Proof of Contribution
A foundational principle within The tea Protocol is that Free & Open-Source Software (FOSS) should be recognized for actual impact, not just visibility or immediate utility. This is true across the entire software stack – from the sleek user interfaces we experience, to the often invisible libraries that make it all possible. To fulfill its mission of fairly rewarding maintainers, the protocol must accurately determine the value of open-source software, and it relies on its oracle, Proof of Contribution, to do so.
Unlike traditional onchain mechanisms that rely on computational power or financial stakes, Proof of Contribution evaluates the impact of software contributions within open-source using teaRank, a network-based metric that reflects the quantity and quality of a project’s dependents. The score adapts over time, encourages new projects to challenge established ones, and ensures that recognition extends throughout the entire open-source stack, from glibc to the latest JavaScript UI libraries.
Why is a new approach needed?
The open-source ecosystem that underpins all software can be pictured as a tower of bricks where lower layers are (often) long forgotten, but still maintained by dedicated engineers, and relied upon by the rest of the stack. Only projects at the top of the tower are typically known and receive sponsorship. This biased selection leads to essential bricks that hold up the tower attracting no donations, while favorites receive more than they need. Existing funding models allow consumers of projects to propose payment for developers to build specific features, which remunerates projects only for doing specific things, not necessarily things in their own best interest, and again rewards only favorites.
tea changes this. Inspired by PageRank, the oracle models FOSS as a directed graph, where each node represents a project, and each edge a dependency relationship. This dependency data is gleaned from individual package managers, and consolidated into one view of the open-source graph. With teaRank, contributors, users, and the protocol have a 1-100 score to quantify the impact of an individual package relative to others within FOSS.
Why can’t we use PageRank?
PageRank, at its core, is a probability distribution algorithm that assigns scores to nodes in a graph, representing the likelihood that anything randomly navigating the graph will arrive at a particular node. This algorithm is particularly effective in a graph-like data structure, such as the internet, because it quantifies the importance of each node (or web page) based on the quantity and quality of edges (links) to it. Google modified the algorithm to better discern the web’s topology and identify fraudulent links between web pages, allowing them to mitigate spam attacks, where certain pages were artificially inflated in importance through manipulative linking strategies.
However, the strategies employed by PageRank to combat spam on the web become less effective when applied to FOSS. Unlike web pages, most package metadata in open-source software, such as lines of code and commit messages, is user-generated and can be easily spoofed. Package managers today are targeted by spam campaigns, where attackers bloat the registry with packages containing phishing links or other malicious content.
During the tea protocol’s testnet phase, spammers published useless packages to Ruby and npm en masse to boost their teaRank and gain a larger share of rewards. The work of identifying and publicizing spam packages falls to security firms or Good Samaritans, neither of which is a scalable means of mitigating spam attacks in FOSS. Our solution was to build out an enhanced spam detection system that rewards legitimate projects, removing the motivation for the creation of "junk" projects in package managers.
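The PageRank model described above, run over a small constructed dependency graph, as an added example (not tea's code, and plain PageRank rather than teaRank itself). It shows the bottom-of-the-stack library ranking highest, and how far an unfiltered score moves once empty packages declare a dependency, which is the weakness the spam detection is there to close. The package names, the `with_junk` helper and the min-max scaling to 1-100 are assumptions made for illustration.

```python
# Added illustration: plain PageRank on a constructed dependency graph.
# This is NOT teaRank; the 1-100 scaling below is an assumption for display.

def pagerank(deps, damping=0.85, iters=100):
    """deps maps package -> packages it depends on (edge: dependent -> dependency)."""
    nodes = sorted(set(deps) | {d for ds in deps.values() for d in ds})
    n = len(nodes)
    rank = {p: 1.0 / n for p in nodes}
    for _ in range(iters):
        # Packages with no dependencies (dangling nodes) spread their rank evenly,
        # so the scores keep summing to 1.
        dangling = sum(rank[p] for p in nodes if not deps.get(p))
        new = {p: (1 - damping) / n + damping * dangling / n for p in nodes}
        for p in nodes:
            out = deps.get(p, [])
            for d in out:
                new[d] += damping * rank[p] / len(out)
        rank = new
    return rank

def scale_1_100(rank):
    """Assumed min-max scaling; the page does not give teaRank's formula."""
    lo, hi = min(rank.values()), max(rank.values())
    span = (hi - lo) or 1.0
    return {p: round(1 + 99 * (r - lo) / span) for p, r in rank.items()}

# Constructed sample graph: visible apps on top, one base library underneath.
GRAPH = {
    "ui-app-a": ["ui-kit", "http-client"],
    "ui-app-b": ["ui-kit"],
    "ui-kit": ["base-lib"],
    "http-client": ["base-lib"],
    "small-lib": ["base-lib"],
    "base-lib": [],
}

def with_junk(graph, target, count):
    """Copy of graph plus `count` empty packages whose only dependency is target."""
    g = dict(graph)
    for i in range(count):
        g[f"junk-{i}"] = [target]
    return g

if __name__ == "__main__":
    clean = pagerank(GRAPH)
    noisy = pagerank(with_junk(GRAPH, "small-lib", 20))
    print("scaled scores:", scale_1_100(clean))
    print("small-lib share, clean vs. with junk dependents:",
          round(clean["small-lib"], 3), round(noisy["small-lib"], 3))
```

On this graph `small-lib` goes from about 8.6% to about 28.5% of the total score with no real dependents added, so the raw graph score cannot drive rewards until junk nodes are identified and excluded.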
The primary goals of tea’s Proof of Contribution (PoC) mechanism are threefold:
- Quantifying Impact: By evaluating the role and utility of projects over time, PoC ensures that contributions are measured accurately, reflecting their true importance to the ecosystem.
- Rewarding Contributions: Each project is assigned a teaRank, which directly influences the distribution of TEA tokens—the native digital token of the tea Protocol.
- Enhancing Fairness and Resilience: PoC attempts to identify and isolate non-impactful projects, so only legitimate and valuable projects are rewarded.
1 Preventing Comment Spam, Google blog
2 artiebits/fake-git-history, a tool to help you attain a reputable contribution graph on GitHub
3 Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links
4 Ruby’s blogpost response to a surge in created ruby gems with tea.yaml files
5 A Phylum Blogpost detailing the targeted spam campaigns on package managers, driven by our testnet phase
6 A GitHub user publishing examples of various spam attacks to package managers