Experts with deep experience across open-source software communities share their opinions on how to sustain this critical ecosystem.
The world has come to rely upon the free work of millions of skilled software developers—the maintainers of free open-source software (FOSS) projects. But the world hasn’t given them a tip. While it’s true that many open-source maintainers are passionate and contribute freely to the cause, others feel downtrodden or taken advantage of.
“We continue to experience maintainer inequity in open source,” says Kevin Crosby, senior director of open source funding at GitHub. To improve the status quo, we need greater access to technology, better training, corporate funding that allots time for contributing to open source, and continued community investment, he says.
Open source has been at a crossroads for some time. But the pin on the camel’s back is that companies often don’t contribute back to the packages they use. “The current system’s unsustainability has received more attention, and rightfully so,” says Ann Schlemmer, CEO of Percona. “There is a legitimate argument that not enough is being done to protect one’s infrastructure if one is not contributing to the projects one is reliant on.”
Studies show that 90% of enterprises rely upon open source, and half of large companies have an open-source strategy, i.e. a formal approach to managing their use of open-source software. To their credit, many enterprises are employing or sponsoring open-source maintainers. “Most key maintainers of the Linux Foundation’s largest projects are full-time employees of major companies,” says Priyanka Sharma, executive director of the Cloud Native Computing Foundation (CNCF). The CNCF is an arm of the Linux Foundation that hosts nearly 200 open-source projects.
Yet, while open-source appears to be proliferating, many individual maintainers struggle to finance their ongoing efforts. Expectations are high, and companies often demand volunteers to fix bugs or update features for free. To fix the inequity in FOSS, some have suggested SaaS-like payments, government aid, or increased support from corporations or from the major open-source foundations.
“The open-source ecosystem has become indispensable to software development, but it’s also suffering from its own success,” says Ruth Suehle, executive vice president at the Apache Software Foundation. “The problem is how we sustain this indispensable ecosystem to maintain not only its success for the sake of itself but everything that has become dependent on it.”
The open-source equity dilemma
The core issue is that open source contributors are not paid fairly. 60% of open-source maintainers are unpaid volunteers, and just 13% make a living as professional project maintainers, according to the 2023 State of the Open Source Maintainer Report.
“I see the bar getting higher for open-source projects and contributors,” says Seth Michael Larson, security developer-in-residence at the Python Software Foundation and a maintainer and contributor to many open-source projects, especially in the HTTP and networking space for Python. This is particularly true for critical middle-stack projects, Larson says, which don’t offer “easy” issues for newcomers to cut their teeth on, resulting in fewer contributors and lead maintainer burnout.
This inequity is further deepened by the uneven access to time and resources across the globe, says Jordan Harband, a principal open-source architect at HeroDevs and a maintainer of hundreds of JavaScript projects.
“Open-source maintainers in 2024 find themselves on the losing end of an unfair bargain,” says Donald Fischer, co-founder and CEO of Tidelift. “The reward for creating a highly valuable and widely used project is getting snowed over by bug reports, feature requests, and scanner false positives needing evaluation,” he says. Challenges arise from market saturation, and only “first-rate” projects with all the trappings of commercial products hope to stand out, adds Matt Butcher, founder and CEO of Fermyon Technologies.
Paths to sustain open source
Direct monetization
So, how do we rectify this gap? One suggested method is building revenue streams around a core project. “The most sustainable method to fund and support open-source projects is through some form of commercial support,” says Kevin Crosby of GitHub. For him, “revenue streams” could take the form of premium consultation support, productizing projects with features and software, or enterprise-level funding.
That said, while some maintainers have attempted to monetize their projects, the results haven’t all been sustainable. In some cases, those attempts have led to blowback from the developer community. “Maintainers don’t benefit easily from the monetization of their projects,” says Thomas Johnson, co-founder and CTO at Multiplayer. “This is only getting worse and has forced maintainers to consider alternate open-source licenses in order to push back.”
