Subject: Re: Bug Bounties. Making $ from bugzilla.
From: burton@openprivacy.org (Kevin A. Burton)
Date: 25 Nov 2001 19:59:30 -0800

"Stephen J. Turnbull" <stephen@xemacs.org> writes:

> >>>>> "Kevin" == Kevin A Burton <burton@openprivacy.org> writes:
> 
>     Kevin> The system supports microscopic issues as opposed to
>     Kevin> macroscopic issues.  SXC really tried to fix HUGE problems
>     Kevin> (port XEmacs to GTK, etc).
> 
> But that wasn't a huge problem in an economic sense; it would have been done
> anyway (within a year or two, which is "soon" by the standards of Emacs
> release cycles).  That was a _business_ problem, Bob Weiner needed that port
> yesterday, and perhaps paid with his company for lack of timeliness.

The GTK port still hasn't made it into a stable XEmacs :).  (last I checked it
was in CVS and slated for the next release)

This was a big issue...  IMO.

Most of the other SXC projects were right along this line.

> I think the scale of sXc was forced not by the desire to fix big problems, but
> by the fact that to generate enough revenue per contract to be
> self-supporting, ie, cover the transaction costs, it needed to generate big
> contracts.

True.  But not all good ideas are profitable.

I haven't said that the Bug Bounty system would be profitable.  I think that it
is needed to make profit for some independent developers though.

> I don't see how this system gets around that.

For starters... SXC doesn't exist anymore.

Second, a decent and OPEN site that didn't require human intervention would
really take off.

>     Kevin> We fix bugs AND RFEs.
> 
> Getting bugs fixed, now that's a _huge_ problem.  "Herding cats," "pulling
> teeth."  As an XEmacs maintainer, I can confirm that I see very few
> high-quality fixes as one-offs.  And I don't get paid for the fixes; I'm not
> about to give a bad patch an easy time because somebody else might get paid
> for it!

I agree.  

> But it's hard to get good patches even from the regulars if it's not on what
> _they_ perceive as the critical path.

It might be the critical path to pay the bills...

> It seems that for a project like XEmacs, this would just result in (a) beer
> money for some of the regulars and (b) even more scarcity of talent willing to
> work to the long term plan.

Maybe it would be just beer money.  Of course anything > $0.0 would be great
for some people.

I mean I fix things for the good of it but it would be nice to see some economic
appreciation.

> This points to another real incentive problem, too.  I don't deliberately
> introduce bugs into XEmacs.

... :)

> I don't think that's a problem in any OSS project.  But there's no need to.
> There are enough "bugs" (as perceived by the user base) that I can demote a
> few thousand to "fix by 2100" status, even though I know how to fix them.  I
> think others are more important, important enough to spend time on diagnosis
> and design etc rather than fixing what I know how to deal with.

Maybe important to *you* but users could speak with their wallets.  A $100 bounty
on a bug might convince you to work on it.

> However, it would be easy to pull a few of those minor bugs off the
> shelf in time for Christmas.  But this would not be good for the
> project.  IMO, as maintainer, anyway.
> 
>     Kevin> ... etc.
> 
> Now that, I agree with wholeheartedly.
> 
> Your proposal _can_ work.  But only if somebody works _hard_ on mediating
> between would-be fixers and overworked maintainers.

Perhaps one of the responsibilities would be to deliver the fix into a STABLE
version of a product.  In some cases just a *fix* wouldn't count and before
getting paid you would have to talk to the maintainer about getting it
integrated and into the next release.

> It's not something that can be addressed with a pile of software and a few
> rules of payment.  It's _people_ work.  And it's _technical_ too, so the
> principal has to be multi-talented.  And it's _retail_, so I doubt it will be
> very profitable.

I obviously don't know anything about profit. :)

....

-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org
             ) Location - San Francisco, CA, Cell - 415.595.9965 Jabber -
             burtonator@jabber.org, Web - http://relativity.yi.org/