Developers of open source projects work for free

Most maintainers of open source projects are not paid for their work. They spend three times as much time on security as they did three years ago, and since the xz backdoor they trust outside contributors less, according to a survey by the security company Tidelift. So it is no wonder that the maintainer population is aging – few newcomers want an underpaid, unappreciated job.

Tidelift's 202 State of the Open Source Maintainer Report summarizes the views of more than 400 professionals. About 45 percent of those who completed the survey have been maintaining projects for more than 10 years, and the age distribution is shifting older. According to the report, "since our first survey in 2021, the proportion of those who declared themselves to be 46-55 or 56-65 years old has doubled, while the proportion of those under 26 has fallen from 25 percent measured in our 2021 survey to 12 percent last year, and now to 10 percent". Linus Torvalds, the father of the Linux kernel, has also voiced concern about the aging of the community. This week at the Linux Foundation Open Source Summit Europe he said that he understands the maintainer community is not getting any younger, but that a project as complex as Linux needs participants with years of experience. He indicated that he intends to continue in his role for many more years, suggesting that his graying hair is "the right color". Respondents are mainly from Europe (48 percent) and North America (38 percent) and mostly self-identify as male (85 percent); the rest ticked the female (six percent), non-binary (three percent) or prefer-not-to-answer (six percent) boxes.

60 percent of the respondents describe themselves as unpaid hobbyists, the same share as in last year's survey. Tidelift calls this "disappointing" because the xz compromise, in which at least one attacker patiently spent years earning the trust of the project's developers in order to plant a backdoor in a widely used software package, showed how much risk unpaid, solitary maintainers pose to software supply chains. The xz incident did have one effect: two-thirds of the respondents (66 percent) said they now have less confidence in requests from outside contributors. That is not necessarily bad if it means code contributions are scrutinized more closely, but it means more work that may go unappreciated.

There is some indication that this is happening. Respondents report spending three times as much of their time on security (11 percent of total time) as they did in 2021 (when it accounted for four percent). The rest of their time goes to day-to-day maintenance (50 percent), building new features (35 percent), seeking funding or support (two percent), and other activities (two percent). Professional and semi-professional maintainers spend more time than unpaid hobbyists on security (13 percent vs. 10 percent) and on maintenance (53 percent vs. 48 percent).

Respondents have become more familiar with industry security standards such as the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, the Supply Chain Levels for Software Artifacts (SLSA) framework, and the US Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge. Of these initiatives, the OpenSSF Scorecard had the highest awareness (40 percent), up from 28 percent in the previous survey. When it comes to actually implementing the recommended practices, however, paid maintainers were more likely to do so (55 percent on average) than unpaid ones.

The report notes a wide gap between the share of respondents who identify as unpaid hobbyists (60 percent) and the share who report receiving no pay at all for their work (47 percent). Tidelift attributes the difference to the wording of the survey question: some of those who identify as unpaid hobbyists may receive a nominal amount that is not enough for them to consider themselves paid professionals or semi-professionals. Even so, Tidelift's report finds that those who do receive income still get it largely from donations (25 percent, via platforms such as GitHub Sponsors), corporate pay that specifically covers open source maintenance (24 percent), or Tidelift itself (19 percent). Direct payments from companies (five percent), open source foundations (three percent), and governments or other public institutions (one percent) still make up a very small portion of maintainers' total income.

"If we don't figure out how to properly compensate and recognize workers for the value they create, we may one day wake up to find that the projects we rely on the most are no longer maintained at all," the report says. Finally, Tidelift's report looked at how open source developers see the impact of AI tools. 23 percent of respondents rated it "extremely negatively", 22 percent "somewhat negatively", 24 percent "neither positively nor negatively", 22 percent "somewhat positively", and nine percent "extremely positively". Concerns about AI coding tools include code that is bad but not obviously so, which creates more work to fix, and pull request spam. Nearly two-thirds of respondents (64 percent) said they are less willing to accept pull requests from contributors who use AI coding tools.

Source: sg.hu