The Changelog: Software Development, Open Source - There will be bleeps (Friends)
Episode Date: October 17, 2025Mike McQuaid and Justin Searls join Jerod in the wake of the RubyGems debacle to discuss what happened, what it says about money in open source, what sustainability really means for our community, mak...ing a career out of open source (or not), and more. Bleep!
Transcript
Discussion (0)
Welcome to ChangeLog and Friends, a weekly talk show about Gen Z career aspirations.
Thanks as always to our partners at Fly to IO, the public cloud built for developers who ship.
We love Fly.
You might too.
Learn all about it at fly.io.
Okay, let's talk.
Well, friends, the news is out.
Our friends over at CodeRabbit, coderbid.aI.
They've raised a massive series B,
and they've launched their CLI reviews tool.
It is now out there.
I've been playing with it.
It's cool.
The bottleneck is not code.
The bottleneck is code review.
With so much code happening,
so many people coding now, so much code being generated,
and so many things competing for developers' time and attention to maximize.
Code review still remains a bottleneck.
But not anymore.
CodeRabbit, CLA code reviews, code reviews in your pool requests,
code reviews in your VS code, and more.
Teams now have a true answer to what it means to code review at scale.
Code review at the speed of AI, and CodeRabbit is right there for you.
You'll learn more at coderabbit.aI.A.I.
We'll link up their latest blog announcing their series B and their announcement of their
CLI review tool. Again, coderabbit.aI.
While we are here with a breaking change log, Justin asked me to do that pun.
A crossover episode, we are publishing shows to both change log and friends.
and to Justin's breaking change, hot fix, merge conflict, I don't know what this is on his pod,
but it'll be there.
The explicit version will be over on Justin's side.
On our side, there will be bleeps because we also have not just Justin, but also
Mike McQuaid with us.
What's up, Mike?
Thanks for having me.
I hope to make heavy use of your bleep counter today, as is my Scottish self-employed
tradition.
Well, Mike's only requirement was that there would be.
come a non-bleeped version of his voice out there on the internet talking about this.
And so Justin will happily oblige.
Yes, and I'm not going to make it a contest or anything, but I've got a feeling I'm not going
to go bleep free for what we're about to talk about.
And the reason for the bleeps is because we've got trouble right here at Ruby Central.
Yes, that's an old music man.
What is that?
I don't know.
Trouble.
Right here in River City.
Right here.
Where the capital T and that rhymes with P and that stands for pool.
For a new problem, maybe not a new problem, an old problem, an issue that's been going on with Ruby Gems, with Ruby Central, with Ruby together, with Ruby, the community, more so than the programming language.
Language is doing just fine, isn't it, Mike?
Seems to be. I wrote some today. It still works.
Did you install any gems?
I did. They installed okay. It seems to be fine.
Yeah, I was actually doing an iOS project when all this stuff broke, but then I was worried that, like, you know, Ruby would stop working. So I dropped that switched gears and I've been working on my posse party project and earn us to try to get it done before the servers turn off. Just in case. Just in case. Well, there's a lot of ins, a lot of outs, a lot of what have used, as the dude would say, to this particular story. More probably, and then I can summarize, which is why I've mostly ignored this in Change Dog News, because there's just so much going on. And every once in a while, I just link.
over to Justin, who's been commentating and color commentating, but we're going to let Mike
try to set the table for us, just some of the events that's going on. For those who are
uninitiated with some of the Ruby drama that's been percolating and coming to a head
recently with an actual route access event published on Rubyjems.org. So Mike, help everybody
understand exactly what's been going down. Yeah, so I guess things kicked off probably what
we're at October 15th at the time of recording. So this time a month ago, things seemed to all
be fairly normal and stable and whatever. No one seemed to really know much. Like, I guess
my first personal involvement was there was like a governance PR on Ruby Gems that was based
on the homebrew one. I was pulled in and asked to kind of give my thoughts on that. And then a few
people started messaging me and whatever. But essentially what went down is,
Ruby Central for the main parties involved here is the non-profit organization that controls RubyGems.org.
And they had as employees and contractors at various points, various maintainers of RubyGems, the open source projects, and those people were involved with RubyGems.org, kind of on-call rotations and whatever.
So essentially kind of, I guess, last month, you know, we're talking, I think, September.
the 18th or whatever. From then onwards over the kind of following few weeks, Ruby Central
notified Ruby Gems maintainers, including, I guess, Andre Arco. Like I guess if you want to read
the two differences of accounts, I guess the starkest extremes here are Andre has written a few
things on his blog. Ruby Gems have written a few things on their blog. And basically from
September the 8th onwards, Andre and some other Ruby Gems maintainers were removed from
the uncall rotation, they were removed from their GitHub access, and various bits and pieces
went down. There's kind of back and forward in arguments and disputes about what was communicated
exactly by who and when and what happened and what didn't happen and whatever. But essentially
we're at the point today where almost no one who is involved with Ruby Gem's open source
project has access to be involved with it today. Andrei and
And a bunch of the other Ruby Gems maintainers have created their own thing called gem.coop,
which right now is essentially like a modified version fork, whatever you want to call it, of RubyGems.org.
It's run as like separate infrastructure.
Andrei has personally been involved with kind of some competitors to like Bundler and Ruby Gems and whatever.
I think there's a tool called RV.
And what seems to be now public knowledge is that both parties are,
writing various blog posts targeting the other and it sounds like there's some kind of lawsuits
in action between various parties as well so that'll provide the overview you're looking for
jared or do you want a bit more color on the particular bits i think that's a good overview i think
that brings us to what seems to be the biggest milestone or moment which was published just
last week by shan kyrton executive director at ruby central
of this AWS Root Access event that happened in September.
Justin, you want to hop in here on that, or do you want a mic to continue?
Yeah, so if you're, if you, if you had been following along, the thing that everybody had
been clamoring for, kind of regardless, like, people are taking sides.
There's a lot of, even though we're not public figures, we're not famous people, it's like
Ruby's been a smallish pond for a long time.
A lot of these people have been there for 20 plus years.
And everybody kind of knows everybody.
If you go to the conferences and we've all seen each other and people talk and
there's different clicks and there's different groups.
And so like regardless of like kind of like where your allegiances fall in terms of
what friend group is sort of thinking this way or that way and and and where things line up,
in general, that's like I'm talking about a universe of like 200 people,
mats and way more people in the world use Ruby and also read the internet. And so they've been
operating under this complete lack of complete just information of like, what's the whole
story? Like something isn't adding up here. Uh, you know, some people have been happy to fill
the void with like sort of conspiratorial thinking throughout like this is all a takeover
from Shopify because they're trying to get after this one guy. And it's like, okay, so why? And
then no one's got an answer for that. Right. Like, uh, and other people are just very,
honestly and earnestly being like Ruby Central saying that they just removed everyone for supply
chain reasons like why and Ruby Central's not talking right like and so that and all you get is
like kind of hand wavy oh well because the lawyer is telling us we can't or something like that
if you ask people this blog post which what was it was it the 30th no it was more recently
it was about the event on the third it was published October 9th October 9th thanks sorry the event might
have been the 30th and not yes the event no on the 30th was the blog post that raised concerns that's
right so part of why this is confusing is the post is a timeline but the timeline is like three
timelines in reverse order to to first talk about like the last thing that happened and in what
order things happened when the last thing happened and then the next section explains like the
why that the why behind that and then the next last section is the why behind that and if you
where to like, and I, and this is why as soon as I read it, I put up my own blog post,
I kind of tried to unspool it to explain like, what are the stakes.
What this reads like to me when you go through it.
So I'll first try to like summarize that it's characterized as a post-mortem of security
incident response.
We're on September 30th, a person named Joel Drapper or Draper post a blog post that says,
yo, Andre Arco still has all these systems accesses,
like the only person who, he's the only owner of a particular GitHub organization.
He's still got these AWS accesses.
And I think that the, if not expressly stated, implication of the post is this is how incompetent Ruby Central is that like here we are weeks after supposedly having these accesses removed, he actually still has this access.
And so look at how insecure this is.
like, you know, this is, this is Ruby Central not having their act together.
Right, because they had taken access away from Andre as well as other RubyGems.org maintainers prior.
However, Andre still had access according to Joel Draper's draper draper.
It's two peas.
It's two peas, but Joel Draper just sounds more natural, so I don't know.
Yeah, and my wife and I are rewatching Mad Men coincidentally.
Don Draper.
Yes, and so it's just like, it's really hard to separate.
I agree.
I haven't seen it for years, but I'm not.
I'm still saying Draper.
Anywho, this poster, he says, on September 30th, is that they're so, I mean, the
implication is that the incompetence of Ruby Central, who is it a foundation?
Is it a nonprofit?
Help us understand some of the entities here.
Ruby Central, is it a for-profit?
My understanding is it's a 501C3, which I, frankly, I really wish I didn't know about
U.S. nonprofit organizations, considering I don't live there and I never will.
but yet I've been involved with like open source non-profit stuff long enough that I'm sadly intimately aware.
So a five months or three, they're they're somewhat hard to establish nowadays because various government agencies have decided that like open source software is a bit too easy to look businessy, right?
So basically it's an organization that exists to own the assets of Ruby gems.
it merged previously with Ruby together,
which was started by Andre.
I don't know who started Ruby Central personally,
but basically it exists as an entity
to provide legal ownership of the service,
to provide the ability to receive tax-free donations
from individuals and companies,
and then redistribute those to whatever nonprofit appropriate areas
that they do,
been Ruby Jams maintenance, Ruby Jams on call, some conferences, et cetera.
And there's a lot of moving parts which makes us hard to track.
There's like the repos on GitHub.
There's the servers that are actually running said code.
There's the access to the servers.
There's databases.
There's other things that make this just really hard to track.
But back to, so that's Ruby Central, the entity.
Back to where Justin was, they published this post about Joel Draper's post saying that Andre still had access or implying
that there was still access.
Right. Yeah. So, so, so before the post post, don't worry. Like, like, they actually were
notified of, of this permission's, uh, uh, exposure. So it wasn't a zero day announcement.
