that we're in now.
43:55 And that's that's, you know, I guess maybe a twisted knife version of the picture that Mike's painting is like this is just all about at the end of the day.
44:05 It's like incentives were not aligned because people wanted to get paid.
44:10 And this is where this leads you.
44:12 And yes, it's really sad that a lot of people do open source for free, but like a lot of people have hobbies for free.
44:18 And if they choose to keep doing them, it's kind of their their task.
44:21 I don't know what to tell you.
44:22 And that's the thing.
44:23 Like for me, genuinely, open source for free as a hobby is a beautiful thing.
44:30 Like we should think very carefully before we decide to kill that by either paying everyone, which won't happen, or by making people who aren't being paid feel like they are being exploited.
44:45 Right.
44:46 Like I again, it really fucks me off.
44:48 No end.
44:49 When you have people often with minimal involvement in open source themselves going around telling open source maintainers big companies are exploiting your labor.
44:57 And I said, well, if only there was a way to get a big company to pay me to write software for them.
45:03 Oh, wait, we have lots of that.
45:05 But the reason why lots of people, including me, enjoy open source software and have continued to work on it for a very long time is it's like I don't have a engineering manager or product manager or technical project manager being like, please sign your TPS reports.
45:20 When will this be done?
45:21 Is this a yellow T-shirt or a green T-shirt size project?
45:25 Like being able to just opt out from all of that bureaucracy is, you know, that bureaucracy is important and necessary sometimes, but it's also nice to not have to do that.
45:35 And when you don't have to do that, you can operate in a different way and work in a different way.
45:40 And that's fine.
45:41 And again, we go back to the open source maintainers owe you nothing, where it's like if someone doesn't like it.
45:45 Like, I mean, there's legitimately issues on homebrew that people file and it's like, this is a legit issue, but you're being a dickhead about it.
45:52 So I'm just going to close your issue.
45:54 And when they're like, oh, but then I'm like, well, fuck you.
45:56 Tough, tough luck.
45:57 I can do what I want.
45:58 Right.
45:59 But if I'm a paid employee and if that person is a paid customer, right, in some companies you can do that.
46:07 Right.
46:08 But that's not terribly advisable.
46:10 And I think this goes back to what we were saying about perverse incentives and like who gets paid and who doesn't get paid.
46:16 It's like, well, open source maintainers owe you nothing.
46:18 Sure.
46:19 People who are being paid to do something owe someone something.
46:23 Right.
46:24 And it might.
46:25 And again, in homebrew's case, we specifically do.
46:27 We have like all open tooling and open documentation and blah, blah, blah.
46:30 And we pay maintainers that hit a certain threshold, $300 a month.
46:36 We call it a stipend.
46:37 There are people for whom I'm sure the average, you know, American child delivering newspapers, if that's still a thing that happens.
46:46 Like is making significantly better hourly wage than some of these open source maintainers are.
46:51 But it's fine because that's just a token amount for appreciation for them.
46:55 And we're not like, but even then we have had, it's not, we've not done anything publicly or whatever because we try and in homebrew do a reasonable job at keeping some of our drama behind closed doors.
47:06 But even in that case, for a very small amount of money, we had a person with a very well-paid day job who was doing the wrong thing essentially because they wanted to hit a threshold to get an extra $300 a month.
47:20 And that made us reconsider how we do this stuff.
47:24 But to go way back to something that Justin said right at the beginning, right?
47:26 Like about, you know, he did open source to solve his own problems, right?
47:31 Back when I got involved first with open source in the heady days of the Linux desktop back in like 2007 when I did my first Google Summer of Code and met a lot of these KDE people and I was like a Linux guy.
47:43 Like the thing that people used to say all the time then that I never hear anyone saying now is open source is about scratching your own itch, right?
47:49 And what people meant by that back then was like open source is primarily about solving your own problems and then releasing it in a way that other people can benefit from you doing that, right?
47:59 And that's why I did it.
48:02 And it's why I do it.
48:03 Because when I work on homebrew and I make homebrew a little bit better, it's usually because something in homebrew annoys me and I use homebrew, therefore I make it better.
48:11 And that's completely the opposite from the attitude Justin was saying of like, how do I break it into open source?
48:17 It's like, well, whenever anyone's asked me that, I'm like, well, find a tool that you use, find something annoying with that tool and then go fix it, right?
48:25 And they're like, oh, but, you know, I don't know JavaScript yet or I don't know this or I haven't contributed to that code base or I can't find a mentor or whatever.
48:31 And like, again, as we're being a bit more spicy on this podcast, it's like, well, congratulations, you lose.
48:37 You're never going to be a successful open source maintainer, right?
48:39 Like, I've never seen someone who's been a good open source maintainer who has been taught into being so, right?
48:45 Or encouraged or given enough money that they kind of finally get over a line or whatever, right?
48:49 That helps people contribute and it's great.
48:52 And we shouldn't discount that as being a thing that we do for some people sometimes.
48:55 But like most of the time, most of those people, it's intrinsic internal motivation that gets them to do this stuff, right?
49:02 And that doesn't come from, I want money, I want clout, I want my resume or CV to look better.
49:09 It has to come from like, I just want to do it because it's interesting and fun for me, right?
49:13 Yeah.
49:15 I think this goes beyond open source software because the pattern is very generic.
49:19 It's like, I love doing X, so I do it for fun.
49:24 I would love to do X more.
49:26 If I could only make money doing X, I could do it more and then X becomes not fun anymore if that's successful.
49:31 Like, basically, that's the pattern.
49:33 So it's not just software but creation of all kinds.
49:35 Anytime you can parlay your hobby or your passion into a job, your passion is now your job.
49:42 And your job's a job and jobs aren't fun.
49:45 Even if it's the exact same activity.
49:46 Yeah, and you can add to that, Jared, because then you can take all your friends you have good relationships with.
49:52 And I tried this one.
49:53 And then you hire your friends.
49:55 And then your friends aren't your friends either.
49:57 That's right.
49:58 And you live in a basement in Ohio and you're like, oh my God, what have I done with my life?
50:01 I've destroyed my hobby and my friends.
50:03 But I got money in exchange, you know, or just train it all in for money.
50:07 Yeah, that's the unsolvable problem, I think, right there.
50:13 And, you know, for years and years, we've been looking for more paths to funding, more ways because there's so many different kinds of open source.
50:24 And there's ones that have an easy time making money because they are right there staring you in the face like they're like end user applications.
50:31 And then there's the dependency, the dependency, the dependency, who only has a GitHub account and is not on any social networks and is never going to make a dollar on their GitHub sponsors because nobody even knows that they're transitively installing, you know, XZ, for instance, just naming one that was exploited.
50:49 And so maybe I just thought there was different models.
50:51 We need to just explore all these different models.
50:53 And I remember going back years to Nadia Ekbal's Lemonade Stand repo, which she published back when she was doing her open source funding, writing.
51:03 And she documented like, here's all the different ways, bounty programs, open core, blah, blah, blah, blah.
51:09 And it's like, pick one that helps you.
51:11 And we've explored on this show over the course of, you know, a decade now, different people doing these different models and with more or less success.
51:21 At the end of the day, the happiest people that we've ever talked about, talked to about their work are the ones that are like, yeah, I do this for fun.
51:28 I'm not going to monetize.
51:29 And it's like, that's, that ends up being the healthiest relationship to your open source code is I do this for fun.
51:37 I'm not trying to monetize it because every one of these models, we can go through them all and they all produce at some point the perverse incentives that have happened in the Ruby community.
51:49 To me, it's not even monetization versus not, it's like direct monetization versus indirect monetization, right?
51:56 And I can't remember who it was.
51:58 I'm sure it's some much wise and old philosopher or whatever who said this.
52:02 I'm going to paraphrase it and butcher it horribly.
52:04 But basically, like the idea of like the best things in life are achieved indirectly, right?
52:10 So like, let's not be overly crude.
52:14 I'll try and be relatively diplomatic.
52:16 But basically, you know, for example, if your goal is romantic companionship, right?
52:22 There's ways of getting elements of that very quickly in exchange for money, right?
52:27 But most people would say that actually, that's probably not the most fulfilling long term option.
52:33 And the most fulfilling long term option, you know, I've been with my now wife for 23 years, like we have a perfect marriage and relationship.
52:40 I'm very, very happy.
52:41 That takes a lot of time and effort, right?
52:44 And again, I have almost like a pending blog post brewing about just being patient feels like it pays a lot of dividends on this stuff.
52:55 Like, I was at GitHub for 10 years.
52:57 I've been with my wife for 23.
52:59 My best friend who comes around to my house, we're currently watching Alien Earth.
53:03 It's very good.
53:04 Right now you're watching it?
53:05 Well, I mean, not right now because I'm on a podcast.
53:07 Okay, well, you said your best friend coming over and you're currently watching Alien Earth.
53:11 I'm like, dang, this guy can multitask.
53:12 I'll do my best to multitask.
53:14 But yeah, I mean, we've been friends for like 30 years, right?
53:16 And most of, and homebrew for 16 years.
53:18 Like most of the good things in my life are things that I have done for more than 10 years, right?
53:24 And there has been ups and downs in those times.
53:26 And there's been times where if you were to look at some tiny microcosm of like the first, you know, months or weeks or whatever, or a particular segment, you'd be like, oh, well, this isn't worth it.
53:36 I'm going to quit.
53:37 But again, like all of these things are things that I've got and I have made me very, very happy and I'm delighted with, not because I wanted to make as much money as possible or have as much whatever as possible, human relationship, interaction, whatever.
53:57 But just because like I enjoy the process going along and I still enjoy the process going along and that tends to get you to a very good place.
54:05 If every day you enjoy your life and you keep doing that and keep enjoying your life and at the same time, you know, stuff like money, you're like, okay, well, I need to pay the bills.
54:15 I need to make sure that I make enough money to provide for me and my family and whatever.
54:20 But you're also really excited about what you're doing, then that tends to work pretty well.
54:25 And if you go and chase like maximum financial return for anything, right, on a short-term basis, like, okay, you might make a bunch of money, like often you don't, but you're probably going to be miserable in the longer term.
54:38 And you're going to be like, why am I doing this?
54:40 And I need to quit and whatever, right?
54:42 And that's the definition of sustainability, right?
54:46 Like when we're not talking about open source sustainability, when we talk about anything being sustainable, the idea is how do we get people to be able to do this for a long period of time?
54:55 And without being a, you know, a cheese ball, like open source sustainability comes from within, right?
55:01 The reason why I have been able to do it for a long time and not burn out and literally in that 16-year window, I don't think I've gone a month without working on homebrew.
55:10 I've maybe not even gone three weeks without working on homebrew.
55:12 And the reason why is because I enjoyed it then and I enjoy it now.
55:16 And I know what I'm willing to do and what I'm not willing to do.
55:19 And for me, it has to stay enjoyable or I'm going to quit.
55:22 And I built a group of maintainers where I'm very protective over them because I know that's the same for them, right?
55:27 And to me, just almost looking at yourself in the mirror and be like, am I enjoying this?
55:32 Is this good?
55:33 Like, and if it is, great, do more of that.
55:35 And if it's not, then just stop, right?
55:37 And that terrifies a lot of people because it's like, oh, well, open source will collapse if we have all these maintainers who walk away.
55:42 And it's like, well, actually, no, because someone will step up and do what needs to be done if what you're doing is really important.
55:49 And that's maybe the hardest part of it all.
55:52 It's like, maybe that open source project you've spent a huge amount of time and energy into, maybe it's not that important.
55:57 Maybe it is replaceable.
55:58 And maybe your role is replaceable.
56:01 And that fucking sucks to look in the mirror and think that.
56:04 But maybe that's true.
56:05 Maybe you need to do that.
56:10 Look, if you're watching this video, you're going to be probably noticing that, like, we're three white men, you know, the collective noun for white middle-aged men is podcast.
56:26 I get it.
56:29 But it's true.
56:32 And one thing that a piece of context, right, about like that 2015 to 2021 era, especially in the US and politically, is like this conversation about like, you know, just being tut tutted by older guys who were already successful in their careers.
56:48 Like, oh, just do it as a hobby.
56:49 Just do open source in your free time or something.
56:51 When that comes into contact with this motivation that, like, open source isn't ends, not a means.
56:56 It's a way to get, because highly visible people are doing it, people rightly assume, you know, for whatever reason you're doing it, if I were to do that at the same stage or at the same level of impact or in the same high profile project, then I too would be highly visible.
57:12 And therefore, I could parlay that into, you know, more marketability, right, as an employee.
57:18 I'd be hired in at the staff level or the principal level, or I'd have better employment prospects.
57:25 And so there's a, you know, even though I started doing open source to scratch my own itch, to Mike's point, and that's still the reason I'm ever motivated to do it, it created a virtuous cycle, not just for my employer to be able to benefit from my hobby work, but for me to be able to parlay those projects into new relationships and credibility.
57:47 Because your, you know, GitHub profile kind of redounds to like at least some kind of proof that this guy can write working software and this is what it solves, right?
57:54 And mixed in with all of that is like, well, what if you don't have the free time, or if you've got family responsibilities, or there's some other, you know, systemic reason why you aren't able to just work for free and make this time possible.
58:15 It's creating an avenue for more privileged people who do have that luxury of time to pursue that hobby.
58:22 And then, and then even though it's just a hobby, it's not like, I definitely made more, more money out of my like, programming habit, then out of my Japanese language acquisition habit, you know, like, in terms of a hobby.
58:37 So, so, so like, that's not, that's not lost on me here.
58:40 It's just kind of a fact of life, and I don't know how to solve it.
58:45 Because when you try to solve this through the lens of, and that's why we got, like, when the conclusion, and I heard this a lot in the late 2010s was, and that's why we have to pay people to write open source.
58:55 I was like, that's, there's just so many, like, you know, the number of circles and loops necessary to kind of connect these dots together in a way that's actually going to get the outcome that you want, is so convoluted, that this is probably just going to make things worse.
