On June 7th, for the third year in a row, we hosted Upstream, a virtual, one-day celebration of open source, the developers who use it, and the maintainers who make it. It was our biggest Upstream yet, with hundreds of attendees joining us in discussions about the current state of open source and how to make it better for everyone.
For the second panel of the day, Tidelift CMO and resident data nerd Chris Grams brought data points from the 2023 Tidelift state of the open source maintainer report to a discussion with a notable panel: Al Gillen, Group VP for software development and open source at IDC; Python maintainer Seth Larson; and Tidelift VP of product Lauren Hanford. Together, the group brought industry and maintainer perspectives to each highlighted data point to put the key findings in context.
We asked maintainers how they’d best describe their role as an open source maintainer. Sixty percent answered that they would describe themselves as unpaid hobbyists, 23% described themselves as a semi-professional maintainer, and 13% said that they were a professional maintainer earning most of their income from maintaining projects.
Asked where he saw himself, Seth, maintainer of urllib3 (a package downloaded over 250 million times per month), had this to say:
“I consider myself a semi-professional maintainer. I have a day job—a full-time job—outside of open source maintenance. I am paid, I have multiple income streams coming from open source, and those income streams do not sum up to an amount where I could stop doing that full-time job and do open source full-time. Obviously there’s more than just money that comes into all of this. If you were to write me a contract that says, for a year we’ll pay you this huge salary to do open source if you quit your job, well then you have to start thinking about things like the job market, health insurance, retirement—you have to think about all of these things that aren’t purely a monetary aspect. It’s a really hard mountain to get over, this idea of I’m being paid to do open source versus this open source is the thing that I do exclusively. It’s a tough problem.”
Is the industry aware of this issue of unpaid and underpaid open source maintainers? Al Gillen thinks it is unlikely:
“I don’t think they [leaders at enterprise organizations] fully realize this, because if they realized it, I think they would be a lot more willing to try to do something about finding a way to engage with developers who are doing this maintenance. Truthfully, I think it’s partly caused by the fact that open source software has been a rising tide. We started out with a collection of projects that were literally hobbyist projects, that over time became more commercially viable—at some point transitioned to being recognized as a commercial solution. I don’t think the same recognition has followed that, as to how the people who are creating and maintaining these technologies are accomplishing this.
I would argue that the creation part is important, but that the maintenance part is more important. The reason why is because when you think about projects, something that’s new like generative AI, that if I was going to participate in an open software project, that would be the thing I’d probably want to be involved with because it’s exciting, it’s new, and it’d help my career. But the reality is that these projects that have been around for twenty or so years still need someone looking at them and maintaining them, and I don’t think that’s something that most enterprises are thinking about.”
Following high-profile vulnerabilities such as Log4Shell, a number of initiatives from both the U.S. government and across the industry have emerged to address open source software security.
At the U.S. government level it started with White House Executive Order 14028 in May 2021, which directed NIST to publish secure software development guidance; that guidance became the NIST Secure Software Development Framework (SSDF, NIST SP 800-218). As a direct follow-up to Executive Order 14028, the Office of Management and Budget (OMB) issued memorandum M-22-18, which made the NIST guidance the government’s requirements for developing the software agencies buy (including self-attestation to the SSDF practices by software producers) and set compliance deadlines. (M-22-18 was released in September 2022; OMB revised its deadlines in June 2023 with M-23-16.) Additionally, the White House released the National Cybersecurity Strategy in March 2023, which points toward increased government cybersecurity regulation and requirements, a shift of liability away from end users and onto commercial producers of software, and the concept of a safe harbor for organizations that follow best practices. Embedded in these strategies are efforts to address the security of the open source software supply chain, in particular in the National Cybersecurity Strategy:
“In partnership with the private sector and the open-source software community, the Federal Government will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
Alongside the U.S. government requirements, the industry is working to create its own standards for open source software. Projects such as SLSA, the OpenSSF Scorecard, and Tidelift’s own TACOS framework aim to both simplify and standardize how open source projects are maintained and secured.
With all of these regulations and frameworks coming out of the woodwork, how have they been received, if at all, by the open source software maintainers themselves?
In our survey, we found that over half of maintainers are not aware of prominent software security standards and that 39% of maintainers have no plans to align to these standards.
After presenting these findings, Chris asked Seth if he was surprised that so many maintainers hadn’t heard of these standards. His response:
“I’m not really surprised at all that most maintainers are not up to date on every single thing that’s happening in the open source software security supply chain—this explosion of complexity that we’re all living through right now. There are so many things to learn and every single thing that’s happening in this space is completely additional and orthogonal to a lot of the typical motivations for people getting into open source work.
You don’t get into open source work being excited to implement the security policies of your project; that’s typically not the motivation for people joining and working on open source day-to-day. This is all after the fact that these people joined in a volunteer capacity. It’s all extra, it’s all new, and it’s all very complicated. There’s a lot happening right now and a lot to sift through.”
Lauren, our resident NIST SSDF expert, shared her thoughts:
“As a leader in a business, what are your expectations for internal development at your company? You would not expect a new development hire to understand what the expectations are for secure practices without having those layers of compliance, DevSecOps, and standards. Which is something that I love about the SSDF, it points to all of that infrastructure that has to be in place and invested in before you get to secure development outcomes.
I do think that something that doesn’t appear in this data set that we've learned is there’s also a lot of inherent skepticism about a framework or set of standards being blanket applied to all of open source. There’s a lot of nuance across different ecosystems and different types of packages. It’s really challenging to blast something at the whole of open source without that nuance.”
In our survey we also asked maintainers what motivates them to do the work they do: what they enjoy about being a maintainer, what they enjoy less, whether they work solo or with co-maintainers, whether they experience burnout, and what support they need.
One of the most staggering findings was that a majority of those surveyed have considered quitting one of their projects, and 22% have actually quit one.
Chris asked Seth what we could do to give maintainers the additional help they need to be more successful. In response, Seth shared his personal experience:
“Having more individuals around—I definitely feel the loneliness of all of those people who are responding that way. It’s night and day the difference between when I was lead maintainer of urllib3 before Quentin, my co-maintainer, came along. It is a world of a difference to have one more person who is in the driver’s seat with you. And humans for the most part are social creatures. You’re going to derive so much more meaning and joy from an experience if you’re able to share it with someone.
How can we as an industry get at least one other person on a project? Even if it needs something along the lines of like, you’re spending a small percentage of your time, as a consumer of open source, contributing back. Or putting input on issues or project direction, even if you’re not willing to become that maintainer. Having active contributors, having people that keep coming back to projects is pretty comparable to having another maintainer. Even if it’s just one or two individuals makes a world of difference.”
This recap only scratches the surface of the engaging discussion, insightful perspectives, and sentiments of hope that the group offers. You can watch the entire Upstream talk on-demand here. You can also watch Chris’ previous webinar on the 2023 Tidelift state of the open source maintainer report, read the blog series, or download the survey in full.