No, yeah. They had, it looks like seven minutes where Andre emailed them that he still had
these accesses and that this was the only disclosure. Gotcha. Joel post goes up, uh, uh,
you know, at 530 UTC, uh, you know, and now this is just in the guy, just,
reading a blog post or forgive me if my characterizations are at all inaccurate uh you know at that
point ruby central has to treat it like a security incident so they go into emergency mode try to lock down
all these systems uh initiate password reset and then begin a a relatively long you know
investigation of all these other knock on systems first over the next few hours and then the
next few days uh when let's see the the when they backtrack right so that's september 30th then
there's an analysis of events that goes back and says, hey, look, on, on September 18th,
Ruby Central notified Mr. Arco via email that he was going to have his access removed or that it
had been removed. And while they removed his particular IAM, I assume, like, AWS account that
presumably would be tied to his email address. Uh, they, they did not rotate the password on the
AWS route account. So, you know, like if you're familiar with AWS, there's typically an
email address and a root password or an email address that is effectively the root account
and it's bad practice to use that thing right and log in as it because you don't have any of
the sort of like you know policies and procedures available to you but because Andre was like kind
of one of one of if not the core operator of ruby gems.org for so long it appears that even
though that he was removed from whatever their password vault system was presumably like a
one password. He had a separate copy of, of that password or that login item somewhere,
because even though his, you know, email was, his individual AWS account was apparently,
according to Ruby Central, disabled, looks like roughly eight hours after that notice sent,
they state that an unauthorized actor from San Francisco logged into that AWS account,
into the root AWS account, and then proceeded to change the password.
And as far as they know, didn't do anything else.
I'm not an expert in, you know, cloud forensics.
So I have no idea if that's the thing that, like, Ruby sent.
It's just the absence of evidence is what's leading them to say that
or whether they have any sort of like, you know, dispositive proof that nothing bad happened.
I think I read somewhere that they did have some, like, there's like some sort of immutable time-based log
and they confirmed from the log, like what had happened, what hadn't happened.
Yeah.
I read both sides of that.
And I think Mike's, what Mike just stated, seemed like it was more.
informed than the ulterior, which is once you have root access, you can change everything.
I don't know AWS well enough to confirm or deny a side, but that does, that did at the time
of my reading seem to be the most reasonable stance that they could confirm it.
That being said, I also don't know for sure.
Yeah, I pride myself in my ignorance when it comes to DevOps stuff.
So I'll take your word for it.
Especially AWS stuff.
I think the thing that jumps out of me with a lot of this stuff is you can plausibly see
why both sides
thought they were doing the right thing
at a lot of times in this, right?
So, like, from
I guess Andre's perspective, what's been published
is he says, like, well, I
thought this was, I didn't have
enough information to go on
that this wasn't, was a legitimate
event, and it wasn't like someone at
Ruby Central's email or GitHub
or whatever had been hacked, so I was trying to
do what I could to preserve the integrity of the service.
But I think, like,
what is hard for me,
with the communication of both sides, right, is I think particularly unsurprisingly now that
maybe some lawyers are involved, is that I would love to, maybe it's the, just because I'm British,
I would love like a bit more from both sides and saying like, hey, turns out, in hindsight,
I didn't do the best thing here, right? And going forward, if you find yourself in the situation
I was in, my advice to you is to do X instead of Y and I did Y, right?
And I think that's the hard thing with all this, is that we're now at a point where there seems to be like some degree of stability, and it doesn't seem like Ruby Central is going to be inviting the folks who have left, including Andre, back into the fold anytime soon.
It doesn't seem that, like, you know, Andrea and co are going to take control over Ruby Jem's GitHub org or whatever any time soon.
like, but I feel like the main parties who have suffered through this are people in the Ruby
community who, of which I include myself, who are just have a lot of uncertainty of like what's
going on, right? And I can't remember what I said this publicly or privately, but like essentially
the person I feel the most for is anyone in the last month who is trying to pitch a new
Ruby project at work with, to a management or leadership team who looks at hacker news even
once a week, right? Like, good luck, right? Because a whole lot of fear and certainty and doubt
has come into this. And also, like, I think both sides I see, you know, I'm a strong proponent of,
you know, I wrote a post a few years ago, which some people hate, some people love, called
open source maintainers, are you nothing? Which points out from like a legal liability perspective,
essentially every open source license says, like, if you don't like the terms that I'm providing
you here, you can go for yourself.
and just take what you're given and like it, you know.
And from that perspective, like, I am sympathetic
and I tend towards my sympathy being towards the maintainers.
But at the same time, we have like a critical part of the Ruby ecosystem,
which essentially had no governance process,
no public governance process whatsoever, right,
that had and still has, to some degree,
very little beyond the legal required levels of financial transparency
of required of like a 5-1c3
and a lot of figures
making decisions and making statements
where most people
like I don't know who this person is
right I don't know who this person is
how they got access
who's right who's wrong
are my Ruby gems safe or unsafe or whatever
right and I think that's the part about this
all I find really frustrating
is that like a whole lot of people
are still in the Ruby because
are still being disrupted by this
and it doesn't seem like it's going to get solved
anytime soon, maybe ever, right?
Because right now both parties are now just in damage control
and both, again, like both sides on,
I had someone I come up with blue sky or massive on whatever
who was basically, oh, blah, blah, blah,
you seem to have switched sides on this.
And I'm like, well, I don't think,
I mean, rarely in life is there a situation
where side A is 100% right, side B is 100% wrong,
but like this is definitely a situation
where that's not the case.
Both sides have made mistakes.
You may well be inclined more towards one side than the other,
but like both sides have to do things to repair trust and fix things
and improve things moving forward, right?
I'm just jump in real quick.
Sorry, Mike, because I want to do point out like two of the things
from this timeline, then we can move on to the bigger conversation.
Yeah.
Like open source maintainers who have an MIT license indeed owe you nothing.
However, part of the complexity here is like what's under dispute.
And this is just like a natural, like, and I wrote about this in my first post on the topic, like the fact that Ruby, Ruby itself is 30 years old, mostly maintained by a committer group that's mostly based in Japan.
The Ruby Gems as a tool was created in America, by Americans initially, and then hosted in America, has a separate lineage.
And there's a three-legged stool between, like, custody of the code for Ruby Gems, and then later bundler and then later they merge, custody of and management of Ruby the language.
like Ruby gems.org, which is like a going concern and operational, you know, system, uh, that is
running in the cloud. And so from a, from a, from a, uh, accesses perspective, like, we're not
talking about like who's got commit bit necessarily. So when they say that he logged in with
the rude email eight hours after getting noticed that his, his act, his personal access had
been revoked, and then he changes the password. And that's on September 18th. You know,
you scroll down and, and it's, it also says on the 28th, he logged in again while he was in Tokyo.
at Kaigi on Rails, another conference event.
And then it's only on September 30th, seven minutes before our blog post that there's any
disclosure whatsoever, right?
So like if he was concerned about the security, their implication in this post,
if he was supposedly concerned about the security, had there been a, you know, had this
exposure been leaked out to other maintainers or if it was out in the wild or something, like
12 days is an awful long time to sit on that information and not.
disclose it. Additionally, when you go back and ask, like, so why did we get to that point?
Like, what actually happened? You scroll down and the precipitating event to why are we getting
serious about supply chain security was apparently, and this is an event that, you know, predates
August 3rd. So presumably, you know, when, and I haven't met her, Shan, the new executive director
at Ruby Central doesn't have a lot of technical technology experience, but does have
non-profit experience.
I imagine, you know, Mike, if it's as dire as you're saying in terms of like lack of
governance, lack of policies and procedures, my understanding is they didn't even have like
terms of service and privacy policy up at the website until earlier this year.
I suspect she probably came in and she's like, we got to like get serious, right?
We got to run this thing better.
We got to introduce the, you know, standard operating procedure, you know, make
that we're buttoned up from a regulatory perspective.
And then we got to, you know, understanding Ruby Central has been extremely budget
constrained since, since Rails Conf and Rails World turned into the schism, also get the budget
under control.
And so I knew, and I'd talk to Marty about this, I think, like maybe late last year, early
this year when he was taking on the role at Ruby Central, that they were trying to get more,
you know, serious about controlling the finances and getting the budget.
managed well. And so, like, when you, when you go through the timeline, apparently they cut the
budget for secondary on-call rotation for RubyGems.org, which had previously apparently been
$50,000 annually and that all of that had, or that amount anyway had gone to Andre Arco's,
you know, consultancy to provide that service, even though it was rarely invoked. When he was
informed that they were removing that budget, he sent an email to Marty that was, you know,
kind of spitballing an idea it looks like to say, well, in lieu of getting paid in dollars,
if I could be permitted to have access to the HTTP logs that could then be used for
presumably by a company to do some sort of analysis for some sort of marketable purpose.
And you can debate whether there's any sort of like PII implication or if that could be
discerned from the logs. And Mike, my understanding is you probably have being the homebrew guy,
probably been approached by similar companies in the past, regardless of the actual mechanics
and what the, what that would look like, it was pretty clearly not something in the privacy
policy currently or the terms of service. And so that's that email's received on August 3rd.
And then it looks like the board and leadership team. And I'm imagining now, and this is just
speculation on my part. Shan is executive director who's not, you know, still trying to get her
bearings and trying to button this stuff up, probably sees that as like, and this is the person
who has all of the access to all these systems and could just take it anyway and is upset that
you know we're cutting the budget like that's probably the precipitating event and that's how
they characterize in this email of the thing that leads to we got to tighten up the security and
these accesses and get to we don't have an operator agreement signed for all these people who have
the you know operational access and we don't have commit or license agreements for all the people
who are committing to this code base and it could cause you know disputes later and so we got to
get those in place so like first cut everyone's access get the agreements in place and then we can
start to rebuild on a, you know, firmer footing is my understanding of the timeline.
Now, like, that's, that that's what I read reading this, right?
It's like, and it sure, it boils up to unauthorized access, ultimately accused against
Andre and changing the password and not disclosing it.
But, but do I have anything there based on your, because Mike, you've been in a lot of
the same discussions that I have and with some of the principles.