59:14 I can't say we're in a much better place, you know, in all of these experiments where people are, and to, to, to, again, to Mike's point, where people are being directly compensated for their open source efforts, especially in an ad hoc or, or a, you know, semi-directed pseudo employment manner, like through, you know, contracting and through kind of, you know, like an amalgamation of funds and sponsors and donors.
59:39 Like, it, I don't know what to do, I just want, I just want to put it out there so we don't get emails about privilege, I'll be honest, that's why I said those things.
59:48 I think, I think it's a good point, and I think it's well made, and I'm glad you made that.
59:54 I think for me, my take is, like, should we try and improve the diversity of open source, et cetera?
1:00:00 Like, yeah, we should, I do, like, hopefully all of us would agree with that to some degree.
1:00:06 But I also think not everyone having the free time, again, it's one of those things where if, sometimes I think the people pushing a certain narrative haven't done the five whys on, like, the reason why they're often doing that is because they themselves come from a position of, like, you need to do open source to have a really great career, right?
1:00:26 And I'm like, well, no, I've worked with plenty of, like, staff plus engineers at GitHub who are phenomenal engineers who've literally never done a single open source commit ever, right?
1:00:36 And I would not tell those people that they should or shouldn't, right?
1:00:40 Like, considering the number of open source related emails I've had that have fascinating things to say about the size or presence of my penis, and whatever may relate to that, and various interactions with my mother, et cetera.
1:00:56 So, like, I don't encourage anyone who, like, doesn't have a current interest in open source to sign up to receive those types of emails, right?
1:01:06 And I don't think we're going to solve that problem anytime soon.
1:01:09 But I think that's the thing.
1:01:11 It's like, do we see open source as, like, an essential on-ramp that we have to use to, like, get people to be successful in the software industry?
1:01:18 And if you start from that, like, prior, then it's like, yeah, of course you're going to start thinking, like, we have to improve diversity and pay people to encourage people in, because otherwise you're just going to, you know, really fuck up the software industry by not, like, solving that.
1:01:33 But I don't think that is a problem.
1:01:35 And ironically, I think that is a problem that is exacerbated by people saying we have to pay and we need to put more money in rather than it being solved by that, right?
1:01:45 Because no one has to write open source, right?
1:01:48 Like, that's, I think that's the fundamental thing.
1:01:51 If I can say anything to any person who listened to this, it's like, literally, if you have a job where you write open source, even if you're a paid employee or contractor or whatever, like, I'm sure you can find something else where you don't have to do that, right?
1:02:02 Like, everyone writing open source, in some degree, has some element of choice.
1:02:09 Maybe not short term, maybe this month's mortgage payment relies on you, you know, writing open source and whatever, right?
1:02:16 But, like, long term in the career.
1:02:18 And also something, Justin, you said, you pointed this out on your podcast a lot about how there was this golden age of, you know, the three of us, again, are probably similar sort of age.
1:02:27 There was this golden age of programming, like, the early 2000s, where, you know, if you came out and you're interested in open source, like, chances are that was going to help you into a reasonable tech job and you could probably make a decent amount of money.
1:02:38 And then now we're seeing, you know, like, things are completely horrific for a lot of juniors trying to get into the industry.
1:02:44 And I think that's the thing.
1:02:46 It's like, I don't like that.
1:02:47 I don't think anyone in this call likes that.
1:02:50 But you can't, we can't just magically go backwards and undo that and fix that.
1:02:56 And I think often the people I hear advocating this type of stuff around open source just have wishful thinking of, like, no, if we can go back, we'll do it right this time and we'll, like, reinvent it and whatever.
1:03:07 And so, well, that's not how it's been.
1:03:09 And I loved your point, Jared, about how this is just universal for hobbies, right?
1:03:13 Like, we could probably have had exactly the same conversation we had right now about, like, music or whatever, right?
1:03:20 Like, and money and whatever.
1:03:23 Like, I remember when I was at GitHub and there was, I can't remember the name of the band.
1:03:26 There was some, like, top 10 indie rock band and one, like, GitHub conference, like, GitHub had paid for this band to come play.
1:03:33 And the band came out on stage.
1:03:34 Was that when Cold War Kids played at a...
1:03:37 That's, yeah, that's the name of the band.
1:03:39 But, like, having been there in the room, and I think there was a Silicon Valley episode that was loosely based on this, like, they came out and started playing.
1:03:46 Hold on, I got to interrupt you.
1:03:47 Like, if you don't know this, like, most Silicon Valley episodes were based on interviews with Chris Wonstreth and people.
1:03:53 I re-watched it all recently with my wife, and it's aged well.
1:03:57 But anyway, so, like, they came on stage, they started playing, and, like, 75% of the people immediately left the room because they were like, I don't want to be here, right?
1:04:05 And I'm going to confess something to the, you know, the two of you here.
1:04:09 Hopefully no one else hears this.
1:04:11 But, you know, like, I used to be an aspiring musician.
1:04:13 I have anyone on video who can see my mostly now unplayed guitars behind me, right?
1:04:18 And I immediately thought to myself, what a bunch of fucking sellouts, right?
1:04:22 Like, I would hope to myself that I would never be at a level where I would take any amount of money to go play to a room of nerds, myself included, like, who don't want you to be here and would just immediately leave the room as soon as you start playing, right?
1:04:36 Like, and, and again, like, you could say, we can have the same conversation, money and music, right?
1:04:42 Like, was that bad that they had that money or took that money or whatever, right?
1:04:47 Like, I'm not a musician.
1:04:48 I'm sure lots of musicians are very angry at me for, based on what I've said, and I'm being a massive hypocrite.
1:04:53 But, like, yeah, it's, I'm sure there's another podcast having an identical conversation about this.
1:04:57 And I think, like, we're not special in software open source.
1:05:00 And this is not the first industry to have this problem, nor will it be the last.
1:05:04 No, I think that's a great point.
1:05:07 And I think that I've said this before, that people, by and large, people don't make music in order to make money.
1:05:14 They make money so that they can make music, right?
1:05:18 And I think that there are people who've done both, and they're called rich and famous rock stars or whatever.
1:05:24 And, of course, people idolize those because wouldn't it be the dream to be able to be rich and famous and make music?
1:05:30 Like, that's, yeah, that's a lot of people's dream, which is why it's really hard to do.
1:05:34 And we draw that across to open source.
1:05:36 And we have had some people who've made livings, who've made really good livings, publishing open source code and creating a following and becoming whatever you have to be in order to get that done.
1:05:48 You can go to the top of GitHub sponsors and see a few of those people there.
1:05:52 It's an entirely different skill set, just like being a rich and famous rock star requires more than being able to play the guitar.
1:05:58 Because lots of people can play the guitar, but there's more to it than just that.
1:06:01 One of those major factors, in fact, is timing and luck.
1:06:05 And it has nothing to do with who you are, your skill set.
1:06:09 Another major factor is what you look like, unfortunately, but that's the case.
1:06:13 And so open source as career might follow the exact same trajectory as music as career.
1:06:22 It's like, yeah, a few lucky, very privileged people find a way to make that work and they live a great life.
