I agree with your point. In the name of promoting basic numeracy:

"""

Sign up for GitHub Sponsorship and create the tiers: Small organization (< 20 people): $10/mo Medium organization (20-100 people): $40/mo Large organization (> 100 people): $60/mo

"""

You are beyond 'cash strapped' if $10/month for something as fundamental as this breaks the bank. The fully loaded cost of a single US software developer is already above $100/hour.

It’s $10/mo and then like 15min/$50/mo in everyone’s time in admin chasing down and filing receipts, reconciling to bank statements, etc.

If you’re a founder doing your own finances, well every additional little monthly charge even if it’s just $1 is quite annoying:

Filing and reconciling 12 receipts takes say 1 hour per year, what if you’re using 20 dependencies? That’s an extra 3-5 days per annum of admin.

One nice thing about GitHub sponsorship is that there is only one bill for the sponsor, and one can support NN projects/creators there. I think it is even bundled with the regular Github invoice?

Sure, but that also doesn't scale reasonably and is entirely a facile argument. My original comment supports organization paying this price instead of dealing with internal compliance burdens. Looking at one of the package lock files for a previous company I still occasionally contract for, there are 9400 dependencies referenced.

So in the name of promoting basic numeracy, and taking into account the realities of scale. Matching that cost for those dependencies (this is a >100 person company) would be $560k per month. That gets you minimal support, just a guarantee that you can submit issues. No guaranteed security maintenance, compliance, or governance of the project.

You can spin up a very strong developer team for forking and maintaining an internal copy of opensource projects at that cost and a lot of large companies do just that. Should they contribute those changes back? Sure if that made sense.

A lot of time in my experience that internal copy is stripped to the bones of functionality to remove the surface area of vulnerabilities if the useful piece isn't extracted into the larger body of code directly. It's less functional with major changes specific to that environment. Would the upstream accept that massive gutting? Probably not. Could the company publish their minimal version? Sure but there are costs there as well and you DO have to justify that time and cost.

Would a company in-house the support and development of a tool over $40/month? Absolutely not, for a one-off case that's probably fine. If you want to meaningfully address the compensation issue from enterprises, opensource single-project subscriptions aren't going to be the answer.

I would LOVE to see more developer incentive programs, but one-by-one options aren't scalable and most projects don't want to provide the table-stakes level of support required of any vendor they work with. It's not optional for those organizations, its law and private contracts.

Note that the package.lock file is not the place to look for your OSMF dependencies. That file will list your project's dependencies and all of their dependencies and so on and so on. You want to look at the list of packages in your package.json file. That will almost certainly be an order of magnitude (or two) smaller.

For example, IIRC, GitHub (all of GitHub) calculated they had 660 direct dependencies. That's still a lot but it's not 9400. :)

OSMF could got name like WiX Toolset Maintenance Fee. Similar to how the Apache License got its name.

Why? It's not specific to the WiX Toolset at all. Other projects can (and some have) adopt the Open Source Maintenance Fee with no changes (or they can change if if they want).

WiX is just the first project to use the OSMF because I need a project to "debug" an issues in OSMF system. As we get all the issues resolved, we may see the OSMF be adopted widely... or not.

> The fully loaded cost of a single US software developer is already above $100/hour.

To be pedantic, it can be $0 if the developer is you yourself, or your friends, wives, husbands and other relatives.

The only object is that monthly fees are super annoying. I'd much prefer an annual :shrug:

You can pay annually. GitHub Sponsors allows that.

Yes, just a couple of minutes setting up a Github action on a fork, and you're good to go.

You can always just merge in the latest changes from the upstream project with a click or too. No need to maintain it on your own.

They actually provide the github action they use to build the releases in their repo already, so you could likely get this done in under 5 minutes.

And that's what a number of organizations have set up since March.

No. Not really. There are 406 forks, and ~10 were created in the last 5 months. The other people on this thread are more correct.

The number of publicly visible forks does not represent the number of organizations compiling their own binaries and internally mandating the use of such binaries.

Mind you, I never implied that there are thousands or hundreds of such cases. But there are some.

Oh, sure there are some. There were some before. It's Open Source after all. That's kinda' the point. :)

If more consumers choose to take on the work of maintaining their own fork because of the OSMF, that's okay too. I believe we are more likely to get contributions if more developers are in the code instead of just consuming binary builds. That's another small reason why I believe the OSMF can work.