Is anything that I just characterized wrong or is anything you'd want to add to that?
Yeah, I don't think there's anything.
massively incorrect or whatever there.
I guess for me, it's kind of an emphasis thing.
Just to jump back, like, I guess maybe a bit of context
that might be helpful for folks of where I fit into this party, right?
So I'm a homebrough maintainer,
Humbrough being a macOS package manager.
If you've not used it before, you can use it on Linux now as well, fun fact.
Yeah, I've worked on that for 16 years.
I've essentially been probably the main person
since the creator left who's kind of stepped into leadership stuff
and have kind of led us through various levels of financing
and fiscal hosting and all the kind of a lot of the kind of boring non-profit-esque stuff.
But notably, Humber does not have a dedicated non-profit.
We do not have any dedicated employees or anything like that.
But we have an Open Collective, which essentially, if you've never used Open Collective
before, is like a online banking app, but is in the spirit of open source public.
So you can go and see two Humber maintainers went out for lunch about a month and a half ago,
in Singapore together, as our expenses, public docs say that they can do, and they had lunch,
they talked about HomeBrew and they expense that to the project and I approved that expense,
right? So, like, essentially, all the money coming in and out of the project, you can just go
and look, right, without even logging in and see, like, what's going on here. You can't see
people's specific receipts with their credit card numbers for hopefully obvious reasons. But the thing
I struggle with, with a lot of this stuff is, like, okay, like, Homebrew and Ruby Jems will be going for
about the same amount of time. Ruby Gems has definitely received dramatically more money in
that time, I would bet, than Humbru. It would surprise me if it was as little as 10x more than
homebrew. But yet, we, a group of volunteers scattered around the world, have been able to have
transparent governance, transparent finances for like five plus years. And, you know, I appreciate
like this is all part of a kind of tightening process and whatever. But I, the thing that, to me,
all of these kind of blog posts and a lot of the discussion is missing. It's like,
okay, who got what money from who and when, right? Like, that goes as far as Ruby Central
employees, Ruby Central board members, Ruby Central contractors. It goes, like, you know,
there's been a lot of conspiracy about, like, how much Mike Purham, like, has provided or
removed funding. DHS has provided or removed funding. Shopify has provided or removed funding, right?
And I don't even want to speculate on one of those because I don't know what's true or not true.
But the thing I find slightly depressing about it all is, like, it would be very easy to have all that information be at least semi-public, right?
But it's not. So it becomes like an exercise. And I do think, again, like with the like what access Andre had to what and when and how and whatever, I also think, again, what I said earlier about the open source maintainers or you nothing thing. It's like at that point, is he an unpaid volunteer working on a service, right, and providing.
that to the best of his abilities.
Like, if I certainly think from the accounts we're looking at,
had Andre never received a cent from Ruby Central ever,
I think he would read his narrative and be like,
that is 100% defensible, like what he did.
And Ruby Central are 100% of the wrong
because they are a well-funded organization with full-time employees
who, like, sorry, the bar is just much, much higher for them
than it is for unpaid volunteers.
But if volunteers are paid,
how much are they employees? Are they contractors? Like, what's their contracts say or not say it or whatever?
And I think that stuff is where it just all gets very murky. And that stuff is where, personally, it makes me not happy that this is happening. But I've been sort of saying sometimes privately, sometimes a bit more diplomatically publicly for years that like, hey, look, it seems like a lot of people have decided that open source sustainability is a problem we solved by just throwing more money at things.
right and this is the type of thing that happens when we do that right it's not to say that we shouldn't
no one should have been getting paid or we shouldn't have had money or whatever but like once you start
getting a lot of money involved in these things things get very complicated right and you need to have
significant levels of like maturity and governance and transparency and experience in open source and
experience in non-profits to not f*** up and then maybe even if you have all those things you still
thing up, right? But, like, I think that's where this stuff gets interesting for me is I'm like,
well, you know, in some ways, if you were to look at homebrew and look at Ruby Gems, you would
say, like, well, you know, homebrews all this, in this precarious, silly situation because
they don't have a dedicated non-profit, they don't have significant corporate backing, whatever,
but in a funny way, we are immune to a lot of the problems that have happened here, because
we have not gone in so hard on like we now have significant dependencies on paying
significant numbers of people like their monthly wage right and again not to say we're
doing it better they're doing it worse whatever but I think there's a lot of the open source
I guess I sometimes call like big open source right that is trying to push a lot of people
in this direction that like we all need to just get maintainers to be paid full time employees
right and contract everything out and whatever and I think what gets lost is like well
what happens if we do that what are the pros and cons and to what extent that events like
this happen or at least get a lot more messy and complicated than it could have been
otherwise if there was not the same degree of money involved
What if AI agents could work together just like developers do?
That's exactly what agency is making possible.
Spelled AGN, TCI, Agency is now an open source collective under the Linux Foundation, building the internet of agents.
This is a global collaboration layer where the AI agents can discover each other, connect, and execute multi-agent work.
flows across any framework.
Everything engineers need to build and deploy multi-agent software is now available to anyone
building on agency, including trusted identity and access management, open standards for
agent discovery, agent-to-agent communication protocols, and modular pieces you can remix
for scalable systems.
This is a true collaboration from Cisco, Dell, Google Cloud, Red Hat, Oracle, and more than 75
other companies all contributing to the next gen AI stack.
The code, the specs, the services, they're dropping, no strings attached.
Visit agency.org.
That's agn-t-c-y-c-org to learn more and get involved.
Again, that's agency, agn-t-c-y-c-y-org.
So if I were to just jump to the end of this, and then I'm going to jump right back
where you are, Mike.
But if I've ever just jumped again, it's a guy who just types gem install every once in a while or bundle, right?
I know you two.
I've interviewed DHHH.
I've interviewed Shopify people.
I've never met Andre myself.
I'm tangentially related to the Ruby community as a regular old Ruby user.
And to speak to Mike's point from earlier, at the end of this is a RubyGems.org
AWS root access event.
Like if that's what I hear and I find out,
It was days or hours or however long it was.
And was it Andre?
Was it somebody else?
Were they malicious?
Were they not?
Can we verify it?
Like that's a five alarm fire, isn't it?
I mean, I install my gems just like anybody else does, unless you switch over to gem.
com.
From ruby gems.org.
And somebody had root access to their AWS account for some amount of time.
And that's probably all that I'm hearing, maybe a little bit more about other things.
And so the end result is a disaster.
I mean, this has been disaster.
and now we're in, like you said, my damage control.
And so that's just incredibly unfortunate and a fact of history now that I think comes
from whether he said, she said, they did this, they did that, who's to blame, etc.
It comes down to like money has just muddied and created no end of trouble.
And it's just really, really murky now, like how you navigate.
money and open source. I mean, just combining those two things together, which has been a desire
and something I preach for many years, like we need more money in open source. We need to fund these
people. We need to sustain these people. We need to help these people because they're giving
things away for free and then other people are using them and taking advantage and applying pressure
and et cetera, et cetera. But we've gotten some money now. I mean, I'm not talking about it now this year,
but like over the last 10, 10, 15 years, money's come in in certain amounts. You know, it's not
evenly distributed by any means.
And it seems like, I don't know if I can say it's caused more trouble than it's solved
problems.
Maybe it's been better than, maybe it's a net positive.
But man, it sure made things even more complicated.
And I'm not sure how we navigate this.
I'm not sure how we navigate this going forward.
Maybe the answer's complete transparency and maybe the answer is, I don't know, I can't even
imagine an answer that makes sense.
But, Mike, your stance is like, you can't, you can't do it.
You can't do full-time open-source maintainer as, you know, free to work on the project, however they like.
Like, whatever we all imagine would be the perfect life of an open-source maintainer.
Like, there is no such thing.
Is that your stance?
Pretty much.
I mean, Justin's, like, you know, Hot Fix podcast thing was like, okay, come with, like,
a pithy quote that's like a controversial statement. And I think the shortest, pithiest version I got
was like open source is not a career, right? Like, and what I mean from that is that I think there's
plenty of ways to be an open source maintainer and make a lot of money, right? Like I've done fairly
well for myself financially. I have had some doors open for me that would not have been opened otherwise
were it not for my open source work for sure, right? I mean,
arguably, maybe bar my first job out of university, college, whatever, like, I think every other
job, my open source maintenance has influenced me getting that job. But also, every other job
has never has my paid main work been working on open source, right? Like that, I'm particularly
working on homebrew, right? Like, I've, right? When I was at GitHub, I was a GitHub for 10 years.
I had like a couple of months in which I was, you know, given permission to help migrate us
urgently from Bintray to get help packages, right? And I worked on a bunch of internal code
for that. I went on a bunch of external code for that in HomeBrew. But like, bar that,
like, that was not my job. I did homebrew stuff in bits of spare time, in evenings and weekends,
in time between meetings, whatever it may be, right? And that was not what I was paid for or promoted
for or whatever, right? I built stuff internally, right? I guess not unrelatedly. I was,
you know, the first people to, first four engineers to build like GitHub sponsors, right?
So I, you know, that was an interesting thing for me because it was being on the front line
of like, well, what happens that we put a bunch more money into open source? And I think,
like, GitHub sponsors again, it was telling because if you looked, and a lot of this is all
public knowledge, right? If you look at the people who have made the most money out of GitHub sponsors,
they are not the best open source maintainers
and they would not be offended
in me stating that they are not the best
open source maintainers. They are the people
who have done the best job selling themselves
and selling something which other people value
through GitHub sponsors as like
a payment provider essentially, right?
And good on them. That's great that they do.
Right. But there's a lot of people, myself included,
who just slap up a GitHub sponsors, right?
Like I do a lot of Humberg stuff
and I have done for 16 years.
my monthly GitHub sponsors payment is $22 a month, right?
That's not me going and saying, I want to get a bunch more.
I get, you know, a bit more than that.
I get $300 a month from Homebrew as like our kind of maintainer stipend.
But, you know, the reason why I don't get a load of money that way is because I have not
dedicated time and energy into building essentially a sales process for my sponsorship
pipeline.
And that's how it works, right?
