
I turned my open-source project into a full-time business

sgu999
37 replies
4h16m

I even went so far that when a founder of a major transactional email service sent me an email regarding Nodemailer and offered to make a donation to promote my efforts, I rejected it.

To all of you around here who do FOSS, please reconsider this kind of attitude. The ones offering can be employees, and they had to argue your case.

Just a couple weeks ago I asked a maintainer of one of our Rust dependencies to give us a quote for fixing an issue. I had beforehand negotiated the deal with the CTO, it could have been anywhere up to $5k for roughly one day of work. No license involved, just money against some of their time to improve their open source code. To my dismay, they refused and did it "for free" while giving us a link for a donation.

Guess what? The donation never came. It doesn't make sense for the ones who think in ROI, even less for the CFO behind them. Now I'm too ashamed to even show up on the issue board so we're all at a loss.

pm215
26 replies
4h11m

One problem from the open source project side of things is that unless the project happens to be one where at least one regular contributor is a consultant who is already set up to do work-for-hire like that, it can be way too much hassle to deal with a single one-off $5K, let alone smaller amounts. There's a big chasm of "this isn't worth it administratively" before you get to "there is enough money coming in from this kind of thing that somebody could make it their job" (for instance for a developer who already has a full time job, doing work for money probably requires them to go through a lot of hassle clearing it with their employer). Some projects don't even have a setup where they could do anything useful with a donation.

packetlost
6 replies
3h36m

Yeah, there is a lot of hassle in some cases, it's really quite unfortunate that the laws don't protect individuals that want to do side work.

Propelloni
5 replies
3h0m

This must be a non-EU thing. Sometimes I'm amazed how much western democracies and esp. the EU have achieved in protecting the employee from their employer. It all seems so natural that I tend to forget how much the social democrats and worker unions struggled to get to this point.

vladvasiliu
3 replies
2h10m

I'm not sure I understand how your point relates to getting paid for side work as somebody who doesn't do that regularly.

For example, here in France, there's no such thing as "freelance". As an individual, you can't just invoice somebody. You need to set up some form of "enterprise". Sure, there are some forms which are supposed to be easier to set up, but you still have to go out of your way and do it. You can't just declare the income on your tax return. And now that you've created a company, you need to file tax returns every year, even if you don't do anything. It's also not free, an actual accountant has to sign them off (this may not be the case for the smallest forms of companies). Sending your taxes to the fiscal administration is also not free (fun fact: VAT is levied on that fee).

sgu999
2 replies
1h55m

IANAL but that's not entirely true. As long as it's exceptional, it's legal to earn money without having a company in France. It's the "revenu commerciaux non professionnels" box on your tax form.

As for being an "auto entrepreneur" (equivalent of a sole trader), you don't need an accountant at all and the paperwork is rather small. Definitely worth it as it means you have some recurring revenue already.

vladvasiliu
1 replies
1h51m

According to the taxman's website [0] you need to be a "liberal enterprise". Not sure what exactly that means, but I'd be surprised there's no form of bureaucracy involved. I think you need to have at least a "micro enterprise".

As for being an "auto entrepreneur" (equivalent of a sole trader), you don't need an accountant at all and the paperwork is rather small. Definitely worth it as it means you have some recurring revenue already.

Good to know, especially since, IIRC, they've removed the special social security you had to have for that kind of company.

[0] https://www.economie.gouv.fr/entreprises/impot-sur-revenu-bi...

sgu999
0 replies
43m

According to the taxman's website [0] you need to be a "liberal enterprise". Not sure what exactly that means, but I'd be surprised there's no form of bureaucracy involved. I think you need to have at least a "micro enterprise".

We are not referring to the same thing, I think. You're looking at the tax for corporates when I'm looking at individuals [0]. The key seems to be that it has to be exceptional and not regular. I'd still double-check on a case by case basis with the tax bureau before going ahead, but I've found them to be helpful in the past.

It does make sense for niches like these to exist, otherwise you'd end up having to set up a legal entity before being on the receiving end of a transaction as an individual.

[0] https://www.impots.gouv.fr/sites/default/files/media/1_metie...

permanent
0 replies
2h47m

EU is very large. If I were to believe your posts, Germany has achieved good protection of employees from their employers. Simply not true in ... many non-Germany EU countries.

giovannibonetti
3 replies
3h32m

For those of us that are used to working as contractors that isn't an issue, as we already have accountants and are used to making invoices every month. But I understand it can be daunting if you don't have all of that in place, yet.

MrDarcy
2 replies
2h44m

An accountant isn’t necessary for something like this, plans like Zoho books free or harvest take care of the same things an accountant would take care of.

dboreham
1 replies
2h36m

Parent said "accountant AND...". You need the accountant to provide advice so you don't do illegal things or run afoul of tax authorities, not to generate an invoice.

vladvasiliu
0 replies
2h17m

This.

Aren't there subtleties, for example, when doing inter-state commerce (assuming the two parties are both US-based)? In the EU, VAT isn't charged the same way if you invoice an entity based in your country or one based outside of it.

ensignavenger
3 replies
2h55m

Unless one is set up as a nonprofit, in the US, there is very little difference between receiving 5000 from a donation link and receiving 5000 as a payment on an invoice. It is all taxed the same.

Some projects might not be set up for either, but it sounded to me like the above poster was dealing with someone who was willing to accept it as a donation, and it would likely have been trivial to send an invoice for 5000.

gryn
2 replies
2h20m

Not all open source devs are from the USA and in a lot of places outside it, say the EU, it can be quite the hassle. If you do it wrong it can very well be more than 5k worth of effort to fix it. When the taxman comes out 2 years later with a fine saying you didn't do X or Y.

mrighele
1 replies
2h5m

In those countries the taxman will come out anyway because it will say that it was not a donation and you are trying to avoid paying taxes. It would be better to speak with an accountant beforehand in either case

gryn
0 replies
1h40m

It's not about avoiding paying them (you will anyway unless you're in a very narrow class of orgs), it's about being in the wrong legal structure and getting stuck in administrative hell because you don't fit in their tidy little classification boxes.

