Open Source Needs an Attribution Standard
Or: how we might build on the Drupal Credits approach to standardize attribution
Evaluating open source contributions, especially at the organizational level, remains frustratingly opaque. Who's actually investing in the projects we all depend on? Right now, there's no reliable way to say definitively. That lack of transparency is a true barrier to sustainability efforts.
I've been proposing versions of "Drupal Credits, but for all of open source" for years. It hasn't gained the traction I'd hoped for, but I keep coming back to it because the need hasn't gone away. (Notably, GitLab seems to be advancing something similar with "Contribution Records", which is worth watching.)
What is the Drupal Credits program?
For those unfamiliar: Drupal's credit system lets contributions (code, documentation, event sponsorship, and more) be attributed to individuals, their employers, or the clients funding their time. Everyone benefits. Contributors build reputation, and companies get recognized for their investment. The project gains visibility into who's actually sustaining it. Years ago, I contributed a module on behalf of a client funding my time, and they were genuinely delighted to be credited. That's the kind of alignment we should make easy everywhere.
Yes, there are complexities (multiple contributors, potential for gaming the system), but Drupal has iterated on this for years and their documentation reflects real lessons learned. (Drupalistas: please flag anything I'm missing here.)
Why should we have this capability more broadly?
Right now, it's very hard, if not impossible, for a company/org/individual to speak to their impact on a project without doing a lot of their own data curation. I recently tried to write a script to pull all [organization_name] members who contributed to the top 5 critical packages as defined by Ecosyste.ms API, but rate limits are a thing that exists. Even with a project to ingest data over time for analysis, it's just a whole lot of work on all sides.
![[PHASE 1] Fetching organization sponsorships... Currently sponsoring: 1 entities Previously sponsored: 0 entities [PHASE 2] Loading packages from example-packages.json... Loaded 5 packages from file [PHASE 3] Analyzing 5 packages... This may take several hours depending on API rate limits. [1/5] psf/requests (pypi/requests) Fetching members of microsoft organization... Found 4464 public org members GraphQL errors: [{'type': 'NOT_FOUND', 'path': ['user'], 'locations': [{'line': 3, 'column': 11}], 'message': "Could not resolve to a User with the login of 'psf'."}] ✓ Contributors: 4, Commits: 0, PRs: 2, Sponsorship: NOT_SPONSORED [2/5] curl/curl (other/curl)](https://sunnydeveloper.com/content/images/2025/12/image-2.png)
GitHub, GitLab and Codeberg contribution graphs are helpful as a snapshot, but you cannot tell whether a customer paid for that work, or whether it relates to employed or personal time. They also don't capture non-coding contributions, like event sponsorship, board membership, code of conduct committee membership and more, that really make up the big picture.
Where should it live?
I no longer think this belongs in a single product's workflow. Instead, I believe we need a standard: something communities can adopt and adapt to their own values, implemented through CI/CD workflows.
Not unlike a Code of Conduct, really: a template that defines what contributions count, how value is measured, and how attribution flows. Each community decides what matters to them. And as communities learn, they contribute back to the evolution of that standard.
How can it help?
It gives organizations and individuals visible, meaningful credit for their efforts - not just marketing fluff, but something with real weight in the project they support. It also reveals who's missing.
What does it miss?
As Dries pointed out in this recent blog post, there are remaining questions about behavior changes:
"How do we distinguish between companies that can't contribute and those that won't? What actually changes corporate behavior: shame, self-interest, punitive action, exclusive benefits, or regulation?"
Credit and visibility are a necessary foundation to then address these motivational challenges.
Who should build it?
Any ecosystem standards organization can do this and be an example for others. Drupal has put in the groundwork and the learning over years; it's just a matter of intention. This is work that requires humans.
I am sure you have ideas too! These are mine, on my own time: observed and written since being laid off at Microsoft. I appreciate sponsorship, and opportunities to work on efforts like this for your organization or project. Get in touch!
Also check out:
- Open Source Wishlist, which is just getting going!
- AI alignment in open source (working group)