1:06:31 And the rest of us, it's like you got to decide if you want to do it or not.
1:06:33 At the end of the day, open source is a gift to the world.
1:06:36 It's you giving back.
1:06:38 A lot of the motivations for doing it is people saying, well, I got so much for free that I felt like I should just give back.
1:06:45 And so that's what I do.
1:06:47 And so that's a gift.
1:06:49 And a gift comes from a place of privilege.
1:06:52 You have excess.
1:06:53 And so you give it.
1:06:55 And one of the beautiful things about the digital economy is that we can give it to everybody, whereas if I was going to go out and buy a new Vision Pro M5, I could just give it to Justin.
1:07:07 I couldn't give it to the entire world.
1:07:09 It's an amazing thing to be able to do your work once and gift it to the entire world.
1:07:13 And sometimes it just has to stay that.
1:07:16 You got my address, right, for that?
1:07:19 I figure you already have it on order, so I'm probably just.
1:07:22 No, no, no, not yet.
1:07:24 You need the phone.
1:07:25 You got to scan your face.
1:07:26 I buy you the new one.
1:07:27 So you send me your original, maybe sign in.
1:07:29 I got Justin Searle's original Vision Pro.
1:07:32 There's a thing here, right?
1:07:36 Because we're kind of conflating programming and making a living programming and open source as like a hobby activity or whatever.
1:07:42 And just like music, there's a difference between like being able to play music as a skill.
1:07:49 Being able to program a computer is a skill.
1:07:52 And being a songwriter who puts love and craft and passion and creativity and something of themselves into the music that they create is a passion, a craft.
1:08:06 You know, it's an individual pursuit.
1:08:09 And yes, if you do that, you are lucky to get paid.
1:08:12 And if it does all work out and the stars align, then that's a goddamn miracle and good for you.
1:08:17 Like, but at the same time, getting paid as a musician with that skill to go play gigs.
1:08:22 Like, there's a guy who, you know, sings at the lobby bar at a hotel next to my house every Tuesday.
1:08:27 And he's mostly playing, you know, Wonderwall and, you know, the old country road.
1:08:33 And like, he's not there for his health, but like there's a transaction happening and I don't begrudge him at all.
1:08:39 It's like, that's, you know, there's ambience and there's music.
1:08:42 And so like, hell, you know, the Cold War kids made me laugh, Mike, because across the street, there's a new hotel that opened.
1:08:48 I live in Orlando and it's just all resorts and stuff and pools and whatnot.
1:08:51 The new hotel opened earlier this year or late last year and they had the Goo Goo Dolls play.
1:08:56 And I was like, hell yeah, I'm going to go over for a free Goo Goo Dolls concert and free food and drinks.
1:09:01 And yeah, right.
1:09:03 I don't begrudge them at all because that was like, that was them applying their skill for, for, for money in that, in, in that sense.
1:09:10 You know, um, I mean, the songs were written all 20 years ago and everyone's really old and they look suspiciously good.
1:09:16 And that made me wonder about how they're maintaining that.
1:09:19 But like when I, when I, when a programmer is applying that skill to make money at the, at the end of the day, somebody, whoever's paying that money is going to be looking for some kind of value out of it.
1:09:33 And if you, and if, and if you're, whether you're, you're, you're working, uh, for somebody and they're, you know, why do we have planning sessions?
1:09:43 Why do we have product owners?
1:09:44 Why do we have requirements handed to us?
1:09:46 It's because the things that we're typically being asked to build as programmers are at the behest of somebody else who, who wants to see that software built or, or continue to operate or to be refined or whatever in order for them to extract some kind of value out of it.
1:09:59 And just like with the singer songwriter who can like eventually get to the point where they get to open new hotels and, and, and get paid to sing their own songs.
1:10:07 Like every now and then you get really, really lucky.
1:10:10 Like you, you, I worked on Ruby and, and rails for years and years and years.
1:10:14 And now there's a Ruby and rails team at a company like Shopify and they hired me and I get to continue doing the stuff.
1:10:20 You know, I talked to, with Aaron Patterson's a good friend with me, uh, of mine and, and, uh, yes, that's part of my bias and my allegiances is I talked to like that crowd of people more than the maintainer side of people who are involved in this particular dispute and fully own that.
1:10:38 But like, Oh, I'll talk to him about his job and it's confusing.
1:10:42 Sometimes I'm like, well, he has work stresses here and there and stuff, but like at the end of the day, he, he, he makes good money doing, doing that for Shopify.
1:10:50 Shopify gets a lot of benefit out of that.
1:10:53 Um, but like if he were to quit, he would basically be doing the same fucking thing every day for free, you know?
1:11:01 Like, so that is the stars completely aligning.
1:11:03 And you know what?
1:11:04 Like I know half a dozen people for whom that is true out of how many thousands of people that I've interacted with.
1:11:10 And so it's just an unrealistic thing.
1:11:13 And now this is back to Mike and this, our original kind of hot fix premise.
1:11:17 It's an unrealistic thing to just plan on your career being that it's way too high of a bar.
1:11:27 It's way too skinny of a bottleneck to hope that you're going to like with any level of confidence squeeze through.
1:11:34 Cause so few people do and not for lack of trying.
1:11:37 Well, it's like all the youth right now, they all want to be YouTubers or, or TikTokers.
1:11:43 And it's like, that's the, it's the new version of, I want to be a rock star.
1:11:47 It's like, you know how many rock stars there are?
1:11:49 There's like seven of them, you know?
1:11:50 But the influence of your economy, I think that's, it's similar.
1:11:54 And I think, again, it's been democratized to a certain degree.
1:11:56 Yeah.
1:11:57 And we're, I guess, as again, like, you know, three white men in our forties, like we're
1:12:01 probably like, if we had like some Gen Z guest on, yes, it's Gen Z because I'm British.
1:12:09 And then if we, I'm sure they would have a very different perspective here.
1:12:12 But again, I sort of wonder whether some of this comes from like the, the concept of like
1:12:17 the side hustle, right?
1:12:18 Where like the side hustle is often the, like, I have a hobby and I am going to, on top of
1:12:25 my job, I am going to monetize my hobby.
1:12:27 And hopefully I can get to a point, like you said earlier, Jared, like where my hobby can
1:12:32 become my job because I fully monetize it and I can pay the bills and whatever.
1:12:35 And I think, again, music is an obvious example, right?
1:12:38 Where there are people for whom music is their career, right?
1:12:41 And they, I know some of them for whom they then go home and they are not interested in
1:12:47 playing or producing music in their spare time at all anymore.
1:12:49 Like it's, I would just do it for money.
1:12:51 There's people for whom they are not interested in ever making any money from their career
1:12:55 ever, right?
1:12:56 In which if we wanted to have a horrific open source metaphor, you know, some like, I was
1:13:03 going to say man or woman, it's probably like a dude with long hair playing their guitar
1:13:06 around a fire while their friends, some of them might want to listen, probably most of them
1:13:11 You know, someone could go up to them and be, you're being exploited for your labor.
1:13:14 Like you should be paid the same as Taylor Swift for this, right?