If you want to be an open source maintainer that gets funded primarily.
through sponsorships and money and whatever, it doesn't look like a tip jar. It looks like
you are now running essentially like, you know, in the same way that other influencers might
have an influencer economy or whatever. And there's various routes of making that money and paying
those bills and getting that open source work, right? But there's not a single easily trended
path that is not without compromises. And it makes me very cross to see a bunch of particularly
younger main terrorists being told like, no, this is the way. If you follow a
this, you will both be rich and you can work on whatever resource you
want whenever you want, right? That's just a lie. That's just
right. Yeah. Well, hold on, Justin. Let me just say this. For those
who are putting them through the pain of watching us on video, the fringe
benefit of doing the video version of this is for the last 10 minutes,
you can watch Justin sit there and chomp at the bit for his opportunity
because we've said so many things that I'm sure he wants to address so much
know that at one point he was literally holding his mouth shut because he has so many things
to say right now. This guy talks for three hours uninterrupted and he hasn't had a chance
to say anything for the last 10 minutes. So Justin, just turning the floor over to you, my friend,
which of these many points are you would you like to address first? Got to admit to anyone watching
the video, I did get distracted at one point because my pen ran out of ink and I had to write down
because he literally left. At one point, he literally left and then came back. So that was
distraction number two. Distraction number one was I saw somebody texted me that the
Vision Pro with M5 was announced. Oh.
So.
Well, there's a five alarm fire right there. Yeah. If I don't, yeah, just to tell you my
priorities, as one of the five remaining daily driver vision pro users who I use the Mac
virtual display every day, like we've discussed several times on the show even. So I will not
be buying it because it's just basically I'm using it as a monitor. And I'd much rather
just talk about that now. But to try to honor what Mike just said, when we say open source is
not a career, it's kind of running a consultancy, it's helping co-found, help start whatever,
like a consulting company, speaking at conferences, doing some amount of open source, you know,
I was very fortunate in life in that none of my open source was super successful.
It seems like a huge pain in the ass when that happens for the most part in terms of the burden of issues and pull requests and yada, yada.
But I was visible enough that people would come up to me.
Younger folks, less experienced people, people trying to succeed in this industry.
And they would, whether it was about speaking or whether it was about blogging or whether it was about doing open source, a lot of the activities that people saw me do, they'd look at that.
And they'd confuse the means with the ends.
So they'd say, hey, how do I break into open source?
And I'm like, that's a real weird goal.
Because like, I do open source because I'm trying to get something done that makes me money, like working for a client.
And like, we got a, you know, the first real project I did was like, I was a Java client.
And like, we had a whole lot of JavaScript and no way to run tests against it in CI.
And I was like, that won't do.
and so like we started unit testing our JavaScript with the Jasmine like locally well how do you get that running in CI I was like I had to figure out a you know this is back in 2010 or whatever like run a pseudo HTML and JavaScript like fake environment in a Java runtime and and then make a maven plug in that we could incorporate into the build like and I did that on my own time on a weekend or you know late at night or something and then I just plugged it into the client code the next day right and I like
here you go, a gift free of charge because it makes my life easier at work and we're going
to ship your code better, right? And almost every one of my open source projects was that.
It was, I have a job, it pays me money. That job would be massively improved in terms of
the outcomes or my life at that job by writing some open source. So I'm going to solve my problem
and I'm going to make it open because that's, that's easier than getting approval to make
get closed internally, right? Like, if I, if I have some, like, you know, assing an idea for,
heck, how I can make things a little bit better, forgiveness is way better than permission.
Maybe it won't work. Like, why, why would I fight for, like, budget and time to go on some,
you know, escapade to like, hey, I can vaguely improve things in a way that you don't understand
when I could just go on my own GitHub, publish something publicly and then go and consume that
at work. And if it turns out that it's useful, then work is happy to, like, let me spend
some hours building it because then I've got a virtuous, you know, I've got at least one person
depending on it. And that's the person paying me. So then I can keep working on it a little bit and
make it a little bit better, respond to issues and feedback. And that's typically how I've done
open source, right? Like that's one way to do it. And in a very, very small sense that at least
has like incentives aligned where it's like, I make this thing better because it's built for
purpose for somebody who needs it and that's not that's not breaking into open source that's not
saying like okay so what I want to do is I want to work on this open source project and I've seen
this play out lots of times whether it's through the sponsorship deal or you know what um
Ruby together and later Ruby Central did was they actually paid hourly for people to work on
bundler and Ruby gems code bases and when you're like talking about like a high $150 an hour
or whatever it is hourly rate to work on an open source tool,
then a lot of questions arise.
Like, what do you work on?
Who chooses the priority of that work?
Like, it's a, you know, if you're talking about 150 bucks an hour or $0 an hour
with most of the people contributing making $0 an hour,
like, suddenly there's a perverse incentive there to be like,
all right, well, either, you know, what if there's nothing else to do?
Like, what if bundler is a solved problem and basically does everything it needs?
Like, now you've got a perverse incentive to create make work to justify more hours to get more money.
And if the goal at the end of the, if the ends is I want to make a, you know, replacement level tech career doing open source activities, I think like the places that leaves you in terms of the amount of complexity and machinations in terms of like how that funding gets to you and the amount of singing and dancing and and glad handing and arm twisting that you.
need to do to like, you know, extract those dollars from people who might not necessarily see
a direct value or benefit or ROI for giving you that money, it leads to places like this
that are as goddamn confusing as the situation that we're in now. And that's, that's, you know,
I guess maybe a twisted knife version of the picture that Mike's painting is like, this is just
all about at the end of the day. It's like, incentives were not aligned because people wanted to get
paid. And this is where this leads you. And yes, it's really sad that a lot of people do
open source for free, but like a lot of people have hobbies for free. And if they choose to
keep doing them, it's kind of their task. I don't know what to tell you. And that's the thing.
Like, for me, genuinely, open source for free as a hobby is a beautiful thing. Like, and we should
think very carefully before we decide to kill that by either paying everyone, which won't
happen, or by making people who aren't being paid feel like they are being exploited,
right? Like, again, it really f***ed me off, no end, when you have people often with minimal
involvement in open source themselves, going around telling open source maintainers, big
companies are exploiting your labor. And I said, well, if only there was a way to get a big
company to pay me to write software for them, oh, wait, we have lots of that. But the reason
why lots of people, including me, enjoy open source software and have continued,
to work on it for a very long time, is it's like I don't have an engineering manager or product
manager or technical project manager being like, please sign your TPS reports, when will this
be done? Is this a yellow T-shirt or a green T-shirt sized project? Right. Like being able to just
opt out from all of that bureaucracy is, you know, that bureaucracy is important and necessary sometimes,
but it's also nice to not have to do that, right? And when you don't have to do that, you can
operate in a different way and work in a different way and that's fine and again we go back to
the open source maintainers are you nothing where it's like if someone doesn't like it like I mean
there's legitimately issues on homebrew that people file and it's like this is a legit issue but you're
being a head about it so I'm just going to close your issue and when they're like oh but then I'm like
well tough tough luck I can do what I want right but if I'm a paid employee and if that person is
a paid customer right in some companies you can do that right sure
Right. But that's not terribly advisable. And I think this goes back to what we were saying about
perverse incentives and who gets paid and who doesn't get paid. It's like, well, open source maintainers
owe you nothing. Sure. People who are being paid to do something owe someone something, right?
Right. And it might, and again, in Homebrews case, we specifically do. We have like all open tooling
and open documentation and blah blah, blah, and we pay maintainers that hit a certain threshold,
$300 a month. We call it a stipend.
There are people for whom I'm sure the average, you know, American child delivering newspapers,
if that's still a thing that happens, like is making significantly better hourly wage
than some of these open source maintainers are.
But it's fine because that's just a token amount for appreciation for them, right?
And we're not like, but even then we have had, it's not, we've not done anything publicly or whatever
because we try and in homebrew do a reasonable job at keeping some of our drama behind closed doors.
But even in that case, for a very small amount of money, we had a person with a very well-paid day job who was doing the wrong thing, essentially because they wanted to hit a threshold to get an extra 300 bucks a month.
And that made us reconsider how we do this stuff.
But to go way back to something that Justin said right at the beginning, right, like about, you know, he did open source to solve his own problems.
Right. Back when I got involved first with open source in the heady days of the Linux desktop,
back in 2007 when I did my first Google Summer of Code and met a lot of these KDE people
and I was like a Linux guy.
The thing that people used to say all the time then that I never hear anyone saying now
is open source is about scratching your own itch, right?
And what people meant by that back then was like open source is primarily about solving
your own problems and then releasing it in a way that other people can benefit from you doing
that, right?
And that's why I did it and it's why I do it because when I work on HomeBrew and I make HomeBrew
a little bit better, it's usually because something in home brew annoys me, and I use
home brew, therefore I make it better. And that's completely the opposite from the attitude
that Justin was saying of like, how do I break it into open source? It's like, well, whenever
anyone's asking me that, I'm like, well, find a tool that you use, find something annoying
with that tool, and then go fix it, right? And they're like, oh, but, you know, I don't know
JavaScript yet, or I don't know this, or I haven't contributed to that codebase or I can't
find a mentor or whatever. And like, again, as we're being a bit more spicy on this podcast,
it's like, well, congratulations, you lose.
You're never going to be a successful open source maintainer, right?
Like, I've never seen someone who's been an good open source maintainer who has been
taught into being so, right?
Or encouraged or given enough money that they kind of finally get over a line or whatever,
right?
That helps people contribute and it's great and we shouldn't discount that as being a thing
that we do for some people sometimes.
But like most of the time, most of those people, it's intrinsic internal motivation
that gets them to do this stuff, right?
And it's, that doesn't come from, I want,
money, I want clout, I want my resume or CV to look better. It has to come from like,
I just want to do it because it's interesting and fun for me, right? I think this goes beyond
open source software because the pattern is very generic. It's like, I love doing X, so I do it
for fun. I would love to do X more. If I could only make money doing X, I could do it more.
And then X becomes not fun anymore if that's successful. Like basically that's the pattern.