Propelloni
3 replies
3h5m

From my point of view there are two misconceptions in your post. 1) you need to be set up to work-for-hire to write an invoice. 2) you need to get clearance from their employer for things outside work hours.

ad 1) No, you don't need to. At least in Germany anybody who's legally competent can write invoices. If the invoices are secondary income, you will be taxed heavily (and declare it you must), but that's it. It has been some time since I last lived and worked in the USA, but I mean to recall that it was basically the same. Of course, invoiced money is your money now and you need to donate it to the FOSS project, which then needs some kind of treasury. But you said as much already.

ad 2) No, you don't need to. Your employer is your employer, not your owner. Now I don't know about the USA today (see above) but in European countries what you do outside working hours is your private affair -- discounting a few, very specific fringe cases. If you play soccer, dabble in explosives, or code for money doesn't matter. And frankly, your typical employer in most cases does not care anyway.

COM2323
1 replies
2h36m

In my country a lot of people in IT are contractors (not employees) and sometimes these contracts are wild (like not working on anything else during that time and stuff like that).

jen20
0 replies
2h4m

That kind of clause doesn’t fly in either the UK or US, since it is disguised employment. The definition of a contractor is someone who sets their own rate and hours, and works under their own direction.

permanent
0 replies
2h48m

1) That may be allowed in Germany. Definitely not in Poland and many other countries.

2) In my experience, not true. Most often an employee needs to get a pre-approval that often takes too long. As a full time developer, there's a difference between playing soccer and developing software.

sgu999
1 replies
3h17m

Yes I understand that but if you can accept donations, you can surely hack together a quote and state that the payment will go through your donation platform. In most countries I believe you don't have anything to do at all below a certain threshold.

It's just a matter of not offering to work for free to a corporation that really doesn't need your generosity.

sdenton4
0 replies
2h2m

And sometimes a side project doesn't want to be a side hustle; dealing with payments and tax implications is time not being spent on the core project. It's an individual choice as to whether the time cost of accepting payment is worth it.

planb
1 replies
2h43m

I remember the first time I sold code to a company for a low 4 figure amount. The hassle of registering for a VAT-Id (in Germany) and writing an invoice wasn't the problem. I was afraid that there were any liabilities or other "rules" I simply didn't know about like "what if something breaks and they sue me, because I didn't include a specific line of legalese in the contract?".

mgbmtl
0 replies
2h31m

This may be terrible advice, but as a freelancer, getting sued by a company will cost them a minimum of $20k in legal fees just to get started. Unless you really messed up in bad faith, I would assume that most people will attempt to resolve things amicably.

giancarlostoro
1 replies
2h4m

You can also run into the opposite problem, where they license a commercial version of a dependency, and instead of paying ten grand or whatever, they pay a senior (way over six figures) to re-implement the same functionality, which won't be maintained anywhere as well, and it takes them over a year to reach parity. Totally never happened anywhere I worked.

It astounds me that companies would rather waste hundreds of thousands of dollars instead of just throwing a few thousand that will benefit them in the long haul.

I genuinely believe more companies should adopt a policy of just letting devs work half a day on fridays on whatever they want, whether it be technical debt, or even open source projects the company depends on. Maybe that would be more feasible, but even then lots of places would still not understand the value.

lobocinza
0 replies
6m

[delayed]

yogorenapan
0 replies
2h27m

Crypto (as bad as it is) is a good way to take money. You can easily send and receive large amounts without worrying about laws and taxes. Might be unethical or illegal but just don’t get caught

VeninVidiaVicii
2 replies
2h27m

Make a donation now, then open an issue.

If it’s an ROI problem, the return is getting the issue resolved.

sgu999
1 replies
1h41m

I'm not deciding what the company can spend on, that's the point. That person isn't doing me a favour, they are doing a favour to a company.

VeninVidiaVicii
0 replies
41m

Sounds like you aren't trying to get the new issue resolved.

stronglikedan
1 replies
2h30m

You tried to do it your way, and they did it their way. Nothing to be ashamed about. But maybe don't always expect things to be done your way, since you make yourself uncomfortable when it doesn't happen.

Capricorn2481
0 replies
2h5m

Sounds like pure moral hair-splitting. If they didn't want money, cool. But if they were expecting money but needed it to be via a donation for some moral reason, then I'd wager they read too much "itsfoss"

Brajeshwar
1 replies
2h44m

I believe it has more to do with accounting discrepancies. Unless the company already has a set process for donating/payments to Open Source Projects, it is a whole process to get that type of payment set up, approved, and paid. Corporates need to answer the what, why, who was/were the payments for. For bigger companies, a non-standard category of $5,000 would be more of an irritation to deal with.

amelius
0 replies
2h32m

I believe it has more to do with the feeling of "we are in charge of our code", so they don't let anyone pay for any changes/fixes in the code and there can't be any entitlement to more bugfixes should anything break. Donations don't have that moral obligation.

kijin
0 replies
2h13m

Once upon a time, I ran an open source project that accepted both donations and paid subscriptions, with similar benefits offered for both (larger quotas on the hosted service). A small amount of donations trickled in from time to time, usually from individuals. But most companies, both corporations and sole proprietors, chose the paid subscription. Even at a higher cost. After a while, I scrapped the donation option entirely. I own a business, not a charity, after all.

