On Tuesday I had a chance to give a talk at Open Source 101 titled “How do open source companies make money?”, and played around with this concept of the “monetization helix”. The amount of value a developer gets from the fact that your product is open source quickly drops as they go from the “Build” to the “Scale” phase. Reliability becomes more and more important, and that can be offered by the maintainers of the open source project through a managed version of the product, as well as an enterprise version of it. This model has been proven out by a lot of companies like Databricks with Spark, Confluent with Kafka, MongoDB Atlas with MongoDB, Redis Labs with Redis, etc. You can see some more detailed examples from my talk slides.

While this model has been proven out for large companies, maintainers of smaller but critical projects haven’t really found a way to monetize. For example `brew`, the package manager for MacOS, is used by probably millions of developers, but they only have ~1,500 supporters between GitHub and Patreon. I previously wrote about how we can help open source maintainers be more productive, but haven’t really spent too much time thinking about enabling easier monetization triggers. Excited to spend more time on this over the next few months!

Fun Reads

• “How Ben Horowitz’s Twitter Got Hacked”: A podcast covering the recent wave of Twitter hacks and how they happened, hosted by Joel de la Garza (a16z, former CISO of Box) and Geoff Belknap (CISO of LinkedIn).

• “Redefining Threat Modeling: Security team goes on vacation”: Great blog post by Jeevan Saini and the Segment on how they shifted the threat modeling closer to the developer workflow, and actually let engineering run threat modeling without having the security team involved!

• “How Pinterest fights misinformation, hate speech, and self-harm content with machine learning”: There’s a lot of talking about the evil of algorithmic curation by social media platforms, so it’s always good to take a more technical lens and really see how these feedback loops work. Lots to improve in this area, which will hopefully happen faster by companies being more upfront about their systems.

• “Font size is useless; let’s fix it”: I’ve always worked as a full-stack developer, but backend has always been my favorite side of it. It’s good to see someone stand up against `font-size`! Pixel is supposed to be an absolute unit, but two fonts with the same font-size can be very different sizes.

Founder Bolt ⚡

Today’s Founder Bolt is with Jai Pradeesh, co-founder of DeepSource, a new static code analysis platform that uses “Autofix” and “Transformers” to automatically fix bugs and improve the quality of your code. I’ve actually been using it for a little over a year now and have been loving it!

What’s one productivity hack that you really love?

Whenever I can, I try to follow Marc Andreessen’s approach to personal productivity: Before wrapping up the day, write down three to five things to be accomplished the next day. If these tasks are done, it is a successful day. Consciously avoid checking emails more than three times a day. In almost all cases, an email reply can wait six to eight hours. Additionally, keep the calendar closed for any external meetings on Tuesdays and Thursdays. I believe this is a necessity in the remote-first world.

What’s the latest product your engineering team has adopted at work?

• We adopted Vanta around a year ago. Honestly, we went ahead with Vanta just to check all boxes for SOC 2 compliance. But, over the course of time, Vanta has helped us define and enforce numerous security practices across the org in a systematic way. Compliance is just the end result.

• Amongst others, Linear deserves a mention here. It’s a beautiful product. For task management, we had tried using Trello, GitHub Issues, JIRA amongst others but couldn’t have been happier with Linear. Give it a try and you’ll know what I’m talking about.

What technology/architecture are you the most excited about trying? What about getting rid of?

• There are quite a few of them. From the top of my mind, HashiCorp Boundary is something we would like to adopt in the near future. It kind of eliminates most of the problems faced by traditional setups like jump host and VPN.

• We’ve been using Consul as a storage backend for Vault. To ensure high availability, we manage a Consul cluster -- which is an overkill. We’re planning to get rid of this.

What’s one side project you started but never finished?

Trusted Execution Environments. At the moment, things like CI builds, DeepSource analysis, etc. run on centralized environment on proprietary resources. The idea behind Trusted Execution Environments is to decentralize the execution of these jobs in a way that no information about the job can be tampered with. Anyone who has idle compute resource can rent the resource on a decentralized market just by running a TEE node. Fingers crossed!