So it's not just software, but creation of all kinds. Anytime you can
parlay your hobby or your passion into a job your passion is now your job and your job's a job
and jobs aren't fun even if you can you can add to that jared because then you can you can take all
your friends you have good relationships with and i tried this one it was a lot of fun and then you
hire your friends and then your friends aren't your friends either that's right and you live in a
basement in oh my god what have i done with my life i've destroyed my hobby and my friends
but I got money in exchange, you know,
we're just training it all in for money.
Yeah, that's the unsolvable problem, I think, right there.
And I, you know, for years and years,
we've been looking for more paths to funding,
more ways because there's so many different kinds of open source.
And there's ones that have an easy time making money
because they are right there staring you in the face,
like they're like end user applications.
And then there's the dependency,
the dependency, the dependency,
only has a GitHub account and is not on any social networks and it's never going to make a dollar
on their GitHub sponsors because nobody even knows that they're transitively installing,
you know, XZ, for instance, just naming one that was exploited.
And so maybe I just thought there was different models.
We need to just to explore all these different models.
And I remember going back years to Nadia Ekbal's Lemonade Stand repo, which she published
back when she was doing her open source funding, writing.
And she documented like, here's all the different ways.
programs, OpenCore, blah, blah, blah, blah.
And it's like, pick one that helps you.
And we've explored on this show over the course of, you know, a decade now, different
people doing these different models.
And with more or less success, at the end of the day, the happiest people that we've
ever talked about, talked to about their work are the ones that are like, yeah, I'd do
this for fun.
I'm not going to monetize.
And it's like, that's, that ends up being the healthiest relationship to your open
source code is I do this for fun. I'm not trying to monetize it because every one of these
models, we can go through them all and they all produce at some point the perverse incentives
that have happened in the Ruby community. To me, it's not even monetization versus not. It's like
direct monetization versus indirect monetization, right? And I can't remember what it was. I'm sure
it's some much wizened old philosopher or whatever who said this. I'm going to paraphrase it
and butcher it horribly. But basically like the idea of like the best things in life,
are achieved indirectly, right? So, like, let's not be overly crude or try and be relatively
diplomatic. But basically, you know, for example, if your goal is romantic companionship, right,
there's ways of getting elements of that very quickly in exchange for money, right? But most people
would say that actually, that's probably not the most fulfilling long-term option. And the most
fulfilling long-term option, you know, I've been with my now wife for 23 years. Like we have a
perfect marriage and relationship. I'm very, very happy. That takes a lot of time and effort, right? And
again, I have almost like a pending blog post brewing about just being patient feels like it
pays a lot of dividends on this stuff. Like I was at GitHub for 10 years. I've been with my wife for
23, my best friend who comes around to my house, but currently watching Alien Earth is very
good we've been friends right now you're watching it well i mean not right now because i'm on a podcast
okay well you said there your best friend coming over and you're currently watching alien earth
i'm like dang this guy can multitask i'll do my i'll do my best to multitask but yeah i mean we've been
friends for like 30 years right and most of i'm homebrew for 16 years like most of the good
things in my life are things that i have done for more than 10 years right and there has been
ups and downs in those times and there's been times where if you were to look at some tiny
microcosm of like the first you know months or weeks or whatever or particular segment you'd be like
oh well this isn't worth i'm going to bail i'm going to quit i'm going to move on right but again like
all of these things are things that i've got and i have made me very very happy and i'm delighted with
not because i wanted to make as much money as possible or have as much whatever as possible
human relationship interaction whatever but just because like i enjoy the process
going along and I still enjoy the process going along and that tends to get you to a very
good place. If every day you enjoy your life and you keep doing that and keep enjoying your life
and at the same time, you know, stuff like money, you're like, okay, well, I need to pay the bills,
I need to make sure that I make enough money to provide for me and my family and whatever,
but you're also really excited about what you're doing, then that tends to work pretty well.
and if you go and chase like maximum financial return for anything right on the short-term basis
like okay you might make a bunch of money like often you don't but you're probably going to be
miserable in the longer term and you're going to be like why am I doing this and I need to quit
and whatever right and that's i mean almost that's the definition of sustainability right like
when we're not talking about open source sustainability when we talk about anything being sustainable
the idea is how do we get people to be able to do this for a long period of time
and without being a, you know, a cheeseball, like open source sustainability comes from within,
like the reason why I have been able to do it for a long time and not burn out. And literally
in that 16 year window, I don't think I've gone a month without working on home brew.
I've maybe not even gone three weeks without working on home brew. And the reason why is
because I enjoyed it then and I enjoy it now. And I know what I'm willing to do and what I'm
not willing to do. And for me, it has to stay enjoyable or I'm going to quit. And I built a group of
maintainers where I'm very protective over them because I know that's the same for them, right? And
to me, just almost looking at yourself in the mirror and be like, am I enjoying this? Is this
good? Like, and if it is, great, do more of that. And if it's not, then just stop, right? And that
terrifies a lot of people because it's like, oh, well, open source will collapse and we have all
these maintainers who walk away. And it's like, well, actually no, because someone will step up and
do what needs to be done if what you're doing is really important. And that's, that's maybe the
hardest part of it all is like maybe that open source project you've spent a huge amount of time
and energy into maybe it's not that important maybe it is replaceable and maybe your role is
replaceable and that sucks to look in the mirror and think that but maybe that's true maybe you need to
do that look if you're watching this video you're going to be probably noticing that like
we're three white men you know the the collective noun for white middle age men is podcast I
I get it.
But it's true.
And one thing that a piece of context, right,
about like that 2015 to 2021 era,
especially in the U.S.
politically is like this conversation about like,
you know,
just being tutted by older guys who were already successful in their careers.
Oh, just do it as a hobby.
Just do open source in your free time or something.
When that comes into contact with this motivation that like open sources and ends,
not a means.
It's a way to get because highly visible.
people are doing it, people rightly assume, you know, for whatever reason you're doing it,
if I were to do that at the same stage or at the same level of impact or in the same high profile
project, then I too would be highly visible. And therefore, I could parlay that into,
you know, more marketability, right? As an employee, I'd be hired in at the staff level or the
principal level or I'd have better employment prospects. And so there's a, you know, even though I started
doing open source to scratch my own itch to Mike's point. And that's still the reason I'm
ever motivated to do it. It created a virtuous cycle, not just for my employer to be able to
benefit from my hobby work, but for me to be able to parlay those projects into new relationships
and credibility because your GitHub profile kind of redounds to like at least some kind of proof that
this guy can write working software. And this is what it solves. Right. And mixed in with all of that is
like, well, what if you don't have the free time or if you've got family responsibilities
or there's some other, you know, systemic reason why you aren't able to just work for free
and make this time possible. It's creating an avenue for more privileged people who do have
that luxury of time to pursue that hobby. And then, and then even though it's just a hobby,
It's not like, I definitely made more, more money out of my, like, programming habit than out of my Japanese language acquisition habit, you know, like, in terms of a hobby.
So, so, like, that's not, that's not lost on me here.
It's just kind of a fact of life and I don't know how to solve it because when you try to solve this through the lens of, and that's why we got, like, when the conclusion, and I heard this a lot in the late 20 tons was, and that's why we have to pay people to write open source.
I was like, that's, there's just so many, like, you know, the number of circles and loops necessary to kind of connect these dots together in a way that's actually going to get the outcome that you want is so convoluted that this is probably just going to make things worse.
I can't say we're in a much better place in all of these experiments where people are, and to again, to Mike's point, where people are being directly compensated for their open source efforts, especially in an ad hoc or a, or a.
you know, semi-directed pseudo-employment manner, like through, you know, contracting and through
kind of, you know, like an amalgamation of funds and sponsors and donors, like, I don't know
what to do. I just want to, I just want to put it out there so we don't get emails about
privilege. I'll be honest. That's why I said those things. I think that's a good point. And I think
it's well made and I'm glad you made that. I think for me, my take is like, should we try and
improve the diversity of open source, et cetera.
Like, yeah, we should.
I do, like, hopefully all of us would agree with that to some degree.
But I also think not everyone having the free time.
Again, it's one of those things where if sometimes I think the people pushing a certain
narrative haven't done the five wise on like the reason why they're often doing that
is because they themselves come from a position of like, you need to do open source to
have a really great career, right?
And I'm like, well, no, I've worked with plenty of like staff plus engineers at GitHub who are phenomenal engineers who've literally never done a single open source commit ever, right?
And I would not tell those people that they should or shouldn't, right?
Like, considering the number of open source related emails I've had that have fascinating things to say about the size or presence of my and whatever may relate to that and various interactions with my mother, et cetera,
Like, I don't encourage anyone who, like, doesn't have a current interest in open source to sign up to receive those types of emails, right?
And I don't think we're going to solve that problem anytime soon.
But I think that's the thing.
It's like, do we see open source as, like, an essential on-ramp that we have to use to, like, get people to be successful in the software industry?
And if you start from that, like, prior, then it's like, yeah, of course you're going to start thinking, like, we have to improve diversity and pay people to,
to encourage people in because otherwise
you're just going to really
fuck up the software industry by not
like solving that but I don't think that is a problem
and ironically I think that is a problem that is
exacerbated by people saying
we have to pay and we need to put more money in
rather than it being solved by that
right because
no one has to write open source
right like that's I think that's the
fundamental thing if I can say anything to any
person listen to this it's like literally
if you have a job where you write open source
even if you're a paid employee or contractor or whatever like I'm sure you can find something
else where you don't have to do that right like everyone writing open source in some degree has
some element of choice maybe not short term maybe this month mortgage payment relies on you
you know writing open source and whatever right but like long term in the career and also something
just you said you pointed this out on your podcast a lot about how there was this golden age of you know
the three of us, again, are probably similar sort of age.
There was this golden age of programming, like the early 2000s where, you know, if you came
out and you were interested in open source, like, chances are, that was going to help you
into a reasonable tech job, and you could probably make a decent amount of money.
And then now we're seeing, you know, like things are completely horrific for a lot of juniors
trying to get into the industry.
And I think that's the thing.
It's like, I don't like that.
