Open source, imagining a sustainable way to raise money

Maintainers of free and open source software (FOSS) projects, a group made up of millions of skilled software developers, do their work without being paid. The whole world depends on what they do, but until now they have not received so much as a tip. While it is true that many open source maintainers are passionate and contribute to the cause voluntarily, there are also developers who feel mistreated or taken advantage of.
“Inequities against maintainers continue to occur in open source,” said Kevin Crosby, head of open source funding at GitHub. To improve the situation, we need broader access to technology, better education, and more time to contribute to open source. He said that corporate funding and continuous community investment are needed.

Open source has been at a crossroads for quite some time. The problem is that companies use the packages but give nothing back in return. “Concern is growing about the unsustainability of our current system,” said Ann Schlemmer, CEO of Percona. Of course, we should pay more attention. “If companies only rely on projects but do not contribute, not enough efforts will be made to protect the infrastructure,” she pointed out.
Research shows that 90% of companies rely on open source, and half of large companies have an open source strategy, or a formal approach to managing the use of open source software. In companies’ defense, many of them hire or sponsor open source maintainers. “Most of the main maintainers of the Linux Foundation’s large projects are full-time employees of major companies,” said Priyanka Sharma, director of the Cloud Native Computing Foundation (CNCF). CNCF is an organization affiliated with the Linux Foundation and hosts approximately 200 open source projects.
Although open source is this widely used, many individual maintainers are having difficulty raising the funds needed to sustain their efforts. Expectations are high, and companies often ask volunteers to fix bugs or update features for free. To address this unfairness problem in FOSS, some have proposed a SaaS-like payment method, government support, or increased support from companies or major open source foundations.
“Open source ecosystems have become essential to software development, but their success comes with challenges,” said Ruth Suell, vice president of the Apache Software Foundation. “The challenge is how to sustain this vital ecosystem, not only for the success of the open source ecosystem itself, but for everything that depends on it.”

Open source’s dilemma about fairness

The core problem is that open source contributors do not receive fair financial compensation. According to the 2023 State of Open Source Maintainers report, 60% of open source maintainers are volunteers who work for free, and only 13% make a living as project maintainers.
“The bar for open source projects and contributors is getting higher and higher,” says Seth Michael Larson, a security developer at the Python Software Foundation and a maintainer and contributor to many open source projects, especially in the HTTP and networking areas related to Python. Larson pointed out that this phenomenon is especially noticeable in important middle-stack projects. Because these projects do not offer the kinds of “easy” issues that beginners can engage with, the result is fewer contributors and burnout among lead maintainers.
Jordan Harband, lead open source architect at HeroDevs and maintainer of hundreds of JavaScript projects, said that access to time and resources is uneven across the world, which exacerbates these inequities.
“As of 2024, open source maintainers are suffering from unfairness,” said Donald Fisher, co-founder of Tidelift. “The reward for creating a very valuable and widely used project is being buried in bug reports, feature requests, and scanner false positives that need to be reviewed.” Matt Butcher, founder and CEO of Fermyon Technologies, added that problems arise with market saturation, and only “first-tier” projects with all the trappings of a commercial product can hope to stand out.

The path to maintaining open source

Direct monetization

What can we do to bridge this gap? One suggested approach is to build revenue streams around key projects. “The most sustainable way to fund an open source project is through some form of commercial support,” said GitHub’s Kevin Crosby. The “revenue streams” Crosby refers to can take the form of premium consulting support, commercializing projects with features and software, or enterprise-level funding.
Some maintainers have actually tried to monetize their projects, but the results haven’t always been good, and in some cases, such attempts have led to backlash from the developer community. “It’s not easy for maintainers to profit from project monetization,” said Thomas Johnson, co-founder and CTO of Multiplayer. “As the situation worsens, maintainers are having to consider other open source licenses.”

Corporate support

While monetization can help, another alternative is direct corporate financing. In this case, ongoing support can be provided without charging for access or changing the project license. Opportunities like GitHub Sponsors and GitHub Accelerator can help maintainers earn consistent cash revenue. Additionally, funding platforms such as Patreon and Open Collective are also actively used to provide budgets to maintainers. “Making a direct financial contribution to a project allows project developers to focus on the code without the stress of financial instability,” Percona’s Schlemmer said.
There are already positive results in the corporate sponsorship sector. For example, GitHub Sponsors has given $40 million to open source maintainers. GitHub’s Crosby said 4,200 organizations, including AWS, American Express, Shopify and Mercedes-Benz, have already invested in the open source they depend on. Another corporate-led initiative, the Open Source Pledge, commits participating companies to providing $2,000 annually to open source developers.
The important thing is that open source revenue streams must be continuous, not one-off. “The best way to ensure that open source projects remain healthy and safe is to continue to fund maintainers in return for ensuring that the projects are properly managed and follow safe software development practices,” Tidelift’s Fisher said.
However, it is well known that cloud companies use open source projects for profit-generating activities without sharing the profits with maintainers. For this reason, some say that a profit sharing agreement is needed in the future. “Companies that make money from open source projects should share that revenue with the project maintainers,” Multiplayer’s Johnson said.

