
Open source maintainers underpaid and going gray

The majority of open source project maintainers are not being paid for their work, spend three times as much time on security than they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.

Small wonder then that the maintainer population is aging – not enough newcomers want the undercompensated, unappreciated job.

Tidelift on Tuesday published its 2024 State of the Open Source Maintainer Report [PDF], the result of a survey answered by over 400 maintainers.

Some 45 percent of the survey takers have been maintainers for more than 10 years and the age distribution is getting older.

According to the report, "the percentage of maintainers self-reporting that they are 46–55 or 56–65 has doubled since our first survey in 2021 (2021: 11 percent; 2023: 27 percent; 2024: 21 percent). Meanwhile, the percentage of maintainers under 26 has dropped precipitously from 25 percent in our 2021 survey to 12 percent last year and 10 percent today."

Respondents hail mainly from Europe (48 percent) and North America (38 percent), and largely identify as male (85 percent), with the remainder checking boxes for female (six percent), non-binary (three percent), and decline to say (six percent).

The portion of respondents who reported they are unpaid hobbyists remains at 60 percent, the same as in last year's survey. Tidelift rates that as "disappointing" given that the xz compromise, which involved at least one attacker patiently gaining a maintainer's trust over years in order to subvert and backdoor a software package, showed that unpaid lone-hand maintainers are a risk to software supply chains – and given the many calls to do something about it.

However, the xz incident did have some impact: two-thirds of maintainers (66 percent) said they had become less trusting of pull requests from non-maintainers. That's not necessarily a bad thing if it means that code contributions get closer scrutiny, but it does mean more work, which may not be appreciated.

There's some indication that's happening. Respondents said they're spending three times more time (11 percent of total time) on security than they did in 2021 (when it was four percent of total time). Other activities include: day-to-day maintenance work (50 percent), building new features (35 percent), seeking financing/support (two percent), and other (two percent).

Professional and semi-professional maintainers spend more time on security work than unpaid hobbyists (13 percent compared to 10 percent), and on maintenance (53 percent compared to 48 percent).


Maintainers have become more aware of industry security standards like the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, and the Supply Chain Levels for Software Artifacts (SLSA) Framework, and the US Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge.

Of these initiatives, the OpenSSF Scorecard had the highest awareness among maintainers (40 percent), which is better than the prior survey (28 percent).

But in terms of getting maintainers to actually implement recommended practices, paid maintainers were found to be more likely (55 percent on average) to do so than unpaid maintainers.

The report notes that there's a discrepancy between the portion of respondents who consider themselves unpaid hobbyists (60 percent) and the portion who say they're unpaid for their work (47 percent). Tidelift attributes that distinction to the wording of the survey question: some of those who identify as unpaid hobbyists may get a nominal amount that isn't enough for them to consider themselves paid professionals or semi-professionals.


Even so, Tidelift's report observes that maintainers still largely receive income from donations (25 percent, from programs like GitHub Sponsors), from company salaries that explicitly include open source maintenance (24 percent), or from Tidelift (19 percent). Direct payments from companies (five percent), open source foundations (three percent), and governments or other public entities (one percent) still account for very little of overall maintainer income.

"If we don’t figure out how to properly compensate and recognize maintainers for the value they create, we might wake up one day and find that the projects we rely upon most are no longer being maintained at all," the report states.

Lastly, Tidelift's report looks at how open source maintainers view the impact of AI tools. Twenty-three percent of respondents were "extremely negative," 22 percent were "somewhat negative," 24 percent were "neither positive nor negative," 22 percent were "somewhat positive" and nine percent were "extremely positive."

The cited concerns about AI coding tools among maintainers include code that's incorrect though not obviously so, which creates more work to fix, and pull request spam that has to be dealt with by maintainers. Two-thirds of maintainers (64 percent) said they'd be less inclined to accept pull requests from contributors known to use AI-coding tools. ®

Source: theregister.com
