Jordan Harband is the sort of person the tech industry depends on: a maintainer of open source software projects.
Lots of them — by his count, about 400.
Harband, who has worked at Airbnb and Twitter, among other companies, was laid off from Coinbase more than a year ago. The Bay Area resident is now a contractor for the OpenJS Foundation, as a security engineering champion.
He also gets paid for some of his freelance open source maintenance work, by Tidelift and other sponsors, labor that he estimates takes up 10 to 20 hours a week.
His work is essential to the daily productivity of developers around the globe. In aggregate, some projects he maintains, he told The New Stack, are responsible for between 5% and 10% of npm’s download traffic.
But spending all of his time on his open source projects, he said, would not be possible “without disrupting my life and my family and our benefits and lifestyle.”
Case in point: his COBRA health insurance benefits from Coinbase run out at the end of the year. “If I don’t find a full-time job, I have to find my own health insurance,” he said. “That’s just not a stressor that should be in anyone’s life, of course, but certainly not in the life of anyone who’s providing economic value to so many companies and economies.”
Harband is the sole maintainer of many of the projects he works on. He’s not the only developer in that situation. And that reliance on an army of largely unpaid hobbyists, he said, is dangerous and unsustainable.
“We live in capitalism, and the only way to ensure anything gets done is capital or regulation — the carrot or the stick,” he said. “The challenge is that companies are relying on work that is not incentivized by capital or forced by regulation. Nobody’s held to task, other than by market forces, if they ship poor or insecure software.”
And, Harband added, “There is a lack of enforcement of fiduciary duty on companies that use open source software — which is basically all of them — because it’s their fiduciary duty to invest in their infrastructure. Open source software is everyone’s infrastructure, and it is wildly under-invested.”
The ‘Bus Factor’ and the ‘Boss Factor’
The world’s reliance on open source software — and the people who maintain it — is no secret. For instance, Synopsys’ 2023 open source security report, which audited more than 1,700 codebases across 17 industries, found that:
- 96% of the codebases included open source software.
- Just over three-quarters of the code in the codebases — 76% — was open source.
- 91% of codebases included open source software that had had no developer activity in the past two years — a timeframe that could indicate, the report suggested, that an open source project is not being maintained at all.
This decade, there have been a number of attempts to set standards for open source security: executive orders by the Biden administration, new regulations from the European Union, and the formation of the Open Source Security Foundation (OpenSSF) and the release of its security scorecard.
In February 2022, the U.S. National Institute of Standards and Technology (NIST) released its updated Secure Software Development Framework, which provides security guidelines for developers.
But the data show that not only are open source maintainers usually unaware of current security tools and standards, like software bills of materials (SBOMs) and supply-chain levels for software artifacts (SLSA), but they are largely unpaid and, to a frightening degree, on their own.
A study released in May by Tidelift found that 60% of open source maintainers would describe themselves as “unpaid hobbyists.” And 44% of all maintainers said they are the only person maintaining a project.
“Even more concerning than the sole maintainer projects are the zero maintainer projects, of which there are a considerable amount as well that are widely used,” Donald Fischer, CEO and co-founder of Tidelift, told The New Stack. “So many organizations are just unaware because they don’t even have telemetry, they have no data or visibility into that.”
In Tidelift’s survey, 36% of maintainers said they have considered quitting their project; 22% said they already had.
It brings to mind the morbid “bus factor” — what happens to a project if a sole maintainer gets hit by a bus? (Sometimes this is called the “truck factor.” But the hypothetical tragic outcome is the same.)
An even bigger threat to continuity in open source project maintenance is the “boss factor,” according to Fischer.
The boss factor, he said, emerges when “somebody gets a new job, and so they don’t have as much time to devote to their open source projects anymore, and they kind of let them fall by the wayside.”
Succession is a thorny issue in the open source community. In a report issued by Linux Foundation Research in July, in which the researchers interviewed 32 maintainers of some of the top 200 critical open source projects, only 35% said their project has a strong new contributor pipeline.
Valeri Karpov has been receiving support from Tidelift for his work as chief maintainer of Mongoose, MongoDB’s object modeler, for the past five years. The Miami resident spends roughly 60 hours a month on the project, he told The New Stack.
He inherited the chief maintainer role in 2014 when he worked at MongoDB as a software engineer. The project’s previous maintainer had decided not to continue with it. Today, a junior developer who also works for Karpov’s application development company contributes to Mongoose, along with three volunteers.
For a primary maintainer who does not have the support he has, he said, there are other challenges in addition to the matter of doing work for free. For starters, there’s finding time to keep up with changes in a project’s ecosystem.
Take Mongoose for example. The tool helps build Node.js applications with MongoDB. “JavaScript has changed a lot since I started working on Mongoose, Node.js as well,” Karpov said. “When I first started working on Mongoose, [JavaScript] Promises weren’t even a core part of the language. TypeScript existed, but still wasn’t a big deal. All sorts of things have changed.”
And if your project becomes popular? You’ll be spending an increasing amount of time offering user support and responding to pull requests, Karpov said: “We get like dozens of inbound GitHub issues per day. Keeping up on that took some getting used to.”
How Maintainers Can Get Paid
It would seem to be in the best interest of the global economy to pay the sprawling army of hobbyists who build and maintain open source code — compensating them for the time and headaches involved in maintaining their code, recruiting new contributors and making succession plans, and boning up on the latest language and security developments.
But the funding landscape remains patchy. Among the key avenues for financial support:
Open source program offices (OSPOs). No one knows exactly how many organizations maintain some sort of OSPO or other in-house support for their developers and engineers who contribute to open source software.
However, data from Linux Foundation Research studies shows increasing rates of OSPO adoption among public sector and educational institutions, according to Hilary Carter, senior vice president of research and communications at the foundation.
About 30% of Fortune 100 companies maintain OSPOs, according to GitHub’s 2022 Octoverse report on the state of open source software. Frequently, an enterprise will support work only on open source software that is directly related to the employer’s core business.
Why don’t more corporations support open source work? “Many organizations, especially those outside the tech sector, often do not fully understand the advantages of having an OSPO, or the strategic value of open source usage, or the benefits that come from open source contributions,” said Carter, in an email response to The New Stack’s questions.
“Their focus may be short-term in nature, or there may be concerns about intellectual property and licensing issues. Depending on the industry developers work in, highly regulated industries like financial services often have policies that prohibit any kind of open source contribution, even to projects their organizations actively use. Education and outreach are key to changing these perceptions.”
Stormy Peters, vice president of communities at GitHub, echoed the notion that many companies remain in the dark about the benefits of OSPOs.
“An OSPO can help software developers, procurement officers and legal teams understand how to select an open source license, or how non-technology staff can engage local communities in the design and development of a tool,” Peters wrote, in an email response to The New Stack’s questions.
“OSPOs create a culture shift toward more open, transparent and accountable methods of building tech tools to ensure sustainability.”
Foundations. Sometimes foundations created to house an open source project will provide financial support to the maintainers of that project. The Rust Foundation, for example, offers grants to maintainers of that popular programming language.
However, such an approach has its limits, noted Harband. “One of the huge benefits of foundations for projects is that they give you that sort of succession path,” he said. “But private foundations can’t support every project.”
In 2019, the Linux Foundation introduced CommunityBridge, a project aimed at helping open source maintainers find funding. The foundation pledged to match organizational contributors up to a cumulative total of $500,000; GitHub, an inaugural supporter, donated $100,000.
But CommunityBridge has evolved into LFX Crowdfunding, part of the foundation’s collaboration portal for open source projects. “Projects receive 100% of donations and manage their own funds, which can support mentorship programs, events or other sustainability requirements,” wrote Carter in her email to TNS.
Carter also pointed to OpenSSF’s Alpha-Omega Project. Launched in February 2022, the project supports maintainers who find and fix security vulnerabilities in critical open source projects. In June, for instance, the project announced that it had funded a new security developer in residence for one year at the Python Software Foundation.
Alpha-Omega, Carter wrote, “creates a pathway for critical open source projects to receive financial support and improve the security of software supply chains.” She urged organizations that have a plan for how funds can be used or can offer funding to get in touch with OpenSSF, which is a Linux Foundation project.
Monetization platforms. Tidelift is among the platforms listed at oss.fund, a crowd-sourced and -curated catalog of sources through which open source maintainers can acquire financial support.
Fischer’s organization pays people “to do these important but sometimes tedious tasks” that open source projects need, he said. “We’ve had success attracting new maintainers to either projects where the primary maintainer doesn’t want to do those things, or in some rare cases is prohibited from doing it because of their employment agreement with somebody else.”
The rates for such work vary, depending on variables including the size of the open source project and how widely it is used. “Our most highly compensated maintainers on the platform are now making north of six figures, U.S. income, off of their Tidelift work,” Fischer said. “Which is great, because that means, basically, independent open source maintainership is now a profession.”
Among the most high-profile monetization platforms is GitHub Sponsors, which was launched in beta in 2019 and became generally available for organizations to sponsor open source workers this past April. As of April, the most recent data available, GitHub reported that Sponsors had raised more than $33 million for maintainers.
In 2022, GitHub reported, nearly 40% of sponsorship funding through the program came from organizations, including Amazon Web Services, American Express, Mercedes Benz and Shopify. In 2023, it added a tool to help sponsors fund several open source projects at once.
The introduction of the bulk-support function and other upgrades have helped GitHub Sponsors see the number of organizations funding open source projects double over the past year, according to Peters, of GitHub. More than 3,500 organizations support maintainers through GitHub Sponsors, she wrote in an email to TNS.
“For far too long, developers have had to choose between their careers and open source passions — what they’re paid to do [versus] what they actually love,” Peters wrote. “Open source developers deserve to accelerate their careers at the rate they’re accelerating the world.”
LFX Crowdfunding is integrated with GitHub Sponsors, Carter told TNS in an email. She offered some guidance to help users get connected: “Community members can add and configure your sponsor button by editing a Funding.yml file in your repository’s .github folder, on the default branch.”
“Any mechanism that makes it easy for projects to find the support they need is important, and we’re excited to facilitate funding channels for existing and new initiatives,” she wrote.
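As an added illustration (not from the article, GitHub or the Linux Foundation), a minimal funding file that wires a repository’s sponsor button to the channels discussed above; GitHub documents the file as `.github/FUNDING.yml` on the default branch, and the account, package and project names below are placeholders:

```yaml
# .github/FUNDING.yml (added example; all names are placeholders)
github: [example-maintainer]        # GitHub Sponsors handle(s) of the maintainer(s)
tidelift: npm/example-package       # Tidelift, written as platform/package-name
lfx_crowdfunding: example-project   # LFX Crowdfunding project slug
```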
Open Source as a Career Accelerator
GitHub, Peters noted, has identified an emerging trend: developers contributing to open source projects as a way to learn how to code and start careers. Two projects the company started in recent months are aimed at helping more of those early-career open source contributors gain support.
In November, GitHub launched GitHub Fund, a $10 million seed fund backed by Microsoft’s M12. The fund supported CodeSee, which maps repositories, and Novu, an open source notifications infrastructure.
“Since GitHub’s investment in CodeSee, the company has added generative AI into the platform, allowing developers to ask questions about a code base in natural language,” Peters wrote.
In April, GitHub started Accelerator, a 10-week program in which open source maintainers got a $20,000 sponsorship to work on their project; in addition, they received guidance and workshops. The project, Peters said, got 1,000 applications from maintainers in more than 20 countries; 32 participants made up the first cohort.
The participants included projects like Mockoon, a desktop API mocking application; Poly, a Go package for engineering organisms; and Strawberry GraphQL, a Python library for creating GraphQL APIs.
The direct investment, Peters wrote, was a “game changer” for Accelerator participants. “What we found there is very little existing support for open source maintainers who want to make it full time, and building a program that spoke directly to those folks had an oversized impact.”
And it’s helping to create a foundation for future funding, she added: “Based on the advice from experts, folks built a path to sustainability — whether that was bootstrapping, VC funding, grants, corporate sponsors or something else.”
Karpov offered an idea for companies that want to support their employees’ work on open source projects: providing engineers with an “open source budget” along with the learning budgets that have become a common perk.
“The developers that are typically using these [open source] projects most actively have zero budget,” he noted. “They can’t purchase anything — and frankly, frequently, they don’t even know who to ask about purchasing these sorts of things.”
An open source budget, for instance, could be spent on things like GitHub Sponsors. In return for sponsoring an open source maintainer, Karpov said, perhaps “you get a direct communication line with them, to be like, ‘Hey, can you answer this question?’ That could make kind of developers at these big companies much more productive.”