In late 2022, Tidelift fielded its second survey of open source maintainers. Hundreds of maintainers responded with thoughts about getting paid for their work, the security and maintenance practices they have in place for their projects, and where they need help most, along with a host of other interesting insights. In this post, we share the fourth of eleven key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
Over the past few years, organizations that build applications using open source software have begun to think of maintainers as suppliers and their packages as part of the software supply chain. As pointed out by Thomas Depierre in his blog post I am not a supplier, maintainers usually have no contractual relationships with or obligations to the organizations that choose to use their “as is”-licensed open source project.
Meanwhile, as the aftermath of the Log4Shell vulnerability made clear, volunteer open source maintainers are regularly asked to do high-stress work under tight deadlines to stop a vulnerability from impacting the organizations that rely on their packages.
Maintainers have started speaking up and the message is clear: Unless they are being paid to do the work, many of them will not take on the added responsibilities required to align their packages to the emerging government and industry standards.
In this year’s survey, we asked the 48% of maintainers who said they had no plans to ensure their projects align to industry standards to provide their reasons why.
The two most common reasons? They don’t have the time and are not being paid to do the work. Thirty-eight percent of maintainers said they don’t have the time, closely followed by 37% who said they weren’t being paid to do it. An additional 24% of maintainers said they didn’t have enough resources to align to the standards in a timely manner.
It also appears from the answers we received that understanding the standards, and how and whether they apply, is still a key issue. Thirty percent of respondents reported that some standards would not apply to their project, while 29% said they did not understand which standards were applicable. Eighteen percent said they didn’t understand how to align to the standards, and 14% see too many competing standards standing in the way of knowing where to focus limited time.
We also asked maintainers to give us insight into the type of support that would make them more likely to consider aligning their projects to the new standards:
A majority, 54% of maintainers, would appreciate help understanding these new standards and how they might apply to their project. Forty-seven percent of maintainers want to be paid for undertaking the work needed to align their projects with the new standards. And 34% of maintainers would appreciate help actually doing the work needed to align with the standards, while only 13% said that nothing would make it more likely for them to consider aligning to these new standards.
The effort to improve cybersecurity cannot just stop at defining and publishing new standards. We have to ask ourselves: who is going to do the work, and what do they need? This data revalidates the need for investment in the open source maintainer community, especially from organizations that rely on open source components. We need to implement programs that cover both awareness and education, as well as efforts to pay maintainers for undertaking the significant amount of effort that will be required to align to these new standards.
We hope you found some useful and actionable information in this blog post. If you’d like to get notified as future posts come out, please sign up for our blog digest here. Or if you don’t want to wait, download the full survey results today and RSVP for the webinar on Thursday, May 18 at 3 p.m. ET, where we’ll be unveiling the top findings from the survey.