A survey of 400 maintainers of open-source software projects suggests IT organizations should be paying a lot more attention to the degree to which the stewards of these projects are compensated before downloading software components.
Conducted by Tidelift, a provider of a platform that is used to compensate maintainers of open-source software projects, the survey finds that paid maintainers of open-source software projects are 55% more likely to implement critical security and maintenance practices than unpaid maintainers.
The top security practices implemented by paid maintainers include two-factor authentication (76% compared to 68% for unpaid maintainers), static code analysis (75% vs. 59%), providing fixes and recommendations for vulnerabilities (70% vs. 54%), a security disclosure plan (66% vs. 43%), secrets management (58% vs. 39%), and signed releases and published artifact provenance (50% vs. 28%).
The top maintenance practices implemented by paid maintainers include a formal policy around backward compatibility (59% compared to 39% for unpaid maintainers), a reproducible and verifiable build process (58% vs. 50%), a code peer review process with multiple reviewers (53% vs. 27%), and a defined dependency management process (50% vs. 33%).
In addition, paid maintainers are 55% more likely to implement security frameworks such as the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF). However, only roughly 40% of respondents said they were even aware of these frameworks.
Overall, the survey finds that 60% of respondents are unpaid for their efforts, with 44% acknowledging they would appreciate getting paid for their efforts. Only 16% wanted no compensation.
A quarter of maintainers (25%) report receiving income from donation programs, while for 24% of maintainers, their open-source maintenance work is paid for as part of their salary because it is an explicit part of their job responsibilities. Another 19% of maintainers report receiving income from Tidelift. Only a very small percentage of maintainers report receiving income from other sources, including 5% reporting direct payments or donations from companies other than their employer and another 5% reporting direct payments or donations from individuals.
Only 3% report that they have received income from open-source foundations and only 1% receive direct payments or donations from governments or other public entities.
Not surprisingly, about half of maintainers said they are not compensated enough, while 48% said they feel unappreciated for doing thankless work. A full 43% said maintenance work adds stress to their daily lives, and well over half (60%) have quit or considered quitting their maintenance work.
Maintainers are now, on average, spending 11% of their time and effort on security work and two-thirds (66%) of maintainers report that they are now less trusting of pull requests from non-maintainers in the wake of the XZ Utils hack.
A Toll on the Open-Source Community
Tidelift CEO Donald Fischer said that, for better and worse, efforts to insert malware into software components that are used in downstream applications are taking a toll on the open-source software community. However, despite that added stress, most maintainers are skeptical of artificial intelligence (AI) tools. Nearly two-thirds (64%) of maintainers would be less likely to review and accept contributions they knew were created using AI-based coding tools. The overall maintainer perception of the impact of AI-based coding tools on their work leaned negative, with almost half (45%) of maintainers predicting that these tools will have a somewhat negative (22%) or extremely negative (23%) impact on their work.
It’s not clear to what degree the open-source software community might be on the cusp of a crisis if there are no longer enough maintainers willing to participate in software development initiatives. The one certain thing, however, is that there need to be more incentives and financial rewards for taking on tasks that fewer people are willing to do when so many others benefit so much more from their efforts.