WEBVTT

00:00.000 --> 00:14.640
All right. I'm going to get started. Perfect timing. Hi, everyone. My name is Michael Winser.

00:14.640 --> 00:17.240
And I realize I should have looked at my slides and mirrored like the gentleman said because

00:17.240 --> 00:23.280
I'm not paying attention. Let me see if I can do that. I can't see where I am. With a volume.

00:23.280 --> 00:27.280
So one of the interesting things about package management is there are no packages to go

00:27.280 --> 00:31.760
away. The problem just gets accumulatively bigger. Layers of sedimentation to the end of time,

00:31.760 --> 00:36.240
new versions, new packages, and God help us with AI people writing out new packages even

00:36.240 --> 00:41.840
more is just going to get deeper and deeper and deeper. npm of course is a special contributor

00:41.840 --> 00:48.320
to this universe. So just to put it in some concrete things, this is not the biggest registry.

00:49.360 --> 00:55.200
And if you look hard, you can figure out this registry rhymes with must or baits or something like that.

00:55.680 --> 01:02.640
There's a lot of data. It's going to be a number that stands out here as kind of like the

01:02.640 --> 01:10.000
odd number on this picture. Anyone? Seven. Seven human beings. Two of which are kind of paid

01:10.000 --> 01:14.320
because Alpha Omega. The rest are volunteers. Anybody feel comfortable about that?

01:16.880 --> 01:24.800
Right. This is on the order of Google. Do decade or so ago. Let's look at the math here.

01:24.800 --> 01:29.200
So one of the problems that people have is they actually conflate open source software

01:29.840 --> 01:34.720
and open source infrastructure. And package managers and registries are one kind of infrastructure.

01:35.280 --> 01:39.360
Ecosystems is another, right? So critical public good, get every get that freeze and beer,

01:39.360 --> 01:42.880
love it, freeze and speed. Yeah, freeze and poppies. Well, that's actually cost money. You have to

01:42.880 --> 01:48.720
take carry poppies and we have the problem in both cases. But the cost per use for open source

01:48.720 --> 01:53.360
software converges towards zero. The more people using it, it doesn't cost more, the effort to

01:54.240 --> 02:00.080
multiply. A cost per use on packages. It goes up towards infinity, especially as we start

02:00.080 --> 02:07.440
asking more of the package systems. So these are not good pictures. So like that, about per year,

02:07.440 --> 02:14.240
10 trillion dollars. Thank you for helping get the data. For perspective, I want to take a guess at

02:14.240 --> 02:18.960
a large, widely used service. Generally thought it was like one of the biggest things on the

02:18.960 --> 02:25.280
unit, what their traffic is pre year. Say Google is less. Now, this is aggregate across all the

02:25.280 --> 02:31.280
package registries. But I just thought, thank you Mike. This is run by, you know, on the order of

02:31.280 --> 02:36.960
25, 30 people across a bunch of disparate systems, each of which is an annoyingly different

02:38.320 --> 02:44.880
and reinventing the same wheels. So this was it. Like, okay, how many queries? 5.9 trillion.

02:45.760 --> 02:54.960
Okay, so we got some really scary things going on here. So let's play a game. Okay, this is when

02:54.960 --> 02:59.040
Michael remembers to go switch to the cool news slide and can't navigate a keyboard to say this

02:59.040 --> 03:06.880
life. Does anybody remember the game's family feud? All right, so shout out what do, what, what,

03:06.880 --> 03:10.720
what, what are the costs? Where, where does someone the cost come from? Anyone?

03:11.360 --> 03:14.240
Ben with, great. Okay, yeah. I'm going to pretend I can type.

03:19.200 --> 03:24.480
All right, I'm going to stop. Yay, wait a go. Okay. Storage. Storage. Okay, I'm going to save

03:24.480 --> 03:34.960
us time. Oh, wait, it was here. Storage costs. Anyone else? What? Not, they don't do that much, actually.

