
Upstream rewind: the 2023 keynote, the accidental supply chain, and what it means today

Written by Caitlin Bixby | April 30, 2024

As we count down to this year’s Upstream, we’ll be looking back at Upstream moments from years past. Discover how topics may have changed and how yesterday’s problems continue into today—and find out how they may lead into an uncommon solution to a common problem.

What is the accidental supply chain?

To kick off last year’s Upstream, Luis Villa, Tidelift co-founder and general counsel, introduced the theme: the accidental supply chain—accidental in that open source isn’t built to be a traditional supply chain. The accidental “open source supply chain” is predominantly volunteers, individuals who oftentimes work solo, and who, most importantly, do not label themselves as suppliers.

The open source supply chain is not without its proposed regulations. The pressure continues to mount as government and industry checklists and requirements, often referred to as unfunded mandates, place even more pressure on volunteer maintainers—maintainer burnout is very real. In the 2023 Tidelift state of the open source maintainer survey, 58% of maintainers said they have either quit or considered quitting maintaining their projects. To quote Luis from the keynote, “And that’s just those who have stayed engaged enough to answer our survey.”

Hearing from open source maintainers

JavaScript maintainer Jordan Harband sat down with Luis to share a personal anecdote about his experience with maintainer burnout. In his story he details how he adopted a popular open source project from a maintainer who no longer had the bandwidth to maintain his projects, projects he had maintained for well over a decade.

“The more you have a package that gets heavy usage and adoption, the more burden is placed on you, as people complain that things are broken, as people ask you to add features,” Jordan said as he explained why maintainers could feel burned out from a project.

The xz utils backdoor hack, paying maintainers, and the Upstream 2024 theme

And if you’re thinking that this story is all too familiar, you’re very right. Less than a month before this was posted, we first heard news of the xz utils backdoor incident, a technically sophisticated and socially nefarious attack on the obscure but important xz library. Over a stretch of time, attackers took advantage of a maintainer needing help, slowly earning his trust in the hope of executing an attack as soon as access was granted.

How are the two stories alike? Both the maintainer of the project Jordan took over and the xz maintainer were burnt out. In the words of the xz maintainer, emphasis ours:

“I haven’t lost interest but my ability to care has been fairly limited... it’s also good to keep in mind that this is an unpaid hobby project.”

In the same email, he mentioned that the other maintainer, the one who, unbeknownst to him, was acting in bad faith, was helping alleviate the list of tasks it took to maintain the project.

The impact of paying maintainers

The hack left many wondering what could have been done to prevent this and, while paying open source maintainers is not a magic bullet, it should be considered the heart of the efforts we all need to employ to improve the security and resilience of open source. In Jordan Harband’s case, Jordan was already a Tidelift partnered maintainer when he considered taking over the soon-to-be-abandoned minimist project. He was receiving payment from Tidelift (made possible by Tidelift customers; Tidelift pays maintainers based on factors like customer usage and package criticality) to implement enterprise-class secure software development practices across many of the JavaScript packages he maintains. Because of this, he was able to add minimist to the list of packages for which he receives income from Tidelift. (To read more about his story, follow this link.)

Upstream 2024: unusual ideas to solve the usual problems

The issue of insecure open source software and the lack of support for open source maintainers—these are old problems that remain unsolved. At this year’s Upstream, we’re bringing together open source maintainers, government and industry leaders, and thought leaders to hear about new approaches to improving open source health and security. We’re thinking of it as attacking a very old problem in very new ways.

— — — — — —

Join us Wednesday, June 5th for this free virtual event: RSVP here. Listen to last year’s keynote and other talks by following this link.

Additional resources: