Pay the maintainers! That’s our rallying cry at Tidelift, so we were delighted to read a new article from The New Stack by Heather Joslyn succinctly summarizing why paying maintainers is important, called Open Source Needs Maintainers. But How Can They Get Paid?
These days, open source maintainers are being asked to maintain a fragile ecosystem, often without financial incentive, and often without any means of support. With recent U.S. government requirements calling for organizations to attest to the secure software development practices followed by the maintainers of the open source packages they are using in their apps, there’s bound to be even more demand coming for unpaid work from those in the open source community.
With that said, we’re excited to see more being written on the need to help open source maintainers.
Tidelift-partnered maintainers Jordan Harband and Valeri Karpov were featured in Heather Joslyn’s article, which did a great job explaining just how vital maintainers like them are to the health and security of the software supply chain.
Jordan, who we’ve spoken with about open source software supply chain security in the past, discusses how difficult it can be to balance the demanding workload of being an open source maintainer with a day job, and how, without the benefits that accompany a full-time job (pay, insurance, etc.), volunteering limited time to support open source packages isn’t sustainable. He emphasizes the need for companies to support the maintainers behind the open source packages they profit off of, because without an incentive to keep those packages maintained and secure, the open source ecosystem risks falling prey to vulnerabilities such as the Log4Shell incident in December 2021.
Both Jordan and Valeri discuss the need not only for pay, but for more time. Valeri, another Tidelift maintainer partner, brought up the issue of trying to keep up with changes in the project’s ecosystem and how, especially when working alone, that can be incredibly demanding when juggling the volunteer work on top of a day job. On top of that comes providing support to the users of the package, and if your package is popular, the requests can be endless.
The long and short of it is, open source maintainers are often working unpaid and on their own. Heather highlighted one of the stats from our 2023 state of the open source maintainer survey to perfectly encapsulate this point:
“A study released in May by Tidelift found that 60% of open source maintainers would describe themselves as ‘unpaid hobbyists.’ And 44% of all maintainers said they are the only person maintaining a project.”
In response, Tidelift CEO and co-founder Donald Fischer had this to say to The New Stack: “Even more concerning than the sole maintainer projects are the zero maintainer projects, of which there are a considerable amount as well that are widely used. So many organizations are just unaware because they don’t even have telemetry, they have no data or visibility into that.”
You can hear more about the sole maintainers involved in this tenuous, accidental supply chain in the keynote from this year’s Upstream. Tidelift co-founder Luis Villa shares the alarming fact that most projects are maintained by just one individual. Then he sits down with Jordan Harband to hear about how he adopted a very popular open source project because the maintainer didn’t have a phone and couldn’t do the two-factor authentication required on GitHub. It’s a fascinating story.
Heather Joslyn does a fantastic job laying out the current landscape of paying the maintainers, and why this is so important. You can check out the whole article here.