In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the seventh of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
In our previous finding we shared results about the security practices maintainers have implemented for their projects or would be willing to implement if they were paid for the work. As we did last year, we also asked about a common set of maintenance and documentation practices to better understand which they have already implemented or would be willing to implement as well.
First, we asked maintainers about the maintenance practices they have implemented today. Only one of the maintenance practices we asked about has been implemented by more than half of maintainers: providing reproducible and verifiable build processes (53%).
The next most common practice was having a formal policy about backwards compatibility, which has been implemented by 46% of maintainers. This was followed by having a defined dependency management process (40%) and having a code peer review process with multiple reviewers (37%).
For the maintenance practices covered in our 2023 survey, we also wanted to see if maintainers are implementing more maintenance practices today. Just like with security practices, adoption has risen across the board.
The practices with the biggest increases were having a defined dependency management process (+16%, to 40% in this year’s survey) and having a formal policy about backwards compatibility (+12%, to 46% in this year’s survey).
We also asked maintainers about their common documentation practices. Each of the top four documentation practices we asked about is implemented by more maintainers than the top maintenance practice discussed above. First was having a clearly documented open source license, which almost all maintainers (93%) do today. Second was having documented release notes and upgrade considerations, which 76% of maintainers provide today. Third was publishing a contributor guide, which 61% of maintainers do today. And fourth was having a published code of conduct, which 53% of maintainers provide today.
As with the maintenance practices, we also asked about many of these documentation practices in the 2023 survey. Several of these stayed roughly stable year over year, although the percentage of maintainers who have implemented the top two documentation practices, having a clearly documented open source license (+7% to 93% this year) and having documented release notes and upgrade considerations (+13% to 76% this year), both increased.
Next, we broke down the percentages of paid (professional and semi-professional) maintainers and unpaid hobbyist maintainers who complete these practices today. As was the case with common security practices, paid maintainers are much more likely to complete more common maintenance and documentation practices than unpaid maintainers.
On maintenance practices, the biggest gap between paid and unpaid maintainers was for having a code peer review process with multiple reviewers, which 53% of paid maintainers are implementing today (+26% above unpaid maintainers). Next was having a formal policy about backwards compatibility, which 59% of paid maintainers are implementing today (+20% above unpaid maintainers).
Across the board, paid maintainers also currently implement more documentation practices. For the practices we asked about, the biggest gaps between paid and unpaid maintainers were for having a published contributor guide, which 74% of paid maintainers are providing (+22% above unpaid maintainers), and having a published code of conduct, which 65% of paid maintainers are providing (+20% above unpaid maintainers).
Finally, as we did with security practices in our previous finding, we combined the percentage of maintainers who reported that they had already implemented common maintenance and documentation practices with the percentage of maintainers who indicated that they would be willing to implement these practices if they were paid for their work. This gives us a roadmap for what maintenance and documentation practices we might be able to positively impact by paying maintainers.
In the case of maintenance practices, we could expect that most maintainers would provide reproducible and verifiable build processes (82%) and formal policies around backward compatibility (77%) if they were paid, and about two-thirds of maintainers would also provide a defined dependency management process (66%) and a code peer review process with multiple reviewers (61%) if they were paid.
Even more interestingly, the percentages for some less implemented practices more than triple when you add in the maintainers who would implement them if they were paid. For example, having a formal process or set of standards to prioritize the order in which pull requests and issues are addressed would jump from 14% of maintainers who implement it today to 53% if you include the maintainers who report they would complete the task if they were paid for it. And having a formal process or set of standards to verify all new contributors would jump from 12% to 45%.
For common documentation practices, virtually all maintainers would provide a clearly documented open source license (96%) and documented release notes and upgrade considerations (91%) if they were paid (although these percentages were already high to begin with). Perhaps more interesting is the percentage of maintainers who would be willing to publish a contributor guide (86%) or a code of conduct (78%).
And as with the maintenance practices, two of the less-implemented documentation practices would become far more common if the maintainers were paid. Only 13% of maintainers currently have a succession plan, but that percentage jumps to 63% when you include maintainers who would provide one if they were paid. Similarly, having a clearly defined process for conflict resolution is only implemented by 17% of maintainers today, but that percentage jumps to 50% when including those who would be willing to do the work to create a process if they were paid.
Looking at all of the questions about security, maintenance, and documentation practices together, the findings are remarkably consistent, and perhaps unsurprising.
Paid maintainers already complete a lot more security, maintenance, and documentation work than unpaid maintainers. And there is willingness on the part of maintainers to do even more, but they have also made it abundantly clear: if we want this important work done, we need to pay them for it.