I don't think anyone in this school likes that, but you can't, we can't just magically go
backwards and undo that and fix that. And I think often the people I hear advocating this type
of stuff around open source just have wishful thinking of like, no, if we can go back, we'll do it
right this time and we'll like reinvent it and whatever. And so, well, that's not how it's been.
And I loved your point, Jared, about how this is just universal for hobbies, right? Like,
we could probably have had exactly the same conversation we had right now about like music or
whatever, right? Like, and money and whatever. Like, I remember when I was at GitHub and there
was, I can't remember them the name of the band. It was some like top 10 indie rock band and one
like GitHub conference like GitHub had paid for this band to come and play. And the band came out on
stage. Was that when Cold War kids played at a summer? Yeah, that's the name of the band.
But like having been there in the room and I think there was a Silicon Valley episode that was
loosely based on this, like they came out and started playing. Hold on. I got to interrupt you.
Like if you don't know this, like most Silicon.
Valley episodes were based on interviews with Chris Wonstrith and people.
I've rewatched it all recently with my wife and it's aged well.
But anyway, so they came on stage.
They started playing and like 75% of the people immediately left the room because they
were like, I don't want to be here, right?
And I'm going to confess something to the, you know, the two of you here.
Hopefully no one else hears this.
But, you know, like I used to be an aspiring musician.
I have anyone in video can see my mostly now unplayed guitars behind me, right?
And I immediately thought to myself, what a bunch of sellouts, right?
Like, I would hope to myself that I would never be at a level where I would take any amount
of money to go play to a room of nerds, myself included, like, who don't want you to be here
and would just immediately leave the room as soon as you start playing, right?
Like, and again, like, you could say, we can have the same conversation, money and music,
right?
Like, was that bad that they had that money or took that money or whatever?
right like I'm not a musician
I'm sure lots of musicians are very angry at me
based on what I've said and I'm being a massive
hypocrite but like yeah it's
I'm sure there's another podcast I'm an identical
conversation about this and I think like
we're not special in software open source
and this is not the first industry to have this
problem no will be the last
no I think that's a great point and I think
that I've said this before that people
by and large people don't
make music in order
to make money they make money
so that they can make music
right? And I think that there are people who've done both. And they're called rich and famous rock stars or whatever. And of course, people idolize those because wouldn't it be the dream to be able to be rich and famous and make music? Like that's, yeah, that's a lot of people's dream, which is why it's really hard to do. And we draw that across to open source. And we have had some people who've made livings, who've made really good livings, publishing open source code and creating a following and becoming whatever you have to be.
in order to get that done, you can go to the top of GitHub sponsors and see a few of those people
there. It's an entirely different skill set, just like being a rich and famous, you know,
rock star requires more than being able to play the guitar, because lots of people can play the
guitar, but there's more to it than just that. One of those major factors, in fact, is timing and
luck and has nothing to do with who you are, your skill set. Another major factor is what you
look like, unfortunately, but that's the case. And so open source as career,
might follow the exact same trajectory as music as career. It's like, yeah, a few lucky,
very privileged people find a way to make that work and they live a great life. And the rest of us,
it's like you got to decide if you want to do it or not. At the end of the day, open source is a gift to
the world. It's you giving back. A lot of the motivations for doing it is people saying, well,
I got so much for free that I felt like I should just give back. And so that's what I do. And so
that's a gift and a gift comes from a place of privilege. You have excess and so you give it. And one of
the beautiful things about the digital economy is that we can give it to everybody, whereas if I was
going to go out and buy a new Vision Pro M5, I could just give it to Justin. I couldn't give it to the
entire world. It's an amazing thing to be able to do your work once and gift it to the entire
world and sometimes it just has to stay that you got my address right for that i figured you already
have it on order so i'm probably just no no no not not yet you you need the phone you got to scan your
face again i'd buy you the new ones so you send me your your original maybe you got it i got jess and
sirrell's original vision pro there's a thing here right because we're kind of conflating programming
and making a living programming and open source as like a hobby activity or whatever and just like
music, there's a difference between being able to play music as a skill.
Being able to program a computer is a skill.
Right.
And being a songwriter who puts love and craft and passion and creativity and
something of themselves into the music that they create is a passion, a craft, you know,
it's an individual pursuit.
And yes, if you do that, you are lucky to get paid.
And if it does all work out in the stars aligned, then that's a guy.
miracle and good for you like but at the same time getting paid as a musician with that skill
to go play gigs like there's a guy who you know sings at the lobby bar at a hotel next to my
house every tuesday yeah and he's mostly playing you know wonder wall and and you know
the country road and yeah and like he's not there for his health but like there's a transaction
happening and i don't begrudge him at all right it's like that's you know there's ambience
and there's music and so like hell you know the cold where kids made me
laugh, Mike, because across the street, there's a new hotel that opened. I live in Orlando,
and it's just all resorts and stuff and pools and whatnot. The new hotel opened earlier this
year, late last year, and they had the Google Dolls play. And I was like, hell yeah, I'm going
to go over for a free Google Dolls concert and free food and drinks. And, uh, yeah, right? And it was
great. I don't regret them at all because that was like, that was them applying their skill for,
for money in that, in that sense. You know, I mean, the songs were written all 20 years ago and
everyone's really old and they look suspiciously good and that made me wonder about how they're
maintaining that but like when a programmer is applying that skill to make money at the at the end of
the day somebody whoever's paying that money is going to be looking for some kind of value
out of it and if you and if and if you're whether you're you're working uh for somebody and
they're you know why do we have planning sessions why do we have product owners
why do we have requirements handed to us?
It's because the things that we're typically being asked to build as programmers
are at the behest of somebody else who wants to see that software built
or continue to operate or to be refined or whatever
in order for them to extract some kind of value out of it.
And just like with the singer-songwriter who can like eventually get to the point
where they get to open new hotels and get paid to sing their own songs,
like every now and then you get really, really lucky.
Like you, I worked on Ruby and Rails for years and years
years and now there's a Ruby and Rails team at a company like Shopify and they hired me and I
get to continue doing the stuff. I talked with Aaron Patterson's a good friend with me of mine and
yes, that's part of my bias and my allegiances as I talk to like that crowd of people more than
the maintainer side of people who are involved in this particular dispute and fully own that.
But like, oh, I'll talk to him about his job and it's confusing sometimes. I'm like, well, he has
work stresses here and there and stuff. But like at the end of the day,
he makes good money doing doing that for Shopify.
Shopify gets a lot of benefit out of that.
But like if he were to quit,
he would basically be doing the same thing every day for free.
You know,
like so that is the stars completely aligning.
And you know what?
Like I know half a dozen people for whom that is true out of how many thousands of people
that I've interacted with.
And so it's just an unrealistic thing.
And now this is back to Mike and this our original kind of hot fix.
premise it's an unrealistic thing to just plan on your career being that it's way too high of a
bar it's way too skinny of a bottleneck to hope that you're going to like with any level of
confidence squeeze through because so few people do and not for lack of trying well it's like all
the youth right now they all want to be YouTubers or or TikTokers and it's like that's the it's the new
version of I want to be a rock star. It's like, do you know how many rock stars there are? There's like
seven of them. Yeah, but the influence your economy, I think that's, it's similar. And I think
it's been democratized to a certain degree. Yeah. And we're, I guess, as again, like, you know,
three white men in our 40s, like we're probably like, if we had like some Gen Z guest on,
yes, it's Gen Z because I'm British. And then we, I'm sure they would have a very different
perspective here. But again, I sort of wonder whether some of this comes from like the
the concept of like the side hustle right where like the side hustle is often the like I have a
hobby and I am going to on top of my job I am going to monetize my hobby and hopefully I can get
to a point like you said earlier Jared like where my hobby can become my job because I fully
monetize it and I can pay the bills and whatever right and I think again music is an obvious
example right where there are people for whom music is their career right and they I know some of them
for whom they then go home
and they are not interested in playing
or producing music in their spare time at all anymore.
Like, I would just do it for money.
There's people for whom they are not interested
in ever making any money from their career ever, right?
In which, if we wanted to have a horrific open source metaphor,
you know, some, like, I was going to say, man or woman,
it's probably like a dude with long hair
playing their guitar around a fire while their friends,
some of them might want to listen, probably most of them don't.
You know, someone could go up to them,
you're being exploited for your labour,
like you should be paid the same as Taylor Swift for this, right?
And it's like, well, actually, no one wants to pay that person
because they're not very good and they don't want that job, right?
That person is doing it entirely as a hobby.
And then there's the people where there's like a blend between the two.
Maybe it's their hobby and it's their job, right?
And I think that's the thing.
It's like career, hobby, both, right?
And all of those are acceptable options, but it feels like this stuff often gets conflated.
And even someone like Aaron Patterson, right?
Good example, right?
he's written a absolute boatload of open source code of the years.
It would be interesting if you went back and somehow did accounting of like,
okay, well, what's, that's almost take the amount of money you've been paid to write open source.
And then the amount of hours you have spent doing open source and hobby related things,
say any work on a public repo on GitHub in your entire history as a programmer,
and let's figure out what your hourly rate is.
And my guess would be like it's obviously,
getting better each year that he is employed by Shopify.
But my guess would be it's actually a lot worse than you think it is
because he, again, like musicians, right?
Like, musicians are not going to pay to play their scales, right?
People are just sitting.
When I used to actually be a half decent musician,
a lot of it was just sitting and spending two hours
playing the same riff again and again and again and again,
slightly faster, slightly faster, slightly faster, slightly faster, slightly faster.
And like, you know, no one's going to pay you to do that really boring stuff, right?
And it's, I don't think open source is dissimilar.
And, like, what I worry about is, again, I'm from an era of which it wasn't clear that open source was going to win, right?
When I was at university, there was still all the kind of, like, Linux and, like, I can't be the name of the company, that basically there was this big lawsuit and, you know, Steve Ballmore, Linux is the cancer, all this type of stuff, right?
And it looked, it was like a battle between proprietary software and open source software.
In some reason, the only reason we're even having this conversation is because open source software so clearly and unambiguously won.
And I, maybe I'm being paranoid here, but I worry for a world in which we say, okay, any big company that uses any open source software in any capacity is extractive.
