Nowadays it’s rare to build an application without incorporating an open source element. For context, approximately 92% of applications contain open source components and open source code makes up 70% or more of the average application. However, despite open source being the backbone of modern applications, many of the people behind the packages—open source maintainers—are doing this work as unpaid volunteers.
When the Log4Shell vulnerability in log4j was disclosed in December 2021, the project's maintainers were forced to work nights and weekends, without compensation, to essentially stop the internet from catching fire. And with the U.S. government and other governments around the world creating new cybersecurity guidelines (such as Executive Order 14028, OMB memorandum M-22-18, and the most recent White House National Cybersecurity Strategy) and industry leaders pushing for more security standards like those checked by the OpenSSF Scorecard, the work demanded from maintainers is only increasing.
In a recent article in TechTarget, maintainers and industry leaders outlined their perspectives, frustrations, and hopes for the future of open source maintainership. You can read the entire article on TechTarget’s website—or read on for some key quotes from those interviewed below.
Alex Clark of Pillow, a popular Python package downloaded millions of times, had this to say: "Our income is disproportionate if this thing is everywhere -- across the entire globe, used by Fortune-whatever companies. It's disproportionate. And there's no easy way to fix that."
On top of a growing list of guidelines from the U.S. government and the industry, maintainers are often met with frustrations and requests for quick fixes when things go awry. Software engineer Jordan Harband, who currently maintains some of the most widely-used npm packages, added: "People get mad, and they vent their frustration in your direction. Sometimes they're polite about it, and sometimes they're hateful about it, but you're still receiving their frustration. That's not trivial to deal with. That's not easy."
Open source needs to be acknowledged for what it is: crucial to modern software development. The imbalance between how heavily open source is used and the funding and support its maintainers receive needs to be called out as the ecosystem moves forward. Financing open source not only improves the lives of the maintainers behind the scenes, it also helps to ensure a more secure and innovative future for technological development.
To close out the discussion, Jordan had this to say: "I'm not trying to get rich on open source -- I just want to be able to fund my life. If I'm doing something that provides value to society, I should be able to have the option of doing that without throwing my life into chaos."
To hear from more maintainers and industry experts, you can read the entire article now on TechTarget’s IT Operations blog.
Learn more about how Tidelift pays open source maintainers and stay informed about the latest government open source cybersecurity initiatives.