News: 1726659006

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Open source maintainers underpaid, swamped by security, and going gray

(2024/09/18)


The majority of open source project maintainers are not being paid for their work, spend three times as much time on security than they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.

Small wonder then that the maintainer population is aging – not enough newcomers want the undercompensated, unappreciated job.

Tidelift on Tuesday published its [1]2024 State of the Open Source Maintainer Report [PDF], the result of a survey answered by over 400 maintainers.

[2]

Some 45 percent of the survey takers have been maintainers for more than 10 years and the age distribution is getting older.

[3]

[4]

According to the report, "the percentage of maintainers self-reporting that they are 46–55 or 56–65 has doubled since our first survey in 2021 (2021: 11 percent; 2023: 27 percent; 2024: 21 percent). Meanwhile, the percentage of maintainers under 26 has dropped precipitously from 25 percent in our 2021 survey to 12 percent last year and 10 percent today."

Respondents hail mainly from Europe (48 percent) and North America (38 percent), and largely identify as male (85 percent), with the remainder checking boxes for female (six percent), non-binary (three percent), and decline to say (six percent).

[5]

The portion of respondents who reported they are unpaid hobbyists remains at 60 percent, the same as in last year's survey. Tidelift rates that as “disappointing “ given the [6]xz compromise , which involved at least one attacker patiently gaining a maintainer's trust over years to subvert ad backdoor a software package, showed that unpaid lone hand maintainers are a risk to software supply chains – and the many calls to do something about it.

Linus Torvalds ponders maintainer age

Linux kernel maintainer Linus Torvalds has also pondered concerns about the aging maintainer population.

Torvalds [7]told the Linux Foundation's Open Source Summit Europe this week he understands the maintainer community is not getting any younger, but that a project as complex as Linux needs maintainers with many years of experience.

He indicated he intends to continue in his role for years, and suggested his graying hair is "the right color." He also said it's far too early to [8]give up on Rust in the kernel as it's still early days.

However, the xz incident did have some impact: Two-thirds of maintainers (66 percent) said they had become less trusting of pull requests from non-maintainers. That's not necessarily a bad thing if it means that code contributions get closer scrutiny, but it does mean more work, which may not be appreciated.

There's some indication that's happening. Respondents said they're spending three times more time (11 percent of total time) on security than they did in 2021 (when it was four percent of total time). Other activities include: day-to-day maintenance work (50 percent), building new features (35 percent), seeking financing/support (2 percent), and other (two percent).

Professional and semi-professional maintainers spend more time on security work than unpaid hobbyists (13 percent compared to 10 percent), and on maintenance (53 percent compared to 48 percent).

[9]The empire of C++ strikes back with Safe C++ blueprint

[10]Oracle urged again to give up JavaScript trademark

[11]Using AI in your tech stack? Accuracy and reliability a worry for most

[12]Microsoft's Copilot 'Wave 2' is a tsunami of unanswered questions

Maintainers have become more aware of industry security standards like the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, and the Supply Chain Levels for Software Artifacts (SLSA) Framework, and the US Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge.

Of these initiatives, the OpenSSF Scorecard had the highest awareness among maintainers (40 percent), which is better than the prior survey (28 percent).

But in terms of getting maintainers to actually implement recommended practices, paid maintainers were found to be more likely (55 percent on average) to do so than unpaid maintainers.

[13]

The report notes that there's a discrepancy in the portion of respondents who consider themselves unpaid hobbyists (60 percent) and the portion who say they're unpaid for their work (47 percent). Tidelift attributes that distinction to the wording of the survey question: Some of those who identify as unpaid hobbyists may get a nominal amount that isn't enough for them to consider themselves paid professionals or semi-professionals.

The graying open source community needs fresh blood [14]READ MORE

Even so, Tidelift's report observes that maintainers still largely receive income from donations (25 percent, from programs like GitHub Sponsors), from company salaries that explicitly include open source maintenance (24 percent), or from Tidelift (19 percent). Direct payments from companies (five percent), open source foundations (three percent), and governments or other public entities (one percent) still account for very little of overall maintainer income.

"If we don’t figure out how to properly compensate and recognize maintainers for the value they create, we might wake up one day and find that the projects we rely upon most are no longer being maintained at all," the report states.

Lastly, Tidelift's report looks at how open source maintainers view the impact of AI tools. Twenty-three percent of respondents were "extremely negative," 22 percent were "somewhat negative," 24 percent were "neither positive nor negative," 22 percent were "somewhat positive" and nine percent were "extremely positive."

The cited concerns about AI coding tools among maintainers include code that's incorrect though not obviously so, which creates more work to fix, and pull request spam that has to be dealt with by maintainers. Two-thirds of maintainers (64 percent) said they'd be less inclined to accept pull requests from contributors known to use AI-coding tools. ®

Get our [15]Tech Resources



[1] https://explore.tidelift.com/2024-survey

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zur5Iyonb2P5fVKwFPeDJgAAAdE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zur5Iyonb2P5fVKwFPeDJgAAAdE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zur5Iyonb2P5fVKwFPeDJgAAAdE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zur5Iyonb2P5fVKwFPeDJgAAAdE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/03/29/malicious_backdoor_xz/

[7] https://www.youtube.com/watch?v=OM_8UOPFpqE

[8] https://www.theregister.com/2024/09/02/rust_for_linux_maintainer_steps_down/

[9] https://www.theregister.com/2024/09/16/safe_c_plusplus/

[10] https://www.theregister.com/2024/09/17/oracle_urged_to_surrender_javascript_trademark/

[11] https://www.theregister.com/2024/09/17/ai_is_great_for_churning/

[12] https://www.theregister.com/2024/09/16/microsoft_copilot_wave_2/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zur5Iyonb2P5fVKwFPeDJgAAAdE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[14] https://www.theregister.com/2024/07/15/opinion_open_source_attract_devs/

[15] https://whitepapers.theregister.com/



Unsurprising

Dan 55

Have you seen what young people are paid these days in their daytime job? There's more chance of them spending their spare time in a second job to make ends meet than contributing to FOSS.

Re: Unsurprising

Snake

It can also explain the resistance towards new thought / change, for example the adoption of Rust: older people (and yes, I'm one) are more likely to be intransigent and resistant to change, 'What worked before' and all that. "I climbed a hill going to school, both ways, and you'll do the same!" hack wheeze

Now get off my lawn.

If that's where we have to go . .

Pascal Monett

I'm glad that industry people are starting to fear that the projects they make money out of and pay nothing for just might end up not being supported any more.

When that happens, maybe industry will think of a remuneration package for new maintainers. Oh, of course, it will be new young maintainers with a vast lack of experience and all the problems that may ensue but hey, you only have yourselves to blame for that.

Re: If that's where we have to go . .

karlkarl

I'm hoping that open-source software just "simplifies".

At the moment it is a bloated mess, reaching into every dependency imaginable. This is not sustainable and people are finally starting to see this.

zimzam

11% to 27% to 21% in 3 years? I think counting might be part of the issue there.

Competing with free

Throatwarbler Mangrove

I think it was Steve Ballmer who said "You can't compete with free." It turns out you can; you just have to outlast the people giving their product away.

You can get *anywhere* in ten minutes if you drive fast enough.