Why Libraries.io and Dependency CI are joining Tidelift

Andrew Nesbitt, Libraries.io
Published in
Nov 14, 2017

Today we have some pretty big news. Ben and I are joining Tidelift, a new company focused on making open source software work better for developers and users, and we’re bringing Libraries.io and Dependency CI into the fold as well. For more details check out the Tidelift blog post and Ben’s blog post.

This post is a little more about how we got here and why I think this is the right next step.

I started working on Libraries.io in my spare time back in 2014, a couple of months after I left GitHub. I knew that open source discovery was an important problem to solve, and I wanted to concentrate my efforts on it.

Based on what I’d learnt building 24 Pull Requests and my analysis of the open source landscape while at GitHub, I knew that I’d need better usage data than just download and star counts, so Libraries.io started at the package manager level and began to index the network of interconnected dependencies across all of open source, in the same way that Google does for the web with PageRank.

The site was a hit, and quickly grew in size. Ever-increasing hosting costs and time requirements started to take their toll. I needed to find a way to make Libraries.io sustainable, whilst keeping the principles of the free and open communities that it supported.

Dependency CI was my first real attempt at building a business on top of the Libraries.io data set, allowing projects and companies to codify policies on their open source usage, making sure they didn’t add any bad dependencies to their apps, while integrating directly into their workflow rather than as an afterthought when it was time to do some due diligence.

The problem I quickly ran into there was that I didn’t have anywhere near the resources to provide support for the big, paying customers who need on-premise enterprise deployments and round-the-clock support.

It was around that time that I met Ben, who’d been investigating ways of finding potentially vulnerable, high-profile projects in the wake of the OpenSSL Heartbleed fallout. Libraries.io was the perfect tool for highlighting high-risk projects because of the connected network of usage data. Together we started planning how we could use that data to help with the wider issue of sustainability in open source.

Thanks in part to an introduction from Nadia Eghbal, we managed to secure a joint grant between the Ford Foundation and The Alfred P. Sloan Foundation, the first of its kind. This gave us a one-year runway.

The high-level plan we put together was broken out into three sections:

  • Discovery: Helping developers make faster, more informed decisions about the software that they use.
  • Maintainability: Helping maintainers understand more about the software they depend upon and the consumers of their software.
  • Sustainability: Supporting undervalued software by highlighting shortfalls in contribution and funneling support to them.

Libraries.io already had Discovery covered and Dependency CI focused on Maintainability. As we reached the end of the grant, after completing our funding commitments, we started thinking about the third goal, Sustainability, and how to ensure that Libraries.io could continue to operate a free and open service that the wider open source community has come to depend upon.

Once again, an introduction from Nadia, this time to Tidelift, helped us take the next step towards supporting sustainability in open source.

Over the past few years we’d spoken to a number of companies who were interested in employing us based on the work we’d done on Libraries.io, but none of them felt quite right. There are quite a few companies building tools to help companies manage their open source usage but they almost always sell a band-aid over the underlying problem.

Problems like poor security, conflicting licensing, lack of backwards compatibility and support often stem from the fact that the majority of open source maintainers are working as unpaid volunteers.

Rather than just selling products that try to shield companies from open source projects, Tidelift is aiming to solve the root causes and give maintainers the resources they need to strengthen the foundations of our digital infrastructure and enable all kinds of new innovation at the same time.

So what’s going to happen to Libraries.io and Dependency CI now?

We’re going to continue working on Libraries.io in the open, under an open source license and releasing open data as before, now with more resources to make it even faster and more stable.

Dependency CI may take on a different form in the future as part of Tidelift, though we intend to continue providing tools to help companies and open source projects with their usage of open source.

I’m looking forward to sharing more of what we’re working on at Tidelift over the next few months and working with a great team to make all of open source even better and stronger.

Package management nerd. Creator of @octoboxio, @Librariesio, @24pullrequests and co-host of @manifestpodcast.