Corporate support
While monetization can help, another alternative is direct corporate funding, which can provide ongoing support without changing project licenses or charging for access. Opportunities like GitHub Sponsors or GitHub Accelerator can help create a consistent influx of cash for maintainers. Other funding platforms, such as Patreon and Open Collective, have been actively used to provide maintainers with a budget. “Making direct financial contributions to projects will allow the project developers to focus on the code and remove the stress of financial insecurity,” says Percona’s Schlemmer.
In terms of corporate sponsorship, we have already seen positive wins. For instance, GitHub Sponsors has already directed $40 million to open-source maintainers — 4,200 organizations, including AWS, American Express, Shopify, and Mercedes Benz, have already invested in their open-source dependencies, says GitHub’s Crosby. Another corporate-led initiative is the Open Source Pledge, where participating companies pledge to give open-source developers each $2,000 per year.
One key point is that open-source revenue streams must be continuous instead of one-off payments. “The best way to ensure that open-source projects stay healthy and secure is to pay maintainers a steady income in return for ensuring that their projects are properly maintained and are following secure software development practices,” says Tidelift’s Fischer.
Still, cloud providers have been known to make use of open-source projects for revenue-generating activities without sharing profits with maintainers. As such, some suggest a revenue sharing arrangement going forward. “Companies who generate revenue from open-source projects should share with the project maintainers,” says Multiplayer’s Johnson.
Code contributions
Another form of aid is cementing open-source contributions within specific job roles. This could equate to sponsoring “developer in residence” roles, employing full-time open-source maintainers, or allotting approved time for on-the-job open-source development. “Most CNCF contributors and maintainers (roughly 95%) are affiliated with organizations, and most are hired for their open-source acumen,” says Priyanka Sharma of the CNCF.
Many companies already pay employees for open-source contributions on the job. And some make it a top strategic priority. One example is Adobe. “Since 2015, Adobe has contributed open-source code to 46 technologies that CNCF hosts,” says Sharma. Encouragingly, a Tidelift report found that nearly half of organizations have policies governing employee contributions to open source. Of these groups, most permit contributions to projects the organization uses.
This is precisely the kind of support that open-source projects require to succeed. “Project users should commit to contributing consistently, whether financially or with in-kind contributions,” says Percona’s Schlemmer. “Businesses need to budget for sponsorships for those projects that align with their goals.” She says this sort of corporate stability will ensure that projects retain quality, security, and innovation.
The multitude of open-source security risks alone should encourage corporations to go the extra mile to contribute to and protect projects that are integral to their operations. “Just like vetting the commercial viability of a vendor, the sustainability of an open-source project needs to be understood by the companies involved with it,” Schlemmer says.
Intermediary companies
Open-source maintainers with deep knowledge may be the best qualified to make updates, but they often don’t have the time or resources to implement fixes. As such, there is also an argument for third parties to help provide the necessary means. Intermediary companies could act as agents, helping maintainers by bridging the gap between corporate demands and open-source work.
For instance, Tidelift pays open-source maintainers to implement industry-standard secure development practices, assuring their clients can use these packages more confidently. This model has successfully eliminated a remote code execution (RCE) vulnerability in jackson-databind, improved security practices for urllib3, a popular HTTP client for Python, and enabled two-factor authentication (2FA) for minimist, a popular JavaScript package.
“The best way to fund open source is specifically not charity,” says Alex Clark, an open-source maintainer and the creator of Pillow, a popular image processing package for Python. Instead, Clark believes the marketplace needs companies, like Tidelift, to sit between the demand and the developers to pay maintainers with the income from services they sell.
Open source foundations
Non-profit foundations like the Linux Foundation, the CNCF, the Apache Software Foundation, and the Eclipse Foundation provide resources and scholarships to help sustain open-source projects. “For many projects, the foundation model has worked well as a means of support and funding,” says the Apache Software Foundation’s Suehle.