1:13:17 Like, and it's like, well, actually no one wants to pay that person because they're not
1:13:21 very good and they don't want that job, right?
1:13:23 That person is doing it entirely as a hobby.
1:13:25 And then there's the people where there's like a blend between the two.
1:13:28 Maybe it's their hobby and it's their job, right?
1:13:31 And I think that's the thing.
1:13:32 It's like career, hobby, both, right?
1:13:35 And all of those are acceptable options, but it feels like this stuff often gets conflated.
1:13:39 And even someone like Aaron Patterson, right?
1:13:41 Good example, right?
1:13:42 He's written a absolute boatload of open source code in the years.
1:13:45 It would be interesting if you went back and somehow did accounting of like, okay, well,
1:13:50 what's that?
1:13:51 That's almost take the amount of money you've been paid to write open source.
1:13:55 And then the amount of hours you have spent doing open source and hobby related things,
1:14:00 say any work on a public repo on GitHub in your entire history as a programmer.
1:14:05 And that's figure out like what your hourly rate is.
1:14:09 And my guess would be like, it's obviously getting better each year that he is employed
1:14:13 by Shopify.
1:14:14 But my guess would be, it's actually a lot worse than you think it is because he, again,
1:14:19 like musicians, right?
1:14:20 Like musicians are not getting paid to play their scales, right?
1:14:23 People are just sitting, when I used to actually be a half decent musician, a lot of it was
1:14:27 just sitting and spending two hours playing the same riff again and again and again and
1:14:31 again, slightly faster, slightly faster, slightly faster, slightly faster.
1:14:33 And like, you know, no one's going to pay you to do that really boring stuff, right?
1:14:38 And it's, I don't think open source is dissimilar.
1:14:41 And like what I worry about is, again, I'm from an era of which it wasn't clear that open
1:14:47 source was going to win, right?
1:14:48 When I was at university, there was still all the kind of like Linux and like, I can't
1:14:53 remember the name of the company that basically there was this big lawsuit and, you know,
1:14:57 Steve Ballmer, Linux is a cancer, all this type of stuff, right?
1:15:00 And it looked, it was like a battle between proprietary software and open source software.
1:15:04 And some reason, the only reason we're even having this conversation is because open source
1:15:07 software so clearly and unambiguously won.
1:15:10 And I, maybe I'm being paranoid here, but I worry for a world in which we say, okay, any
1:15:16 big company that uses any open source software in any capacity is extractive.
1:15:20 And unless you are paying all those maintainers a Bay Area, like living wage, then you're an
1:15:26 evil company, right?
1:15:27 Like what happens if we actually go all in that viewpoint?
1:15:30 Like, do we make those companies be like, well, you know what?
1:15:33 I'm actually not going to touch open source anymore.
1:15:35 I'm just going to pay a team internally to build this stuff, right?
1:15:38 And for a lot of people like me, like that would be a very sad thing, right?
1:15:42 And it would, that would be the end in some ways of a lot of the non-hobbyists like open
1:15:49 source, right?
1:15:50 And I just think, where does the money come from to pay every single open source maintainer
1:15:55 with 10 stars on GitHub, like a living Bay Area salary, right?
1:15:59 Particularly if, as Justin said, we say to them, hey, we just give you that money unconditionally.
1:16:03 You don't need to have a product manager or whatever.
1:16:06 You just build whatever you think is best, however you think is best, right?
1:16:08 Like that's, I mean, it seems ridiculous to me.
1:16:11 Maybe that's just me, but like, I think that's the logical conclusion we get of the like peak
1:16:18 we should pay everyone because otherwise it's unethical argument here, right?
1:16:21 Yeah.
1:16:22 To that point, we just did a show recently with Feras, a book of DJ about NPM security in
1:16:27 light of the, just the onslaught of NPM hacks, which have been going on and continue.
1:16:32 I think after he published that there's even some newer ones and one of the things, and
1:16:36 he runs, you know, he owns and operates a secure socket security company.
1:16:40 And so he's very much in the infosec world and talking with, you know, CTOs and CEOs of
1:16:46 larger corporations.
1:16:48 And they're saying things like, well, this is not because of open source sustainability,
1:16:54 but it's because of open source security and this, you can't trust a network thing.
1:16:59 They're starting to have those conversations, especially because of the, you know, first
1:17:04 time to say it on the episode, I'm glad we're over an hour in because of the new enthusiasm
1:17:09 around AI code gen tools, they're saying things like, you know, do we need NPM?
1:17:14 Should we have, should we use, this is not, should we contribute?
1:17:17 This is, should we even use Ruby gems?
1:17:20 Why don't we just write everything in house?
1:17:23 And like that is starting to percolate amongst leadership in, you know, Silicon Valley companies.
1:17:29 And you add to that an open source tax, so to speak of whatever, whatever it would be, Mike,
1:17:34 when you talk about every maintainer has to get this much money, therefore every user has
1:17:38 to pay in according to their dependencies or whatever, however you'd actually work out
1:17:41 the impossible logistics of all that, it would just be one more reason why people will start
1:17:47 to opt out of the economy altogether and say, yeah, because I, I look at a world, I don't
1:17:54 know if we're going to get there guys, where my code gen tools can reproduce for me instead
1:18:01 of a vendoring a gem, why don't you just reproduce a gem?
1:18:03 And now I don't think we're going to be there myself anytime real soon, especially with gems
1:18:09 such as a large, you know, rails for instance, which is not a gem, it's a meta gem of many
1:18:13 gems, but the smaller ones, it's like, why would I even have, why would I care about open
1:18:18 I can just generate everything.
1:18:19 And I'm, it's, uh, we, we, it's Jared, it's funny.
1:18:25 You mentioned this because it's not just your fever dream, but it's like increasingly a thing
1:18:30 that I am also hearing.
1:18:32 In fact, I, I'm living it, but I, I, my brother, uh, Jeremy, he works for cars.com.
1:18:40 He's Elixir and Elixir programmer.
1:18:42 And you, he gave a talk at Elixir Conf last month, uh, which the, I don't know if it was
1:18:50 the title, but like, basically like the, the, the thrust is zero dependency software, like
1:18:54 instead of pulling in these dependencies, and it's not from a security perspective, although
1:18:59 that's when you're talking about open source tax, most people aren't thinking about how
1:19:02 this stuff gets funded.
1:19:03 They're thinking in terms of the, the, yes, maybe the security concerns that like, I don't
1:19:09 trust the software necessarily, especially if you're in a regulated industry and you got
1:19:13 to go and you have, or have lawyers go and check licenses and verify all that stuff there.
1:19:18 There's that tax for sure.
1:19:19 Right.
1:19:20 But more so like I now, you know, I am running code that I don't control or understand, and
1:19:27 it's going to have its own update schedule.
1:19:29 And I have to keep all of these dependencies up to date.
1:19:31 And of course, of course, the NPM community is famous for like really, really tiny modules.
1:19:36 And that's lots and lots of things that you have to keep up to date.
1:19:39 Uh, and so that upgrade burden is really high.
1:19:41 And right now you, you, you take cloud code, you take codec CLI, you pointed at a readme and
1:19:47 you say, all right, go clone this repo.