Lesson: Unless you're registered as a 501(c), or an organization with similar status in your jurisdiction, don't even think of accepting "donations" from anyone who retains an accountant. It just doesn't work that way, open source or not.

halostatue
0 replies
5m

Some of us simply do not want the hassle of being paid for our efforts. We aren't working as contractors, and the meta-effort is far too high for any benefit.

This is one of the reasons I have never set up sponsorships on any of my GitHub accounts (my taxes are complicated enough).

didgetmaster
0 replies
1h55m

It's not just open source projects. I have a project that I am considering converting to open source but have not done that yet so it is still proprietary. It reached a point where it was ready for beta test so I created an open beta. It attracted a few customers and one wanted to buy a license. I thought a yearly license of $250 sounded fair and they agreed to pay it. But then I got to thinking about all the hassle to keep track of that and file taxes. It's just not worth it for just a few customers.

I told them to continue using it for free until it can attract at least 100 customers. Then it might be worth the hassle.

ergonaught
27 replies
6h11m

In any case, it changed years later when a startup using Nodemailer was acquired for half a billion dollars. I was financially not in a good place back then, and when I saw the news, I started to wonder – what did I get out of this?

This is the root of most things like the BSL. You create an open source project or product, and companies with billions in quarterly revenue build the core of their business on your software, and meanwhile won't contribute to your ongoing viability (never mind actual success) even in amounts that are entirely trivial for them. Toss the cloud providers into it now and it's even uglier.

kerkeslager
16 replies
4h37m

This is why copyleft is necessary, and also why large companies have spread a lot of anti-GPL propaganda.

In a larger sense, we desperately need a societal shift in perspective from naively viewing companies as benevolent by default, to viewing companies as they actually are by default: they'll literally kill people if it's profitable.

immibis
7 replies
4h24m

AGPL/proprietary dual licensed is a solution to this. Clients get two choices: give back as much as they take, or fuck you pay me. The former makes everyone happy, and the latter stops the developer making themselves homeless.

rmbyrro
6 replies
3h51m

Author tried it and didn't work. He presumes small businesses don't care about the potential risks associated with LGPL, and those were the majority of his most promising market.

KingMob
2 replies
3h27m

The LGPL, which the author tried, is not the AGPL, which might have been a larger roadblock to the freeriding unicorn.

jonhohle
1 replies
2h28m

Any company big enough to have a legal department will tell their devs to stay away from LGPL, GPLv3, etc. If a dev is using that as promo for their commercial offering, it will probably just be ignored.

sokoloff
0 replies
2h13m

My company is big enough to have a legal department. (I'm the tech counterpart/coordinator with legal for open-source topics, whether it's us open-sourcing code we work on, contributing to existing open-source, or consuming open-source.) We license under Apachev2, and we readily use LGPL & GPL v2/v3 with a quick review, and have very specific and much more thorough review processes for AGPL.

I'm quite sure that I don't work for the only such company.

tormeh
1 replies
3h25m

And those small businesses were right. All the Apache/MIT-licensed software baffles me when LGPL for libraries and AGPL for applications seem clearly superior for promoting collaboration.

immibis
0 replies
1h49m

Big businesses convinced software developers they have the world's best intentions at heart, or at least, they are harmless and never need to be opposed.

sokoloff
0 replies
3h28m

The risk profile to a SaaS company from LGPL and AGPL licensed code are night and day.

Even GPL is pretty low risk for a hosting company, but LGPL's risk is strictly lower.

rmbyrro
4 replies
3h53m

That's the nature of some humans. A corporation is not required to kill for profit.

Doctors would kill for profit. Politicians would. The same for engineers, cookers. Any profession, activity or line of business really.

That's human nature. But not all humans. Not even majority, I'd say certainly.

The problem is that this small minority gets 99% of the news. Very rarely one hears when a CEO avoids a decision that could endanger someone. Or when a Doctor is honest and preserves the patient's health above all.

It doesn't mean these good things aren't happening all the time. Look at your life and remember: how many people could have done harm to you for a profit? How many do you remember actually doing it?

komali2
3 replies
3h13m

A corporation is not required to kill for profit.

Perhaps no, but a corporation has no compunctions about killing for profit. Let's take the direct approach, and list some that will take money and a target list, and make those people dead for you:

https://en.wikipedia.org/wiki/List_of_private_military_contr...

Here's a list of companies in the USA who will sell you the tools you need to kill people at scale:

https://en.wikipedia.org/wiki/List_of_United_States_defense_...

But I think that's not exactly what we're talking about, we're talking more about how the corporate entity under this current system shields organizations of people from the deaths their decisions cause.

GM knowingly let people die due to a defect in their vehicles that they were aware of: https://www.washingtonpost.com/business/economy/why-did-gm-t...

PG&E was found culpable for the pipeline rupture that killed 8 people and destroyed 38 homes in San Bruno in 2010, because they ignored inspection data.

An article came out a few weeks ago about how immigrant child laborers are being killed in shocking volumes in American factories https://www.theguardian.com/global-development/2024/feb/12/i...

Here's a fun that goes through a bit of the history of corporations killing people directly (murdering trade unionists) and indirectly (tobacco companies suppressing research). https://jacobin.com/2020/01/corporations-profit-values-murde...

There's something uniquely devilish about the corporation in our current legal and economic system.

joelfried
2 replies
2h43m

A corporation is a legal entity created on paper to allow people to do business more effectively.

Corporations don't do anything, the people in them do.

People working at GM didn't act to fix their vehicles and people died.

People at PG&E chose not to perform actions based upon inspection data, and people died when their infrastructure failed.

According to your Jacobin article, people at Coca Cola killed those trade unionists.

