free2wait / composer-free2wait Goto Github PK

I am going raise my voice here, because this is without doubt the most horrifying idea I have seen in a while. Your basically adding DRM or Net-neutrality slowdowns to open-source for no gain what so ever.

The idea of someone adding a plug-in (which btw is incredible easy to bypass with --no-plugins or by adding a replace section in your root composer.json file) to generate money for open-source projects by delaying the installation process? REALLY?!

The great thing about open-source is that we (the users) are in full control of what the software does; adding a slowdown unless I pay for a proper speed? takes away this freedom and only creates separation within in the community (as some issues suggest). It doesn't encourage us to help people, we are forced to pay even though the project's we develop are free and even for charity organizations! This whole concept undermines the very foundation of Free software.

Yes, we need to make money like anyone else, but does that mean we should force this burden on our users? What if they can contribute in other ways, it's not all about money for a project. Most developers are actually working for a company and making money. Only a small group struggles with a project because of financial reasons, but they are better ways to ask for help rather forcing this!
Premium support, exclusive extensions, voluntary donations (does actually happen for some projects), sponsoring, you name it.

And if donations are actually needed but not provided, the project dies. Sad but true, maybe someone will fork the project and they will make money of it? If this is really a concern choose a proper license like (L)GPL or MPLv2.0 (which I am using for a big project) so anyone always needs to contribute back the community.

Instead of adding a slow-down feature, why not show a banner that the listed projects accepts financial donations? This could even be added Composer itself 👍

And finally, please stop spamming (almost) every project. It's better to ask feedback from the community using Twitters, Slack channels or something but not by opening pull requests with something that slows down Composer. You will only receive the rage from the community, I love the idea of helping other open-source projects, but not like this, not like this...

First appeared in salsify/jsonstreamingparser#63 (comment) .

Problem

The issue is that package developers could feel ucomfortable collaborating, prefering to create own repos in order to get additional funding.

Solution

In my view it should be solved this way: we should enhance the way how payouts are distributed - I think, the better way is to split payouts automatically beside package developers proportionally to their contribution to the package source code. I think, it should be something average between share of actual source code and number of authored commits.

It would turn each open-source package into "joint-stock company", where each contributor becomes a shareholder. Looks fair in my view.

First appeared in ddeboer/imap#277 (comment) . Also seems relevant salsify/jsonstreamingparser#63 (comment) .

Problem

According a license any package has, it could be copied by someone without the pay-or-wait limitation.

Solution

The only solution I could imagine for now - is to change licensing for packages that want to adopt this monetization scheme to more restricitve: it should permit linking and forbid changing. I guess, #1 (comment) could be the option.

First appeared in aidantwoods/SecureHeaders#69 (comment) .

10 seconds and $5 are default values to make things started - in the future I think we should be gathering analytics to be able to replace the values accordingly.

In my view the best way to do it is to perform A/B-testing all the time by several values of price and delay in order to maximize the revenue (which is price multiplied by conversion). It means that the algorithm should select the values of price and delay, which make users willing to pay more. If the price or delay set too high (turning it into "nightmare"), the conversion will decrease - and the algorithm should understand that it's time to low values.

The suggestion first appeared in aidantwoods/SecureHeaders#69 (comment) .

Choose license - and attach license file to the repository.

First appeared in salsify/jsonstreamingparser#63 (comment) .

The issue is that any company big enough to find it worth paying the fee for immediate download would have the expertise to create their own workaround to avoid having a dependency on composer-free2wait.

Threats

I see these opportunities to workaround the forced awaiting (if you see more - please let me know in comments):

• Apply the patch, replacing awaiting with dummy, regularly at each install/update (e.g., by cweagans/composer-patches)
• (from #6 (comment)) Usage of --no-plugins command option.
• (from #6 (comment)) Adding a replace section in your root composer.json file.

Creating own repo is not an option - as it would miss updates from original repo.

Protection

1. Active (which makes it harder to apply any workaround):

• Distribution as phar (in order to harden patching).
• Check signature SHA-2.

2. Passive (which makes it harder to have any workaround):

• Select appropriate licensing (in order to prevent usage of modified (patched) version). See #1 as relevant.