Closed chadwhitacre closed 1 year ago
Alright, slogging through the thick fog of confusion, hopefully emerging?
I've decided not to use StackAid this year, not seeing enough momentum and I need to focus my efforts.
I really like what I see at Thanks.dev. It's basically a productization of the spreadsheet I've been using and the team has been super-responsive, basically building it to spec for me.
GitHub Sponsors is making gradual progress but is still quite cumbersome for a program at our scale, nowhere near as useful as Thanks.dev.
OpenCollective is approximately as useful as GHS and the fees are higher, 10% vs. 3%.
Two years ago I wrote deps and did allocations manually. Last year I reran deps but also put a little through TD and SA as pilots. I didn't try to reconcile recipients and amounts between them, I just let the TD/SA money be free bonus extra cash dollar dough bucks. This year I would like to flip it:
getsentry, codecov, and syntaxfm, but with a limited dollar amount, basically just buying logo placement.
Needs from TD:
tag-production
Needs for TD:
For GitHub:
I have $50k locked up in GHS right now, I should be able to use for PSF and DSF, not sure I'll be able to transfer to other orgs though.
Engaging with Thanks.dev. Sent in email:
- Thanks.dev (TD) administers Sentry's Open Source funding program for the year.
- $25k fee
- $475k to be allocated and disbursed via one-time or monthly recurring payouts
- $50k is already located in GitHub Sponsors (GHS), remainder ($425k) will be transferred to TD, OC, GHS, or direct to project as necessary
- Recipients determined via automated dependency analysis in three GitHub orgs + additional lists (survey results, SDKs, prior year).
- Allocations weighted according to Sentry's priorities (orgs, repos, ecosystems, projects, recipients)
- Payout mechanisms include TD (0% additional fee), OC (10%), GitHub Sponsors (3%), and direct payments (0%) to a limited number of projects (~10).
- All funds disbursed (for one-time payouts) or configured (for monthly payouts) by Oct 10.
Let me know if we need to align further on details. Do you have an order form that we can start with? If not [we] can provide. I am seeing terms on your site, not sure if we can start there or what, will let [legal] drive from here.
Internal procurement ticket: https://getsentry.atlassian.net/servicedesk/customer/portal/15/PSD-294
@nehzata Can we use this ticket to coordinate the rest of our work together this year?
I believe the contract is in your hands to docusign. Once that is inked we are ready to run!
The thanks-dev app is installed on getsentry, codecov, and syntaxfm. However, the @getsentry-funding account is not a member of the latter two orgs. I have a request in to @jeffrey-sentry to help out with that. I also seem to be having some trouble getting the account through our new SCIM workflow on the getsentry org as well, so I think we may be fully blocked on this.
I had a call with GitHub about transferring funds between the three orgs, I added a sheet to the spreadsheet ("GHS") with details, tl;dr targeting $4/maintainer/month across all three orgs. Need to investigate minimums in our set of maintainers and decide on our approach (easiest is to drop any maintainer with a minimum > $4/mo, but we have some flex if needed).
I also added contact emails for the foundations on the "Summary" tab. Feel free to start reaching out to folks and let me know if any of the target amounts do not line up with levels/expectations for this year. For Outreachy they work in 6-month intervals so the 20k will need to be 2 x 10k I think.
Thanks @chadwhitacre! Contract is signed now. Exciting!
On our side we've nearly finished the manual inclusions process to support survey + sdk deps. We'll get the GH sponsors script sorted next and @anehzat will be starting with the foundations.
Sounds good. I am traveling today and all next week but I have my laptop, we're so async with timezones in the best of times that I doubt you'll notice much anyway, but in particular I will watch for email threads with foundations that @anehzat starts and chime in as needed. Thanks, @nehzata @anehzat! Good luck!
lol should've checked my email first ... love you guys!
Hi @jeffrey-sentry! Hope you're well.
Following @chadwhitacre's previous message re the app installation, we can confirm access to syntaxfm on our side but not getsentry & codecov.
Please let me know if there's anything we can do on our side to assist.
@nehzata I do not have access to the codecov org, but I just checked the thanks.dev app permission setting for getsentry and it does have Read access to all repos. Is there anything else we need to do on our side beyond that?
Thanks!
Here are the repos I see when I login to thanks.dev using @getsentry-funding. I guess we need to do the dance to see codecov and getsentry there.
All three (plus mine and ... Isaac's!?) are associated with my personal GitHub account.
Here's what I see when I try to configure the app using @getsentry-funding from the thanks.dev UI:
When I configure using my account I see that it is installed on all repos (for all three orgs).
@nehzata Was there a manual step last year on your side to get this wired up? I forget but have a vague recollection. Any thoughts on how to proceed?
@chadwhitacre looks like for the Sentry org it expects us to manually select the repos individually. Last year we had a script running that would populate everything without requiring the app installation. That worked as all the repos we were interested in were public. If I understood correctly, this year there are private repos as well? If not shall we revert to the previous process?
Just to clarify it seems we have the following options atm:
@nehzata I do not have access to the codecov org, but I just checked the thanks.dev app permission setting for getsentry and it does have Read access to all repos. Is there anything else we need to do on our side beyond that? Thanks!
Thanks for checking it out @jeffrey-sentry!
@chadwhitacre We submitted a bug report with GitHub regarding the isaacs entry and got the following response.
@chadwhitacre First version of GH mass sponsorship app is ready to test here! :)
We submitted a bug report with GitHub regarding the isaacs entry and got the following response.
What org am I a collaborator in that results in isaacs showing up in the list? I don't see isaacs on the list of orgs on https://github.com/apps/thanks-dev/installations/select_target, e.g. Feel free to cc me on the support ticket and I can connect with GH support directly.
First version of GH mass sponsorship app is ready to test here! :)
Dope! Looks like it's designed to run continuously, yes? Can I run it once to set up recurring monthly donations?
for the Sentry org it expects us to manually select the repos individually
Is it some config specific to the getsentry org that requires this? How about codecov? I have the app set to "all repos" in both orgs (as well as syntaxfm) so I am wondering where specifically we are tripped up here.
What org am I a collaborator in that results in isaacs showing up in the list? I don't see isaacs on the list of orgs on https://github.com/apps/thanks-dev/installations/select_target, e.g. Feel free to cc me on the support ticket and I can connect with GH support directly.
The original ticket is closed as it's from Nov last year. I did some further digging into this and looks like the following is happening:
You're a collaborator on github.com/isaacs/github;
We've come across many such disconnects between token scopes in the App installation API & GraphQL API unfortunately...
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/repos/isaacs/github/collaborators | jq '. | map(.login)'
[
"schacon",
"wfarr",
"clarkbw",
"holman",
"isaacs",
"haacked",
"aspiers",
"chadwhitacre",
"tjfontaine",
"TPS",
"dreww",
"broccolini",
"joernhees",
"jlord",
"cirosantilli",
"yoannchaudet",
"michellemerrill"
]
First version of GH mass sponsorship app is ready to test here! :)
Dope! Looks like it's designed to run continuously, yes? Can I run it once to set up recurring monthly donations?
Yes it currently runs continuously to cater for network failures + GH access token rate limiting. Recurring donations may be possible but we don't know if it works yet as the corresponding monthly/yearly settings are not present in the API. We've asked in GH community forums. Should be a one or two line change.
Let's do a quick code review + test to confirm once you're back online please?
for the Sentry org it expects us to manually select the repos individually
Is it some config specific to the getsentry org that requires this? How about codecov? I have the app set to "all repos" in both orgs (as well as syntaxfm) so I am wondering where specifically we are tripped up here.
Not really sure. Let's go over it on a call when you're back to see if anything sticks out please? In the meantime we've started working based on the @chadwhitacre account that has correct access to unblock ourselves for now.
Finally, looks like @anehzat has the foundations mostly covered. We plan to have a first draft of distributions for your review next week.
You're a collaborator on github.com/isaacs/github
Thanks for digging, I've opened a new support ticket with GitHub to be removed as a collaborator from that repo. It is now archived, and I can't find in the UI where to remove myself.
We've asked in GH community forums.
Gotcha. I've asked my contact at GitHub Sponsors in email to see if we can get an answer here.
Let's do a quick code review + test to confirm once you're back online please? Not really sure. Let's go over it on a call
Sounds good, let's aim for the first part of next week, will drop to email to schedule.
Awesome! First invoice has been emailed btw.
Hope you're having a great time!
@chadwhitacre as discussed, these are the only installations currently present for getsentry-funding user.
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/user/installations | jq '.installations | map(.account.login)'
[
"getsentry-funding",
"syntaxfm"
]
getsentry and codecov?
Invoice is approved and should get paid tomorrow.
utils (formerly wkr-gh-sponsor) is now updated. Doesn't need the csv file. It instead scrapes all the dependencies from GH API.
To run locally (donation disabled):
. bin/activate-hermit
GH_CLASSIC_ACCESS_TOKEN=<TOKEN> ./scripts/wkr-gh-sponsor --config example.config.json
these are the only installations currently present for getsentry-funding user.
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/user/installations | jq '.installations | map(.account.login)'
[
"getsentry-funding",
"syntaxfm"
]
@jeffrey-sentry Any ideas on this one? The user/installations endpoint returns syntaxfm for the @getsentry-funding account, but in order to use that account (rather than, e.g., my own account) we need it to also return getsentry and codecov. Nothing obvious is jumping out at me when I compare:
Do both codecov and getsentry use SCIM? Something to do with that, maybe?
A clue! There is a "Member privileges" settings page, and I find a "Base permissions" knob at the top:
That's for syntaxfm. For getsentry and codecov this option is set to "No permission".
Does this maybe interact with the user/installations API endpoint? I don't want to change the setting permanently, but maybe we could toggle it off temporarily in syntaxfm to see if it impacts the endpoint?
@nehzata Let's do this on a call. I've uninstalled the thanks-dev app from syntaxfm, but it's still showing up in the settings page for @getsentry-funding. My hunch is that you can do something on your end to remove that connection in Thanks.dev, then I can re-add with the base permission turned off in syntaxfm to test my hypothesis. That'll probably be most efficient in realtime, so I've sent an invite for later today/tomorrow. In the meantime I've opened a support request with GitHub, since if this is true we'll need some workaround since we shouldn't set base perms in codecov and getsentry.
@chadwhitacre meeting confirmed.
GH is still returning syntaxfm:
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/user | jq .login
"getsentry-funding"
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/user/installations | jq '.installations | map({id:.id, login:.account.login})'
[
{
"id": 32259457,
"login": "getsentry-funding"
},
{
"id": 42286928,
"login": "syntaxfm"
}
]
curl -s -H 'authorization: bearer <TOKEN>' https://api.github.com/user/installations/42286928/repositories | jq '.repositories | map(.name)'
[
".github",
"brand",
"giveaway",
"hackweek-md-multiplayer-editor",
"meta",
"vscode-theme",
"website"
]
We confirmed in real time that the hypothesis is correct: we need either "Owner" role on the user account or "Read" base perms for the org in order for the user/installations API to include a given org. We also confirmed that installing the app for only some repos vs. all repos does not make a difference. Assuming GitHub does not get back with a workaround on my support request, our options seem to be:
getsentry and codecov.
Thoughts on how to proceed @jeffrey-sentry @mdtro? Since the thanks-dev app only has read permissions, iirc using a separate low-privilege account was really a defense-in-depth, yes? I think option (1) may be the least disruptive/risky path forward, assuming no workaround. Can we live with this?
Just saw this come through!
The payment for invoice 0120 was initiated on Sep 27, 2023. We notified Thanks Dev Pty Ltd of the payment initiation. The payment should reach the vendor's bank account in 4-5 business days from the day of this email.
Excellent!
auto-boost added to utils as well.
Inclusions have been uploaded to both @chadwhitacre & @getsentry-funding accounts
Okay so in my court:
- mass-gh-sponsor
- auto-boost ~ letting @nehzata handle this for now
I've pinged our security team internally on the first one.
if we can differentiate activities from thanks.dev and activities that's performed by you in logs, then I think it's fine to use option 1
Independently, we're in the process of rolling our GH orgs up into a GH enterprise(!). The timing is fortuitous, since it interacts with sponsor accounts. tl;dr I'll have a little dancing to do in their UI before I am ready to configure our new sponsorships.
Similarly, if the request triggers a corresponding entry in the audit logs and security logs, the logs will list the user as the actor but will state that the "programmatic_access_type" is "GitHub App user-to-server token".
Looks like we can't filter on programmatic_access_type in the audit UI. I've kicked off an export to see if this key shows up in our existing audit log at all.
With help from my Security team, I was able to inspect the audit logs. The programmatic_access_type key is present as documented, and additionally there is a "name" field that seems to list the app in question. This gives us what we need to detect any unexpected behavior from the app.
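The detection chadwhitacre describes above, as an added example in Go that is not from this thread, from Thanks.dev or from GitHub: it reads a newline-delimited audit-log export and flags every event attributed to the funding account that did not arrive through the expected GitHub App's user-to-server token. The field names `actor`, `action`, `programmatic_access_type` and `name` are the ones named in the comments above; the sample entries, the `@timestamp` key and the app name `thanks-dev` as the value of `name` are constructed assumptions, not real Sentry audit data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is the subset of a GitHub audit-log export entry the thread
// relies on; fields GitHub emits that are not declared here are ignored.
type AuditEvent struct {
	Timestamp          string `json:"@timestamp"`
	Action             string `json:"action"`
	Actor              string `json:"actor"`
	ProgrammaticAccess string `json:"programmatic_access_type"`
	Name               string `json:"name"` // the app, per the inspection above
}

// Policy says what "expected" looks like for a dedicated funding account:
// every action it takes should arrive via the named app's user-to-server token.
type Policy struct {
	Actor          string // low-privilege account, e.g. getsentry-funding
	ExpectedApp    string // GitHub App name expected in "name"
	ExpectedAccess string // expected programmatic_access_type value
}

// Flag returns the events attributed to policy.Actor that did not come through
// the expected app with the expected token type. Other actors are out of scope.
func Flag(events []AuditEvent, policy Policy) []AuditEvent {
	var flagged []AuditEvent
	for _, ev := range events {
		if ev.Actor != policy.Actor {
			continue
		}
		if ev.ProgrammaticAccess == policy.ExpectedAccess && ev.Name == policy.ExpectedApp {
			continue // the app acting on the account's behalf: expected
		}
		flagged = append(flagged, ev)
	}
	return flagged
}

// ParseExport decodes a newline-delimited JSON export, one event per line.
func ParseExport(ndjson string) ([]AuditEvent, error) {
	var events []AuditEvent
	for i, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// SampleExport is a constructed export, not real Sentry audit data: three
// entries arrive through the app as expected, one is a PAT-driven download and
// one an interactive org change by the same account (both should be flagged),
// and one is another actor entirely (ignored by this policy).
const SampleExport = `
{"@timestamp":"2023-10-02T01:00:00Z","action":"repo.download_zip","actor":"getsentry-funding","programmatic_access_type":"GitHub App user-to-server token","name":"thanks-dev"}
{"@timestamp":"2023-10-02T01:00:05Z","action":"repo.download_zip","actor":"getsentry-funding","programmatic_access_type":"GitHub App user-to-server token","name":"thanks-dev"}
{"@timestamp":"2023-10-02T01:01:00Z","action":"sponsors.sponsor_sponsorship_create","actor":"getsentry-funding","programmatic_access_type":"GitHub App user-to-server token","name":"thanks-dev"}
{"@timestamp":"2023-10-02T02:00:00Z","action":"repo.download_zip","actor":"getsentry-funding","programmatic_access_type":"classic personal access token"}
{"@timestamp":"2023-10-02T03:00:00Z","action":"org.remove_member","actor":"getsentry-funding"}
{"@timestamp":"2023-10-02T03:30:00Z","action":"repo.create","actor":"chadwhitacre"}
`

// FlagSample applies the thread's policy to the constructed export.
func FlagSample() ([]AuditEvent, error) {
	events, err := ParseExport(SampleExport)
	if err != nil {
		return nil, err
	}
	return Flag(events, Policy{
		Actor:          "getsentry-funding",
		ExpectedApp:    "thanks-dev",
		ExpectedAccess: "GitHub App user-to-server token",
	}), nil
}

func main() {
	flagged, err := FlagSample()
	if err != nil {
		panic(err)
	}
	for _, ev := range flagged {
		fmt.Printf("UNEXPECTED %s %s type=%q app=%q\n", ev.Timestamp, ev.Action, ev.ProgrammaticAccess, ev.Name)
	}
}
```

Run against a real export, the two flagged lines are the ones worth a look: a download made with a personal access token and an interactive org change, neither of which the read-only app should ever produce. The policy is deliberately an allow-list (expected token type AND expected app name) so that a new token type or a second app showing up under the same account is surfaced rather than silently accepted.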
@nehzata I'm sure you've already addressed this ... Could the Thanks.dev GH App use installation auth instead of user auth?
@nehzata, I'm a part of the Sentry security team. @chadwhitacre Sorry for all the telephone and having you play mediator.
I was reading the ToS to try and get some more detail about how thanks.dev works and is possibly architected. I fully understand you'll need to pull down our code to analyze it, but is it possible to get more clarification as to what is stored long-term on your systems? Questions below.
From the ToS:
The data we collect from you during the course of providing our Service will be stored according to industry standards. We perform routine backups of our systems and data, however we do not warrant these backups and you should not rely on them for your business continuity.
Hi @mdtro ! Thanks for looking into this. Response to questions are below. Please let me know if any other parts need clarification.
The data we collect from you during the course of providing our Service will be stored according to industry standards. We perform routine backups of our systems and data, however we do not warrant these backups and you should not rely on them for your business continuity.
- What data is stored? Everything from the repository or just package manifest files?
We only read the manifest files listed here.
- How is the data stored? ie. is the data stored on cloud storage and is the data encrypted?
It is stored in our DB backed by an encrypted EBS in a private EKS cluster. The EKS cluster is configured with role based permissions via IAM roles.
- Are backups encrypted and how long are they retained?
Backups are encrypted on S3. The manifest files + dependency trees are not stored in backups though. We only backup the following DBs:
- users db
- settings db
- accounting db (donations, balances etc)
Everything else will automatically get reanimated in the case of DR. Storage costs would be prohibitive otherwise.
We retain last 30 days via S3 lifecycle policies.
- If the Thanks.dev app is ever deauthorized from the organization, is associated data deleted including backups?
We're not presently deleting any data automatically. In the event of a deauthorization we just detect access has been revoked and stop trying to read the manifest files + updating the dependency tree.
However, we do have the ability to manually handle CCPA and equivalent data deletion requests should there be a need.
@nehzata I'm sure you've already addressed this ... Could the Thanks.dev GH App use installation auth instead of user auth?
@chadwhitacre We don't currently obtain an installation token. Let us look into it and get back to you please.
If I've understood correctly, this would be to differentiate thanks.dev activity from your own activity in the audit logs right?
@chadwhitacre Can we jump on a quick call please to confirm which repos will be included in the dep tree? We'll then be able to do the final export for onboarding. Same time as usual if it's ok with you?
If I've understood correctly, this would be to differentiate thanks.dev activity from your own activity in the audit logs right?
Yes, and in general to decouple app activity from my user account.
Can we jump on a quick call please [...] Same time as usual if it's ok with you?
Of course, sent for your Thursday AM.
to confirm which repos will be included in the dep tree? We'll then be able to do the final export for onboarding.
My intention is to include all repos for all three orgs (weighted differently, of course). Is this enough to unblock?
Ftr looks like we found time to meet today/tonight.
Also, our orgs are now consolidated into an enterprise, ready to proceed with mass-gh-sponsor.
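For reference, the installation-auth flow chadwhitacre asks about above (and that nehzata says Thanks.dev does not yet use), as an added example in Go that is not Thanks.dev's code and not part of this thread: the app signs a short-lived RS256 JWT with its private key (`iss` = app ID, `iat` back-dated 60 seconds, `exp` inside GitHub's 10-minute limit), then presents it to `POST /app/installations/{id}/access_tokens` to obtain a token scoped to that installation's repositories and permissions. Calls made with that token are attributed to the app, not to any user account, which is the decoupling asked for above. The app ID and the key pair are assumptions generated on the fly; the installation id 42286928 is the syntaxfm one from the curl output earlier in the thread. The block builds and verifies the JWT and constructs the exchange request offline without sending it; only the standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// appClaims are the only claims GitHub requires in a GitHub App JWT.
type appClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

// DemoKey stands in for the PEM private key GitHub issues at app registration (assumption for an offline demo).
func DemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildAppJWT signs the RS256 JWT an app uses to authenticate as itself. GitHub
// rejects a future iat or an exp >10 min out, so iat is back-dated 60s and exp is +9 min.
func BuildAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(appClaims{
		Iat: now.Add(-60 * time.Second).Unix(),
		Exp: now.Add(9 * time.Minute).Unix(),
		Iss: appID,
	})
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyAppJWT mirrors GitHub's server-side check: RS256 signature against the
// app's public key plus the iat/exp window at `now`; returns the issuer (app ID).
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("jwt: expected three segments")
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("jwt: bad signature: %w", err)
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c appClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if t := now.Unix(); c.Iat > t || c.Exp <= t {
		return "", fmt.Errorf("jwt: outside iat/exp window")
	}
	return c.Iss, nil
}

// InstallationTokenRequest builds (without sending) the token exchange. The JSON
// response carries a short-lived "token" scoped to that installation; API calls
// made with it are attributed to the app rather than to a user.
func InstallationTokenRequest(installationID int64, appJWT string) (*http.Request, error) {
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func main() {
	key, _ := DemoKey()
	jwt, _ := BuildAppJWT("123456", key, time.Now())  // app ID is an assumption
	req, _ := InstallationTokenRequest(42286928, jwt) // syntaxfm installation id from the thread
	fmt.Println(req.Method, req.URL, "jwt length", len(jwt))
}
```

Two properties matter for the audit-log question raised above: the app JWT never carries a user identity, and the installation token it buys is bound to one installation, so the resulting audit entries name the app rather than @getsentry-funding or a maintainer's personal account. The verifier is included only so the signing path can be checked without GitHub; in production GitHub is the verifier.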
@nehzata Thank you for the answers! When you say "you only read manifest files", does that mean that's all that is stored? Or is the entire repo stored, just only those particular files are searched for and read?
@mdtro Apologies for not being clear. We only download and store the manifest files. More specifically we:
← 2022 | Notion | Sheet・Sheet 2 | 2024 →
Greetings!
Welcome to Sentry's annual Open Source Fund Fest for 2023! This program takes a lot of work to run and this issue is the central source of truth for coordinating all of the moving parts. This year our budget is $500,000, which is almost double last year. There are two key components to this year's edition:
GitHub Sponsors: We are continuing our partnership with GitHub, and this year our goal is to become the first company to approach 100% coverage of all of our dependencies on Sponsors, across three orgs (getsentry, codecov, and syntaxfm). We are dedicating 10% of our budget to this, so these will be small amounts but lots of them and will show as coming directly from us. We expect a number of these to be the first sponsorship that people ever receive.
Thanks.dev: We were a launch partner for this new platform last year, and our pilot project went so well that we have contracted with Thanks.dev to manage the bulk of our budget this year. The size and scope of our program is quite significant, and the product Thanks.dev is building and the level of expertise they are developing in this field make them an excellent partner for us. We're inventing the future together!
Thanks.dev offers payouts through Stripe (0% additional fee) and Open Collective (10%) and is adding payouts through GitHub Sponsors for us (targeting the 3% fee tier). You will need to sign up on Thanks.dev if you want to receive more than the small amounts we're sending to everyone directly through GitHub Sponsors.
We're aiming to publish our wrap-up blog post on October 24. In the meantime, feel free to comment on this issue or reach out with questions. Thank you to all of the maintainers who build the software Sentry depends on.
FOSS Funders
While it is fun and exciting to run arguably the most comprehensive and robust program in the industry for really truly funding Open Source, the only way we're going to solve Open Source sustainability once and for all is for every company to step up and participate. Sentry is part of the FOSS Funders working group to drive this change. If your company has an Open Source funding story to tell, please join us!
To Do
getsentry
codecov and syntaxfm
codecov
syntaxfm
codecov and syntaxfm orgs
Press
GitHub Sponsorships
Announcement