thanks.dev sounds pretty shady. They seem to collect donations for projects on their behalf without telling them. So while you think you are donating to some dependency you really are giving the money to thanks.dev where they can hold onto the money until someone realizes their project has more than the minimum amount. The FAQ says that if people don't withdraw the money within 3 months it just gets sent to other people. This means that someone could donate $100 to a project and then that money ends up never making it to the author of the project. Or if you have a small project your donations never reach enough for you to withdraw them.
The article mentions that thanks.dev has a global blacklist of people who you can't donate to. This means they have the power to make certain dependencies get a bigger share of the money that is being donated.
Only projects that sign in are receiving funds. thanks.dev only makes money from tips at time of donation. The minimum withdrawal amount is $1 and that's a UI limitation mostly. Good idea re the global blacklist being overridable by the end user!
Hope that clarifies things. Let me know if you have any other concerns. :)
Not sure I understand the question correctly, but the way it's working is that Sentry have allocated a monthly budget to be distributed to their dependency tree. That budget gets trickled down to the projects that have signed in. The list and breakdowns are visible here https://thanks.dev/p/gh/getsentry.
Donors decide how much to tip thanks.dev at time of donation.
Please let me know if I missed the question or if I can improve thanks.dev in any way. I'm very keen to learn. :)
Donations are only allocated to the projects in the dependency tree that have signed up with thanks.dev. In the Sentry list for example if you click the more link at the bottom you'll see all the projects that hadn't signed in. The ones showing verified next to their name signed in after the funds for this month were processed. I see how this is causing a bit of confusion and will work on improving this aspect asap.
If you're improving the UI around here it would also be good to see how the list was determined. For automated detection in particular it seems like the tooling used also should be made public to allow testing. I know of at least one dependency that I would expect to turn up on sentry's list that doesn't. (A first guess: a bug in how you handle Rust workspaces, using the root to calculate dependency depth; alternatively a bug in your handling of non-lowercase github usernames, I notice there are only lowercase usernames in the list, but that might just be an artifact of your UI design).
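To make the case-sensitivity guess above concrete: GitHub user and organization names are case-insensitive, so a dependency whose repository URL spells the owner as "GetSentry" belongs to the same account as "getsentry". The snippet below is an added illustration, not thanks.dev's code (their detection tooling is not public, which is the commenter's point): it parses a few constructed dependency URLs, then attributes each to a signed-in owner first with a naive exact-string lookup and then with a case-folded one, showing which dependencies silently drop out under the naive rule. The URLs, the signed-in set, and the function names are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Matches SSH-style remotes such as git@github.com:Owner/Repo.git
_SSH_RE = re.compile(
    r"^(?:ssh://)?git@github\.com[:/](?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/?$"
)


def parse_github_repo(url):
    """Return (owner, repo) for a GitHub HTTPS or SSH URL, or None if not GitHub."""
    url = url.strip()
    m = _SSH_RE.match(url)
    if m:
        return m.group("owner"), m.group("repo")
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def canonical_owner(owner):
    """GitHub account names are case-insensitive, so compare them case-folded."""
    return owner.casefold()


def attribute_deps(dep_urls, signed_in_owners, case_sensitive):
    """Map each dependency URL to the signed-in owner it would fund, or None.

    case_sensitive=True reproduces the suspected bug: an owner spelled with
    capitals in the lockfile never matches a lowercase signed-in name.
    """
    if case_sensitive:
        owners = set(signed_in_owners)
    else:
        owners = {canonical_owner(o) for o in signed_in_owners}
    result = {}
    for url in dep_urls:
        parsed = parse_github_repo(url)
        if parsed is None:
            result[url] = None  # not a GitHub repo; nothing to attribute
            continue
        owner = parsed[0] if case_sensitive else canonical_owner(parsed[0])
        result[url] = owner if owner in owners else None
    return result


def missing_deps(dep_urls, signed_in_owners, case_sensitive):
    """Dependencies that receive no allocation under the given matching rule."""
    attributed = attribute_deps(dep_urls, signed_in_owners, case_sensitive)
    return [url for url in dep_urls if attributed[url] is None]


# Constructed sample input (hypothetical dependency list and signed-in set).
DEPS = [
    "https://github.com/getsentry/sentry-cli",
    "git@github.com:GetSentry/sentry-python.git",
    "https://github.com/Tokio-rs/tokio.git",
    "https://crates.io/crates/serde",
]
SIGNED_IN = {"getsentry", "tokio-rs"}  # stored lowercase, as a sign-in flow might do


if __name__ == "__main__":
    print("naive (exact match) misses:", missing_deps(DEPS, SIGNED_IN, True))
    print("case-folded misses:        ", missing_deps(DEPS, SIGNED_IN, False))
```

Under the naive rule two GitHub dependencies vanish from the list purely because of capitalization in their remote URL; with case folding only the non-GitHub crate remains unattributed. A public, testable matcher would let maintainers check this kind of thing themselves instead of guessing from the rendered list.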
How does a project sign in? As a developer, I have no idea if you are holding money for my project, or how to claim existing or future funds owing. Everything I see is about analyzing my tree and donating to other people.
As long as they are upfront about it with the donors that seems pretty fair. If I donate money to a project but the author doesn't want/need the money then I am fine with them instead giving it to another one of my dependencies. I can imagine companies liking it as well since they can immediately write off the donation, rather than wait 3 weeks to see if their money will be returned.
It's definitely opt in. Sorry I just noticed the FAQs weren't up to date – should be fixed now. You can see the break down of Sentry's donation at https://thanks.dev/p/gh/getsentry. The feedback has been overwhelmingly positive from maintainers.
Why would it be fraud if they're upfront about it?
It looks like the entire point of thanks.dev is that you give them your dependency list and they attempt to distribute your donation budget between your dependencies. Their target audience specifically doesn't want to think about where exactly the cash goes, they just want to make sure it goes to maintainers of software they use.
No one is being defrauded when the exact distribution of the funds changes because the exact distribution of funds is explicitly delegated to thanks.dev.