1:19:50 And I just want this section from the readme.
1:19:53 I just need this kind of a couple of features right here.
1:19:56 Just go clean room, implement that for me, if you don't mind.
1:19:59 And like, it'll do it.
1:20:00 And you can just vendor that in to your point.
1:20:03 You vendor that into your project.
1:20:04 And so like, I'm working on this posse party rails app.
1:20:07 And, and since going with agents, I'm trying to think now I started working with agents in
1:20:12 April, you know, started with, you know, the GitHub copilot stuff, moved on to cursor,
1:20:17 moved on to cloud code.
1:20:18 Now I'm in the heart of drugs and, uh, the, the, the, I think that I may have added zero
1:20:27 new gems, like zero new dependencies.
1:20:30 You're doing like OAuth stuff.
1:20:32 You're, you're talking to APIs.
1:20:33 I mean, this is like.
1:20:35 It's almost all integration work.
1:20:36 That would be, you know, this would be for me to, as a starting point, it'd be all gems.
1:20:40 I'd be like, I get the, the blue sky gem.
1:20:43 I get the Instagram gem, right?
1:20:45 I OAuth gem.
1:20:46 And then I just like tie those things together.
1:20:48 Cause it's just posting, you know, across different social networks.
1:20:51 I won't say just to belittle it, but my point is like, I would expect that to be mostly
1:20:55 third-party code.
1:20:56 And 10 years ago, that's how I would have done it too.
1:20:59 But I, you know, it's not just because of AI enabling this.
1:21:02 It's like, I learned the hard way that if you're writing code, that's basically glue
1:21:05 code of like eight other different things.
1:21:07 Like, it's kind of like you're on one train and trying to jump onto another moving train,
1:21:12 you know, like in real time is to try to keep everything in line and you're just holding
1:21:15 the stuff together.
1:21:16 And so, no, I've got, I've, I've written, in fact, this week I'm rewriting my LinkedIn
1:21:22 integration that, you know, it's not just a whole bunch of HTTP requests to post stuff.
1:21:27 You got to like, wait for it to download.
1:21:29 So you need another whole series of, you know, self-enqueuing tasks to go check to see if
1:21:34 the download's done.
1:21:35 And then my wife, Becky is like, well, if it doesn't support stories, I'm not going to
1:21:38 use it.
1:21:39 So I'm adding story support, which I think has like supported by, as far as I know, no,
1:21:43 definitely no Ruby gems, but I don't know if any dependencies are doing this much.
1:21:47 And so, so the nice thing is that, you know, when you own the code, you can build on top
1:21:52 And when it's inside the code base and it's part of the context of whatever your agents
1:21:55 And like, there's a lot to be said for as the cost of code, and this is how we tie back
1:22:01 to this conversation as the cost of code, basically craters to zero asymptotically here.
1:22:06 Like the, the, the writing of the code is not the part that is necessarily making is worth
1:22:12 So if I'm a maintainer and I want to get paid to write open source code, like that, the market
1:22:17 dynamics for that are also flatlining, uh, right now.
1:22:21 And so this could have, what we could be experiencing this conflict being a flashpoint and you know,
1:22:29 where did, where did it all start?
1:22:30 According to Ruby central, it started with them cutting budgets, right?
1:22:33 And why were they cutting budgets?
1:22:35 Because sponsorships declining, why is sponsors declining apart from the macro stuff and apart
1:22:40 from the conference stuff that, that Ruby central also runs.
1:22:42 I think a part of it is like a general sense that, uh, we've, we've already hit peak open
1:22:48 source, right?
1:22:49 Like in the sense of the, like people's unpaid labor is the way that we're going to get all
1:22:55 of this stuff built, not in the sense that things are going to be necessarily open or built
1:22:59 on open protocols and platforms.
1:23:00 If anything, that's probably going in the opposite direction, but the, the value of an individual
1:23:04 programmer going and hacking out a particular issue or a PR is going to go down.
1:23:08 If like, now you can just at codex something or at Claude something.
1:23:12 And, and Mike, you've been working with this too, like using copilot agent and finding
1:23:16 it, you tell me how you found it.
1:23:18 So, I mean, it's funny cause a lot, there's a lot of copilot related stuff.
1:23:23 I was one of the first people to test an internal beta of that alpha technically.
1:23:28 Um, and the reason why lots of people inside GitHub would like me to test things is because
1:23:33 I seem to be allergic to telling people that things were good when I thought they were a
1:23:39 heap of shit, even when it was strategically and politically advisable for me to say like
1:23:43 this person's pet project is wonderful.
1:23:45 Um, so yeah, my feedback on copilot pretty early on was like, wow, this is surprisingly
1:23:50 not a piece of shit.
1:23:51 Like when you describe, I mean, you have to remember like when copilot came out before
1:23:55 chat GPT and stuff, right.
1:23:56 Or at least it was, it was being alpha'd before that.
1:24:00 So this sounded like ridiculous, right.
1:24:02 That we would like use AI, whatever.
1:24:04 And I was like, wow, this is a better auto completion for Ruby than I've ever seen using
1:24:08 any, any ID or indexing or whatever.
1:24:10 Right.
1:24:11 And it immediately made me more productive.
1:24:12 So fast forward to the kind of copilot coding agent stuff.
1:24:15 Again, I saw the kind of memes on how I can use of like Microsoft employees being encouraged
1:24:21 or forced to use this publicly and it just being an absolute disaster.
1:24:23 And I was like, well, I'm going to try this out.
1:24:25 And again, like maybe because Umbrue has borderline fascistic issue templates that demand everything
1:24:33 of you and essentially like force you into Mike McQuaid's opinionated way of how you file
1:24:41 a bug, right.
1:24:42 But if you follow that template properly, it's actually really great context for an LM, particularly
1:24:48 when it has all the comments of us discussing it, right.
1:24:51 And I, I basically just, I think a couple of months ago, I signed every bug in the home
1:24:56 brew package manager to copilot agents.
1:24:58 And then, you know, it took a couple of weeks.
1:25:00 Some of them got there 99% their first time.
1:25:03 Some of them got 50% of the way and I finished off a lot of this stuff.
1:25:06 But like essentially in two weeks, those were all fixed.
1:25:09 Right.
1:25:10 And you can go and look at the public record and see how well that went or didn't go or
1:25:14 But like anyone who says like this stuff is not productivity boost is like in any circumstance
1:25:20 is massively kidding themselves.
1:25:22 And the awkward reality of it, again, back to the conversation is, I would say, is copilot
1:25:27 agent great?
1:25:28 Does it avoid handholding?
1:25:31 No, definitely not.
1:25:32 Is it better than the standards drive by a homebrew contributor?
1:25:36 Jury's out, right.
1:25:38 It's certainly comparable.
1:25:39 And I definitely think at this point, like the first iteration of PR, I would struggle to
1:25:45 tell them there's an issue between copilot and a first time contributor.
1:25:49 A homebrew maintainer and indeed myself who's worked on homebrew longer than anyone else will
1:25:57 do a much better job.
1:25:58 But even then, like I find myself leaning on it because sometimes it's like there's 10
1:26:04 Copilot, go fucking pick one.
1:26:06 Right.
1:26:07 And whatever mess you make, I will clean that off and get out of the line.
1:26:10 But it's that like empty page problem.
1:26:11 And yeah, I think this, I'm probably not quite as, not like pro AI, but like I don't maybe
1:26:21 buy stuff quite as heavily as Justin says about like the cost going to zero.
1:26:25 But I definitely think it's impacting stuff pretty heavily.
1:26:28 And I think we're in some ways seeing like a reversion in the tech industry of like back
1:26:34 to what skills are valuable, who's valuable, whatever.
1:26:37 Right.
1:26:38 And back perhaps to being like, maybe tech is just a slightly less fun place to work.
1:26:43 Right.
1:26:44 Like going way back for me, like back in 2009, I got a job on like the third application or
1:26:49 whatever to a company called KDAB, who I knew about them because they employed more than
1:26:54 anyone else of KDE maintainers in the KDE ecosystem.
1:26:58 And I was like a big Linux on the desktop guy and being contributing to KDE.
1:27:02 I was like, woohoo, I'm going to go work for this company and I can get paid to write
1:27:04 open source.
1:27:05 I discovered pretty quickly on my first like 100% open source project that it's like, ah,
1:27:10 actually getting paid to work on open source as a consultancy looks like very tedious,
1:27:16 boring work.
1:27:17 And I can probably say specifically now, considering it's been that long ago.
1:27:20 So KOffice, which was like KDE's like open office alternative, essentially like a corporate
1:27:25 sponsor was like, we want KOffice to be good.
1:27:27 Here's a spreadsheet with 5,000 regressions compared to Microsoft Word in KOffice.
1:27:34 Go for these particular import documents, go through and just fix these line by line, one
1:27:39 Incredibly tedious work.
1:27:41 No volunteer wanted to spend their spare time doing it.
1:27:44 So a company paid people to do it.
1:27:46 And again, this kind of comes back to a lot of the stuff in the early conversation, all
1:27:50 the fun, enjoyable parts of open source.
1:27:53 I don't think you're ever going to struggle to find people to do those, at least not until
1:27:57 you tell them all they're being horribly exploited by capitalism by doing so.
1:28:00 But like, there's going to always be a bunch of really boring, shitty, tedious work in open
1:28:05 Maybe it's supply chain security stuff.
1:28:07 Maybe it's whatever.
1:28:08 That's the stuff we need to get the money towards and fund the stuff that people don't
1:28:12 And I think that's going to be there.
1:28:16 And again, it's one of those things where the jury's out with all the supply chain security
1:28:20 stuff, whether the costs of that balloon beyond what people are willing to pay.
1:28:25 Right.
1:28:26 Like if we have a team internally or we have LLMs that mean that we don't have to pay this
1:28:31 tax, then maybe that's what we do now.
1:28:38 One thing I'll add, I, I've seen some people on the internet be critical of like in way back
1:28:46 to Ruby central, that organization we're talking about at the beginning of this conversation
1:28:50 and kind of incited this back and forth that Shan, the new executive director is not technical
1:28:57 and not from technical communities, but rather is like more there for her nonprofit experience.
1:29:02 You know, I, I remember when, uh, uh, Ruby central was just Ben and Evan and then they
1:29:08 added Marty like in 2012 or whatever.
1:29:11 And it was just the three of them as, as the chair people, I guess.
1:29:15 Uh, and all previous, all programmers.
1:29:18 And that felt right.
1:29:21 And back then in that era that we kind of keep hearkening back to the writing of the code,
1:29:28 the building of the tool that like, you know, the brilliant API and the, just the
1:29:32 the, the, the blood, sweat and tears to get it over the finish line at a high enough level
1:29:36 of quality, whether it's a CLI or whatever it is, a library.
1:29:39 And then to publish it, that was like where all the action was.
1:29:42 That was the work.
1:29:43 That was the thing that required brilliance.
1:29:44 And that's what the market was, you know, rewarding so handsomely in terms of great tech
1:29:49 If it's the case that it is now no longer, you know, uh, an incredibly rare thing to have
1:29:59 capacity for writing replacement level, decent code.
1:30:03 That means everything else now is more valuable.
1:30:06 And so to Mike's point, if I'm run, if I'm operating a service and, you know, Jared was scared
1:30:13 shitless.
1:30:14 He said, he said shitless, he bleeped it out.
1:30:16 No, I'm kidding.
1:30:17 I, I, I want to add more, I want to more bleeps, uh, uh, more bleeps for a minute.
1:30:23 I want to be Mike.
1:30:24 I was lying earlier.
1:30:25 Oh gosh, he's got you down.
1:30:26 Uh, he, he does.
1:30:28 Uh, but like if I, if I'm running a service and I'm going to be scared, you know, bleepless
1:30:35 to have, uh, uh, a root level security event occur at the place that I'm downloading all
1:30:41 of my gems, which could then be root kidding my computer for all of, I know for, I don't
1:30:46 know what it, what it was 12 days.
1:30:47 Like I'm actually really glad that the executive director has a, like the hat on now to finally
1:30:56 like shore up the governance, make sure that like their regulatory and their, their finances
1:31:01 and their tax situation is all buttoned up.
1:31:03 And probably, I think at the end of the day, we'll probably end up being much more transparent
1:31:07 than they've been in the past, which was just the result of negligence, I'm sure.
1:31:11 And not malevolence up to this point.
1:31:14 Uh, like those are actually the skills that are more valuable because you can't just easily
1:31:18 replace them.
1:31:19 It requires good judgment and diligence and like experience and oversight.
1:31:24 Um, so like, you know, part of this is a story of just an organization maturing, but I think
1:31:29 part of it is also like a reflection of like the change in what's, what's valuable and important
1:31:35 And as you look at open source or your conversation with frost, which I thought was excellent, you
1:31:39 know, frost is a real smart guy.
1:31:40 Like it's, it's, this is where the new locus of, of, of, of control goes when, when the
1:31:48 writing of the code is no longer the most important thing.
1:31:50 Yeah.
1:31:53 Now I'm out of things to say, so I'll just say a cliche, the times they are a change in,
1:32:00 are they not?
1:32:01 As a musical cliche for Mike's on Mike's behalf.
1:32:06 You like that one, Bob Dylan, right?
1:32:08 Yeah.
1:32:09 I love it.
1:32:10 I don't know that Bob Dylan song.
1:32:12 You don't know Bob Dylan?
1:32:13 Come on, man.
1:32:14 Unless it's like Northern, Northern European power metal.
1:32:17 I'm pretty, uh, lacking right now.
1:32:21 I don't, I don't, I don't know if they got Dylan in Scotland.
1:32:23 They still have newspaper boys and children.
1:32:26 I, I, do you have milk men still up there, Mike?
1:32:28 Is that we until recently had our milk delivered to our house by.
1:32:32 That's amazing.
1:32:34 That's so idyllic.
1:32:35 That is idyllic.
1:32:36 Living a dream over here.
1:32:37 Well, you knew so much about American culture.