03:34.960 --> 03:44.000
Okay. But let's go with abuse. Okay. Or Mike's favorite. Sorry, right? Or shall we talk about

03:44.000 --> 03:49.600
malware? Yeah. There we go. We got that. Okay. Um, I'll just work our way down this list. You're

03:49.600 --> 03:52.960
publish support. You know, when people publish, what do they do? Mike, what's the first thing

03:52.960 --> 04:01.520
to do? Lose their goddamn accounts, right? You actually do fix bugs on this stuff, right? Do

04:01.600 --> 04:05.920
you occasionally add features? You do. What comes last? Anyone want to guess what comes

04:05.920 --> 04:15.040
last on this list? What's that? Doc, you don't even know this. Come on. No, that's a

04:16.240 --> 04:21.520
little payment here. What? No, no, that was sort of in the bug fixes. How about we talk about

04:21.520 --> 04:30.000
security? Oh, no, no, no. All right, I think I've made my point. Um, try to go back to this.

04:30.720 --> 04:36.800
Okay. So, um, when we start talking about how we're going to pay for all this, right?

04:36.800 --> 04:41.120
Everybody breaks into bandwidth jail. We should charge for downloads, right?

04:41.120 --> 04:44.320
Charge for bandwidth. It's costing all that money, right? Some of the graphs show a screen like that.

04:44.320 --> 04:46.880
It'd be great, right? What happens if you start charging for bandwidth?

04:48.160 --> 04:51.840
Everyone's going to cache, right? Not bad. Mike's going to get you.

04:51.840 --> 04:55.840
Sorry, yeah, right? But from my perspective, the gap here is not just a balance problem,

04:55.920 --> 05:00.560
because in fact, Mike, how much do you spend your money from PyPI on bandwidth each year?

05:01.120 --> 05:04.960
It's donate. It's zero. Yeah. Thank you very much to Fastly. Back, let's just have a little

05:04.960 --> 05:10.400
moment of applause to Fastly, right? And Brian here running Sonatype,

05:10.400 --> 05:14.000
Maven Central doesn't get a penny from Fastly. In fact, he's the other way around. He's actually

05:14.000 --> 05:19.200
subsidizing PyPI with the money he spends on, uh, that he's not really well. It's a circle.

05:19.200 --> 05:23.360
Foundation membership. So, if you donate to the PyPI, Python Software Foundation or the

05:23.520 --> 05:26.880
Rust Foundation or become a member of some of these things like that, some of their budget

05:26.880 --> 05:33.040
goes towards this, right? A disturbing large amount of the work that actually keeps these things going

05:33.040 --> 05:41.280
and moving us towards security comes from Alpha Omega and STF, right? Pause rate there. That is

05:41.280 --> 05:48.240
discretionary. Year by year, we're hoping to keep going, not built into the model. And so, if I lose the

05:48.320 --> 05:57.680
optics war is one year, Mike is screwed. So, we're point, all right? And then a lot of incondonations

05:57.680 --> 06:02.880
Fastly, AWS like that, keep the infrastructure going, all right? Tokensia, good luck with that.

06:02.880 --> 06:07.440
So, let's talk about money. Money is awkward, right? In open source, we start charging for this

06:07.440 --> 06:10.080
stop and I'm like, well, it's free. We're supposed to be here for free. We got it this for free.

06:10.480 --> 06:14.880
Great. Good luck with that. It's not ending well, right? Uh, there's some links in this deck to,

06:15.440 --> 06:19.200
a deeper report with all kinds of analysis that Claude produced some incredible charts for and

06:19.200 --> 06:25.680
like that. But the curves look like this, costs income, right? We've already crossed the line,

06:25.680 --> 06:30.000
we're living on borrowed time. So, one of the awkward things is people like, well, we're

06:30.000 --> 06:34.400
a charity. We're not supposed to charge for things. This is a list of charities that charge for things.

06:34.400 --> 06:37.440
Is it reasonable to go to university? Well, some countries here in Europe, I acknowledge,

06:37.440 --> 06:42.160
you can go to university for free. Thank you. It's awesome, right? So, I realize that that message

06:42.240 --> 06:46.160
doesn't always work as well here as it might elsewhere. But at the other day, it is entirely

06:46.160 --> 06:50.320
reasonable to charge for services. In fact, if you don't, people tend to abuse them. Isn't that

06:50.320 --> 06:54.480
what's happening right now? Brian lives a particular joy with some companies that felt that

06:54.480 --> 06:58.240
Maven Central is a perfect way to publish every single thing that ever happened to your package

06:58.240 --> 07:04.800
a thousand times a day until Brian calls you up and says, what the fuck? So, this is normal.