And unless you are paying all those maintainers, a Bay Area, like, living wage, then you're an evil company.
Like, what happens if we actually go older than that viewpoint?
Like, do we make those companies be like, well, you know what?
I'm actually not going to touch open source anymore.
I'm just going to pay a team internally to build this stuff, right?
And for a lot of people like me, that would be a very sad thing, right?
And that would be the end in some ways of a lot of the non-hobbies, like, open source, right?
And I just think where does the money come from to pay every single open source maintainer with 10 stars on GitHub, like a living Bay Area salary, right?
Particularly, as Justin said, we say to them, hey, we just give you that money unconditionally.
You don't need to have a product manager or whatever.
you just build whatever you think is best, however you think is best, right?
Like that's, I mean, it seems ridiculous to me.
Maybe that's just me, but, like, I think that's the logical conclusion we get of the, like,
peak we should pay everyone because otherwise it's an ethical argument here, right?
Right.
Yeah, to that point, we just did a show recently with Farras, Abukadija,
about NPM security in light of the, just the onslaught of NPM hacks,
which have been going on and continue.
I think after we published that, there's even some newer ones.
And one of the things, and he runs, you know, he owns and operates a socket security company.
And so he's very much in the infosec world and talking with, you know, CETOs and CEOs of larger corporations.
And they're saying things like, well, this is not because of open source sustainability, but it's because of open source security and this, you can't trust a network thing.
They're starting to have those conversations, especially because the, you know, first time to say it on the.
episode. I'm glad we're over an hour in. Because of the new enthusiasm around AI code gen tools,
they're saying things like, you know, do we need MPM? Should we have, should we, this is not
should we contribute? This is, should we even use Ruby gems? Why don't we just write everything in
house? And like that is starting to percolate amongst leadership in, you know, Silicon Valley
companies. And you add to that an open source tax, so to speak, of whatever, whatever it would be,
Mike, when you talk about every maintainer has to get this much money there for, every user has to pay in according to their dependencies or however you'd actually work out the impossible logistics of all that, it would just be one more reason why people would start to opt out of the economy altogether and say, yeah, because I look at a world, I don't know if we're going to get there, guys, where my co-gen tools can reproduce for me, instead of vendoring a gem, why don't you just reproduce a gym?
And now I don't think we're going to be there myself anytime real soon, especially with gems such as large, you know, rails, for instance, which is not a gem.
It's a meta gem of many gems.
But the smaller ones, it's like, why would I even have, why would I care about open source?
I can just generate everything.
Jared, it's funny you mentioned this because it's not just your fever dream, but it's like increasingly a thing that I am also hearing.
In fact, I, I'm living it, but I, okay.
My brother, Jeremy, he works for Cars.com.
He's an elixir programmer.
And he gave a talk at ElixirConf last month, which I don't know if it was the title,
but basically the thrust is zero dependency software.
Like instead of pulling in these dependencies,
and it's not from a security perspective,
although that's when you're talking about open source tax,
most people aren't thinking about how this stuff gets funded.
They're thinking in terms of the, yes, maybe the security.
concerns that like I don't trust the software necessarily, especially if you're in a regulated
industry and you got to go and have or have lawyers go and check licenses and verify all that
stuff. There's that tax for sure. But more so like I now, you know, I am running code that I don't
control or understand and it's going to have its own update schedule and I have to keep all of these
dependencies up to date. And of course, of course the NPM community is famous for like really, really
tiny modules, and that's lots and lots of things that you have to keep up to date.
And so that upgrade burden is really high.
And right now, you take ClaudeC-C-L-I, you point it at a read-me, and you say, all right,
go clone this repo.
And I just want this section from the read-me.
I just need this kind of a couple of features right here.
Just go clean room implement that for me, if you don't mind.
And like, it'll do it.
And you can just vendor that into your point, you vendor that into your project.
And so, like, I'm working on this podcast.
party Rails app. And since going with agents, I'm trying to think now, I started working with
agents in April, you know, started with, you know, the GitHub co-pilot stuff, moved on to Cursor,
moved on to Claudecode. Now I'm in the heart of drugs. And I think that I may have added
zero new gems, like zero new dependencies, definitely zero JavaScript. And you're doing like
OAuth stuff. You're talking to APIs. It's almost all integration work. Yes.
I would be, you know, this would be for me to, as a starting point, it would be all gems.
I'd be like, I get the, the blue sky gym, I get the Instagram gem, right?
I owe off gem and then I just like tie those things together because it's just posting, you know, across different social networks.
I don't say just to be a little it.
But my point is like, I would expect that to be mostly third party code.
And 10 years ago, that's how I would have done it too.
But, you know, it's not just because of AI enabling this.
It's like I learned the hard way that if you're writing code that's basically glue code of like eight other.
different things like it's kind of like you're on one train and trying to jump onto another
moving train, you know, like in real time is to try to keep everything in line and you're
just holding the stuff together. And so, no, I've written, in fact, this week I'm rewriting
my LinkedIn integration that, you know, it's not just a whole bunch of HTTP request to post
stuff. You've got to like wait for it to download. So you need another whole series of, you know,
self-in-kewing tasks to go check to see if the download's done. And then my wife, Becky, is
well, if it doesn't support stories, I'm not going to use it.
So I'm adding story support, which I think has like supported by as far as I know, no,
definitely no Ruby gems, but I don't know if any dependencies are doing this much.
And so, so the nice thing is that, you know, when you own the code, you can build on top of it.
And when it's inside the code basin, it's part of the context of whatever your agent's doing.
Like, there's a lot to be said for as the cost of code, and this is how we tie back to this conversation,
as the cost of code basically craters to zero asymptotically here.
like the writing of the code is not the part that is necessarily making is worth money anymore.
So if I'm a maintainer and I want to get paid to write open source code, like that, the market dynamics for that are also flatlining right now.
And so what we could be experiencing, this conflict being a flashpoint.
And, you know, where did it all start?
According to Ruby Central, it started with them cutting budgets, right?
And why were they cutting budgets?
Because sponsorship's declining.
Why is sponsors are declining?
Apart from the macro stuff and apart from the conference stuff that that Ruby Central also runs,
I think a part of it is like a general sense that we've already hit peak open source, right?
Like in the sense of the like people's unpaid labor is the way that we're going to get all of this stuff built,
not in the sense that things are going to be necessarily open or built on open protocols and platforms,
if anything that's probably going in the opposite direction.
But the value of an individual programmer going and hacking out a particular,
issue or our PR is going to go down if like now you can just at codex something or at
clod something. And Mike, you've been working with this too, like using copilot agent and finding
it. You tell me how you found it. Yeah. So I mean, it's funny because a lot there's a lot of
co-pilot related stuff. I was one of the first people to test an internal beta of that as alpha
technically. And the reason why lots of people in so like GitHub would like me to test things is
because they seemed to be allergic to telling people that things were good when I thought
they were a heap of shit, even when it was strategically and politically advisable for me to
say, like, this person's pet project is wonderful.
And so, yeah, my feedback on co-pilot pretty early on was like, wow, this is surprisingly not
a piece of shit.
Like, when you describe, I mean, you have to remember, like, when co-pilot came out before
ChachyPT and stuff, right?
Or at least it was being Alphid before that.
So this sounded like ridiculous, right, that we would like use AI whatever.
And I was like, wow, this is a better auto completion for Ruby than I've ever seen
using any ID or indexing or whatever, right?
And it immediately made me more productive.
So fast forward to the kind of co-pilot coding agent stuff.
Again, I saw the kind of memes on how can use of like Microsoft employees being
encouraged or forced to use this publicly and just being an absolute disaster.
And I was like, lo, I'm going to try this out.
And again, like maybe because Brumbreu has borderline fascist.
issue templates that demand everything of you and essentially like force you into
Mike McQuaid's opinionated way of how you file a bug right but if you follow that
template properly it's actually really great context for an LM particularly when it has all
the comments of us discussing it right and I basically just I think a couple months ago
assigned every bug in the Homebrew Package Manager to copilot agents and then you know it's
took a couple of weeks. Some of them got their 99%
their first time. Some of them got
50% in the way and I finished off a lot of the stuff.
But essentially, in two
weeks, those were all fixed, right?
And you can go and look at the public
record and see how well that went or didn't go
or whatever. But anyone who says
this stuff is not a productivity boost
is, like, in any
circumstance, is massively kidding
themselves. And the awkward reality
of it, again, back to the conversation is
I would say, is copilot agent
great? Does it avoid
avoid handholding? No, definitely not. Is it better than the standards drive by a
home brew contributor? Jury's out, right? It's certainly comparable. And I definitely think
at this point, like the first iteration of PR, I would struggle to tell me those reasons
between co-pilot and a first-time contributor, right? A homebrew maintainer, and indeed myself,
who's worked on homebrew longer than anyone else, will do a much better job. But even then,
like I find myself leading on it because sometimes it's like there's 10 ways of fixing this
copilot a good pick one right and whatever mess you make I will clean that off and get it over
the line but it's that like empty page problem and yeah I think this I'm probably not quite as
not like pro AI but like I don't maybe buy stuff quite as heavily as Justin says about like
the cost going to zero but I definitely think it's impacting stuff pretty heavily and I
think we're in some ways seeing like a reversion in the tech industry of like back to what
skills are valuable who's valuable whatever right and back perhaps to being like maybe tech is
just a slightly less fun place to work right like going way back for me like back in 2009
I got a job on like the third application or whatever to a company called KDAB who I knew
about them because they employed more than anyone else of KDE maintainers in the KDE ecosystem and
I was like a big Linux on the desktop guy and been contributing to KD.
I was like, woohoo, I'm going to go work for this company and I get paid to write
open source, right?
I discovered pretty quickly on my first like 100% open source project that it's like,
ah, actually getting paid to work on open source as a consultancy looks like very tedious
boring work, right?
And I can probably say specifically now, considering it's been that long ago.
