by indymike 1654 days ago
> I feel this is a problem of companies being cheapskates, not of OSS maintainers. So do not make it their problem. I do not make OSS for companies, but for enthusiasts, contributing to building cool stuff, students and researchers.

I'm starting to do something different at my company. I'm finding the package maintainers for the non-commercial stuff we use in our product and making a donation. I'm also going to start asking the maintainers to invoice my company for support where that is possible to do.


What do you think of hiring maintainers to audit? Answer specific questions about usage and security, with some visibility into your codebase? We’ve talked this over and hit risks concerning access to code where we’d like an NDA that a consultant may dislike.
Consultants sometimes dislike NDAs, because as a consultant, you are already expected not to disclose. It is strongly implied, like patient confidentiality. Airing dirty laundry or competitive advantage as someone visiting many companies a year is like a doctor amputating the wrong leg. You do this once, then you are out of a job and reputation.

Risk is on your end, so you pay for it. A 10k contract becomes a 12k contract. You clarify your risks, your mitigation method (NDA), and that the extra money is for the legal liability the consultant takes on.

If this becomes a cultural thing, part of OSS, then more employees inside big companies will start to advocate for funding the OSS they rely on. Companies found to be profiting off OSS, while keeping a closed wall, complaining, but not contributing patches or funding, will lose market mind share, and a percentage of the best developers.

Seems doable, but still hard without centralized control and PR.