At Tidelift, we care deeply for open source software.

For our founders and early employees, open source has long been both a personal preoccupation, as well as an actual occupation at organizations like Red Hat, Wikimedia, GitHub, Mozilla, and Google.

But even though we’ve seen open source accomplish so much over the last two decades, along with many of you, we’ve felt that its foundation is increasingly shaky. With compounding usage amplifying the demands placed on its creators, open source risks becoming a victim of its own success. If you use or contribute to open source, you’ve probably had this feeling, too.

And we also had the sense that there’s a better way.

But before we got too far ahead of ourselves, we decided to do our homework, by talking directly with users and creators of open source.

Here’s what we heard, and our first steps toward doing something about it.

What we heard

Over the last several months, we engaged with over 1000 professional users and maintainers of open source software through surveys and live conversations. We wanted to learn what’s working for them and what’s not.

Turns out, people had a lot on their minds.

From professional software teams building open source into their applications, we heard:

Open source components are everywhere . With few exceptions, almost every active commercial software project, across industries, incorporates libraries from open source repositories like JavaScript’s npm, Java’s Maven, Python’s PyPI, Ruby’s RubyGems, PHP’s Packagist, and the like. Our research found that 92% of projects contain open source components. And 68% reported that all of their software projects contain open source components.

Most teams lack visibility and process around their use of open source . While it’s clear that open source is everywhere, we found that the majority of organizations don't even have a complete list of the open source components they are incorporating into their applications, much less a rigorous process in place for managing those components throughout the lifecycle of their software.

Security, licensing, and maintenance are paramount . Open source, while it often feels ethereal, is ultimately still just software and thus subject to the earthly realities of security vulnerabilities, license compliance, and ongoing maintenance. Professional teams we spoke to understand the risks that come along with the opportunity, and were doing their best (without much help) to balance some of the potential downsides of open source with the fantastic upsides.

83% of organizations will pay for well-maintained open source software. Although it’s sometimes a matter of pride for technologists to self-maintain the open source projects they use, we found that a substantial percentage of professional teams already pay for commercial assurances around some of their open source (typically from companies like Red Hat or Cloudera). At the same time, we frequently heard the frustration that there’s simply no vendor to go to for most of the open source landscape, even when users have the appetite to pay.

Similarly, we had a wide-ranging set of conversations with open source project maintainers, contributors and supporters, who told us:

Building open source software is hard work . This should surprise nobody, but building rock-solid foundational technology that will work across platforms, deployment environments, and use cases is real work. Open source maintainers have multiple motivations that propel them forward—personal fascination, reputational rewards, and a sense of contribution and community, among others. But none of those make the burden lighter.

Today, open source contributions are mostly a side pursuit . More than three quarters of open source contributors have no formal financial support for their open source work. They contribute their own personal time or squeeze some work into their day job, as circumstances permit. Less than a quarter pursue direct business models to support their project work.

Many would like to work on open source as their full-time job . On the other hand, we found a huge appetite to work on open source software as a full-time profession, with about half of maintainers interested in working on open source full time.

Specifically, contributors are open to doing maintenance for pay. Assuming they would be fairly compensated for doing so, we found that many open source contributors are interested in tackling issues like security, license compliance, and ongoing maintenance for their projects (and others).

You can probably see where we’re going with this.

Raising Tidelift

Here's the win-win proposition we see.

Rather than having professional software teams cobble together solutions from multiple vendors and unsupported “free range” projects, what if we had one destination for professionalized open source; a single place to go for uniform assurances about the security, licensing, and maintenance of open source projects, regardless of the specific language, package manager, or ecosystem. On a paid subscription basis.

Given the breadth of open source, it would be impossible for one company to staff an engineering team large enough to fulfill that demand. Unless… one could enlist a subset of the vast existing community of open source contributors and maintainers to fulfill those professional assurances. Each maintaining their part, in exchange for a share of the paid subscriptions.

The role of Tidelift? We think we can help by providing many of the sales, marketing, finance, software development, and organizational aspects of making this happen.

That, in a nutshell, is the idea behind the Tidelift Subscription.

Introducing The Tidelift Subscription

And so today we’re launching the Tidelift Subscription.

We’re starting with support for three widely used front-end frameworks: React, Angular, and Vue.js.

The core idea of the Tidelift Subscription is to pay for “promises about the future” of your software components.

When you incorporate an open source library into your application, you need to know not just that you can use it as-is today, but that it will be kept secure, properly licensed, and well maintained in the future. The Tidelift Subscription creates a direct financial incentive for the individual maintainers of the software stacks you use to follow through on those commitments. Aligning everyone’s interests—professional development teams and maintainers alike.

Critically, the Tidelift Subscription covers not just core libraries, but the vast set of dependencies and libraries typically used in common stacks. For example, a basic React web application pulls in over 1,000 distinct npm packages as dependencies. The Tidelift Subscription covers that full depth of packages which originate from all parts of the open source community, beyond the handful of core packages published by the React engineering team itself.

Learn more about open source dependencies and the Tidelift Subscription in the definitive guide to professional open source.

Start with a free dependency analysis

Since we heard that many professional software teams struggle to know where to get started, we also built a free open source dependency analysis service—which also launches today.

Our analysis is powered by Libraries.io, Tidelift’s open data service that comprises the most comprehensive index of open source components ever assembled, and builds on the foundation of the earlier Dependency CI tool from the Libraries.io team.

With support for JavaScript, Java, Python, PHP, and 20 more languages and package managers, the free Tidelift dependency analysis will inspect your software application and give you a unified view of all open source components your organization is already using. It will highlight security, licensing, and maintenance issues in your dependencies, all in real-time. All free of charge.

Just sign in and link your GitHub.com account to get started. (If you’re not using GitHub.com, we’re working on support for additional platforms—get in touch if you’d like a preview.)

We’re continuing to add subscription coverage for more parts of the open source landscape all the time. When you use Tidelift to monitor your open source dependencies, you’ll be alerted to the availability of support that covers the packages you use.

Maintainers: consider becoming a lifter

Along with the launch of the Tidelift Subscription, we’re reaching out to maintainers and core teams—we call them lifters—interested in helping build a sustainable business around their own projects.

Tidelift provides a means for maintainers to band together in a scalable model that works—for everyone. Those who build and maintain open source software get compensated for their effort—and those who use their creations get more dependable software, delivered via a Tidelift subscription.

Bottom line: We connect the software development teams using open source with the maintainers creating it, in a win-win way.

We’re particularly interested in hearing from open source contributors in the React, Angular, and Vue.js communities, given our initial focus.

But our ambitions are broad, with Tidelift already supporting the following package manager communities: npm, Maven, RubyGems, Packagist, PyPI, NuGet, Bower, CPAN, CocoaPods, Clojars, Meteor, CRAN, Cargo, Hex, Swift, Pub, Carthage, Dub, Julia, Shards, Go, Haxelib, Elm, and Hackage.

If you are an open source maintainer or contributor, learn more about becoming a lifter on our web site, download our lifter guide and get in touch.

Conclusion

At Tidelift, we want to make open source work better—for everyone.

We’ve got a lot more on the way, but we’re excited to get started on this journey together.

If you’re like-minded: