Open Source ain’t Charity

We’re spending real money on open source. Since hapi has been almost exclusively developed by the mobile team at Walmart, we had to justify the significant expense in open source the same way we justify any other expenditures. We had to develop success parameters that enable us to demonstrate the value and to make on-going investment sustainable.

The formula we constructed produced an adoption menu where the size of the company using our framework translated to “free” engineering resources. For example, every five startups using hapi translated to the value of one full time developer, while every ten large companies translated to one full time senior developer. We measure adoption primarily through engagement on issues, not just logos on the website.

These numbers change a couple of times a year as the nature of contributions evolves, but they provide a solid baseline for progressive comparison. By having a clear way to measure ROI, we can justify more resources. It allows us to clearly show that by paying developers to work on hapi full time, we get back twice (or more) that much in engineering value. The same goes for sponsoring conferences. It all has to translate back to measurable engagement.

Of course, not everything is just numbers. Since Walmart tends to adopt hapi features about six months after they have been introduced, external early adopters give us a significant quality and stability boost. We are also among the top work destinations for node developers. We have been getting about a dozen qualified candidates for every node opening we advertise. But while these benefits are important, they are very hard to quantify and we rarely rely on them to justify investments.

When we’re asked to sponsor an event, we look at the community the event is serving and the impact a sponsorship can have on our adoption benchmarks. Unlike many other companies, we don’t have an evangelism budget. We sell goods, not APIs or services, and our current interaction with the developer community is limited to hiring.

If this all sounds very cold and calculated, it’s because it is. Looking for clear ROI isn’t anti-community but pro-sustainability. It’s easy to get your boss to sponsor a community event or a conference, to print shirts and stickers for your open source project, or to throw a release party for a new framework. What’s hard is to get the same level of investment a year, two years, or three years later.

What is even harder is to justify hiring a full time node contributor and other resources dedicated solely to external efforts. But with a strong, proven foundation of open source investments, even that becomes an obviously smart move – by the numbers.


I’ve been asked by a few people for my thoughts regarding the ‘gendered pronoun’ incident that’s occupying the node community this week. I am purposely not linking to that thread. I appreciate Ben Noordhuis’s contribution to node, and I think that contribution merits a more nuanced response from me than a Twitter one-liner.

First, because it is worth saying, there is no argument that Ben is a very smart guy, has made a significant contribution to node and libuv, and has been tremendously generous with his time and talent. I do not believe the node community is “better off without him”. I hope he comes back.

To me, this is the core of the issue: Ben has an established history of dickishness. This attitude has been tolerated by the node community longer than anyone else’s inappropriate behavior because of Ben’s clear talent and contribution. But this is never sustainable and at some point, one more slip is enough to cause an uproar, and this is what happened here.

If the response from individuals and companies feels exaggerated and over the top, it is because for many insiders this is not a single incident but the last straw. Whether that is fair or not is a matter of opinion.

I witnessed this behavior in a response to a node issue a member of my team opened a few months ago. I sent a private letter to Ben’s company explaining why I felt it was inappropriate and offensive. The response I received suggested that this was simply a result of Ben’s work load and his need to sort through many issues quickly. I was unsatisfied and expressed that. Shortly after, Ben corrected his behavior on that particular issue and provided thoughtful and patient feedback.

There wasn’t an apology or an acknowledgement of wrongdoing, and that stuck with me. Ignoring all the ‘gendered pronoun’ debate, what is really at the core of this incident is lack of empathy. It’s failing to say a simple ‘sorry’. It might sound trivial or petty but the incident a few months ago left enough bad taste in my mouth not to want to engage Ben further. I’ve actively directed my inquiries to other members of the node core team.

Ben is by no means unique in his attitude. I am sure half the people I interacted with when I was working on that “awful 2.0 security protocol” feel the same way about me. But when I offend people unintentionally, I immediately apologize publicly and privately, and when I choose not to, it is done with the clear understanding of the repercussions. When I quit that working group, the negative reaction I received was very much earned by my actions.

Every community has to decide what is acceptable behavior within its boundaries and especially what it allows its leaders to do. Whether it is an open source project or the workplace, there is always a balance between someone’s attitude and contribution. One often does counter-balance the other, but only to a point.

My behavior within the node community is in sharp contrast to that of my behavior in other communities. It’s not because I’ve changed, matured, or evolved. It is simply because it is the only acceptable behavior within the node community. Context matters.

Ben had multiple opportunities to back out of the corner he put himself in – and he still does. It really doesn’t take much. At least not in word count. People are just looking for some empathy, for acknowledgement that their feelings were hurt, and that the offender understands and regrets their actions, especially now that they know how offensive it was to people.

I hope Ben comes back from his break and continues to contribute. And when he does, it will be our turn to show empathy and move on.

Realtime Conference, the Imagination Platform

Last year, if you recall, I was a bit upset about some specification I participated in… I wrote a blog post, followed by another post, then went silent. I felt very strongly that everything I had to say was right there in the posts and that an ongoing online feud would only weaken the points I was trying to make. For a couple of months I received weekly requests to come speak at conferences about it. These were all security, platform, or API conferences where this topic would be a perfect match. I turned them all down.

What bothered me was the feeling that if I were to do a talk about it, it would have to be to a completely different audience. I would have to break out of the echo chamber and turn a very technical and procedural set of arguments into something more culturally and emotionally meaningful. And it would have to be funny, which none of the people my posts were aimed at found amusing.

So when the invitation from the Realtime Conference team showed up in my inbox, my first reaction was to turn it down like all the others. But then when I read it, something clicked. For the first time, I wasn’t invited to explain why the protocol sucked. I was asked if I was interested in “sharing some of what [I] feel are [my] ‘lessons learned’ from that experience”. Here was an invitation to engage in a meaningful, emotional exercise that wasn’t trying to recreate my posts. It was about moving on. I immediately replied “sure!”.

OAuth 2.0 and the Road to Hell

They say the road to hell is paved with good intentions. Well, that’s OAuth 2.0.

Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdrew my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing.

(All these Brilliant People at) Facebook Make Me Sad

This is not a post about open, about standards, about privacy, or really any criticism of Facebook in any way. In fact, the problem is just how unbelievable the Facebook team is (in a good way). The sheer strength of their talent is almost unmatched in our industry, past and present. The problem is, all that talent is building something I just don’t care about, and no one is left for anything else.

Facebook doesn’t provide me with anything useful.

The Growing Web Identity Crisis, Courtesy of Facebook

A concerning trend is showing up in recent TV and print advertisements of companies using their Facebook profile pages as their web identity instead of their own domains. Most of these companies are big corporations with a well-established web presence. Using social networks to connect with consumers and promote brands is not new, but using these identities as the primary corporate web identity is new.

Goodbye Open (and Why I’m Staying at Yahoo!)

It’s that time again, to move on. The past three years have been a roller-coaster. Coming from a small startup after a decade in financial services technology, I got to learn, contribute, lead, and provoke open web development. My standards participation landed me a great job, relocated my family to the West coast, and introduced me to a lot of amazing people. It has been awesome.

Over the past couple of months I have been steadily phasing out my open specifications and standards involvement. The OAuth 2.0 core specification is the only thing I am still working on (OAuth is a keeper). Everything else has either fizzled away or lost its interest to me. This should not come as a surprise to anyone who talked to me or read my posts over the past few months.

OAuth 2.0 (without Signatures) is Bad for the Web

OAuth 2.0 drops signatures and cryptography in favor of bearer tokens, similar to how cookies work. As the OAuth 2.0 editor, I’m associated with the OAuth 2.0 protocol more than most, and the assumption is that I agree with the decisions and directions the protocol is taking. While being an editor gives you a certain degree of temporary control over the specification, at the end decisions are made by the group as a whole (as they should).

And as a whole, the OAuth community has made a big mistake about the future direction of the protocol. A mistake that is going to make OAuth 2.0 a much less significant agent of change on the web.
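To make the bearer-versus-signature distinction from the excerpt concrete, here is an added illustration that is not code from the original post or from any OAuth specification. It pairs a constructed bearer-token server with a constructed signed-request server (a generic HMAC over method, path, timestamp and nonce, in the spirit of OAuth 1.0-style signing but not any particular standard). All tokens, key ids, secrets and paths are invented sample values. The point it shows: a bearer token seen once on the wire works anywhere, like a cookie, while a signed request keeps the secret off the wire and is bound to one request, one time window and one nonce.

```python
"""Bearer tokens versus signed requests (added example; constructed values).

The signing scheme is a hypothetical HMAC-SHA256 design used only to contrast
the two styles; it is not a reference implementation of OAuth 1.0, 2.0 or Hawk.
"""
import hashlib
import hmac
import secrets
import time

# --- Bearer style: the token itself is the credential -----------------------
VALID_BEARER_TOKENS = {"tok_demo_abc123": "alice"}   # constructed sample token


def bearer_request(token, method, path):
    """Client side: the secret (the token) travels in the Authorization header."""
    return {"method": method, "path": path,
            "headers": {"Authorization": f"Bearer {token}"}}


def bearer_verify(request):
    """Server side: whoever presents the token is accepted, on any path."""
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    return VALID_BEARER_TOKENS.get(token)


# --- Signed style: the secret stays on both ends, only a MAC travels --------
SIGNING_KEYS = {"key_demo_1": ("alice", b"constructed-shared-secret")}  # constructed
CLOCK_SKEW = 60          # seconds of timestamp tolerance accepted by the server
seen_nonces = set()      # replay cache; a real server would bound and expire it


def _normalize(method, path, ts, nonce):
    """Canonical string that both sides MAC; binds the signature to the request."""
    return f"{method.upper()}\n{path}\n{ts}\n{nonce}\n".encode()


def signed_request(key_id, secret, method, path, ts=None, nonce=None):
    """Client side: send key id, timestamp, nonce and MAC; never the secret."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(secret, _normalize(method, path, ts, nonce), hashlib.sha256).hexdigest()
    header = f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'
    return {"method": method, "path": path, "headers": {"Authorization": header}}


def _parse_mac_header(value):
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        return None
    parsed = {}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        parsed[key] = val.strip('"')
    return parsed


def signed_verify(request, now=None):
    """Server side: recompute the MAC over the request actually received,
    then enforce the time window and reject nonce reuse."""
    p = _parse_mac_header(request["headers"].get("Authorization", ""))
    if not p or p.get("id") not in SIGNING_KEYS:
        return None
    user, secret = SIGNING_KEYS[p["id"]]
    try:
        ts = int(p.get("ts", ""))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if abs(now - ts) > CLOCK_SKEW:
        return None
    expected = hmac.new(secret, _normalize(request["method"], request["path"], ts,
                                           p.get("nonce", "")), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.get("mac", "")):
        return None
    replay_key = (p["id"], ts, p["nonce"])
    if replay_key in seen_nonces:
        return None
    seen_nonces.add(replay_key)
    return user


def demonstrate(now=1_700_000_000):
    """Run both styles against the same observed-on-the-wire scenarios."""
    seen_nonces.clear()
    results = {}
    # Bearer: the header captured from one request is valid for any other request.
    r = bearer_request("tok_demo_abc123", "GET", "/orders")
    captured = r["headers"]["Authorization"]
    results["bearer_original"] = bearer_verify(r)
    results["bearer_replayed_elsewhere"] = bearer_verify(
        {"method": "DELETE", "path": "/account", "headers": {"Authorization": captured}})
    # Signed: identical replay, retargeting and stale timestamps are all rejected.
    _, secret = SIGNING_KEYS["key_demo_1"]
    s = signed_request("key_demo_1", secret, "GET", "/orders", ts=now, nonce="n1")
    results["signed_original"] = signed_verify(s, now=now)
    results["signed_replay"] = signed_verify(s, now=now)
    results["signed_retargeted"] = signed_verify(dict(s, method="DELETE", path="/account"), now=now)
    stale = signed_request("key_demo_1", secret, "GET", "/orders", ts=now - 3600, nonce="n2")
    results["signed_stale"] = signed_verify(stale, now=now)
    results["secret_on_wire"] = secret.decode() in s["headers"]["Authorization"]
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The signed server still needs a replay cache and clock tolerance to be correct, which is part of the complexity the OAuth 2.0 working group chose to drop; the bearer server needs neither, but then transport security (TLS) is the only thing standing between a captured header and full impersonation.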

How to Enter a Standards Working Group

As the OAuth specification editor, I am approached daily with comments, questions, ideas, and some very odd solicitations. It is quite fun. It seems that most people joining the work are determined to undermine their contribution by doing their best to alienate or insult the community, and often the editor.

This is not unique to OAuth – I have seen the same mistakes in many other places. Since working on an early draft of the OAuth 2.0 specification, I started collecting tips for newcomers. Here are some that would make your entrance into a standards working group much smoother and more productive.