I turned my open-source project into a full-time business

Yeah, there is a lot of hassle in some cases, it's really quite unfortunate that the laws don't protect individuals that want to do side work.

For those of us that are used to working as contractors that isn't an issue, as we already have accountants and are used to making invoices every month. But I understand it can be daunting if you don't have all of that in place, yet.

Unless one is setup as a nonprofit, in the US, there is very little difference between recieving 5000 from a donation link and recieving 5000 as a payment on an invoice. It is all taxed the same.

Some projects might not be setup for either, but it sounded to me like the above poster was dealing with some one who was willing to accept it as a donation, and it would likely have been trivial to send an invoice for 5000.

From my point of view there are two misconceptions in your post. 1) you need to be set up to work-for-hire to write an invoice. 2) you need to get clearance from their employer for things outside work hours.

ad 1) No, you don't need to. At least in Germany anybody who's legally competent can write invoices. If the invoices are secondary income, you will be taxed heavily (and declare it you must), but that's it. It has been some time since I last lived and worked in the USA, but I mean to recall that it was basically the same. Of course, invoiced money is your money now and you need to donate it to the FOSS project, which then needs some kind of treasury. But you said as much already.

ad 2) No, you don't need to. Your employer is your employer, not your owner. Now I don't know about the USA today (see above) but in European countries what you do outside working hours is your private affair -- discounting a few, very specific fringe cases. If you play soccer, dabble in explosives, or code for money doesn't matter. And frankly, your typical employer in most cases does not care anyway.

Yes I understand that but if you can accept donations, you can surely hack together a quote and state that the payment will go through your donation platform. In most country I believe you don't have anything to do at all bellow a certain threshold.

It's just a matter of not offering to work for free to a corporation that really doesn't need your generosity.

I remember the first time I sold code to a company for low 4 figure amount. The hassle of registering for a VAT-Id (in Germany) and writing an invoice wasn‘t the problem. I was afraid that there were any liabilities or other „rules“ I simply didn‘t know about like „what if something breaks and they sue me, because I didn‘t include a specific line of legalese in the contract?“.

You can also run into the opposite problem, where they license a commercial version of a dependency, and instead of paying ten grand or whatever, they pay a senior (way over six figures) to re-implement the same functionality, which wont be maintained anywhere as well, and it takes them over a year to reach parity. Totally never happened anywhere I worked.

It astounds me that companies would rather waste hundreds of thousands of dollars instead of just throwing a few thousand that will benefit them in the long haul.

I genuinely believe more companies should adopt a policy of just letting devs work half a day on fridays on whatever they want, whether it be technical debt, or even open source projects the company depends on. Maybe that would be more feasible, but even then lots of places would still not understand the value.

Crypto (as bad as it is) is a good way to take money. You can easily send and receive large amounts without worrying about laws and taxes. Might be unethical or illegal but just don’t get caught

I'm not deciding what the company can spend on, that's the point. That person isn't doing me a favour, they are doing a favour to a company.

Sounds like pure moral hair-splitting. If they didn't want money, cool. But if they were expecting money but needed it to be via a donation for some moral reason, then I'd wager they read too much "itsfoss"

I believe it has more to do with the feeling of "we are in charge of our code", so they don't let anyone pay for any changes/fixes in the code and there can't be any entitlement to more bugfixes should anything break. Donations don't have that moral obligation.

AGPL/proprietary dual licensed is a solution to this. Clients get two choices: give back as much as they take, or fuck you pay me. The former makes everyone happy, and the latter stops the developer making themselves homeless.

That's the nature of some humans. A corporation is not required to kill for profit.

Doctors would kill for profit. Politicians would. The same for engineers, cookers. Any profession, activity or line of business really.

That's human nature. But not all humans. Not even majority, I'd say certainly.

The problem is that this small minority gets 99% of the news. Very rarely one hears when a CEO avoids a decision that could endanger someone. Or when a Doctor is honest and preserves the patient's health above all.

It doesn't mean these good things aren't happening all the time. Look at your life and remember: how many people could have done harm to you for a profit? How many do you remember actually doing it?

This is why copyleft is necessary

How would copyleft* have prevented this?

AGPL might, but GPL (and therefore, copyleft) doesn't prevent the upthread outcome.

* - GPL is the prototypical/original [as far as I know] widely-used example of a copyleft license and the startup using nodemailer could have done that just as well (and for free) if nodemailer was GPL-licensed.

Not just anti GPL but anti BSL/Elastic license too.

This they told me at first lesson of economics at university, 1989

Why not release it as AGPL?

Pics or it didn’t happen.

I’ve been sitting on some code for about 15 years because it’s the key to disrupting a couple of entrenched players

I have a difficult time believing that any piece of code that can be "sat on for 15 years" would disrupt anything. 15 years, especially in tech, feels like a couple generations these days.

You're not running away with it either. You should just release it as a proprietary tool or SaaS if you think it will be useful for people.

Well, one of OP's initial mistakes was that he thought LGPL was anywhere near "copyleft." It isn't.

For SaaS companies who just want to use the software on their backend and are not interested in redistributing it in any way, there's no realistic difference between LGPL and more permissive licenses like MIT and BSD.

Honesty? (haha)

More seriously:

- you get support by paying, this is important for many businesses - $1k/year is cheap

- risk of getting sued if the word gets out you're using something against its license (and for network-facing code, I'd suspect it's easy enough to miss something)

For me the advantage of source-available is you can always shortcut the support if there's a business critical problem and you can't wait for the author to wake up, so I think it's a great model.

Most EmailEngine's customers are small-ish SaaS providers (different kinds of niche CRMs, etc), and in their position, it is not really an option to spend time / risk breaking copyright protections. Instead, they pay the subscription fee and get into building email integration features for their service.

TBH, I wouldn't dare to use such a model in the B2C market, though. Everyone would pirate it.

Updates, support and no losing developer time to updates and support. Sub $1k is a bargain for something so integral.

Probably fear that this is the kind of red flag that would show up in due diligence, and that having piracy as part of the foundation of the tech stack that you build your business on is not a worthwhile risk to take.

It's a sad irony that CLAs essentially put the project owner in the exact same position as the unicorn that screwed them over, by screwing over those downstream who make contributions, if/when they monetize the project.

I came across some Scheme/Racket/? library recently that attempts to quantify contribution levels and distribute any received funds fairly based on that. Unfortunately, I can't find it at the moment, but it was a cool idea.

The main reason CLAs exist is to facilitate this kind of "rug pull", so I think the lesson is to either accept that it will happen or never sign a CLA.

Well, you sure can patch it if you want :^) I think there isn't really a reason to add more than a simple license check though, as enterprise users are generally scared of using pirated software.

I use jwt for my app’s licensing. It works great.

Ecliptic curve signing. You can produce a message body like “valid_until=2025-02-25” then sign it and distribute it as an api key that’s body+sig. Client can verify signature using public key without a server call (sig validation).

EC beats other signatures because signature is muuuuuch shorter, so it can still look like an API key.

"an ec key" (elliptic curve) is just a detail, this can be done with any crypto library or utility - for example directly with the openssl command: https://stackoverflow.com/questions/15686821/generate-ec-key...

embed the public part in your application and you can verify that something signed with the 'dgst' command and the private key really has been signed with the private key (which you obviously shouldn't publish)

(Note if using plain commands there is more friendly than openssl, minify/signify are much harder to get wrong, but I'm not sure they're as easy to use programmatically in as many languages there are for libcrypto/sodium/etc; this is really just an example)

You mean making the software proprietary. The definition of open source itself is neutral on whether it's a commercial effort or not, or whether it's a community effort or not, or whether it's both community and a commercial effort.

I don't think it counts as a rug pull if you're free to grab the last open version. Why should they continue updating the software?

at least be up front about it in the beginning

Treat CLA as that: an upfront statement that the author may and probably will change the license in the future.

You can't take the entire software commercial, as everything previously released under the open-source license will stay under that license. In the case of EmailEngine, all versions ever released under the AGPL license are still in Github; you can fork and use these freely. It is only the path forward that gets closed when going commercial - users can start paying, can stay indefinitely on the already released free versions, or can take the initiative and fork the project.

Isn't this what WinRAR did back in the days? It would be a 7 day trial and then asked you to pay, but the trial never expired.

But if they have the source code, they could just switch off the license key check, right?

It seems to me he could just keep the license GPL then, wouldn't change a thing. The (small) businesses don't care about the license, but walk the path of least resistance.

Does marketplaces like the one at AWS help with that? I can pay with my AWS billing account. Sounds like another type of sweet spot.

This is a big reason why enterprise software pricing is the way it is.

Also if it's $1000/year (or even better per version) flat and really useful it's actually kinda easy to get green light.

If it's $5/user/month, with 3 plans, with add-ons and it's unclear how many people you have to on board (just devs? Maybe business too? Does security team need access?) it's much harder discussion as nobody knows final cost (apart from the fact that we're not gonna like it in the long run).

Exactly, before you go to open source, take a hard look at

* why I am doing that

* plethora of burned-out maintainers and their posts

* how I am going to deal with the issues/PRs, toxic entitlement

* what's my exit strategy

The first thing before you go into open source (provided it's actually used open source) is to answer these questions honestly for yourself. Because it's massive time sink with no money and *there will never be money* (unless you go open core or your employer pays you, in that case that's just a job just like any other).

As you point out, I am assuming malicious intent and you have every right to assume the same of me! I should have put that other part in.

It just didn't jibe with me and still feels like it is an easy and obvious upgrade.

But, you are right, they did justify it, it seems like an overstatement to say it would be a huge investment. I should review the code myself to verify, but a statement like that the lazy programmer in me shy away from even doing that.

That's not how that works:

Derivatives works (including modifications or anything statically linked to the library) can only be redistributed under LGPL

Consider the OP's headline. They didn't even describe what their project was. All they said, all they think they needed to say, was that it is Open Source.

And on HN, it's actually true. Open Source projects get lots of kudos here.

The problem is, others may see what is essentially a marketing strategy aimed at a niche audience and conclude that Open Source is an essential, in fact they most essential, part of the business. Hence the need to remind people that Open Source is not a business model.