In a recent study conducted by Tidelift, it was found that paid maintainers are 55% more likely to implement critical security and maintenance practices compared to unpaid maintainers. These paid maintainers are dedicating more time to implementing security practices, such as those outlined in industry standards like the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF).
The importance of funding open-source maintainers has been underscored by the increasing attacks on the software supply chain. Ignoring the needs of overworked, underappreciated, and underpaid maintainers poses a significant threat to the security of organizations relying on open-source software. Donald Fischer, CEO of Tidelift, emphasized the crucial role that maintainers play in ensuring the security of global software infrastructure. By funding the work of these maintainers, organizations can enhance their own security measures.
Paid maintainers have been observed to implement top security practices, including two-factor authentication, static code analysis, and providing fixes for vulnerabilities, at higher rates than unpaid maintainers. They also lead in maintenance practices such as enforcing backward compatibility policies and conducting code peer reviews.
However, despite the clear benefits of compensating maintainers for their work, a significant portion of maintainers remain unpaid hobbyists. A survey revealed that 60% of maintainers fall into this category, with only a small percentage receiving income through donation programs, salaries, or other sources.
Maintainers have expressed feelings of being inadequately compensated, underappreciated, and stressed due to the demands of their work. This has led to a high turnover rate, with 60% of maintainers either quitting or considering quitting their maintenance work. The awareness of industry standards and initiatives has been increasing among maintainers, with initiatives like the OpenSSF Scorecard and the NIST SSDF gaining traction.
As demands for security measures increase, maintainers are spending nearly three times more time on security work compared to previous years. The XZ Utils hack has also impacted maintainers’ trust in pull requests from non-maintainers. Additionally, maintainers have expressed concerns about the negative impact of AI-based coding tools on their work, with many being hesitant to review and accept contributions created using such tools.
Despite these challenges, maintainers have identified opportunities for AI to address various open-source problems related to documentation, issue triage, code quality, and security. The younger generation of maintainers, in particular, has shown a greater willingness to adopt AI-based coding tools.
Overall, the study highlights the importance of supporting and compensating open-source maintainers to ensure the security and success of the software supply chain. By recognizing the contributions of maintainers and providing adequate resources, organizations can strengthen their own security measures and drive innovation within the open-source community.