So K Office, which was like KD's like open office alternative, essentially like a corporate
sponsor was like, we want K Office to be good.
here's a spreadsheet with 5,000 regressions
compared to Microsoft Word in K-Office
go for these particular import documents
go through and just fix these line by line one by one
incredibly tedious work
no volunteer wanted to spend their spare time doing it
so a company paid people to do it
right and again this kind of comes back
to a lot of the stuff in the early conversation
all the fun enjoyable parts of urban source
I don't think you're ever going to struggle to find people to do those
at least not until you tell them all
they're being horribly exploited by capitalism
by doing so. But, like, there's
going to always be a bunch of really
boring shi-deas work in open source.
Maybe it's supply chain security stuff.
Maybe it's whatever. That's the stuff
we need to get the money towards and fund. The stuff that people
don't want to do. And
I think that's going to be there.
And again, it's one of those things where
the jury's out with all the supply chain security stuff,
whether the costs of that balloon
beyond what people are willing to pay, right?
Like if we have a team internally or we have LMs that mean that we don't have to pay this tax, then maybe that's what we do now.
I've seen some people on the internet be critical of like in way back to this Ruby Central, that organization we're talking about at the beginning of this conversation, it kind of incited this back and forth.
That Chan, the new executive director, is not technical and not from technical communities, but rather is like more there for her nonprofit experience.
You know, I remember when Ruby Central was just Ben and Evan, and then they added Marty, like in 2012 or whatever.
And it was just the three of them as the chair people, I guess.
And all Rubyists, all programmers, and that felt right.
And back then, in that era that we kind of keep hearkening back to, the writing of the code, the building of the tool that, like, you know, the brilliant API.
and just the blood, sweat and tears to get it over the finish line at a high enough level of
quality, whether it's a CLI or whatever it is, a library, and then to publish it, that was
like where all the action was, that was the work, that was the thing that required brilliance
and that's what the market was, you know, rewarding so handsomely in terms of great tech salaries.
If it's the case that it is now no longer, you know, an incredibly rare thing to have capacity
for writing replacement level decent code,
that means everything else now is more valuable.
And so to Mike's point,
if I'm running,
if I'm operating a service and,
you know,
Jared was scared,
he said.
He bleeped it out.
No,
I'm kidding.
I believe the whole,
I must have bleep the whole sentence out,
because I don't remember saying that.
I want a more bleeps,
more bleeps for a minute.
I want to beat Mike.
I was lying earlier.
I do want to be there.
Oh, gosh.
He's got you down.
He does.
But like,
if I,
if I'm running.
a service and I'm going to be scared, you know, bleepless to have a root-level security event
occur at the place that I'm downloading all of my gems, which could then be root-kitting
my computer for all of I know for, I don't know what it was, 12 days. Like, I'm actually really
glad that the executive director has a, like, the hat on now to finally, like, shore up the
governance. Make sure that, like, their regulatory and their, their finances and their
situation is all buttoned up and probably, I think at the end of the day, we'll probably end up
being much more transparent than they've been in the past, which was just the result of negligence,
I'm sure, and not malevolence up to this point.
Like, those are actually the skills that are more valuable because you can't just easily
replace them.
It requires good judgment and diligence and, like, experience and oversight.
So, like, you know, part of this is a story of just an organization maturing, but I think
part of it is also like a reflection of like the change in what's what's valuable and important
right now.
And as you look at open source or your conversation with Farras, which I thought was excellent,
you know, for us is a real smart guy.
This is where the new locus of control goes when the writing of the code is no longer
the most important thing.
I'm out of things to say.
So I'll just say a cliche.
The times they are a change in.
Are they not as a musical cliche for Mike's on Mike's behalf?
Like that one, Mike?
Bob Dylan, right?
Yeah, I love it.
I don't know that Bob Dylan song.
Sorry.
You don't know about Dylan?
Come on.
Unless it's like Northern European Power Metal, I'm pretty lacking right now.
Yeah, I don't know if they got Dylan in Scotland.
They still have newspaper boys and children.
Do you have milkmen still up there, Mike?
Is that?
We until recently had our milk delivered to our house by.
Jesus.
That's amazing.
That's so idyllic.
Living the dream of it.
here. Well, you knew so much about American culture. I figure Bob Dylan would be right in your
wheelhouse, but, you know, that only extends so far, I guess. Yeah, I only do the parts of American
culture. I guess to echo this conversation that I'm paid in order to... You're forced to.
You're forced to learn in order to maintain and sustain employment, right? And that hasn't yet
gone as far as Bob Dylan. Well, I'll send you a $10 donation and a Bob Dylan album. You can just get to
work on that. The moment when the American should make some sort of sports metaphor, and I nod
the long as if I understand what baseball's, fourth strike, third innings, catch MLB
championship, Friday's means.
Well, this is a nerdy your podcast.
The joke I was going to make was going to say, no wonder you like alien Earth so much
because it takes place in a world where America doesn't exist anymore.
You can finally relax.
It's just five corporations, each get a continent, just like how it should be, right?
All right, Justin, this is as much your podcast as it is mine.
If it were mine, I would say thanks and end it.
But do you have more things you want to talk about?
Well, since this is going to show up on my feet as a hot fix, we try to end every single interview with some sort of pithy one-liner that represents what is the fix to the problem statement.
And it's the guest, who I guess in this case is Mike, being double hosted by us.
Hey, I'm just trying to.
Can I bleep that?
I'm trying to beat the bleep filter.
you can't you got to keep it in that stays in uh mike uh mike it's your job now to like help
us land the plane and and find a title for this thing at least on my feed like what is so if
the problem statement is you know open source is not a career like what's the fix like how
do what what do you tell people instead like like like like how should they how should they
what's the takeaway for them in terms of like where should their attention be or or you tell
me. Well, I guess in some ways I would divide the statement in two, right? So from the open source side
of things, do open source if you want to do open source, right? If you don't want to do it
anymore, don't do it anymore. This is when like when this podcast gets published and like 99%
of open source maintains quit and we have a world crisis. I'm like, oh well, but like genuinely,
like we, I very strongly encourage people in home brew to be like, hey, the day you're not
using home brew anymore. Thanks for all your work. Stop using it. Move on. Get on with your life.
There's been people kicked out at Humbrough who are doing a good job, but clearly Humbrough has been
very bad for their mental health. So we take them out of homebrew, right? Like, ultimately,
this stuff needs to be fun and it needs to be something that you enjoy. And if you care about
sustainability and burnout and open source, you want that stuff to be better. Like go, you know,
if you're an appassource maintainer, go get some therapy, right? You probably have some shit you need to deal with.
Like, chances are. And then the career side of things is like, again, same deal. Like, right,
if you work in tech, chances are you have a career, which is nice, right? It's harder right now
than it used to be. I'm lucky enough to have a lot of friends with careers outside of tech.
You know, people who are personal trainers who are opening up the gym at like five o'clock in the
morning, working like a six year a week with a split shift, right? Like, that's fucking hard.
those people do not get paid a lot of money they work really hard and they make a really big
difference in people's lives right if you're in a situation where you're getting paid good money
to sit in your ass in your home office 9 to 5 Monday to Friday like you know again maybe it's
about figuring out a way to be happy with that or your life and if you don't like that then quit
go do something else but like same deal right find a career that has some happy medium point
between paying your bills getting what you need out of life and that you can actually enjoy
and not hate, right? And do that, right? Just in both camps, do what makes you happy, right? Because
that's, at the end of the day, that's probably what is going to give you a better life and also
give those around you a better life. And even give, like, other people that work with you at your
work where you're open source or whatever. If you're fucking miserable doing what you're doing,
like, you're probably not very nice to work with. So it's just all be happy, kids.
That's going to make some people cross, I think.
I think. All right. So I started with don't do open source if you don't want to, which is a little bit long for a podcast title. Then I said, do open source for you. And then I just flipped to your problem statement. I said, open source is a hobby.
Yeah, that works. Works for you? All right. Unhappy maintainers should quit. If you don't like it, quit. Yeah, pretty much. All right. Well, on that note, I'll pretend I'm going to hit my button that plays my music now. And then I'll have my call out. And I'll say, hey, Jared, thanks a lot for.
we're playing at Jared's house right now because we're in his Riverside account instead of Mike's Riverside account or my squadcast account just really we're all broken but we're glad that you're listening hello hi but it makes us happy especially listening if you're still listening at this point nobody's paying me I've got no sponsors that's why I get to skip the bleeps that's right our sponsors pay us extra to bleep things out you know so I'm going to make lots of money off this episode yes I hope it was
sufficiently brand safe for you.
That's a new business model.
Pay per bleep.
Here's some good news for us.
This morning, as I'm prepared to shift this episode,
that's October 17th, 2025, Ruby creator, Mattz, posted on rubylang.org about ruby gems.org
saying, quote, Ruby gems and bundler are essential official clients for RubyGems.org
and the Ruby ecosystem, bundled with the Ruby language for many years and functioning as part
of the standard library. Despite this crucial role, Ruby gems and Bunler have historically been
developed outside the Ruby organization on GitHub, unlike other major components of the Ruby
ecosystem. To provide the community with long-term stability and continuity, the Ruby
Corps team, led by Matt's, has decided to assume stewardship of these projects from Ruby Central,
end quote. He goes on from there. Lots of details. Link in the show notes. Thanks again to our partners
at Fly.io and to our sponsors of this episode,
codrabbit.ai and agency.org.
That's agn-tc-y.org.
And thanks also to the best beat freak in the biz
breakmaster cylinder.
Next week on the pod, news on Monday,
Ellie Huxable talking Atuin desktop on Wednesday,
and Kaizen-21 with Gerhard Lazu on Friday.
Have yourself a great weekend.
Give someone a compliment if you find the opportunity.
And let's talk again real soon.
There's some words I decided in advance I wasn't going to say, so you should be glad for those.
I appreciate it.
That's sign of a good friend, Mike.
Appreciate that.
hit the button on both sides. I'm not going to end it. I'm going to let Justin's be the end.
I'm going to hit the music when he said he's going to hit his music. So the show's over at this
point. Justin got the outro. Well, all right. Okay. Okay. I'm going to keep this stuff in.
So am I then. All right.
Well, maybe I should just sing your music. If you're going to ruin your show, I'm going to ruin mine.
Yeah, that's mutually assured content.
Change log plus plus. It's better.