Thanks for joining my session. You probably saw on the schedule that this is a non-core talk. I already gave the talk on Tuesday, and apparently so many people couldn't get into the room; it was already full and people were standing, so they asked me if I could do it again, and I said, sure, I'd be glad to. Now they gave me this big room and nobody showed up, except you guys, so thanks for coming. You get a very exclusive presentation here. I feel like I should move closer to you because you're so far away, but we'll make do like this, okay? As Solona pointed out, you just get to ask more questions. There wasn't enough time on Tuesday, I mean, it was like 10 minutes, but now we have more time.

I would like you to meet Steve. This here is Steve. Steve is a real person; this is not his real picture, of course. Steve is a mathematician specializing in cryptography. He has a PhD in graph theory, he is now 54 years old, and he lives in Staffordshire, England, which is near Birmingham. Steve works as a software developer, and because he's really good at his job, it's not exactly just a nine-to-five job, right? And because he enjoys his work, he also has a little side project of his own that he started in 2003, something to do with secure online communication. This project became more and more popular. First it was a few dozen downloads, then a few hundred, a few thousand, and now it's well over a hundred million downloads. Steve's full name is Dr. Stephen Henson. Fortunately, after a while, Steve was joined by another Steve, Steve Marquess. Steve Marquess, the second Steve, was more on the business and concept side of things, and Steve number one was still the only code reviewer and maintainer from that perspective, okay? So together they became known as the two Steves. Now, Steve and the other Steve put a lot of hours into this project, more and more, and I guess next to a regular daytime job that can be very exhausting.
So now, in 2012, a German student from the University of Münster made a code contribution to Steve's code base. Steve reviewed it, deemed it good, and took it over into the code base. What they didn't know at the time was that this code contribution introduced a bug that was only found out and exploited two years later, and this bug became known to the greater public as the Heartbleed bug, which you probably have heard of. This bug caused the single most severe security breach in the history of the human race, and it was a big problem at the time. It was only then that people started to look into who is actually behind this very popular project called OpenSSL; you've probably heard of OpenSSL as well. Virtually every online communication on the internet uses OpenSSL. So it was only then that people looked at who these guys behind it are, and they found out it was these two Steves, and it led to funny headlines like this one here: "The internet is being protected by two guys named Steve." It was spot on, right? The internet was protected by these two guys, and they only did this as a hobby, right? They were not being paid for this project and just worked on it because they thought it was a good idea. It was a good idea, but the bug put the spotlight on this thing that until then had worked nicely, right? So the two Steves did receive a lot of sympathy from a lot of people, but they also received a lot of harassment, a lot of abuse. People called them stupid idiots: what were you thinking, this is irresponsible, you should have known better, and so forth. They were even accused of being spies, either for the NSA or for the Russians, introducing a backdoor that could be exploited. Same for that student: he was also accused of being an NSA or a Russian spy, or just a plain idiot, okay? So it was a really tough time for the two Steves. Now, you've all seen this picture, I assume.
It's just such a good representation of the typical situation in software development. One component builds upon the other, and so forth and so forth, and then you end up in a situation like this, where you're all dependent on this one little building block at the bottom, and if a problem happens there and you take it away, it all comes crashing down, and we'll have a long period of scrambling as we try to reassemble civilization from the rubble. Sounds a bit dramatic, but it is. Another example is this here, Log4Shell, which you have probably heard of, because that was only very recent, less than a year ago. And the situation is very similar to the two Steves, except here it's three guys, and they don't have the same first name. They're called Ralph, Matt, and Gary, but Ralph Goers, for example, who's the project lead for Log4j, also does this purely as a side job. He's not being paid for it, right? So we have a very typical situation. Open source runs the internet, right? And by extension, the economy. And yet a lot of the time, it's very common, even for core infrastructure projects, that they run on and depend on a small team of maintainers, or even only one person who's not getting paid to do this. Okay, so it's actually a surprise that this doesn't happen much more often. I mean, a lot of problems occur, but very, very difficult, really crucial problems like this happen. There were a few others; I just picked those examples. It's actually kind of a surprise that it doesn't happen much more often. What can we do? What are ways to remedy the situation? So, I mean, one suggestion, of course, was: yeah, I told you so, just don't use open source, it's not safe, right?
