
I want someone to build this:

SBOMs (Software Bills of Materials) are slowly becoming ubiquitous around the world due to regulation.

I want to be able to aggregate all SBOMs within my company, have a small tool that scans my machine and creates an SBOM for all Open Source tools I use (e.g. Firefox, VLC etc.), and uploads that to my corporate registry.

This data is then submitted to a donation aggregator which analyzes those SBOMs and distributes my monthly donation across all those projects.

It is so hard dealing with those individual donor portals and various forms to donate to foundations et al.

If this whole project could be run as a non-profit foundation itself that'd be perfect.




I think the devil is in the details. As others have pointed out, this would drastically change the incentive structure of OSS. You would attract actors whose entire purpose would be to get listed on as many SBOMs as possible to maximize their revenue potential. I'm envisioning a world of `padLeft` controversies.

That is to say, I don't think a pure "frequency of use" metric is sufficient to fairly distribute such a pool. And if you have a large and growing pool of available money then the incentive to game the distribution scheme becomes more attractive than making truly awesome software. And I very much doubt that we have any reliable ways of aligning such a money distribution scheme with the goal of creating amazing software.


I wonder if it would be enough to just recursively pay out to each dependency.

You pick a % to keep and a % to pass along to each of your dependencies, and then they split up that % that you passed along to them, and so on and so forth.

Of course people could choose to pass 0% along to their dependencies. But that seems fine; people can adjust and just not send greedy projects a very big split.

Trying to enforce some fairness on the outside will probably just result in silly behavior from greedy people (i.e., if every project gets an equal split out and somebody doesn't want to hand any money down to their dependencies, then they can just create a bunch of tiny projects to dilute their out-split).
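The recursive keep/pass-along scheme described in this comment, as an added worked example (not code from the thread or from any existing donation platform). The dependency graph, keep fractions and budget are constructed sample data; a node's remainder is split equally among its direct dependencies, and a depth limit keeps a dependency cycle from recursing forever:

```python
"""Recursive pay-forward donation split over a dependency graph.

Added illustration, not from the thread or any real platform. Each project
declares the fraction it keeps; the rest is split equally among its direct
dependencies, which apply their own keep fraction in turn. The graph below
is constructed sample data.
"""
from collections import defaultdict

# Constructed sample graph: project -> (keep_fraction, [direct dependencies])
GRAPH = {
    "my-app":          (0.0, ["web-framework", "http-client"]),
    "web-framework":   (0.5, ["http-client", "template-engine"]),
    "http-client":     (0.7, ["pad-left"]),
    "template-engine": (1.0, []),   # keeps everything: nothing flows further down
    "pad-left":        (1.0, []),
}


def distribute(graph, root, budget, max_depth=32):
    """Return {project: amount} after recursively passing money down the graph.

    max_depth bounds the recursion so a dependency cycle (a -> b -> a) cannot
    loop forever; whatever is left at the depth limit stays with that node.
    Projects missing from `graph` are treated as leaves that keep 100%.
    """
    payouts = defaultdict(float)

    def walk(node, amount, depth):
        keep, deps = graph.get(node, (1.0, []))
        if not deps or depth >= max_depth:
            payouts[node] += amount
            return
        kept = amount * keep
        payouts[node] += kept
        share = (amount - kept) / len(deps)   # equal split among direct deps
        for dep in deps:
            walk(dep, share, depth + 1)

    walk(root, budget, 0)
    return dict(payouts)


if __name__ == "__main__":
    for project, amount in sorted(distribute(GRAPH, "my-app", 100.0).items()):
        print(f"{project:16s} {amount:8.2f}")
```

With the sample graph and a 100 unit budget, `http-client` ends up with 43.75 because it is reached twice (directly and via `web-framework`), and `pad-left` gets 18.75 from the two passes through `http-client`. The sum of all payouts always equals the budget, including for cyclic graphs, which is the property to check when auditing any such scheme.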


`padLeft` can't just inject itself into a software stack right? So there's an incentive to be valuable enough to be included.


Depends on how you do the accounting. "Well, you don't use padLeft, but 15 packages you depend on do, and 68 packages that those packages depend on do... Altogether you're looking at 348 instances of padLeft."


If there were a metric that would make each instance of padLeft worth a tiny amount of money (for such a tiny library), that sounds like a reasonable outcome to me.

EDIT: I may be missing part of the point


A trivial way to exploit this kind of system, I think, would be to write LegitimatelyUsefulLibrary, then write 1,000 PadLeft projects, and make LegitimatelyUsefulLibrary depend on all of them.

Since you are the one marking the dependency of LegitimatelyUsefulLibrary on your PadLeft projects, you can game the metrics however you’d like when making it.


But why would I, as a developer, use such a library? It would cut me out of profits unnecessarily. In fact when I’m picking my dependencies I will deliberately avoid those that take a larger slice of the pie than is worth it for me.


If I remember the story correctly the padLeft dev was actually pretty notorious for submitting patches to open source projects that 'coincidentally' added dependencies on his code.


Sources?


Only enumerate and pay for top-level tools and dependencies, none of which are probably padLeft. Those downstream recipients can further "pay it forward" to their top-level dependencies. Everyone has an incentive to not pull in superfluous bullshit so they can hold onto as much of their pittance as possible.

Trickle down economics? Ronald, is that you?


Everything you say is correct. I still want this. It's better than what we have today.

We can work on improving things later.


thanks.dev does this. I think I saw GitHub Sponsors also started (or will start?) doing something like this, but I'm not sure on the details off-hand.

But yeah, I've argued for this a long time as well: who is going to look up 100 to 2,000 dependencies and see if they accept donations and set that up and cancel when you stop using it, add new ones when you start using them (and many will be transitive deps, so you have to check if it changed every month or something), etc. etc.

You just want to give one organisation $500/month or whatever and let them sort it out. You don't even need SBOMs, just start by sending them your go.mod or package.json or Cargo.toml or Gemfile or whatever.

That the FSF and OSI are doing basically nothing in this regard is why I have trouble taking either organisation seriously.


And I started https://bre.ad/ which does similar! I was trying to figure out a way to attract people slowly while I iron out issues...


We are using thanks.dev (to donate) and they are doing a tiny bit of it, but I have not seen much happening there in the past few months.

Just sending go.mod etc. only looks at the software in the build process which doesn't go far enough.

But I think we're on the same page!


See also https://stackaid.us as another platform doing similar


Isn’t this kinda what Tidelift is trying to do?


I tried to sign up (as a maintainer) and I never heard back from them. Tidelift also does a lot of other stuff; my impression is they want to have a "curated list" of packages (or something? I find Tidelift confusing), which is fine I guess, but not really a general solution.


I have made a simple CLI utility[0] with this purpose in mind. It scans your entire filesystem for README.md and FUNDING.yml files for a set of donation/sponsor links and tags them with the associated repo (no HTTP calls, just the assumption that most repos link their support URL in either of these files). The output is a CSV sheet containing the open-source dependencies/libraries you use in your system that accept donations.

I have plans to expand/plug this into a donation aggregator platform like you mentioned if time permits. But if there is an existing effort for the same, I am happy to contribute. :)

[0] - https://github.com/mufeedvh/paydept
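A scanner along the lines the comment above describes, as an added example; this is not paydept's code and makes no claim about how paydept is implemented. It walks a directory tree, reads `FUNDING.yml` (GitHub's flat `key: value` / `key: [a, b]` form, parsed without a YAML library) and `README.md`, and emits CSV. Because a `FUNDING.yml` is attacker-controlled data (any repository can point at any URL), the example only keeps links on an allow-list of known sponsorship hosts, and for github.com only `/sponsors/` paths. The sample repositories are constructed in a temporary directory; nothing touches the network.

```python
"""Find FUNDING.yml / README sponsor links under a directory and emit CSV.

Added example, not paydept's code. No network calls. The sample tree in
demo() is constructed; PLATFORMS maps GitHub FUNDING.yml keys to URLs.
"""
import csv
import io
import os
import re
import tempfile

PLATFORMS = {                      # FUNDING.yml key -> URL template for the slug
    "github": "https://github.com/sponsors/{}",
    "open_collective": "https://opencollective.com/{}",
    "liberapay": "https://liberapay.com/{}",
    "ko_fi": "https://ko-fi.com/{}",
    "patreon": "https://www.patreon.com/{}",
}
ALLOWED_HOSTS = {"github.com", "opencollective.com", "liberapay.com",
                 "ko-fi.com", "www.patreon.com"}
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def host_of(url):
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def is_funding_url(url):
    """Allow-list check: untrusted repo content must not redirect donations anywhere."""
    host = host_of(url)
    if host not in ALLOWED_HOSTS:
        return False
    if host == "github.com":
        return url.split(host, 1)[1].startswith("/sponsors/")
    return True


def parse_funding_yml(text):
    """Minimal parser for the flat form GitHub uses; deliberately not a full YAML loader."""
    links = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        values = [v.strip() for v in value.strip("[]").split(",")] if value.startswith("[") else [value]
        for v in values:
            v = v.strip("\"'")
            if not v:
                continue
            if key == "custom":
                links.append(v)
            elif key in PLATFORMS:
                links.append(PLATFORMS[key].format(v))
    return links


def scan(root):
    """Walk `root`; return {repo_relpath: [funding urls]} restricted to allow-listed hosts."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # keep .github, skip object stores
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "FUNDING.yml":
                # .github/FUNDING.yml belongs to the parent repository directory
                repo = os.path.dirname(dirpath) if os.path.basename(dirpath) == ".github" else dirpath
                with open(path, encoding="utf-8", errors="replace") as f:
                    links = parse_funding_yml(f.read())
            elif name.lower() == "readme.md":
                repo = dirpath
                with open(path, encoding="utf-8", errors="replace") as f:
                    links = URL_RE.findall(f.read())
            else:
                continue
            for link in links:
                if is_funding_url(link):
                    found.setdefault(os.path.relpath(repo, root), set()).add(link)
    return {repo: sorted(links) for repo, links in sorted(found.items())}


def to_csv(found):
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["repo", "funding_url"])
    for repo, links in found.items():
        for link in links:
            w.writerow([repo, link])
    return out.getvalue()


def demo():
    """Constructed sample checkouts: one with FUNDING.yml, one with a README link."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "libfoo", ".github"))
        with open(os.path.join(root, "libfoo", ".github", "FUNDING.yml"), "w") as f:
            f.write("github: [alice, bob]\nopen_collective: libfoo\n"
                    "custom: https://evil.example/steal  # not allow-listed, dropped\n")
        os.makedirs(os.path.join(root, "barlib"))
        with open(os.path.join(root, "barlib", "README.md"), "w") as f:
            f.write("# barlib\nSupport: https://liberapay.com/barlib and repo https://github.com/x/barlib\n")
        return scan(root)


if __name__ == "__main__":
    print(to_csv(demo()))
```

The allow-list is the part worth keeping if you extend this: a scanner that trusts arbitrary `custom:` URLs would happily route a company's donations to whatever a compromised or typosquatted dependency puts in its repository.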


Hey this is pretty great, and the code is so simple. I guess it only works if you have the sources checked out somewhere, which isn't the case for all build tooling and package managers, but I could see an extended version of this that hooks into the standard package managers to fetch the required information to complete the report.

If you can also hook into an accounting system (eg plaintextaccounting.org) then you could also calculate the whole dollar amounts to donate as some percentage of income from the product.


Don't take this the wrong way but corporate are such prima donnas!

I got flashbacks from my tiny startup days when corporate went to procurement companies which wanted specific terms and mode of payment. And after all the infrastructure was in place... they basically spent no money!

The SBOM idea exists in various forms. Few need it and few use it.

If somebody wants to pay money, they will figure out a way. If they want to invent an excuse they will find one.


> If somebody wants to pay money, they will figure out a way. If they want to invent an excuse they will find one.

I think this is just not true. Reducing friction will increase participation.

I make donations to many organizations currently. I would donate to more, but it's a hassle to identify them and determine what/how I want to donate. It's just not a top priority for me, for better or worse. But if I could click a button right now and 5x my donations with the trust that they were supporting what I wanted them to, I'd do it!

edit: Also, this is a reminder to me that everything is a choice and I could be spending my time setting up donations instead of commenting on HN...


> Don't take this the wrong way but corporate are such prima donnas!

Not taking it the wrong way, you're right :)

> I got flashbacks from my tiny startup days when corporate went to procurement companies which wanted specific terms and mode of payment. And after all the infrastructure was in place... they basically spent no money!

Yep, that's painful but I count it as the cost of doing business. If I jump through these hoops and my competition doesn't it sets me apart. If only 1 in 10 then spent money so be it.

> The SBOM idea exists in various forms. Few need it and few use it.

True today. Not true tomorrow. Software development will become a highly regulated industry. This is my prediction at least.

> If somebody wants to pay money, they will figure out a way. If they want to invent an excuse they will find one.

I want to give them fewer excuses.


I would settle for something much simpler.

All of your engineers get 5-10 votes for important libraries they use. The vote history is aggregated, and voting is twice a year. For every N votes we send $100 to that project. That way you're not cutting little checks, and you have a finite number of projects you have to hunt down funding contacts and charitable status for.

Due to aggregation across votes, all the projects that perpetually come in 10th to 20th place get paid every year or two, and first place is likely to see a little more money each year. $300 in June and $400 in December for instance.


This is https://tidelift.com/ ! Others too, I think.


No, that's something different.

They used to be simple to understand; looking at their homepage today I have no idea what they are doing, but it's not what I'm looking for.


"Contact us for a quote"

Any idea how much that is?


No pricing info, no easily accessible demo, government agency logos on the landing page.

This is setting off all of my "enterprise trash software" alarms. And if there is one thing those all have in common, it's being way too expensive.


Not just in billing, but also in implementation cost and general overhead. I actively avoid buying anything which requires talking to a salesperson to get basic service info; ideally one has something like the Cloudflare self-service model with enterprise upgrades. I know someone currently paying >$800k/yr to Cloudflare who started out a couple years ago with a $200/mo plan.


According to web.archive.org they had their 'starter' subscription priced at $30,000/year for 50 developers as of December 18th, 2022.


Whoa, that's very likely way more than what these organizations spend supporting OSS, lol.


Well this is designed for enumerating supply chains in a strict compliance focused environment, not necessarily for giving back to said supply chain.


About 10-20 minutes of your time, if you include the task-switching cost.


No, but I bet if you contact them that they can give you one.


But then you have to waste a salesguy's time generating a quote for a product that I'm not likely to purchase. I hate doing that. I'm basically stealing from them just because I'm trying to shop around for the best product. I'm calling salesguys and giving all of them my information and getting several different quotes, but I'm only going to execute on one of them. And now they're spamming my inbox every time their company does something even though I've never bought anything from them.


The reason they make you do this is because different companies pay orders of magnitude different amounts for services like this.


1) Use a throwaway email for that quote

2) Write up what you want, and email ALL the companies you want a quote from... CCing them all in the same email.

Make sure to indicate a close date for them "and all other possible bidders" to submit by.

Now they all know who their competitors are, AND, they know there could be other, extra competitors, AND they know to price as competitively as possible.

The sales people at the other end, and the company, will know if they want to "waste their time or not".

This works well with car dealers too. If you want the best price on a specific make and model with specific options, send to the 10 dealers in a 2 hour drive radius.


I wonder if this is one reason many companies have web forms to request the quote. So you can't mass email for them.


So you'd rather someone else subject themselves to that for your own benefit than do it yourself?

Seems kind of selfish, does it not?


I'm sorry I don't understand. The alternative was to have a basic price for the product or service on their website that a person could look up.

Maybe if I'm some big bulk buyer and think I can get a better deal by talking to the salesguy then I'll do that. But if I'm some small fry buying like 1 or 2 of the things I know they aren't going to give me a break, but I still have to go through the "contact the sales person, they call you back, you explain what you want, they generate a quote within 5-7 business days that is good for 30 days after being generated, you end up not buying the thing for whatever reason" rigmarole.

Sidenote: I've never had a vendor balk at me using an "expired" quote to buy something. Our purchasing process never proceeds within 30 days, but turns out the prices don't change either. It is very common to be executing on a quote that's 6 months old.


First: I also need that. It is a pain right now. Second: it would be a good way to rationalize to your managers on how shaky ground they stand.


Say more about this SBOM regulation. Do you have an EN standard or something you can point me to?


It's mostly a recommendation from what I've seen so far, but it's not hard to read this as a future requirement.

CISA has been pushing it, which is why it's on my radar: https://www.cisa.gov/sbom


FDA wants electronic SBOM for future device approvals.

https://www.fda.gov/medical-devices/digital-health-center-ex...


As others have already commented:

The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...

Lots of large companies require SBOMs from their supplier.

In the EU we will get the Cyber Resilience Act which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...

And yes, there are basically two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/
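The aggregation step the original post asks for, as an added example against one of the two formats named here: it is not code from the thread or from the CycloneDX project, and only relies on the JSON fields the CycloneDX spec documents (`bomFormat`, `specVersion`, `components[].purl`). The two SBOMs are constructed samples. A project is counted once per SBOM it appears in rather than once per transitive instance, so "348 instances of padLeft" in one application count as a single use; the budget is split in integer cents with largest-remainder rounding so the shares sum exactly to the total.

```python
"""Aggregate CycloneDX JSON SBOMs and split a monthly budget across their projects.

Added example, not code from the thread or from CycloneDX. SBOM_A and SBOM_B
are constructed samples in the documented CycloneDX JSON shape.
"""
import json
from collections import Counter

SBOM_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-service", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "left-pad", "version": "1.1.0", "purl": "pkg:npm/left-pad@1.1.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0?vcs_url=x"},
    ],
})
SBOM_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "workstation-42", "version": "2024-01"}},
    "components": [
        {"type": "application", "name": "firefox-esr", "version": "115.6.0esr-1",
         "purl": "pkg:deb/debian/firefox-esr@115.6.0esr-1"},
        {"type": "application", "name": "vlc", "version": "3.0.20-1", "purl": "pkg:deb/debian/vlc@3.0.20-1"},
        {"type": "library", "name": "express", "version": "4.17.1", "purl": "pkg:npm/express@4.17.1"},
    ],
})


def project_key(purl):
    """Strip version, qualifiers and subpath: pkg:npm/left-pad@1.3.0?x=y -> pkg:npm/left-pad.

    purl namespaces percent-encode '@' (pkg:npm/%40babel/core@7.0.0), so the
    last '@' is the version separator; the '/' guard rejects malformed input.
    """
    base = purl.split("#", 1)[0].split("?", 1)[0]
    head, sep, tail = base.rpartition("@")
    return head if sep and "/" not in tail else base


def load_components(sbom_json):
    """Return the set of project keys listed in one CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    keys = set()
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:                     # components without a purl cannot be mapped to a project
            keys.add(project_key(purl))
    return keys


def aggregate(sboms):
    """Count, per project, how many SBOMs list it (one vote per SBOM, not per instance)."""
    counts = Counter()
    for s in sboms:
        counts.update(load_components(s))
    return counts


def split_budget(counts, budget_cents):
    """Split an integer-cent budget proportionally to counts; largest-remainder rounding
    guarantees the shares sum exactly to budget_cents."""
    total = sum(counts.values())
    raw = {k: budget_cents * n / total for k, n in counts.items()}
    shares = {k: int(v) for k, v in raw.items()}
    leftover = budget_cents - sum(shares.values())
    for k in sorted(raw, key=lambda k: (raw[k] - shares[k], k), reverse=True)[:leftover]:
        shares[k] += 1
    return shares


if __name__ == "__main__":
    counts = aggregate([SBOM_A, SBOM_B])
    for project, cents in sorted(split_budget(counts, 10_000).items()):
        print(f"{project:32s} {cents / 100:8.2f}")
```

Per-SBOM deduplication only neutralises repeated instances of the same package. It does nothing against the trick described further up the thread, where a useful library declares 1,000 distinct pad-left dependencies: those still arrive as 1,000 distinct purls in every SBOM that includes the library, which is why the SBOM producer (and the dependency declarations it reads) has to be treated as an untrusted input to any payout formula.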



> I want to be able to aggregate all SBOMs within my company, have a small tool that scans my machine and creates a SBOM for all Open Source tools I use (e.g. Firefox, VLC etc.), uploads that to my corporate registry.

Then your boss will come and ask WTF do you use VLC for when all the videos are on the web, also some default media player comes with your OS and by the way, you are not supposed to watch videos during your work day.


Wild, I should be more appreciative that I have Steam on my work laptop and have played Slay The Spire during deploys with management on the call commenting on my game.


You don't need Steam for this. It's available on GOG[1] without DRM.

[1] https://www.gog.com/game/Slay_the_Spire


Slay the Spire seems like it would be a great game to play in the gaps between tasks.


I think the idea here is more like “donate $1000/mo, have it distributed across the projects” rather than, say, “donate $10 to each project in the list.”


It's my company. Apart from that: VLC was just one example. But it's a tool that a chunk of employed people actually need for work.


Not quite the same thing, but the Optimism Collective runs a program called Retroactive Public Goods Funding that sort of works like this: https://www.optimism.io/retropgf

A round is currently active and dependencies are encouraged to sign up. Quite literally millions worth of crypto up for grabs for the ecosystem's dependencies on a recurring basis. Frequency is about twice per year right now but I think the goal is to get to at least once per quarter.

(Disclaimer: I work for a company called OP Labs which does work for the Optimism Collective)

(And yes, it's a crypto project, but I'm hoping the common goal of constructing systems that can sustainably fund open source software might bridge the HN gap)


A "clearing house" for donations would be pretty neat


I've been toying with an idea of some kind of "Spotify for OSS" kinda thing - where software authors can make their binaries available, provided you have an active subscription (with the Spotify for OSS service).

Funds are then distributed based on usage (trackable at the package registry).

The idea being corporates buy a single license per head, rather than dealing with lots of donations etc.

Probably lots of reasons it wouldn't work, but it's a fun thought experiment.


This seems like an easy way for people to accidentally change the nature of their projects from a personal hobby/community type thing to something more like a customer service type relationship, which brings a bunch of expectations regarding fitness and merchantability.


It's a good idea but that would mean companies now have to pay. And they don't like it. (Unless it's for useless shit nobody cares about that doesn't make your job easier; they've got loads for that.)


I'm hoping "cargo vet"'s approach to supply chain security becomes standard practice:

https://mozilla.github.io/cargo-vet/

Adding a "pay upstream" feature to it would probably be minimal incremental effort. Someone is already supposed to pay the third-party auditors, after all.


You need to audit the places it’s being donated to. Do they actually spend it on making the software you depend on better and paying the people making the software. Or is it a Processing Foundation situation https://news.ycombinator.com/item?id=37760363


I was also disappointed to see them using a KDE account for donations. I like KDE but I'm pretty sure there are tons of Krita users who do not use KDE, me included.

Found that there is a Krita on Liberapay, which I much prefer as a platform, but who knows if that's official or not, since it's not linked on this thread's link.


KDE is a community of developers that makes various software products, including Krita - that's why there's a KDE account involved here, since KDE makes Krita :-)

Many of those software projects are available even for commercial systems like Windows and Mac OS, and of course the various free software environments. Those users are all equally important, so there's no conflict there.


I haven't used Windows in ages, but when I did, kate worked very well on it.


If you're using Krita, you're a KDE user because Krita is a KDE project. The Plasma desktop environment is just another KDE project.


I read this several times and I have no idea what benefit this would serve or anything about it.


Let's say I want to make sure to donate to ALL open source projects I use in my company. Those in my builds as well as those used on our computers that are not build dependencies (e.g. Firefox, vim, Linux, ...).

How do I do that today? I collect a list of that software and contact hundreds of individual people and organizations, figure out the donation processes, fill out forms, transfer money etc.

I want this to be automated. I want this automation to build upon existing standards.

Does that help?


This proposal would lead (I suspect) to "enshittification" of the supply chain as people wrangled to be larger portions of the dependency/payment tree, eh?

Part of what makes FOSS work at all is that the motivation is not profit but benefit.


This ties in with the other thread about aircraft parts and the chain of custody. "Who has touched and signed off on each piece of code"


This is not a ready-to-go idea, but it's definitely a good starting point for thinking about how to do it.

Thank You!


You get this upstream as part of the system inventory and manage the delta with your change management


The more infrastructure built to fund a cause, the lower the percentage of the money actually funding people on the ground doing the work. This is often true of charities. OTOH there will be more money, and maybe some of the people actually doing the work can actually make a living doing so.


same for news and blogs ... pay $10 per month, get paywall access, browser tracks what you read and distributes to authors. open source version of Apple news that actually supports local news and indies without extracting a giant additional vig.


Love that idea!



