Sustainability - Tag - görn.namehttps://g%C3%B6rn.name/tags/sustainability/Sustainability - Tag - görn.nameHugo -- gohugo.ioenchristoph@goern.name (Christoph Görn)christoph@goern.name (Christoph Görn)2025 Christoph GörnTue, 28 Apr 2026 00:00:00 +0000The missing rung in the FOSS assurance ladder is cost sharinghttps://g%C3%B6rn.name/posts/foss-cost-sharing-standard-blog-2026-04-28/Tue, 28 Apr 2026 00:00:00 +0000Christoph Görnhttps://g%C3%B6rn.name/posts/foss-cost-sharing-standard-blog-2026-04-28/I spent a couple of evenings researching the b4mad.industries proposal for a Standard and Criteria Catalog for Fair, Transparent, and Sustainable Cost Sharing in FOSS Components and Dependencies. Going in, I assumed the hard part would be choosing between competing definitions of “fair.” Coming out, I’m convinced the more interesting finding is something else entirely: the FOSS assurance stack has a missing rung, and nobody is standing on it.

What I Found

We already have a tall stack of FOSS standards. SPDX/REUSE tell you what is in the software. ISO/IEC 5230 and 18974 (OpenChain) tell you whether the consuming organisation has a credible compliance and security program. CHAOSS measures project health. OpenSSF Criticality Score and Census II rank how important a dependency is. Tidelift, Open Collective, GitHub Sponsors, Sovereign Tech Fund, NLnet, Drips, Gitcoin Quadratic Funding, Optimism RetroPGF, ecosyste.ms Funds, Open Source Pledge all move money. Across all of these, not one defines a fair share, a disclosure schema, or a binding between dependency identifiers and funding flows [Source 1, 6, 7]. CHAOSS is closest — they have a Funding Working Group with a 2025 Practitioner Guide — but the guide explicitly states that “no single universal framework exists” and recommends customised approaches per funder.

]]>