Okay, I don't think we need to discuss this idea here in this round. But another idea was that in every company we should have a central governing body that whitelists open source libraries and checks whether they're safe to use or not. Now, I do think it's a good idea to check the open source libraries that you use. I'm not sure if a central governing body is the right institution to do this, but it's an option, I mean, it's a viable way. But I think I have a few better ideas. So here we go. One is: contribute. Go and make contributions to the open source projects that you use, that you like, and that you probably depend on. Try to strive for high-quality contributions, yeah? I mean, don't let this keep you from making any contribution, right? Everybody is a first-time contributor at some point, and first-time contributions are welcome a lot of the time. But I should be a bit more careful with the microphone, sorry. What I'm saying is, when I say strive for high-quality contributions, don't just throw something out there, some chunks, and tell the maintainer, well, you figure out the rest, okay? Don't do this. Try to be as good as possible with your contributions. Now, contributions were never a problem for the two Steves. They had about 200 code contributions lying around at any given point in time, waiting to be reviewed by Steve. So maintainer fatigue is still a problem, especially when there are only one or two maintainers. So another idea is: become a maintainer. Take responsibility for an open source project and be one of the maintainers, okay? As you get more and more engaged, maybe they'll ask you to join the maintainer group. Obviously, you can't always be a maintainer for the projects that you use, because everybody's time is limited, but maybe for one project, be a maintainer. The more maintainers there are, the more the work is distributed over more shoulders.
Another idea is to become a member of a foundation, for example the Linux Foundation or the Eclipse Foundation. We at Mercedes-Benz are members of the Linux Foundation, members of the Eclipse Foundation, also Cloud Native, Hyperledger, and a few more. The foundations usually provide, for example, a legal infrastructure, or security infrastructure, and other things, so that's usually a good idea. So I believe in foundations. And here is another idea, and that's sort of the point of this talk: consider paying money to open source projects, reward them for their work. And if more and more people do this, then maybe at some point people like the two Steves can quit their daytime job and do this project that is their own for a living, and make a decent salary, a competitive salary, off of it as well. According to one source, Steve number one, before the OpenSSL Foundation was formed, made about 20,000 US dollars a year. That's not very much for a 12-to-15-hour job, right? So give them the reward, the monetary reward, that they need and deserve, okay? So let's look into this a bit more. It probably seems a bit far-fetched that for-profit companies would spend money on something that they actually get for free, right? But I can tell you that we at Mercedes-Benz are doing exactly that. As of about a year ago, we have started to pay money to open source projects that we use, that we need, and that we like. So if you go to our GitHub profile, the Mercedes-Benz Group here, under GitHub Sponsors you can see that we are currently sponsoring 34 organizations and developers. That doesn't include the sponsorships that have expired; you can choose whether you do a one-time payment or pay per month for a period of time, and the ones that we did that have expired are not mentioned here. Currently we have 34, and you can see some of our projects here.
So, curl. curl is a project that is actually not short of donors. Daniel Stenberg, the maintainer, I think he's doing okay, you know? But still, great work that he does, and we're sponsoring. Then Fiber; you can see OpenSSL. I have an idea how that got in there. Yeah, because we just thought it was a worthy project, right? Sindre Sorhus, who is that? I don't know if you know this guy. He's one of the real open source heroes out there. I mean, he has hundreds of projects that are used a lot, all over the place. So he also makes a living off of it, and I think he's okay as well. But the majority of projects, the maintainers, they cannot live on it. How do we pick the projects that we sponsor is usually a question I get. What we do is we ask our community, our developer community, and say, hey guys, we're going to collect suggestions in the next few weeks, please make suggestions and tell us which project we should sponsor, which developer we should sponsor, with how much money, and why, okay? Then, after a deadline, in our OSPO we review the suggestions and then we allocate money to the projects and the developers. We look at the project, we look at the reasoning. Somebody says, please sponsor curl because we use curl all over the place; it's one of the projects where it would really hurt if it wasn't there anymore tomorrow. Then we look: is it an active project? Because if it's not active, then we don't want to spend money on it. We also look: is it a popular project? Does it have 10 stars on GitHub or 10,000 stars? That plays a role, and so forth. And then, when we have a good feeling, it's like, okay, we'll sponsor this. All right, we have done this three times already, so three rounds of calls for sponsorship suggestions. We are now very soon kicking off the fourth round, so we're collecting more suggestions, and hopefully we will keep doing this from now on, forever. Yeah, okay, we'll see, but that's the idea, all right?