Foundations also can help in more indirect ways, like mentorship, recognition, and community support, and by providing metrics to help business owners quantify the impact of projects and direct investments. “Foundations take up a huge portion of project support beyond straightforward funding,” says Brian Proffitt, senior manager of community outreach in the Open Source Program Office at Red Hat. “For Red Hat, supporting the many diverse foundations in the free and open-source software ecosystem is one of the ways we can ensure that as many projects as possible can remain healthy and vibrant,” he says.
As open-source maintainer Seth Michael Larson sees it, the best method to support open source is by “paying full-time staffing at non-profit foundations to work on various swaths of the ecosystem with a broad scope.” This could help fill in the gaps around security, process, documentation, releases, and governance, he says, without taking away incentives for people to continue contributing on their own time.
However, many critical open-source projects do not wish to be housed in a foundation, says Suehle, for various reasons. We need to find ways to support them as well, she says, adding that several projects have attempted to address this issue over the years, such as SustainOSS.
Public aid
Another option, and perhaps the most forward-thinking, is to recognize that open-source software is a public good and to finance the ecosystem through public money rather than from individual or corporate support. “What’s needed now are well-considered regulations involving the proper stakeholders from major world governments,” says maintainer Jordan Harband.
Germany’s Sovereign Tech Fund is already headed in this direction, having amassed roughly €10 million per year ($10.9 million) to invest in approximately 30 projects. Other examples include the US government’s Open Technology Fund and the UK government’s proposal to establish a similar fund.
“Germany’s Sovereign Tech Fund is the best example I can think of public money being provided more or less directly to open-source maintainers with broader societal goals in mind,” says Harband. “This is the entire purpose of government — to fund the things that business isn’t forward-looking enough to justify funding.”
According to Serkan Holat, an independent researcher and developer specializing in open-source software, economic problems such as the tragedy of the commons and the free-rider problem currently limit companies’ contributions. “If there is a shared resource, they will never know how much to contribute back,” Holat says. He suggests a dedicated sales tax on closed-source subscriptions to be redirected to fund critical public open-source projects.
Many others agree that open-source infrastructure should be publicly funded, though they may disagree on the specifics. “FOSS maintenance should be funded by governments on behalf of the taxpayer,” writes Matthew Hodgson for The Matrix.org Foundation. A European Public Digital Infrastructure Fund White Paper goes so far as to say that public support can be “the only viable business model” for services and tools that demonstrate the ability to deliver public value.
Funding the software the world depends on
If open-source code wasn’t freely available, estimates say it would cost $8.8 trillion to assemble it from scratch. Yet, perhaps surprisingly, most developers don’t expect direct financial support for their contributions. Instead, “learning to code better” is the most common motivation for contributing to corporate or vendor-owned open-source software projects, SlashData’s 2024 Q1 Developer Nation study found.
This view might need a reassessment, given the world’s reliance on open source. “Open-source software underpins everything from Android phones to supercomputers to Netflix,” says the CNCF’s Sharma. “But most people don’t know it, so companies are not held accountable.” A lack of awareness and support not only leads to inequities but can threaten the maintenance of this critical lifeline.
We’ve already seen critical projects fall through the cracks. “Maintainers report that the work is stressful, lonely, and financially unrewarding,” says Tidelift’s Fischer. Beyond being an ethical dilemma, burnout can lead to unaddressed vulnerabilities or social engineering risks, as was the case with the XZ backdoor.
As such, how we support open source is the question of our time. While some believe sponsorship from corporate entities is the answer, others look to different forms of sustenance. “There is no one-size-fits-all solution here, which is why there have to be better efforts to identify which projects are in actual need,” says Red Hat’s Proffitt.
Considering the ubiquity of open source, regulating its support through public funding appears to be the strongest long-term vision. However, such government-led initiatives are at an early stage. Until public initiatives mature, the ecosystem will need a combination of corporate sponsorship, foundational stewardship, and increased public awareness to ensure its survival.