Code contribution

Another form of support is incorporating open source contributions within specific job roles. This could take the form of sponsoring a “developer-in-residence” role, hiring a full-time open source maintainer, or allocating approved time for open source development. “Most CNCF contributors and maintainers (about 95%) are affiliated with the organization, and most are hired for their proficiency in open source,” said Priyanka Sharma of CNCF.
Many companies already reward employees for open source contributions at work. Some are even making this a top element of their strategy; Adobe is one example. “Adobe has been contributing open source code to 46 technologies hosted by CNCF since 2015,” Sharma said. The Tidelift report is encouraging, finding that nearly half of organizations have policies governing open source contributions by employees. In these groups, most organizations allow contributions to projects that the organization uses.
This is the kind of support open source projects need to succeed. “Project users must continue to contribute, whether through monetary or in-kind contributions,” Percona’s Schlemmer said. “Companies need to budget sponsorships for these projects that align with their corporate goals. This kind of corporate stability allows projects to maintain quality, security and innovation.”
Considering open source security risks alone, companies should naturally put more effort into contributing to and protecting mission-critical projects. “Similar to assessing the commercial viability of a vendor, companies participating in open source projects need to understand the sustainability of the project,” Schlemmer said.

Brokerage firm

Updates are best done by open source maintainers with in-depth knowledge, but they often don’t have the time or resources to implement fixes. The argument here is that a third party can help provide the necessary means. Brokerage firms can act as agents and help maintainers bridge the gap between enterprise requirements and open source work.
For example, Tidelift rewards open source maintainers for following industry-standard secure development practices so that clients can use these packages with more confidence. This model successfully eliminated a remote code execution (RCE) vulnerability in jackson-databind, improved security in urllib3, a popular HTTP client for Python, and implemented two-factor authentication (2FA) in minimist, a popular JavaScript package.
Alex Clark, an open source maintainer and creator of Pillow, said charity is not the best way to fund open source. Clark said the market needs companies like Tidelift that sit between demand and developers, paying maintainers through revenue from the services they sell.

Open source foundation

Nonprofit foundations such as the Linux Foundation, CNCF, Apache Software Foundation, and Eclipse Foundation provide resources and scholarships to help sustain open source projects. “For many projects, the foundation model has been effective as a vehicle for support and funding,” said Suel of the Apache Software Foundation.
Foundations can also help indirectly by providing mentorship, recognition, community support, and metrics that help business owners quantify the impact of their projects and direct investments. “Foundations are a big part of project support beyond just funding,” said Brian Prophet, senior manager of community communications in Red Hat’s Open Source Program Office. “At Red Hat, supporting many diverse foundations in the free and open source software ecosystem is one way we ensure that as many projects as possible remain healthy and vibrant.”
Open source maintainer Seth Michael Larson said the best way to support open source is “to pay full-time, non-profit foundations to work on a wide range of different parts of the ecosystem.” Larson said this makes it possible to fill gaps in security, process, documentation, release and governance without taking away the incentive to continue contributing during one’s personal time.
But Suel said many major open source projects do not want to be housed within a foundation, for a variety of reasons. We also need to find ways to support them, Suel said, adding that several projects, including SustainOSS, have attempted to solve this problem over the past few years.

Public support

Another option, and the most progressive one, is to recognize open source software as a public good and support this ecosystem through public funding rather than individual or corporate support. “What we need now is carefully crafted regulations that involve the right stakeholders from the world’s major governments,” said maintainer Jordan Harband.
Germany’s Sovereign Tech Fund is already moving in this direction, raising about 10 million euros ($10.9 million) each year to invest in about 30 projects. The U.S. government’s Open Technology Fund is a similar case, and the British government has also proposed establishing a similar fund.
“Germany’s Sovereign Tech Fund is a best example of providing some level of direct public funding to open source maintainers with broader social goals in mind,” Harband said. “This is the whole purpose of the government. You’re funding an area where companies aren’t looking far enough into the future to justify funding.”
According to Serkan Horat, an independent researcher and developer specializing in open source software, the factors currently limiting companies’ contributions are economic issues such as the tragedy of the commons and the free rider problem. “When it comes to shared resources, they don’t know how much to contribute,” Horat said. Horat proposed redirecting sales taxes on closed-source subscriptions to fund key public open source projects.
Although opinions may differ on the details, many agree that open source infrastructure should receive public funding. “The government should fund FOSS maintenance on behalf of taxpayers,” Matthew Hodgson wrote for the Matrix.org Foundation. The European Public Digital Infrastructure Fund White Paper goes further, arguing that public support is “the only sustainable business model” for services and tools that demonstrate the capacity to deliver public value.

Funding for the software the world depends on

Studies show that if open source code were not freely available, it would cost $8.8 trillion to create it from scratch. But surprisingly, most developers do not expect direct financial support for their contributions. SlashData’s Q1 2024 Developer Nation study found that the most common motivation for contributing to enterprise- or vendor-owned open source software projects was “learning how to code better.”
Given the world’s reliance on open source, this view may need to be re-evaluated. “Open source software is used in everything from Android phones to supercomputers to Netflix,” said CNCF’s Sharma. “But most people don’t know that, so they can’t hold companies accountable.” Lack of awareness and support can not only lead to injustice, but also threaten the maintenance of this important lifeline.
In fact, several important projects have collapsed. “Maintainers describe the work as hard, lonely and without financial compensation,” says Tidelift’s Fisher. Beyond ethical dilemmas, burnout can lead to unresolved vulnerabilities or social engineering risks. The XZ backdoor is an example.
How to support open source is the question of our time. Some people think corporate sponsorship is the answer, but others are looking for other forms of sustainability. “There is no one-size-fits-all solution,” Red Hat’s Prophet said. “More effort needs to be made to understand which projects are actually needed.”
Considering the universality of open source, coordinating support through public funding appears to be the most likely long-term vision. However, these government-led initiatives are still in their early stages. For this ecosystem to survive until public initiatives reach maturity, a mix of corporate sponsorship, foundation management, and public awareness will be needed.
editor@itworld.co.kr

Source: www.itworld.co.kr