How about let's not let the legal wrapper for people protect those who murder others?

digging
0 replies
2h28m

"Prosecuting individual actors" and "treating corporations as hostile entities" are not mutually exclusive; indeed I'd say we should all strive to do both.

camgunz
0 replies
2h17m

A major point of establishing a corporation is the liability shield it grants. Sometimes it doesn't work (google piercing the corporate veil) but, the whole idea is to grant indemnity to people within a corporation for the corporation's actions.

sokoloff
0 replies
3h55m

This is why copyleft is necessary

How would copyleft* have prevented this?

AGPL might, but GPL (and therefore, copyleft) doesn't prevent the upthread outcome.

* - GPL is the prototypical/original [as far as I know] widely-used example of a copyleft license and the startup using nodemailer could have done that just as well (and for free) if nodemailer was GPL-licensed.

pydry
0 replies
4h32m

Not just anti GPL but anti BSL/Elastic license too.

eleumik
0 replies
4h33m

This they told me at first lesson of economics at university, 1989

le-mark
4 replies
5h29m

I’ve been sitting on some code for about 15 years because it’s the key to disrupting a couple of entrenched players and would enable cloud vendors to offer the functionality “as a service”. No way I want Amazon/google/MS to run away with it.

Edit down voters might ask themselves what is much older than 15 years that some companies pay a lot of money for?

wcedmisten
0 replies
5h21m

Why not release it as AGPL?

solumunus
0 replies
4h18m

Pics or it didn’t happen.

hn_throwaway_99
0 replies
4h56m

I’ve been sitting on some code for about 15 years because it’s the key to disrupting a couple of entrenched players

I have a difficult time believing that any piece of code that can be "sat on for 15 years" would disrupt anything. 15 years, especially in tech, feels like a couple generations these days.

abenga
0 replies
4h37m

You're not running away with it either. You should just release it as a proprietary tool or SaaS if you think it will be useful for people.

graemep
1 replies
5h35m

I get that, but the author did not try something like the BSL, just went to a fairly typical proprietary license.

Even the right open source license, such as the AGPL, would probably have worked well, with the proprietary license as an option (in the same way he tried LGPL + MIT).

kijin
0 replies
2h38m

Well, one of OP's initial mistakes was that he thought LGPL was anywhere near "copyleft." It isn't.

For SaaS companies who just want to use the software on their backend and are not interested in redistributing it in any way, there's no realistic difference between LGPL and more permissive licenses like MIT and BSD.

raffraffraff
0 replies
4h1m

More galling than the company getting acquired for half a billion dollars is the fact that they never even said "thanks"...

I searched my mailbox for emails related to that company and found a single complaint about a feature. No pull requests, no donations, no nothing.

leedrake5
0 replies
4h20m

Not billions, but I was in a similar position. What saved me was the GPL license on the open source code and hiring a lawyer that kept my ownership of any software I wrote (though at a reduced hourly for them) and patenting new ideas connected to the project. When it came time for the company to scale up, I couldn’t have been in a better position.

corentin88
0 replies
5h7m

Which startup/company was bought that price?

RcouF1uZ4gsC
17 replies
6h43m

I re-designed the UI of the app to look more professional and implemented a license key system. From that moment if you wanted to use EmailEngine (the new name for IMAP API), you needed a license key that was only available for paying subscribers. I also changed the license from LGPL to a commercial license. The source code is still published publicly on GitHub. It is no longer open-source by definition but source-available. This change of license was only possible due to requiring outside committers to sign a CLA from the start.

This is the key portion. The open source project was turned into a commercial source available library with a license key.

I am glad this has worked well for the developer who now has a decent income for all the hard work put into this library.

quaintdev
8 replies
6h32m

So what prevents someone from bypassing the license check and run the version of application locally?

evgpbfhnr
2 replies
6h27m

Honesty? (haha)

More seriously:

- you get support by paying, this is important for many businesses - $1k/year is cheap

- risk of getting sued if the word gets out you're using something against its license (and for network-facing code, I'd suspect it's easy enough to miss something)

For me the advantage of source-available is you can always shortcut the support if there's a business critical problem and you can't wait for the author to wake up, so I think it's a great model.

simmons
1 replies
5h39m

I'm curious how much time a solo dev spends on support for a project like this. I can imagine some companies asking for a tremendous amount of support, or even trying to somehow get free consultation on adjacent concerns that aren't totally related to the product. Maybe it's just a matter of setting clear boundaries and limiting time?

andris9
0 replies
5h5m

I do support once a day for about an hour. I do monitor notifications for support emails during the day to react faster for urgent issues but there rarely is anything urgent. I guess the self-hosting side keeps support demand lower - if you are already capable of installing and running that software you can probably figure most of your issues out yourself.

andris9
2 replies
6h19m

Most EmailEngine's customers are small-ish SaaS providers (different kinds of niche CRMs, etc), and in their position, it is not really an option to spend time / risk breaking copyright protections. Instead, they pay the subscription fee and get into building email integration features for their service.

TBH, I wouldn't dare to use such a model in the B2C market, though. Everyone would pirate it.

RyanHamilton
1 replies
5h39m

For niche applications, it's not that terrible. I've produced an SQL IDE for years with a license key that sold <=100 individual purchases per year. I've only spoken to one person I believed pirated it. I've now gone the opposite direction and made it free.

MattJ100
0 replies
31m

What led you to making it free?

meigwilym
0 replies
5h58m

Updates, support and no losing developer time to updates and support. Sub $1k is a bargain for something so integral.

m12k
0 replies
6h29m

Probably fear that this is the kind of red flag that would show up in due diligence, and that having piracy as part of the foundation of the tech stack that you build your business on is not a worthwhile risk to take.

graemep
5 replies
5h33m

I am glad this has worked well for the developer who now has a decent income for all the hard work put into this library.

It is also why people are reluctant to sign CLAs.

KingMob
4 replies
3h6m

It's a sad irony that CLAs essentially put the project owner in the exact same position as the unicorn that screwed them over, by screwing over those downstream who make contributions, if/when they monetize the project.

I came across some Scheme/Racket/? library recently that attempts to quantify contribution levels and distribute any received funds fairly based on that. Unfortunately, I can't find it at the moment, but it was a cool idea.

andris9
3 replies
3h0m

You mean I screwed over those 0.1% of commits in EmailEngine (because the other 0.1% is from the Github Actions bot writing the changelog)? Everything else is my own code.

For over 14 years, I've been actively developing Nodemailer, a hugely popular project. There has been no CLA in place, and the main outside commits I get are typo fixes during Hacktoberfest. This is why I'm still the owner of 98% of the committed code in Nodemailer. Usually, if I do not fix or build something, no one else will either.

komali2
2 replies
2h48m

You mean I screwed over those 0.1% of commits in EmailEngine (because the other 0.1% is from the Github Actions bot writing the changelog)?

I mean... yeah? Correct me if I'm wrong but you profited off their labor without compensating them, right? Why should the number of people you did that to make it less wrong? Obviously a corpo making bajillions of dollars without paying you sucks, but by sheer number of people negatively affected, it's still the same lol, in this case you're just the one with the bag, instead of a corporation.

andris9
1 replies
2h40m

Well, I guess you're right in a way. While there are no meaningful outside commits in EmailEngine, there are _some_ commits, even if these have minimal impact, by people who do not get paid for it, while I do.

komali2
0 replies
2h10m

I'm not judging you for this, btw. I find it extremely difficult to meaningfully measure in a dollar amount someone's contribution to a FOSS project, once monetized. The whole thing is messy. Honestly in general I find it quite difficult to measure labor value at all, which is why I guess basically every corporation on earth just lets "the market" decide, but that feels too arbitrary to me, and "the market" doesn't seem real when it gets to arbitrarily pay someone differently based on whether their passport says "India" or "USA."

I've been experimenting with just throwing my hands up and doing flat profit share, but we haven't really had an opportunity to really try this at scale (for a bunch of boring reasons), but I'm curious how it'll look. I don't think we'll have the crazy huge ratios you do on your FOSS though so I can see why that wouldn't be feasible for someone in your position.

sam_goody
1 replies
43m

I am glad this has worked well for the developer who now has a decent income for all the hard work put into this library.

Isn't this a rug-pull?

Open source project which others have contributed to, and whose reputation was earned by nature of being open source.

Then, after you have users, switch to proprietary. Sounds bad to me, but maybe I didn't fully understand?

BTW, Apple used to have a thing with Darwin server where you could disable the license check legally, but only a hacker would do that. Companies still paid for the software. That sounds like a better solution, IMO - at least for those that are too small to pay but growing by the seat of their pants can still use and promote the software.

MattJ100
0 replies
32m

The main reason CLAs exist is to facilitate this kind of "rug pull", so I think the lesson is to either accept that it will happen or never sign a CLA.

evgpbfhnr
10 replies
6h30m

For anyone else wondering about the license, it's standard signing with an ec (sect239k1) key https://github.com/postalsys/emailengine/blob/master/lib/too...

So the author can just write whatever validity date/license details (apparently hostname etc), sign it and give that to their customers.

evrimoztamur
4 replies
5h42m

Can't a user generate a fake license? Is there another layer of integrity checking, or can users simply patch in a fake checkLicense (which is apparently referred back to in four other spots in the code).

notpushkin
3 replies
5h34m

Well, you sure can patch it if you want :^) I think there isn't really a reason to add more than a simple license check though, as enterprise users are generally scared of using pirated software.

slashdev
2 replies
5h23m

Also keep in mind pirated software doesn't cost the author anything if the user wasn't going to buy it anyway. If a company is willing to risk all that effort and liability to crack and maintain the patches across changes to avoid paying for your software, they were not likely to pay for it in the first place. Nothing lost.

alex_suzuki
1 replies
3h1m

This. Any licensing schema that protects locally running software can be circumvented by a reasonably crafty individual – but there is simply no overlap in the Venn diagram of Paying Customers /\ These Crafty Individuals.

klabb3
0 replies
2h20m

Yeah, or more specifically a company might have the competence but will not waste their engineers' time, because the reason they’re using the service in the first place is to not have to focus on their core business. Not random accessories.

A lot of time, circumventing a license check would be more work than - say - implementing sending email on their own. Depending on what the service is.

Developers think they’re selling fancy tech. Most often, what we’re selling/providing is convenience - something boring that just works.

daemin
4 replies
6h23m

Could you elaborate on this, not necessarily the code itself, but about signing and "an ec". I'm new to this and will be wanting to provide licences for software in the future.

semireg
1 replies
4h17m

I use jwt for my app’s licensing. It works great.

victor106
0 replies
3h49m

Any resources you can provide that will help in understanding how this works?

scosman
0 replies
6h19m

Elliptic curve signing. You can produce a message body like “valid_until=2025-02-25” then sign it and distribute it as an api key that’s body+sig. Client can verify signature using public key without a server call (sig validation).

EC beats other signatures because signature is muuuuuch shorter, so it can still look like an API key.

evgpbfhnr
0 replies
6h11m

"an ec key" (elliptic curve) is just a detail, this can be done with any crypto library or utility - for example directly with the openssl command: https://stackoverflow.com/questions/15686821/generate-ec-key...

embed the public part in your application and you can verify that something signed with the 'dgst' command and the private key really has been signed with the private key (which you obviously shouldn't publish)

(Note if using plain commands there is more friendly than openssl, minify/signify are much harder to get wrong, but I'm not sure they're as easy to use programmatically in as many languages there are for libcrypto/sodium/etc; this is really just an example)

zoogeny
8 replies
54m

I think a key takeaway from this story is that the author started getting subscriptions once he caused the software to stop working without a license.