07:07.600 --> 07:11.680
So, let's talk about how we might start charging for revenue streams. And let's see what could

07:11.680 --> 07:16.560
possibly go wrong. So, let's say we start like the pricing unit was bandwidth. What will happen?

07:16.560 --> 07:20.720
Well, we already established that one. I stole my own words. We'll cache. What if things

07:20.720 --> 07:25.520
are going to happen if you start charging consumers like the iTunes model? You pay per package.

07:26.240 --> 07:31.360
Do the 99 cents per package and you get to use it to the end of time. How's that going to play out?

07:31.360 --> 07:34.400
Well, first of all, the package reviews are going to hear from the package maintainer saying,

07:34.400 --> 07:39.200
well, I get 50% or 70% of that. So, now that and the cost of dealing with all those

07:39.200 --> 07:43.280
customers and paying money like that, who asked Apple about how much money they spend keeping their

07:43.280 --> 07:47.920
customers happy at some level and advertising? It gets weird, right? But more importantly,

07:47.920 --> 07:52.960
there's no DRM here. This stuff is free. So, here, can I copy your left pad, please, right?

07:52.960 --> 07:57.520
That will happen all the time. Let's say we charge, oh, I type it. I apologize. I'll fix this

07:57.520 --> 08:02.080
if they don't. This is producers. So, now you're a publisher of package. We should charge you for the

08:02.080 --> 08:05.840
fact that we're giving you a jump bandwidth and things like that, right? This will go great, right?

08:06.800 --> 08:10.640
Oh, sorry. This is, I'm sorry. I got it right. This is consumer's redo subscription model, right?

08:10.640 --> 08:13.680
Mike, can I borrow your Netflix account? I need to download them, build my new package, right?

08:14.640 --> 08:19.760
Charge publishers? Great. Announcing shitty ass company over here now has their own dedicated

08:19.760 --> 08:23.120
package registry for the packages from them. You as a consumer will now have to know that whole

08:23.120 --> 08:27.840
space and of course they're going to run it really well and really securely it's going to be awesome,

08:27.840 --> 08:34.320
right? No. Right, exactly. Fragmentation, bulk organization, whatever phrase you want, right?

08:35.040 --> 08:38.640
One of the popular concepts and we are working to is because there are legs here

08:38.640 --> 08:44.080
is to do things like enterprise features, enterprises care about their namespace, a lot.

08:44.080 --> 08:49.840
They care about the fact that when Bob or Mary could use a package working at food corp,

08:49.840 --> 08:53.760
right, that when they leave food corp, they don't keep the keys to the package with them

08:53.760 --> 08:58.480
at belongs to the company. It's a reasonable thing, but not actually universally available today.

08:58.480 --> 09:01.360
So that's great. We could do that, right? It'll be great, right? Yeah, it'll be awesome.

09:02.000 --> 09:05.040
They're not really dying over this. Nobody's paying for it today. They're not like beating

09:05.040 --> 09:09.920
a path to Mike's door saying, if you do this, we'll give you a $10,000 a month, said nobody ever.

09:11.280 --> 09:21.200
So, anybody got better ideas? Great. The mitochondria of our ecosystem, right?

09:23.280 --> 09:30.880
Think it through. You'll hate the ads there, right? So looking ahead, right, we have

09:30.960 --> 09:34.960
Alpha Omega has been running a set of conversations with package registry folks for the past year.

09:35.920 --> 09:40.640
Honestly, half of it is just getting ourselves used to the concepts, this talk summarizes a lot of things

09:40.640 --> 09:44.800
that they actually contributed to the conversation, how we reasoned about it, think about it,

09:44.800 --> 09:49.760
and more diverse models, specifically so that as the ebb and flow of how it works out and how people react

09:49.760 --> 09:53.520
to it changes, we're not waking up one day going, whoopsie, that model didn't work as well. They've

09:53.520 --> 09:59.600
worked around us and now we have no money, right? When Alpha Omega funds in particular staffing roles

09:59.680 --> 10:03.600
like Mike, we have a hand here, Mike, and if any of us were funding here, please hear your hands.

