Eugene van Ost
Code2 / IT Soothsayer
June 15, 2022
Maintaining Open-source Software: A Thankless Job

Open-source projects are an enigma to regular people. How they start, flourish, and get maintained is not known to anyone but the geekiest of us. But there must be someone taking care of these projects upon which so much rests, right?

Maybe there are tiny people behind the scenes, who make sure that these gigantic efforts are sustained, much like the dwarves of Erebor, "the Lonely Mountain," or "the kingdom under the mountain" in the Hobbit, relentlessly mining the gold and gems underground.

Or, maybe it is all thanks to the efforts of a handful of combative men and women who don't know how to quit, like the 300 Spartans who stopped the huge Persian army in its tracks at Thermopylae.

The stakes associated with open-source maintenance are so high that a harder look at it is justified.

Getting to know the contributor funnel

Who are these unsung heroes of the software industry that make the open-source world go round? People involved in open-source software can be grouped under three categories:

Users: People who just use the software and rarely interact with the maintenance crew. They don't submit code or documentation.
Contributors: People who care about the software enough to file good, detailed issues and open pull requests.
Maintainers: People who review the external contributions, conduct triage, and merge them. Maintainers are the ones who set the direction of the project because they get to prioritize the issues.

These three categories make up a contributor funnel, a term coined by Homebrew project leader and GitHub principal engineer Mike McQuaid. In a presentation he gave in 2016, McQuaid describes the contributor funnel in detail: it is in effect a blueprint for turning some users into contributors and some contributors into maintainers, so that open-source projects do not die when their founders move on.

Understaffed, underfunded, underappreciated

Open-source projects are at real risk of coming to an abrupt end, because most of them lack the funds and staff that could guarantee their survival. This applies even to the most popular projects out there.

When the widely used open-source cryptography library OpenSSL was found to have the Heartbleed vulnerability (CVE-2014-0160) on April 7, 2014, it was being maintained by just two people and receiving a mere $2,000 a year in donations. Many other open-source projects are maintained by a single maintainer who cuts every release and reviews and merges every pull request. McQuaid paints a similar picture for Homebrew, which had around 500,000 users and 5,000 contributors in 2016 but only around ten maintainers. That is one maintainer for every 50,000 users. And remember, maintainers are not compensated for their time and effort. They have day jobs, families to take care of, and bills to pay. On top of that, maintaining a project is not the most exciting job a coder can have, as explained by Vladimir Agafonkin, the creator of the JavaScript library Leaflet:

"… once the project gets established and mature, most of your work is not about exciting features and doing cool things anymore—99% of the work is just dealing with some weird bugs, some obscure situations, and just trying to reproduce someone else's problem, and boring things like that. It can be demoralizing, and sometimes people will burn out and not be able to handle the project once it becomes really popular."

If you think the recognition maintainers receive from the open-source community should be reward enough, think again: tracing individual fixes back to the people who made them is no easy task, and even where it is possible, very few people are interested in learning who solved which problem. So maintaining an open-source project remains a thankless job.

Loosening the purse strings (at last)

In the absence of material gain and recognition, what drives maintainers is their love for the craft and the open-source ideals they try to uphold. Keeping these people motivated is in the interest of everybody benefiting from open-source projects. One way of doing that is to sort out the financial viability of those projects.

Humanity cannot afford to treat projects that underpin huge businesses and government institutions as hobby projects. Fortunately, corporate decision-makers and government officials seem to be awakening to this reality. The Log4j vulnerability (Log4Shell, CVE-2021-44228) disclosed in December 2021 made the security of open-source projects a matter of national concern and pushed the White House to convene an Open Source Software Security Summit in January 2022. The U.S. administration brought together companies and organizations such as IBM, Microsoft, Meta, the Linux Foundation, and Oracle to take measures to counter such risks. At the follow-up summit in May 2022, tech companies jointly pledged $30 million to shore up the security of open-source projects. Companies also agreed to conduct annual reviews of the 200 most popular open-source projects.

Having donated $15 million to open-source security in 2021, Google took the opportunity during the Open Source Security Summit to announce the launch of the "Open Source Maintenance Crew." This team of developers is tasked with standardizing security procedures in open-source projects and tightening security configurations.

Conclusion

Big tech and the government have stepped up to the plate and assumed responsibility for the security and sustainability of open-source software. This was long overdue, but it is still good news. However, the open-source community is not wholly dependent on others to survive. Open-source projects can become self-sufficient, take care of their maintainers, and even expand their staff if they are monetized properly. Our next blog post will tell you how.