If you did not provide a valid license key 15 minutes after the application started, the app just stopped working.

IMO, all of the shenanigans with license changes (MIT/LGPL/etc) are nothing to most users. On HN we are sensitive to these nuances. But in the "real world" of corporate worker bees just trying to get stuff done I doubt it even registers.

More likely what happens is someone searches for a solution to a problem, installs it and sees if it works and then moves on with their day. Except they can't move on if the software stops working after 15 minutes. Clearly it is doing what they need, so now they need to unblock themselves.

We might assume they'll read the code, find the license check and remove it. And I bet some percentage do exactly that. But some percentage of users would rather swipe a credit card for $X instead.

bityard
4 replies
27m

I don't have a problem with commercial software, and I don't have a problem with open source software, but I do have a problem with developers releasing their code as open source, building a community while banging on the open source drum and then doing a rug-pull by taking the software commercial once they decided they have captured a big enough audience to extract money from it.

All I'm asking is, if you want to eventually make money on your project, at least be up front about it in the beginning so that your users can make an informed decision when they decide whether to bake it into their stack.

The rug-pull approach is always a much worse look in the end.

kiba
0 replies
16m

You mean making the software proprietary. The definition of open source itself is neutral on whether it's a commercial effort or not, or whether it's a community effort or not, or whether it's both community and a commercial effort.

jowea
0 replies
0m

I don't think it counts as a rug pull if you're free to grab the last open version. Why should they continue updating the software?

cuu508
0 replies
7m

at least be up front about it in the beginning

Treat CLA as that: an upfront statement that the author may and probably will change the license in the future.

andris9
0 replies
10m

You can't take the entire software commercial, as everything previously released under the open-source license will stay under that license. In the case of EmailEngine, all versions ever released under the AGPL license are still in Github; you can fork and use these freely. It is only the path forward that gets closed when going commercial - users can start paying, can stay indefinitely on the already released free versions, or can take the initiative and fork the project.

logtempo
2 replies
34m

would've been fun to see if putting the 15min restriction with a hidden option in the code or similar to remove it would've led to the same result.

I'm sure many people would've paid because the free version was not advertised.

theturtletalks
1 replies
27m

Isn't this what WinRAR did back in the days? It would be a 7 day trial and then asked you to pay, but the trial never expired.

accrual
0 replies
4m

I switched to 7-Zip and never looked back, but some cool kids did buy a WinRAR license (e.g. LGR on YouTube).

auggierose
7 replies
5h37m

I like it, but I wonder: In a case like this, what is the point of offering a source-available license on GitHub at all?

notpushkin
4 replies
5h32m

Transparency and maybe an occasional PR from your users.

auggierose
3 replies
5h20m

But if they have the source code, they could just switch off the license key check, right?

It seems to me he could just keep the license GPL then, wouldn't change a thing. The (small) businesses don't care about the license, but walk the path of least resistance.

andris9
1 replies
5h10m

This was my initial business model and it did not really work. As soon as there was the license key requirement, previously free users opted to the paid subscription to get the license key and get the upgrades. In fact all the old and free releases are still available under AGPL license from Github.

bachmeier
0 replies
4h14m

I suspect the reason this model works is because it's easy to say "We need X to do our work. It costs Y euros." and the company pays for it without thinking. It's probably a much tougher sell to say "We need to pay for this even though we can get it for free." Even harder is "We use this product so we should make a donation." It was never a matter of them wanting to avoid paying.

I see this all the time in universities. Underfunded open source projects won't get a $100 donation from a university using thousands of copies, but a company like Matlab can get massive payments just because that's the only way to get it. You have to figure out how to make it easy to justify paying for your software.

brap
0 replies
4h26m

But if they have the source code, they could just switch off the license key check, right?

That's basically piracy. Unlike individuals who pirate stuff all the time, for businesses there's a much greater risk for lawsuit which is usually not worth it, even for many smaller businesses. For a 1-2 person business that's not making any money, maybe they can get away with it. But they probably don't make a great customer anyway.

slashdev
0 replies
5h22m

It can help your users answer questions about the software, debug issues involving the software, have transparency into security, etc.

MangoCoffee
0 replies
52m

what is the point of offering a source-available license

Long ago, I worked for a company that sold mortgage software. This is back when SOAP is all the rage. The software is not open source, but it is source-available, or rather, a law firm has the source code. My employer's customers are mostly banks or home builders that offer mortgage services. My employer is a very small one. Customers like banks want to know if you will stick around, if they buy into your software, and if you can't stick around. They need the source code.

ThePhysicist
6 replies
6h14m

Good for him! That's my experience with open-source software as well, if something is free, companies will almost never pay for it even if they get a ton of value out of it. On the other hand, if it's only a small amount e.g. 1,000 USD per year most companies let developers purchase that without much paperwork, so for these kinds of tools such pricing is a sweet spot. If you go into enterprise sales territory things become way more complex and your sales cycles longer. For a solo founder that doesn't need to hyperscale this pricing scheme seems perfect.

alex_suzuki
5 replies
3h3m

Agree. Developers seriously underestimate the amount of paperwork and organizational gymnastics larger companies require to buy literally anything. They won't be not buying your product because it's too expensive, but because it's just too much of a hassle. At that point, price is less of a factor than some people think.

haolez
2 replies
1h57m

Do marketplaces like the one at AWS help with that? I can pay with my AWS billing account. Sounds like another type of sweet spot.

playingalong
0 replies
1h0m

In principle that should work great. In practice I don't think it's working. Not sure why.

eschneider
0 replies
1h52m

This is a big reason why enterprise software pricing is the way it is.

dzikimarian
0 replies
45m

Also if it's $1000/year (or even better per version) flat and really useful it's actually kinda easy to get green light.

If it's $5/user/month, with 3 plans, with add-ons and it's unclear how many people you have to on board (just devs? Maybe business too? Does security team need access?) it's a much harder discussion as nobody knows final cost (apart from the fact that we're not gonna like it in the long run).

rossy
4 replies
4h53m

In any case, it changed years later when a startup using Nodemailer was acquired for half a billion dollars. I was financially not in a good place back then, and when I saw the news, I started to wonder – what did I get out of this?

This is really what you should expect when you work to improve the commons in the same world where there are entities that are hyper-optimized to make the most short-term profit out of anything they can exploit. Of course they're not going to give anything back. It could happen to any FOSS dev. It sucks, and it's definitely human to look at all the money they're making and feel like you deserve some of it. You do deserve it! Everyone deserves to make a living. But the world is still a better place with FOSS in it. It's a shame for this to happen to someone and for them to decide that improving the commons was a mistake and instead they should have been making projects that FOSS orgs can't use and individuals and small orgs are priced out of (but is still "peanuts" for big businesses.) If you make best-in-class software that's FOSS, everyone benefits, and you can feel proud that individuals have access to the same resources as big corps because of what you've done.

I'm also tentatively in favour of the idea of scaring away big corps with GPLv3 or AGPL licensed software.

ZaoLahma
3 replies
4h8m

This is just the thing - there needs to be a very clear reason for you to partake in FOSS, something that you want to gain from it that has a bigger value to you than the cost of allowing your time and effort to be used by others for free, and money can not be it.

mnau
2 replies
1h47m

Exactly, before you go to open source, take a hard look at

* why I am doing that

* plethora of burned-out maintainers and their posts

* how I am going to deal with the issues/PRs, toxic entitlement

* what's my exit strategy

The first thing before you go into open source (provided it's actually used open source) is to answer these questions honestly for yourself. Because it's a massive time sink with no money and *there will never be money* (unless you go open core or your employer pays you, in that case that's just a job just like any other).

xiphias2
1 replies
55m

One important thing the author got from working on open source is free feedback (issues).

I don't view people taking the time to open issues as entitled people, but people offering their free time providing invaluable feedback.

Those issues are quite often different from what I expect, and they represent how people are using the software.

The only mistake the author did was waiting too much monetizing, not doing open source software in the first place.

andris9
0 replies
1m

TBH, I get way better feedback from paying users than previously from free users. Free users like to tinker and think in terms of "what if," so they bring up all kinds of features the software should also have because it can or it would be cool. The paying users only need actual features that help their business case, and they do not care at all about these "what if" features.

xrd
3 replies
4h43m

I was curious about the automated CLA process. It is interesting to me to read the answer about not supporting GitLab:

https://github.com/cla-assistant/cla-assistant/issues/534

Very terse answer that says:

  As you noticed, this would mean a completely different line of code

I believe the author is not a native speaker, and means to say that this would require different code for each platform. Sure, that must be true, but the GitLab and GitHub APIs are not that dissimilar.

I felt like this was a very strange response to a legitimate question and it makes me feel like there must be something more there.

fastasucan
2 replies
4h38m

Sure, that must be true, but the GitLab and GitHub APIs are not that dissimilar.

Which they address in the later part of their answer which you leave out:

Surely most parts of the project could be reused, but this development would still mean a huge investment, which we can't afford. Nevertheless all kinds of contribution are still welcome and we would try to provide our support as good as we can.

xrd
1 replies
4h13m

As you point out, I am assuming malicious intent and you have every right to assume the same of me! I should have put that other part in.

It just didn't jibe with me and still feels like it is an easy and obvious upgrade.

But, you are right, they did justify it, it seems like an overstatement to say it would be a huge investment. I should review the code myself to verify, but a statement like that makes the lazy programmer in me shy away from even doing that.

hmillison
0 replies
27m

I'd guess "huge investment" in this case is relative. The maintainer is not spending a ton of time building features for the CLA tool since it's mostly "done" and so investing more time to build support for Gitlab would require many more hours of development than they're probably dedicating right now.

And I can imagine that maybe they didn't abstract communication with Github enough and would need to refactor the system to handle that as well.

Generally, I think it's not totally reasonable to expect them to do more free work to support use cases that the maintainer does not need. Since it's open source, we're all welcome to contribute back.

mogoh
2 replies
5h44m

How I turned my open-source project into a business

I also changed the license from LGPL to a commercial license.

OK ...

StevenXC
1 replies
5h16m

They didn't make a business using an open source project; they turned their open source project into a monetized non open source project.

zepolen
0 replies
23m

That's not how that works:

Derivative works (including modifications or anything statically linked to the library) can only be redistributed under LGPL

jraph
1 replies
5h15m

What should we take away from your comment?

Sure, open source is not a business model, it defines a set of software programs that respect some rules: the OSD [1].

But you can certainly have a business model around open source software.

[1] https://opensource.org/osd

Veuxdo
0 replies
2h43m

Consider the OP's headline. They didn't even describe what their project was. All they said, all they think they needed to say, was that it is Open Source.

And on HN, it's actually true. Open Source projects get lots of kudos here.

The problem is, others may see what is essentially a marketing strategy aimed at a niche audience and conclude that Open Source is an essential, in fact the most essential, part of the business. Hence the need to remind people that Open Source is not a business model.

Havoc
2 replies
5h49m

What sort of billing platform do people use for this sort of stuff?

andris9
0 replies
5h7m

I use a self-built web page (a simple Express.js app), that uses Stripe and Stripe’s customer portal for the subscription management.

alex_suzuki
0 replies
2h58m

Paddle, Lemon Squeezy and Fastspring are popular choices for Merchants of Record. These are basically distributors that sell your software in their name and take on the liability of filing taxes correctly.