10:03.600 --> 10:08.480
Thank you very much, Marty. When we fund those people, we budget for two years, which isn't

10:08.480 --> 10:14.400
a very long time in OPEX world, specifically so that if we don't win the OPEX wars in our particular

10:14.400 --> 10:18.480
funding organizations and they decide not to fund us this year, that we don't have to pull the rug out

10:18.480 --> 10:25.680
from Mike and Marty and others like that, right? That's a big deal. So, oh, that did something wrong.

10:25.680 --> 10:34.480
I've locked my laptop. So, I would invite you again, this QR code will get you this

10:34.480 --> 10:39.760
deck, it's also published on the FOSDEM site now. I did a bunch of deeper stuff, literally just

10:39.760 --> 10:43.120
firing up with Claude and having a good time asking it to produce ridiculously cool looking

10:43.120 --> 10:48.080
charts that I never would have bothered to do. But go take a look at the data, dig in,

10:48.080 --> 10:52.560
understand it yourself, and then by all means, come and join us. We'd love to have you in the

10:52.560 --> 10:57.680
conversation here. It's not a private club of conversation, but this is a topic that has historically

10:57.680 --> 11:03.520
been taboo a few years ago. I even said, like, I talked about this and remember the thing in D.C.

11:04.080 --> 11:07.680
And awesome person. I like very much, God, I'm saying, this cannot be.

11:08.720 --> 11:13.040
This changes too a little bit now, right? But I mean, this is part of the change that we all have to

11:13.040 --> 11:16.560
think about. And I'm here to start that conversation, and hopefully others will help figure it out

11:16.640 --> 11:20.640
finish it. So with that, thank you very much. Here's the promise QR code.

11:22.960 --> 11:27.920
My time. I think I have time for questions, too. I do. I'm not from Philippe. Sorry.

11:27.920 --> 11:32.960
Philippe is verboten. Mirrors. Right. That's just that you broke it into bandwidth jail.

11:32.960 --> 11:36.800
Way to go. If you do mirrors, you solve the bandwidth problem, but you haven't solved the revenue

11:36.800 --> 11:42.720
problem. Is going to revenue when you have mirrors? No, you're literally you're missing the

11:42.720 --> 11:47.520
most important point. It is not about the bandwidth. They're not spending any money on bandwidth

11:47.520 --> 11:51.360
today, but the problem is they don't have enough money to spend on a very security features that

11:51.360 --> 11:54.960
we all desperately need to stop being a bunch of idiots in PLM installing food when it's malware

11:54.960 --> 11:58.720
intensive or whatever. It is not, repeat after me. It's not about the bandwidth.

12:00.720 --> 12:04.640
Okay. Mirrors would be great. You should all be caching. If you're bringing stuff into your

12:04.640 --> 12:07.600
supply chain today, and you don't have an in-house cache for all the stuff you're using,

12:07.680 --> 12:13.360
you're a goddamn idiot. You're begging to be screwed by the next colors.js or whatever,

12:13.360 --> 12:16.400
somebody throwing a tantrum. So if you're not running a cache and you're developing organizations

12:16.400 --> 12:20.000
today, go home and fix that now. All right. All right. Over there.

12:23.600 --> 12:25.600
Like I said, you should be caching and mirroring.

12:38.560 --> 12:45.760
I'm all in favor of caching and mirroring to reduce the bandwidth load. It does not solve the problem I'm here to solve.

12:49.280 --> 12:54.080
They're not spending any money on this capacity structure. I can count it on one finger.

12:58.480 --> 13:00.480
Right here.

13:07.600 --> 13:19.680
So the question was, enterprises tend to pay for security related features and capabilities.

13:20.720 --> 13:23.760
There's some interesting ethical credit challenges in terms of charging for security that

13:23.760 --> 13:28.240
everybody would benefit from having. And there's also the problem that the enterprises that

13:28.240 --> 13:34.400
have woken up to this need today are currently buying it from some vendor. That's not a bad thing,

13:34.480 --> 13:40.640
but putting the public road utility in competition with the private towing service on the road,

13:40.640 --> 13:46.960
metaphorically, creates some other person's sense as well. These are the right questions.