In case you think, that's a great idea, I want to do this at my company as well, I want to give you some insights into how you can do it and how you can set it up, okay? We at Mercedes currently just use GitHub Sponsors to pay money. GitHub is our partner; our corporate IT develops software on GitHub. We also use GitLab in our research and development unit, but GitHub Sponsors, maybe you've seen it: if you're on a project site or a developer's profile, you can click on the heart, it's a sponsor button, and then you can make the selection of how much you want to sponsor and for how long, and so forth. So it's fairly easy. It's not a pilot anymore, but they introduced this two years ago at GitHub Universe in 2020, yep, which was in, what was it, December 2020. And they're not taking any fees yet, but they will probably do so soon, and they don't know yet exactly how much in fees they're going to take, but it will be around seven, eight percent, is what GitHub tells me. And they don't want to make any money off of that, so it will just cover their costs, the costs on their end for the Sponsors program. There's also another very popular platform, Open Collective, or Open Source Collective. They collect 10% on the incoming funds. I have had that number verified: at my first talk on Tuesday, somebody from Open Source Collective was there and he said, yes, the number is correct. There are other options as well. At Mercedes I want to add other options like Open Source Collective, but I just haven't gotten around to doing it yet. But these two seem to be the most popular options, I think. There's also, and this is probably also very popular still, the Linux Foundation crowdfunding. They don't take any fees for the first $10 million and then 5% after that. And then there's a few smaller options, like Liberapay, Bountysource, Tidelift, IssueHunt, and so on.
I haven't tried them, to be honest, but just for completeness purposes I wanted to list them here as well, okay? So now it sounds easy, right? But if you go back to your company and say, I want to do this, and you work at a big company, then it's not that easy. So let me give you some of my experience of what you may run into when you try to set this up at your company, all right? Right now the way it works is we give money to GitHub and then we tell GitHub, via the sponsor button, which developers or projects they should give the money to. It didn't used to be the button, because it was still sort of in a piloting stage up until like three weeks ago. The process was slightly different: I gave them an Excel sheet, I put in the numbers and the URLs and everything, and then they used this Excel sheet and paid the money. So it wasn't automated yet, but now it is, okay? As of literally three weeks ago, now I can go and push the button, which is something that individuals could do before, but for corporations the button has been active only as of three weeks ago. But the question is, when you give money to GitHub so that they give it on to somebody you sponsor, it's not that easy, because as a company, when you pay money to someone, there are usually two ways to give money to someone. The first one is you buy something, so it's a purchase. And the second option is you sponsor someone, traditional sponsorship, yeah? So, for example at Mercedes, we would pay a famous athlete so that they wear our logo on their sleeve or chest or wherever, yeah? They're famous, they're brand ambassadors for Mercedes, something like that. Now, what's open source sponsorship? Is it a purchase or is it sponsoring? It sounds like sponsoring, but is it really? Because they're not actually carrying our logo on their sleeve and making advertisements for Mercedes-Benz cars, right?
So it took me a long time to figure this out, because it was a new case, you know? First I went to the purchasing people and I said, I would like to pay money to GitHub so they can give it to other people. Is that a purchase? And they said, well, are you buying something? And I said, well, not really. I just kind of want them to be around, you know, they can do their own thing. And their first recommendation was: well, okay, you pay the money and then you tell them, hey, for this kind of money, can you please implement a few issues for me? Okay, that's possible, but that's not the spirit of open source sponsorship, right? They know best what is best for the project. They have known this project and what's best for it for many years, so I'm not the one to say this, so I don't want to say, hey, we give you $5,000 and then you implement two issues. As I said, that's not the spirit of open source sponsorship. So I told the purchasing people, no, I'm not buying something, I just kind of like to give them money. Well, okay, then it must be sponsoring. I'm like, okay, so I go to the sponsoring people. I said, hey, I want to sponsor this open source project. And then they say, okay, here are our sponsoring rules. Do they apply? Do they wear the logo on their sleeves? Are they famous? Blah, blah, it's all over there, and I'm like, not really. Well, then it's a purchase order, go back to them. So I went back to them and I said, you know, this is not helping. So we got everybody together and there was a discussion, and they said, it's sponsoring, it's purchasing, and so on, so I went back and forth. And you have arguments for both sides, but it's not completely either one; it's sort of in the middle. It's open source sponsorship, and it's not something that fits the processes of a big corporation, okay?
