GitHub is almost everything when it comes to open source, and it’s now making a ‘Sponsor Me’ button available to repo owners (and others who invest in open source) who want to be paid for their work.
The button is optional; repo managers don’t need to add it to their profile or work. GitHub tells Dice a repo manager can even use it to add stretch-funding goals for projects.
You can also use sponsorships to monetize employment; per GitHub's example, a developer could offer X hours of debugging to a sponsor who gave a certain high-dollar amount monthly.
Sponsorships recur on a monthly basis. You can donate as little as $1 per month, or as much as $6,000 every 30 days. GitHub is using Stripe as its payment processor, and is matching sponsorships for the next 12 months. If you earn $500 per month via sponsorships, GitHub will match it to total $1,000 for the next year.
GitHub carefully frames this as a tool that those working diligently in open source can take advantage of. But the ‘sponsor me’ button is not unique to developers. As GitHub notes, “maintainers, designers, programmers, researchers, teachers, and writers” can all take advantage of this feature.
Unfortunately, GitHub doesn’t say (yet) if there are limitations on how its sponsorship model can be used. I asked what might happen if a repo was cloned and monetized. Apparently, GitHub would stop attempts at impersonation; but I could clone a repo and add a ‘sponsor me’ button to it, and so long as I didn’t pretend to be the person who created the original, GitHub would (theoretically) take a hands-off approach.
We say “theoretically” because GitHub is offering this feature as an invite-only beta with a waitlist. In other words, it’s treading these waters carefully, and hasn’t yet imagined the depths of darkness that monetization can bring. It will rely on its "platform health" team to police bad actors when they arrive, and tells Dice it will definitely freeze assets if money came from a sanctioned country or was otherwise suspect (GitHub Sponsorships will be available everywhere GitHub operates, globally).
GitHub Sponsorship is a direct attack on Patreon, right down to the hands-off approach GitHub is taking on governance and fraud. It’s also important to note that users can sponsor other users via their profile or unique repos. A ‘sponsor me’ button on a profile funds your overall efforts, and is probably the best place to ask people to pay for your work (such as debugging code). For 12 months, you can even offer it at half-price and let GitHub match what you’d normally charge.
Sponsoring a repo is where we see the most vulnerability to bad acting, and where the environment is most likely to be charged (pun intended). The ability to fork a repo, leave it largely untouched, and then monetize it is poor form; it’s akin (in some ways) to the clones of popular apps (such as Flappy Bird and Candy Crush) that periodically erupt in the App Store and Google Play. Expect more rules to roll out as GitHub sources feedback while this program is in beta.
We'll be curious to see how this pans out. A Dice Insights Survey shows most developers believe open source managers should be allowed to monetize their efforts, though most feel that should only come when a paid app or service utilizes open-source work.
GitHub Expands Package Management & Security Features
In other news, GitHub is announcing it has acquired Dependabot, a repo add-on that manages updates and security for packages, which builds on its new Package Registry feature. It’s also partnering with WhiteSource to deepen its dataset for known vulnerabilities in open source components (via something it’s calling Dependency Insights).
Dependency Insights allows you to see who is using your packages, where the code comes from, and how it’s being used outside your scope. This all dovetails into Licensed, which GitHub launched last year. Licensed automates license checks for developers, and Developer Insights automates security and vulnerability checks, so you’re not using bad code or including a bitcoin miner in your package.
For companies, GitHub Enterprise now allows repository permissions to include every employee. You can also add outside sources, such as contractors – but allow them varying degrees of control, from read-only access on up.