13:46.960 --> 13:51.280
And the end of the day, finding a way to get to the point where enterprise can look at this as

13:51.280 --> 13:55.760
a normal cost of doing business and have it show up in their OPEX, as opposed to their

13:55.760 --> 14:00.080
OSPO donation budget, is the goal of this process. Question of here.

14:00.400 --> 14:05.600
What about like how copy left really help open source, like creating a new license, where if you're

14:05.600 --> 14:10.640
only money with the package registry, a certain percentage has to go through. Basically,

14:10.640 --> 14:15.600
the licensing. So can we achieve some sort of licensing model here tied to the distribution

14:15.600 --> 14:20.240
of the packages in some way? You're actually closer to the target than you think, but you're

14:20.240 --> 14:25.600
also smoking something spectacularly good because if your solution is to change everybody's licensing

14:25.680 --> 14:29.760
model, the stuff that is currently available for free, right? And also if you just imagine Matt

14:29.760 --> 14:32.720
Swozo with the Osis reveal the fine, we'll just build that ourselves because that's what Michael

14:32.720 --> 14:37.680
says to do in his other talks, which is stop pulling down other people's bills. And so you get again

14:37.680 --> 14:42.800
perverse incentives. But licensing and interpretive models of like the other day, let's face it.

14:42.800 --> 14:47.920
The registries are effective monopolies. They own the namespace. You could put caching and mirroring

14:47.920 --> 14:52.880
in there and you can even have licensing terms to that, right? But here's the thing. The cost

14:52.880 --> 14:58.000
of spinning up an alternative crappy registry, as Andrew has identified in so many cases,

14:58.000 --> 15:03.520
is almost zero. So the moment somebody says, great, my monopoly is awesome. I'm going to monetize

15:03.520 --> 15:07.440
my monopolies, right? People will route around you. They have done this over and over again. So

15:08.000 --> 15:14.000
you have to find the, make it not worth their effort to go somewhere else, making not worth their effort

15:14.000 --> 15:18.480
to try and build up popularity by building a free one that's really shitty, but somehow doesn't

15:19.120 --> 15:25.840
have to get, like, because you keep finding all the data that points us to all of the problems,

15:25.840 --> 15:31.360
right? How am I doing in time? I got a few more? Yeah, okay. I went fast so I would have questions,

15:31.360 --> 15:34.720
because the questions are actually the most interesting part of the conversation. But if you run

15:34.720 --> 15:44.240
out of questions, we can give people more time. In your stats, yes. So the question was, did we have any

15:44.240 --> 15:51.360
data about how much GitHub consumes Google started some simple Google cool hosting? Like 20 years ago,

15:52.080 --> 15:59.040
because they felt that so sport was too big. Right. So we, we, we've, we've given. Yeah,

15:59.040 --> 16:05.040
of course, our way past, way past, way past that point. Yeah, it's, so, you know, we all get addicted to,

16:05.040 --> 16:09.760
you know, various times of socially interactive engagements that happen, cause more addictive behaviors

16:09.840 --> 16:15.200
in other places. It's not the biggest problem we have, right? This is one of the bigger problems

16:15.200 --> 16:23.120
that we have. So I'll take one more question then we'll go from there. I love your questions.

16:23.120 --> 16:28.320
If we get the money, how do we do it? So part of the effective model that we have to come up with is

16:28.320 --> 16:34.480
one that allows us to measure the usage, the, the load, the impact on ecosystem so that we're not

16:34.480 --> 16:39.200
propping up ones that are probably dying or maybe need to die, right? And that we're not,

16:40.000 --> 16:43.600
you know, depriving those that are carrying more load from appropriate revenue, right?

16:44.400 --> 16:48.480
I don't have the answers to those questions. We are talking about them. I love your questions are

16:48.480 --> 16:53.600
great. With that, I think, we just have a mic. What between all of the maintainers is it?

16:53.600 --> 16:56.880
I prefer to think of it as a, but the Netherlands dictator somewhere, but, you know, you

16:57.280 --> 17:01.840
potato potato, it's, it doesn't end well no matter what, right? How am I doing on time?

17:02.320 --> 17:05.280
Yeah, I think that's about it. All right. I haven't seen, is Mike McQuay here?

17:06.560 --> 17:12.400
Oh, I could give his talk. Well, I want to thank you all for answering my questions,

17:12.400 --> 17:25.360
before.