So at some point we just made a decision and said, okay, let's treat it as purchasing, even though we're not actually buying something that we can hold in our hands, but okay, fine. So, done. Now, the next thing is compliance. That's always very important, but it can be difficult to figure out as well. So here's the thing. When a company pays money to somebody, you have to check their background. You have to do sanction list checks, because as a company you don't want to pay money to somebody who is going to spend it on the dark web or fund dubious things with it, right? And then this makes the news and then you're in the headlines: Mercedes sponsors, well, I'm like, oh my God, that's the worst that can happen. You don't want this, right? So you need to put them into a sanction list check. Every company does this; I'm pretty sure every company does this. What you do is, there are automated systems, and you put in their name and residential address, and then it comes back green or it comes back not green. If it's not green, then you usually have to make a manual check. And in 99.99% of cases everything's good, and in 0.0001 there's a problem, and then don't give that person money. All right, so I need the name and the residential address of the person. So I go to GitHub and I say, GitHub, I want to sponsor this guy, but I don't have his name. Some GitHub profiles have the real name. Some have the email address as well. Sometimes the email address is in the commit message, but it doesn't have to be there. And their residential address is usually not available, right? I mean, why would I put my residential address in my GitHub profile? So the ones that have an email address, fine, I can ask them. The ones that don't, I go to GitHub and I say, GitHub, can you please give me this person's email address?
And then GitHub says, sorry, can't do it, you know, data protection laws. So I'm like, okay, because GitHub promises their users: we will not give your information to third parties. We're a third party, even though we want to give them money, but we're a third party. So I had to go and find a way to contact this person. Some I found on LinkedIn, some I found on other social media, and some, what was another thing? I Googled, you know, and found them. But I had to do this for every project, right? So now I have an email address. And then I send them an email and I say, hey, can I please have your residential address? Because I want to give you money. And so all of a sudden I'm this guy on the internet who writes emails to people saying, hey, I would like to give you free money, can I please have some information from you? And you can trust me, right? And I'm like, how did this happen? Okay, they actually did reply; all of them replied in the end. Some right away, some after a reminder, and some after a couple of weeks. But I guess my email address and my sender address and my footer and everything seemed authentic enough that they actually did reply. But imagine the situation; it was really weird, all right? And now, going back, before I could even send this email, I had to align with our compliance people on that. I said, compliance people, I'm going to send them an email to ask for their information, is that fine? And they said, whoa, hold your horses, you can't do that. Like, why not? I want to give them money. And then they said, yes, but you have to tell them all about data protection laws, you have to give them a reason why you need it, you have to tell them where you're going to store that information and for how long, and that at any point in time they can revoke their consent, you know, blah, blah, blah. They gave me like a two-page document: here, this is the email you can send them. And I said, no way.
If I do that, you know, this was two pages in perfect legalese, yeah? I said, I want to send them an email that normal people can understand. At which point our lawyer said that he actually did consider himself to be a normal person. So, legal people are normal people as well. Anyway, I really shortened that text down to understandable English, and I had to ask, can I word it like this, and then that was fine, you know? But it took a while until we got there. So, okay, then I had the text, then I sent them an email, then I got back the information, then we had to put it into this sanction list check, and then we could give them money. So the point is, it's not that easy. These are all the things that you might run into in your company as well. It took me months to set this up, and it was not because I was procrastinating. Of course I have a lot of other things to do as well, but this was just, you know, talk to these and to them and back and around and so forth. So it was an interesting process. In the end we made it, and the first round took a long time, but the second and third rounds were much easier. And GitHub and their payment provider Stripe, they also do these sanction list checks. So at some point we said, okay, they do it, because they also don't have any interest in being in the news for funding nefarious causes. So we don't have to do this anymore on our own. Again, a third time, right? Two times is enough. Okay, that's that. Now, once you have done it, here's some of the feedback that we got from the people that we sponsored. I don't know if you can read it in the back. "I'm humbled by the fact that people found out about my project and actually use it." "Thanks, it really gave me the kick I needed to continue working, and that good feeling one gets from contributing to something." "This helps the team to be even more motivated to increase the quality of the project. Thank you again for the recognition."
