Discover more from GOSH
DAOs on GOSH: A New Release
Here at GOSH we hold values liberal, humorous, and, above all, open; be it in attitude, sense, or software. And with this in mind we would like to now present a brand new GOSH release we believe solves the governance problem faced by open source software today.
The main thesis behind open source software goes as follows: because it encourages more contribution and participation, this wider pool of talent will refine the code and make it more secure. The problem with this notion is that, much of the time, no such widespread contribution takes place, as the open source talent pool isn’t distributed linearly. Some repositories have more contributors than they, on paper, need; while a plethora of libraries and compilers are built by small teams, and often just by a single developer.
The fact is, open source security is mostly provided by enterprises, and, usually, only for the libraries they are using. This leads to open source software having a lot of hidden costs, most of which are for security. Enterprises spend a fortune on duplicated efforts securing the same repository over and over again.
The only alternative to direct enterprise participation is the Open Source Foundation. However, these too have a glaring issue: while they do the job of security guns blazing, they aren’t scalable enough to do it forever.
In order for open source to grow as a whole and capture value, it needs to provide security guarantees. So the question becomes: how do we ensure the real-world success of the open source thesis to provide these guarantees, in a cheap and scalable way?
We claim the starting point for achieving this is with governance.
GOSH solves the governance problem with DAOs.
Let’s use a theoretical Library X as an example. Today, a company looking to use Library X in its production environment must either hire its developers or designate internal development resources to maintain and secure it They can also pay for an audit, which needs to be done regardless of how many times such an audit has been done prior by someone else, meaning a lot more money is spent on Library X than the results show for. Enterprises can donate to a Foundation, meaning they indirectly participate in open source governance. But there simply aren’t enough Foundations to cover all of open source. Library X therefore exists in this middle ground which provides no certainty about how it's governed, who’s in control, or how building it will be rewarded. This creates uncertainty about the security of Library X.
However, at GOSH we found that our innovation — governing every open source repository as a DAO — encourages more direct participation and makes open source governance scalable.
In order to explain how, we will walk you through all the features of our latest DAO release.
Every repository on GOSH is already a DAO. You can log in with your GitHub account and claim your repository… as a DAO.
DAOs are accompanied by descriptions and hashtags. We are particularly excited about the addition of hashtags because in the future it will allow developers to easily find DAOs in which they wish to participate.
Your DAO token comes automatically together with your DAO and you can configure it while setting up your organization. Every important decision taken by a DAO on GOSH, including token creation, is subject to a vote by members of the DAO. When creating a DAO token proposal, users will be able to set their supply, as well as select an option to either allow or disallow these tokens to be minted further in the future.
Please note that checking this box is definitive; if a user does not check the ‘Allow Mint’ box when creating the token, the supply will be permanently fixed. This is an economic choice between limited or floating supply. A vote must be held in order to create the token; if minting is allowed, a vote must be held to mint tokens in the future, and how much to mint, etc.
Existing members of a DAO vote to accept a new member. Developers will be able to judge prospective members based on reputation, as shown using CFTs, and members will be able to write a note accompanying their membership request.
On GOSH, nobody can overwrite the rules of the DAO, not GOSH, not any owner — once a rule is set, it’s cryptographically guaranteed.
DAO voting on GOSH is done with DAO tokens by DAO members. Putting it another way, the result is not determined as one member equals one vote, but by the amount of DAO tokens a member votes with but subject to their voting allowance limit. A member of a DAO can earn tokens for contributing, reviewing, and other such tasks.
Another way a new, or even existing, member can receive voting tokens is by requesting an allowance from the DAO. This request indicates an amount and includes a description. This request goes to a vote, and only if it passes does the member receive more voting tokens.
A DAO can decide at any time through a vote whether to increase or decrease the allowance of one, several, or all of its members. But the amount of any member’s allowance cannot exceed their amount of DAO tokens.
If members of a DAO ever see that a single member or investor is behaving in a way that is detrimental to the DAO they can always vote to reduce his allowance or even kick him out. However, members of a DAO will not be able to strip a member of their tokens — decision making and financial value are here entirely separated.
In a recent blog post about meritocracy, we discussed our administering a separation of powers to the workflows of DAOs on GOSH. These are comparable to the separation, in traditional business, between shareholders, board members, and the management layer. One of our first aims in answering the questions of best practices and keeping open source, well, open, is to ensure that when developers govern their repository as a DAO on GOSH, their work isn’t controlled by, or at the mercy of, any single individual developer or separate class of investors. Separate DAO voting tokens is this separation of powers.
Every DAOs page on GOSH includes some familiar headers; ‘code,’ ‘merge,’ ‘pull request,’ and ‘upgrade’ are all very common terms for developers. But there is another header, one which sits more snugly in the ranks of Project Management tools, and that, indeed, is borrowed therefrom. We call them Tasks. Now, what sounds like a relatively banal feature is in fact a very central conduit for the planning and development that an open source repository can set up for itself. However, we have not created tasks to replace Project Management tools, but because we want to offer members the ability to have voting power adequately reflecting their contribution to a DAO, be it ‘product people’ who create tasks, developers who write code, and reviewers.
Members of a DAO can outline jobs they believe will positively impact the development of the open source project. Any member of the DAO can then complete them for tokens. The amount of tokens which are earned for each task is actually set by the person who created it at the time they do so. The task’s creator likewise sets up how the tokens allocated to the completion of a task will be distributed between code authors, code reviewers, and the task’s manager. This is done with a sliding scale. Tokens will be distributed automatically only after a pull request associated with the task gets accepted to the repository through a vote. However, all this is again subject to DAO voting — all tasks and their future remuneration in tokens are subject to consensus.
The tokens that members earn are usually locked and vested over time. The creator of a task will set up this lock and vesting duration. He will likewise be able to set formulas for vesting. While in the earliest DAO releases we will only have a linear vesting curve, other formulas (e.g. fibonacci, progressive) will be added later on.
GOSH hopes to allow open source to be fully transparent both in technical matters as well as financial. While the first point applies to questions of software development itself, the second is reflective of the reality in which, in order to unlock the value of open source, repositories’ information of membership, financials, and token distribution must be as open as its code. This may sound counterintuitive as a statement because this information doesn’t, and most of the time cannot, exist in the current open source landscape. And, it is certainly true that even DAOs on GOSH are yet to reach that stage.
But in the very short future, GOSH will offer financial information instruments to DAOs. Allowance allocation, the amount of tokens a DAO has locked, quantitative information on aspects of token distribution (how, when, and how much was earned, etc.), and patterns of remunerated contributions will be shown.
Following the recent Security and Exchange Commission actions against different cryptocurrency projects many developers have expressed concerns about the legality of DAOs in particular and of tokens in general. Obviously we must address these concerns here. We should naturally mention that this is not legal advice, but as you will see below such advice is hardly needed. At least not yet.
As a developer you might think: why do I need all these complications? All I want is just to write my code and not be concerned with tokens, securities, legal battles, and cryptocurrencies. Just leave me alone.
And you would be entirely correct! It is perfectly fine if you could do just that — continue to develop your code without ever looking at any of these issues. Not all people are born entrepreneurs and risk takers.
And this is precisely why we have designed GOSH DAOs in line with the most current US regulations in respect to the tokens and cryptocurrencies. So when you are creating a repository on GOSH and issue your DAO Token, these tokens will not be deemed securities by regulators.
But while we have created the DAO instruments in such a way that prevents most of such unintentional use, there are, of course, some things you, as a DAO creator, should not do in order not to run a risk of wrongdoing. So what are they?
Do not sell your DAO Tokens.
In the future GOSH may consider providing you with monetary tools (or you could of course program them yourselves at any time) but:
a) it is not now
b) you may choose not to use them
c) they will be separately explained
d) they will provide a separate legal framework
Do not promise to absolutely anyone that these tokens are worth something or may be worth something in the future. They do not hold any value apart from being used in DAO Voting to govern and provide security to your repositories
We from our end make it absolutely clear everywhere on GOSH website, applications etc., that DAO Tokens are not tradable, and do not possess monetary value.
We will write a separate in depth article about the legal aspects of DAOs but for now please follow our guidelines on GOSH and use your DAO tokens within instruments provided only by GOSH.
According to a report (updated daily) by Comparitech, based on research done by the European Union Agency for Cybersecurity, almost half of software supply chain attacks target open source software, and almost two thirds of attacks are carried out through social engineering.
GOSH secures software supply chains by providing a variety of different tools to developers, and enterprises alike. One of these is the decentralized management of code through DAOs. This ensures that vulnerable open source repositories are protected against the thing they are most vulnerable to: social engineering attacks.
This latest DAO release makes good on our promise to developers that you can now build consensus around your code, mitigating most ways source code can be exploited today.
How To Upgrade Your DAO
Upgrading your DAO on GOSH is a quick and easy process. Users who have created organizations in the previous version of GOSH will now, when they log in to their GOSH account, have an announcement that an upgrade is ready, and just click the button. So don’t wait around.
Users who are new to GOSH will now automatically start using the latest version.
DAOs on GOSH allow open source developers to take control of their work using tools they never before had at their disposal. While DAOs as a concept come from crypto, this is no cryptocurrency product. Upon carefully studying best practices in companies who prefer proprietary software we say: there is no reason open source should be less attractive. In fact, we said: how do we ensure open source is the most attractive software development landscape both to those using it, and to those building it.
There are two main reasons why quite a few companies still choose for their software to be proprietary: First, it allows them to, using a favorite phrase of ours, capture value; and, they can keep the question of security in-house and make sure it meets their standards. It’s easier for them to hire developers directly to their organization, rather than running after someone neither privy to their needs nor claimant to their trust. And a large reason for this is that there is no transparency in the processes by which open source is built. Indeed, the fact that there is virtually no recourse or accountability in open source is the reason why those that could pay for it, don’t want to. No token changes this. If a developer makes a mistake, the mechanisms for that mistake’s control and mitigation are absent.
Likewise, this impacts the way developers work… enormously.
Such issues discourage developers from participating more in ‘other people’s’ work. Many developers will build an open source project and not even expect other people to make a contribution, or for the project to grow. Thus they often remain as just passion projects. One look at a list of repositories built by small teams is a look at a list of unfulfilled potential.
The proliferation of open source today depends on security, which also depends on governance. Allowing developers to take back control of their work means more secure libraries, compilers, operating systems, and everything in between. Without this open source becomes just a hobby. And yet it can all of a sudden help build a spaceship or an industry-changing product — so no, open source is much more than just a hobby, and it shouldn’t be treated as such (and even if it were it would still need to be secure for anyone else using it professionally).
Today, even if work on Library X is open to all contributors, there is no efficient, formal process by which this work is managed. Some repositories try to fix this issue, but they inevitably need to resort to many separate tools for each case, and so have many separate resources to manage.
We claim that all open source repositories will be DAOs sooner or later.
We all hammer nails with, well, a hammer; not with pliers — DAOs are just that, a tool like no other to manage your open source organization; automating the repository management process.
As a DAO every repository is maintained by several developers. People will be able to see who is maintaining what, who voted one way or another, etc. And because, in a DAO, enterprises participate in the governance of open source repositories, this will cut down costs overall — seeing as it cuts out duplicated efforts. If Library X is used by 10 companies, right now, each of them has to hire a part-time engineer to maintain it. They pay them a yearly salary. Let’s make it low: say, $20,000 per year. Overall that’s 200k spent by all 10 companies just to maintain this library. With DAOs, however, each of these enterprises can now donate $3000, and have a direct voice in the governance of the repository, making sure it is secure, while cutting costs dramatically.
Open source is already used by many people, most may not want to pay for it, but those that need it to provide security already do; the people who don’t pay, won’t pay, those who do, will pay a lot less.
The Foundation model works, the only problem is that there aren’t enough of them to cover all of open source. DAOs on GOSH take this model, scale it to include anyone, and build an open version of the open source Foundation.
This release is only the first step. We would love to hear your feedback on how we can improve DAOs on GOSH in the future, until we can confidently say we do the work of Foundations better than Foundations.
For more updates on DAOs on GOSH: