I algorithmically donated $5000 to Open Source
Hey HN community, thanks a lot for your great feedback and actionable critique!
It was a simple MVP for personal OSS donations, and I have many considerations on how to evolve it and especially to prevent it from becoming a victim of Goodhart's Law at scale. Some of them:
1) Value and Risk scores shall include more metrics: dependencies, known funding, time since the last dev activity, active contributors, etc. A wider set of connected but relatively independent metrics is harder to fake. Also, it will help to exclude edge cases — for instance, I auto-donated to Pydantic (it's a great OSS), but such support is unlikely to be needed as they have raised $12.5M Series A from Sequoia this year.
2) Algorithmic does not mean automatic. While I see a strict, measurable, and ideally fully transparent methodology crucial for donating, it does not mean that all inputs shall be automatically generated. For instance, in the stock ETF world, one can generally rely on such metrics as "annual financials" for trading because they are annually audited (although it does not prevent fraud in 100% of cases). In the OSS world, data from trusted ecosystem actors can also be part of the equation.
3) Many guardrails are possible: limited budget per project, manual checks of top repos with the most anomalous changes in metrics. Also, if we target the sustainable maintenance of OSS the world relies on (I do!), then new projects (1-2 years) are unlikely to get high scores - that adds another protection layer.
Given the interest in this topic, I am going to continue developing this algorithm further and expand it to other ecosystems (e.g. JS/TS and Rust). Your feedback here is very valuable to me, and those who would like to help make the algo better or donate through it are invited to the newly created gist:
https://gist.github.com/vinogradovkonst/27921217d25390f1bf5e...
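An added sketch of two of the guardrails listed in the comment above (a per-project budget cap, and holding projects with anomalous metric changes for manual review). It is not part of the thread and not the author's algorithm. The value × risk score, the 3x jump threshold, the project names and all numbers are assumptions constructed for illustration.

```python
from statistics import mean

# Constructed sample data, not taken from the thread or the author's CSV.
# "downloads" are monthly counts, oldest first; value and risk are
# assumed to be already-computed scores.
PROJECTS = {
    "alpha": {"value": 6.0, "risk": 0.5, "downloads": [100, 110, 120, 115]},
    "beta":  {"value": 2.0, "risk": 0.5, "downloads": [50, 55, 50, 60]},
    "gamma": {"value": 4.0, "risk": 0.25, "downloads": [10, 12, 11, 90]},
    "delta": {"value": 1.0, "risk": 1.0, "downloads": [30, 30, 30, 33]},
}

def anomalous(projects, max_jump=3.0):
    """Names whose latest month exceeds max_jump times their earlier average."""
    flagged = set()
    for name, p in projects.items():
        *history, latest = p["downloads"]
        if history and latest > max_jump * mean(history):
            flagged.add(name)
    return flagged

def allocate(projects, budget, cap, max_jump=3.0):
    """Return (allocation, held). Held projects get nothing until reviewed."""
    held = anomalous(projects, max_jump)
    scores = {n: p["value"] * p["risk"]
              for n, p in projects.items() if n not in held}
    alloc = {n: 0.0 for n in projects}
    open_names = {n for n, s in scores.items() if s > 0}
    remaining = budget
    while open_names:
        total = sum(scores[n] for n in open_names)
        shares = {n: remaining * scores[n] / total for n in open_names}
        over = {n for n, s in shares.items() if s > cap}
        if not over:
            alloc.update(shares)   # everyone fits under the cap
            break
        for n in over:             # pin at the cap, pass the excess on
            alloc[n] = float(cap)
            remaining -= cap
        open_names -= over
    return alloc, held
```

With a budget of 1000 and a cap of 400, "alpha" is pinned at the cap and its excess flows to the others, while "gamma" (a one-month 8x download jump) is held back; any budget that cannot be placed under the cap stays unspent.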
It's a great idea; I have some similar thoughts. The looming problem, though, is that Goodhart's Law is likely to strike if this ever gets scaled up significantly.
I think this is a really interesting model for providing funding to open source software. There's something about the "Index Fund" approach that is really appealing. I also think it's interesting that the author was both balancing "value" and "risk". I do wonder, if this became a more dominant strategy for providing funding for open source how you would deal with a couple potentially adverse incentives:
1. Publishing the exact formula for funding is great for transparency, but then leads to an incentive to game the system to capture funding. Doing things like breaking your project up into many small packages, or reducing the number of maintainers are not good for the ecosystem but may lead to more funding. Also, there starts to be an incentive to juice download numbers.
2. In general, rewarding "risk" with additional funding seems like it creates an adverse incentive. This seems like a really tricky problem, because lack of funding is a major source of risk. It seems like there could be a pendulum effect here if you're not careful. Is there a way to structure the funding so it encourages long term "de-risking"?
This reminds me of when Redhat went public in the late 90s and did a generous thing with the friends and family round for the IPO. They included every open source contributor they could find in the Redhat sources. Including me, a grad student at the time. I made a few thousand dollars flipping the stock which probably doubled my salary for the year. (My contribution was an early HTML mode for emacs.) It was a really nice gesture.
Reddit did something similar last year in their IPO. I'd love to read an article on how people benefitted from it.
Ha, maybe there should be a tool that calculates your "bill" based on the OS stuff you are using and helps you make a single payment that distributes it to the rightful owners. That bill thingy can be calculated as how much you actually used this stuff and how much donation they currently receive and then you pick how much you feel like paying this month.
Distribution can favor projects that need funding to be sustained. Maybe you are using a niche library that only 20 other people are using but you are getting great value out of it, then maybe it can be reasonable to be billed $100 (or not a strict sum but a high coefficient to make your donation go mostly to this particular library).
Title is cut off; it is missing “… via GitHub Sponsors and PyPI data”. My project, for instance, does not use GitHub, nor is it a Python library or even Python-only.
I suspect that a better measurement might be based on what software people actually have installed, perhaps using the Debian Popcon data.
I love the idea! Anyone here from MS/Github who could integrate this into Github sponsors? That way you could "Donate to Open Source" and see the allocation distribution without having to do all this work.
This is cool: good, reasonable methodology (I like the value x risk idea).
Two requests: 1) could you easily add the projects to the CSV file (maybe one column left of the user: "projectA;projectB;...") 2) could you share the code (understanding that it's rough and lots of hand-curation)
I've long given to EFF, FSF, and other projects sporadically, but this method seems excellent and expandable and customizable, maybe something like: 1) identify the packages on your machine (or used by your team) 2) score them 3) donate based on score
I was 18th on the list, thanks for the donation!
There's also the approach to funding that looks at things from another angle, and says we should have a basic income, or negative income tax, for everyone.
Comparing to index funds is neat. What Flattr.com offered was to set a monthly budget and then not allocate according to an index but according to your preferences (value per flatter = monthly budget divided by number of flatters).
Flattr is no more. But I could see that work out for open source projects: Allocate a fixed monetary amount per unit of time you want to donate. Record "intent to donate" during that period. This could be done via a browser extension or a CLI. At the end of one period, distribute.
Had to modify the title slightly to pass validation. Also "How [I algo...]" got removed, did not know that happens automatically.
Open-source maintainers are the base that holds the entire industry! It is such a nice, noble and generous act, I honestly wouldn't dedicate my skills and time to work in something that is not going to help me to pay the bills. (pretty selfish, I know xD). It's great to have you guys around!
I think someone should make an ETF that donates 1-2% of profits to the open source packages that the companies use. Tie profit directly to payback to the community.
Undisclosed use would be a bad idea - your package could be receiving free funding!
As soon as money is in play, greedy people will start gaming the system. The anonymous guy in Nebraska won't have a chance, even if he is interested.
tl;dr: well intentioned, but it isn't gonna work.
Oh what a coincidence. I wrote pypular (https://codeberg.org/ltworf/pypular) to artificially increase download counts on PyPI (talked about it at a MiniDebConf).
I was claiming that there are important incentives to play this sort of game.
Seems OP proved me right!
Great post! I wish all companies would recognize their dependency on open source and compensate accordingly.
I feel like there is a big risk here, which others have already mentioned, but in fact this risk has already been realized w.r.t. npm packages. https://news.ycombinator.com/item?id=41178258
I wanted to see if ChatGPT will be able to understand the meaning of this comic, and I think it did.
*Gpt message:*
This comic humorously highlights a critical issue in the tech world: the dependency of massive modern digital infrastructure on small, often overlooked, and underfunded components maintained by individual contributors. The large stack in the illustration represents the complex and sprawling "modern digital infrastructure," while the tiny piece at the bottom, maintained by a "random person in Nebraska," symbolizes open-source software or obscure tools that are crucial for the functioning of this entire system.
The key message is that large systems often rely on foundational work done by unsung heroes who may not receive the recognition, support, or resources they deserve, despite the critical nature of their contributions. This comic resonates particularly with the tech community, where dependencies on small open-source projects are common.
Building something for fun with others seems underrated outside software. I sometimes look with jealousy at pictures of Amish barn raising. Who benefits is rather different tho.
Does anyone know of a non profit that routes money directly to open source projects? I'm wondering what's the best way to support open source via 501c3 dollars
Wow! I was surprised to see myself on the list. Sure enough, I see a donation and it will take 90 days to pay out the first time.
Interesting project
By the way, a lot of money goes to open-source projects via donations in exchange for an SEO backlink. A lot of stuff going down there.
I tried to fix software funding - I think people can sell licenses to their software, we can introduce new licenses that allow free usage for individuals and nonprofits and charge the companies. I am the worst marketer/seller ever and failed with getting the publicity. I still think that’s a worthwhile idea and have all the source code for this platform
I think someone should also donate to the person who created that open source meme.
My concern is that the value a project brings isn't always objectively measurable. You can try to approximate it, sure, using # of downloads and whatever else, but then those metrics can also be easily gamed if the incentives are large enough. For example if you applied this same logic to the npm ecosystem then the creator of is-odd would retire a billionaire.
Regardless, donating something is always better than donating nothing, so kudos.
Great initiative!
Yeah, doing open source is very unthankful even outside of that money consideration. I have a 5k+ star GitHub project for like 9 years, 200-300 bug requests via GitHub/personal email, and I got maybe 1 genuine thanks email without a request.
One thing I want to try is looking at all the packages on a minimum install of a Linux distro. How many of those are just a dude?
Must be nice to have $5k to burn. Probably means you have too much money.
5000 is not that much anymore, especially in the US. Would have been better to split into $1000 chunks instead of $200.
> Value increases with # total downloads and LTM downloads on PyPI.
While I applaud the OP for the initiative, if this ever takes off it will cause people to exploit the system in the following ways:
1. Hammer the package registries with fake downloads, which will increase the financial burden on the registries both in terms of increased resource usage and in employing countermeasures to stop bad actors.
2. People spamming the repositories of popular packages with PRs that just so happen to add a dependency on their own personal package, so that they can pick up transitive downloads. This increases the burden on package authors who will need to spend time rejecting all of these.
So this approach carries the risk of possibly making things even worse for OSS maintainers.
If a metric can be gamed, and there is a financial incentive to game it, it will be gamed. I coin this the "this is why we can't have nice things" law.