"I am also receiving a lot of contributions from the team, which I greatly appreciate." I like this comment especially, because we're not only giving them money, we're also giving them code contributions. And then here: "We're very happy to get a sponsor and hope it will open up all sorts of new avenues for collaboration." Now, most people tend to be very happy when you give them money, but this here shows that what actually seemed to matter more to a lot of people was the recognition, you know, the pat on the shoulder, the thank you for your good work, yeah. Also, by the way, when we sponsor a project, as I said, right now we still only do GitHub Sponsors; we plan to add the other options in the future. So if a suggestion from our developer community comes in and they don't have GitHub Sponsors enabled on their profile, we send them a message, an email or an issue, saying, hey, have you considered GitHub Sponsors? Could you please add it, because we want to give you money. And then some projects do it, some say, well, I can't, or we'll do it later, something like that. But one project in particular gave us the feedback that they enabled GitHub Sponsors and set it up on their side, and then a couple of months later they said, hey, you know what, Mercedes, thanks again actually for asking us to do this, because after we set it up, we received money not only from you, but we have gotten 20 other sponsors since then. And that's particularly great feedback, because that's actually really the point of doing this. We can't finance everybody on our own, but if many people, many companies do this, then it will add up to amounts where maintainers can actually maybe live off of it. Right? Now, moving on, and sort of rounding off, I'm going to stop here. Here's our open source landing page, opensource.mercedes-benz.com. You can find our projects, our open source projects, some articles, some news articles.
There's not that much there yet, because it's still fairly new. And there are also not that many open source projects yet. There are quite a few, but not that many, but we're adding more and more as we go along, as we move on in open source. Also, I want to point this out: here in the top right, you can find the manifesto. Go there; this is our FOSS manifesto, the Mercedes-Benz FOSS manifesto. It states that we believe in open source, and we ask our developers to be active in open source and in inner source. We ask them to contribute, to become active members of the open source and inner source communities. And they can do this in their working time, of course, right, because we ask them to do this. This is really important, because like 10 years ago, even like six years ago, actually, some of our developers weren't really allowed to do open source yet. And so they still used open source libraries, and sometimes we'd have the case that some developer would go home in the evening and contribute a bug fix to the project that he was using in his work, so that the next day he could have that bug fix available, right? And that's really stupid. So, none of that anymore, right? Open source is now part of our Mercedes corporate IT strategy. Oh yeah, here's the 10 seconds of advertisement. If you would like to join Mercedes-Benz, we are hiring, okay? So come find us; you can see maybe a logo here, two more colleagues from Mercedes, and there are a few more. So if you're interested, we are hiring. And yeah, I know everybody's hiring, but we're a really cool company, yeah? And we have nice cars, okay? All right, so thank you for being here and listening. I hope I've inspired you, and I hope that you can think about it, that maybe you and your company can be sponsors for open source as well, because if more and more companies do this, then we can really change the world, we can really make a difference, yeah?
Because it supports and fosters open source, because it will help to ensure that the projects that we need and like will still be around tomorrow, and because it's the right thing to do, yeah? So thank you very much. We have time for a few questions; well, we have quite a few minutes. Thanks so far.

Do we have any questions? Any questions? Yeah, do we have a microphone? No, okay. I'll repeat the question for tips. Yeah. Yeah, okay. Check it out. I'll do that. The other thing. Let me repeat this, because I think we're recording, so that the internet listeners get it: the tip was from French accounting. Maybe check if the accounting code in France is the same for tips in restaurants and for donations like this, so maybe that could help. Thanks.

My experience is I'm doing donations directly, and the difficulty I have is that a company needs to get an invoice for everything that is donated. And it means that there needs to be an organization that can do an invoice on the other end, and my difficulty has been, for some existing open source organizations, that it was difficult to get an actual invoice. In some cases it took just months to just get the confirmation, which made accounting a little bit nervous.

Yeah, okay, thanks. So in this case that was actually not the problem, because the invoice would come from GitHub, because we sort of park the money with GitHub and then they distribute it. So we got the invoice not from the projects but from GitHub. It still took a while, but I think that was mostly on our end. Yeah, okay, thank you, thanks. Okay, do you have any more questions or remarks? Okay, good. I mean, I'm going to be here until tomorrow, so if you have any questions that you think of later, you can always approach me. And once again, thanks for coming. You had a lot of space, that's also nice, right? Thanks guys, see you later.