Stripe for people who don't care about taxes or are large enough to have an accountant do it for them.

zakariassoul
1 replies
1h50m

Love the story. I am curious on how your initial customers reacted to you increasing the prices?

andris9
0 replies
1h26m

I locked prices for existing customers. So someone who signed up 2 years ago is still paying 250€ per year, while customers signing up today will pay 895€ per year.

andrewmcwatters
1 replies
2h41m

I’m convinced that the MIT license and other public domain-like licenses are the worst licenses to actually use if you’re not a FOSS ideologue. So, most people. It works against your own interests in just a subtle enough way that also works against the interests of those who use your software.

At a bare minimum, you should probably at least use the GNU General Public License version 2.

kijin
0 replies
2h30m

Exactly. Everything I've released over the last several years is GPLv2 or higher. If you don't like that, don't worry, I won't tell you to fuck off or give you a lecture on free software. You just need to pay me. Business is business. :)

aglione
1 replies
4h30m

Hey, I follow your project since I think 12 - 13 years and it has always inspired me to build something on it.

At the end I didn't, but I'm really happy you found a way to live with it.

Congratz!

andris9
0 replies
3h38m

Thanks!

727564797069706
1 replies
6h32m

This is great stuff, thank you for sharing and congratulations!

Looking to do something similar in terms of offering better, paid alternatives to the existing solutions out there in a source-available fashion.

Anyone here experiencing trouble with tools you'd terribly want someone to improve?

ponector
0 replies
5h39m

We are struggling with TestRail. Barely usable expensive crap. Enterprise business love such things.

satvikpendem
0 replies
6h0m

Interesting, I actually was making a competitor to Email Engine but also open source, similar to Nylas, because I didn't like the latter's opaque pricing and I didn't like the former's self-hosting, I wanted it to be in the cloud.

I even got a YC interview based on this idea for last summer's batch (rejected primarily for being a solo founder, they seem to like solo founders only if they had a previous exit), but ultimately I gave up on the project because I realized I didn't actually like the problem space, it seemed too boring for me after a while and I wanted to concentrate on building things I thought were interesting.

mvkel
0 replies
2h32m

I like this story.

Shipping OSS is a donation of one's time, money, and expertise. Volunteering is a rewarding way to participate in a community.

Usually in any community, you meet someone who opens a door to an opportunity that you never would have found otherwise.

komali2
0 replies
2h50m

I've always felt like FOSS as a philosophy has been tangled up in trying to participate effectively in capitalism, when that was never really the point, nor really very possible unless you're lucky, nor really worth it. The origin of FOSS as I understand it from reading books like "Hackers" is from people that were mad that access was being restricted to systems and code from people that really wanted to use these systems and code, and hack them, and learn from them. I recall that one of the things Stallman likes to brag about from that time is not related to FOSS at all, but instead successfully decrypting a bunch of passwords, emailing the decrypted passwords to people, and recommending they instead set the password to an empty string instead. It was about keeping access to the system Free as in Beer.

I suppose some have argued that FOSS represents a Public Commons in the way that fields and wells and physical marketplaces used to, but none of those things survived capitalism, so I don't see why a technological commons should be expected to either.

For me I've been thinking lately that perhaps those interested in FOSS should instead consider how we can use FOSS to detach ourselves from needing to participate in global capitalism at all. Is there FOSS technology we can use to liberate people from things they need to spend money on right now? An example could be the Global Village Construction Set: https://www.opensourceecology.org/gvcs/ a set of open source designs for things like hydraulic motors or microcombines or steam engines that you can build on your own, usually not for cheap, but for far, far cheaper than you could buy from John Deere. Here's another cool project, some guy has just been building things like solar panels and basic circuit boards on his property from very base components for years: https://simplifier.neocities.org/

Some other FOSS liberation examples:

Combining a tool like Jellyfin with Sonarr, Radarr, and etc, can liberate people from their 5 different media subscriptions. Or at least they can still buy DVDs and put them on Jellyfin to have the convenience of streaming with the media library of their own choosing.

Deploying Matrix or another FOSS communication tool can let organizations have enterprise-level communication software without paying HUGE seat-based license fees to corporations like Slack.

In fact there's many ways to liberate yourself from paid SaaS in this list: https://github.com/awesome-selfhosted/awesome-selfhosted at my co-op we self-host and deploy all our services for this reason, it saves us a TON of money.

I don't have many other examples to mind because this is something I'm actively still researching. Friends in Venezuela though especially tell me how FOSS technology can liberate in ways I wouldn't expect here with my 64gb RAM machine with the latest processor, that I can easily replace components on on a whim. Such as how they can keep all their broken down machines pieced together from junkyards running pretty ok on various linux distros, and how they can sell creative work using free tools like gimp (no, really) or darktable. Like as not they'll just pirate software, though, but apparently FOSS often runs better on shitty hardware.

Anyway my long term plan is to find or build more and more things that let people just not spend money on things anymore. That could be by making it easier to not have to throw things away anymore, or building tools to replace proprietary ones, or, idk, other ways I haven't thought of.

hyperthesis
0 replies
6h12m

  Next, I started to increase the pricing; 250€ became 495€, then 695€ and 795€, and finally 895€. To my surprise, it did not mean getting fewer customers. I guess any sub-$1k amount for businesses is peanuts, so the only thing these price increases changed was improving the revenue.

Open sourcers identify with users, but businesses getting a ROI are unlike consumers.

htsh
0 replies
5h4m

As a longtime user of nodemailer, thank you.

I am gonna check out emailengine for future work.

gramakri2
0 replies
5h43m

We still use andris9's mailtrain even though the project has long died. Thanks andris9 for so many of email related node.js projects! Invaluable.

carlossouza
0 replies
5h57m

The only regret I have is that I did not start selling my software earlier and only published free, open-source software.

Well… better late than never. Congrats!