1:32:39 I figure Bob Dylan would be right in your wheelhouse, but you know, that only extends so far,
1:32:43 I guess.
1:32:44 Yeah.
1:32:45 I, I only do the parts of American culture, I guess, to echo this conversation that I'm
1:32:50 paid in order to, forced to learn in order to maintain and sustain employment.
1:32:56 Right.
1:32:57 And that hasn't yet gone as far as Bob Dylan.
1:32:59 Well, I'll send you a $10 donation and a Bob Dylan album.
1:33:02 You can just get to work on that.
1:33:03 I feel like this is my, I, the moment when the American should make some sort of sports
1:33:08 metaphor and I, I nod along as if I understand what baseballs, fourth strike, third innings,
1:33:15 catch, MLB championship Fridays means.
1:33:20 Well, this is a, this is a nerdier podcast, but the joke I was going to make was going to
1:33:24 say, no, when do you like alien earth so much because it takes place in a world where America
1:33:28 doesn't exist anymore.
1:33:29 You can finally relax.
1:33:30 It's just five corporations.
1:33:32 You just get a continent.
1:33:35 Just like how it should be.
1:33:36 All right, Justin, this is as much your podcast as it is mine.
1:33:41 If it were mine, I would say thanks and end it.
1:33:43 But do you have more things you want to talk about?
1:33:45 Well, since this is going to show up on my feed as a hot fix, we try to end every single
1:33:50 interview with some sort of pithy one liner that, that, that represents what is the fix to
1:33:58 the problem statement.
1:33:59 And it's the guest who I guess in this case is Mike being double hosted by us.
1:34:03 Hey, I'm just trying to, I'm trying to beat the bleep filter.
1:34:12 You can't, you got to keep it in.
1:34:13 That stays in.
1:34:14 Mike, Mike, it's your job now to like help us land the plane and find a title for this
1:34:21 thing, at least on my feed.
1:34:22 Like what is, so if the problem statement is, you know, open source is not a career.
1:34:27 Like, what's the fix?
1:34:29 Like how do, what, what do you tell people instead?
1:34:33 Like, like, like, like how should they, how should they, what's the takeaway for them in
1:34:38 terms of like, where should their attention be?
1:34:39 Or, or, or you tell me.
1:34:42 Well, I guess in some ways I would divide the statement in two, right?
1:34:45 So from the open source side of things, do open source if you want to do open source,
1:34:50 If you don't want to do it anymore, don't do it anymore.
1:34:53 This is when like, when this podcast gets published and like 99% of open source maintainers
1:34:57 quit and we have a world crisis and I'm like, oh well.
1:35:01 But like genuinely, like, and we, I very strongly encourage people in Homebrew to be like, hey,
1:35:08 the day you're not using Homebrew anymore, thanks for all your work.
1:35:12 Stop using it.
1:35:13 Move on.
1:35:14 There's been people kicked out of Homebrew who are doing a good job, but clearly Homebrew
1:35:19 has been very bad for their mental health, so we kicked them out of Homebrew, right?
1:35:23 Like ultimately this stuff needs to be fun and it needs to be something that you enjoy.
1:35:28 And if you care about sustainability and burnout and open source, you want that stuff to be
1:35:32 Like go, you know, if you're an open source maintainer, go get some therapy, right?
1:35:36 You probably have some shit you need to deal with, like chances are.
1:35:40 And then the career side of things is like, again, same deal, like, right?
1:35:44 If you work in tech, chances are you have a career, which is nice, right?
1:35:51 It's harder right now than it used to be.
1:35:53 I'm lucky enough to have a lot of friends with careers outside of tech.
1:35:57 You know, people who are personal trainers who are opening up the gym at like five o'clock
1:36:02 in the morning, working like a 60-hour week with a split shift, right?
1:36:06 Like that's fucking hard.
1:36:08 Those people do not get paid a lot of money.
1:36:10 They work really hard and they make a really big difference in people's lives, right?
1:36:14 If you're in a situation where you're getting paid good money to sit in your ass in your
1:36:18 home office nine to five Monday to Friday, like, you know, again, maybe it's about figuring
1:36:23 out a way to be happy with that or your life.
1:36:26 And if you don't like that, then quit, go do something else.
1:36:28 But like, same deal, right?
1:36:29 Find a career that has some happy medium point between paying your bills, getting what you
1:36:35 need out of life, and that you can actually enjoy and not hate, right?
1:36:39 And do that, right?
1:36:41 Just in both camps, do what makes you happy, right?
1:36:44 Because that's, at the end of the day, that's probably what is going to give you a better life
1:36:49 and also give those around you a better life and even give like other people that work
1:36:54 with you at your work where you're open source or whatever.
1:36:56 If you're fucking miserable doing what you're doing, like, you're probably not very nice
1:37:00 So let's just, it'll be happy kids.
1:37:03 That's going to make some people cross, I think.
1:37:10 All right.
1:37:12 So I started with don't do open source if you don't want to, which is a little bit long
1:37:15 for a podcast title.
1:37:16 Then I said, do open source for you.
1:37:18 And then I just flipped your problem statement and said, open source is a hobby.
1:37:21 Yeah, that works.
1:37:24 Works for you?
1:37:25 Or just unhappy maintainers should quit?
1:37:28 If you don't like it, quit.
1:37:31 Yeah, pretty much.
1:37:32 All right.
1:37:33 Love it.
1:37:34 Well, on that note, I'll pretend I'm going to hit my button that plays my music now.
1:37:40 And then I'll have my call out and I'll say, hey, Jared, thanks a lot for, we're playing
1:37:45 at Jared's house right now because we're in his Riverside account.
1:37:48 Instead of Mike's Riverside account or my squad cast account.
1:37:51 Just really, we're, we're all broken, but we're glad that you're listening.
1:37:58 Hello.
1:37:59 If you're still listening at this point, especially nobody's paying me.
1:38:04 I've got no sponsors.
1:38:05 That's why I get to skip the bleeps.
1:38:07 That's right.
1:38:08 Our sponsors pay us extra to bleep things out, you know.
1:38:11 So we're going to make lots of money off this episode.
1:38:14 I hope it was sufficiently brand safe for you.
1:38:17 That's a new business model.
1:38:19 Pay per bleep.
1:38:20 Think about it.
1:38:21 There's some, there's some words I decided in advance I wasn't going to say.
1:38:24 So you should be glad for those.
1:38:26 I appreciate it.
1:38:27 That's a sign of a good friend, Mike.
1:38:29 All right.
1:38:32 Well, we'll just hit the button on both sides.
1:38:34 I'm not going to end it.
1:38:35 I'm going to let Justin's be the end.
1:38:36 I'm going to hit the music when he said he's going to hit his music.
1:38:39 So the show's over at this point.
1:38:41 Well, all right.
1:38:43 Okay.
1:38:45 I'm going to keep this stuff in.
1:38:46 So am I then.
1:38:48 All right.
1:38:49 Well, gosh, maybe I should just sing.
1:38:51 If you're going to ruin your show, I'm going to ruin mine.
1:38:53 Yeah, that's mutually assured content.