In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the first of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
In our 2023 state of the open source maintainer report, we asked maintainers to describe whether they consider themselves to be an unpaid hobbyist or a paid professional maintainer. We gave them four choices:
- I’m an unpaid hobbyist and do not want to get paid for maintaining projects
- I’m an unpaid hobbyist, but would appreciate getting paid for maintaining projects
- I’m a semi-professional maintainer, and earn some of my income from maintaining projects
- I’m a professional maintainer, and earn most or all of my income from maintaining projects
The most cited stat from that previous survey was that 60% of maintainers described themselves as unpaid hobbyists. We asked the same question again this year to see if things had changed. As it turns out, they have not changed a bit.
As you can see in the above chart, even with a larger sample of maintainers filling out this year’s survey, the percentage of maintainers who describe themselves as unpaid hobbyists stayed identical: 60%. Sixteen percent of maintainers said they were unpaid hobbyists and would not want to get paid (compared to 14% in 2023), and 44% said they were unpaid hobbyists but would appreciate getting paid (compared to 46% in 2023).
Meanwhile, the percentage of maintainers saying they earn most or all of their income from maintaining projects is almost identical at 12% this year versus 13% in 2023. And the percentage of semi-professional maintainers was 24% this year and 23% in 2023.
Full disclosure: it would have been awesome if this headline was different, if we’d found that the percentage of maintainers being paid for their work had increased significantly over the past year. But the fact is that things haven’t changed, and especially in the year of the xz utils hack and with increased focus by both governments and organizations on the importance of the secure software supply chain, this is a newsworthy—and disappointing—finding to report.
Are paid maintainers more likely to have co-maintainers?
We were interested in finding out if there is any correlation between being a paid (professional or semi-professional) maintainer and the number of co-maintainers a project has, and it turns out there is.
Over half of maintainers (53%) who describe themselves as paid maintainers have two or more co-maintainers on their projects. Only 26% of this group is made up of solo maintainers.
Meanwhile the opposite is true of unpaid maintainers. Sixty-one percent of unpaid maintainers are solo maintainers, with only 20% of unpaid maintainers having more than two co-maintainers.
What do we make of this? It’s hard to say definitively what is a cause and what is an effect here. Are projects with more maintainers simply larger projects that are able to command more income? Or is it because their maintainers are paid for their work that they are able to entice more people to help? Similarly, perhaps unpaid maintainers are unpaid because their projects are relatively new or haven’t attracted much interest? Or maybe they are unable to bring in more co-maintainers because there isn’t money to fund the work?
Interestingly, in one example of how this particular finding affects project health and security, the authors of OpenSSF SLSA (a set of standards and technical controls that can be adopted to improve project integrity) believe that having multiple maintainers on a project is a best practice. But they had to remove mandatory two-person review of all changes from version 1.0 until this solo-maintainer issue is addressed (the OpenSSF Scorecard does still recommend two-person review, when feasible, as a security best practice).
In later findings, we’ll delve into some additional data about paid and unpaid maintainers, including exploring differences in the security and maintenance practices paid maintainers are able to implement versus their unpaid counterparts. But because this has been the most often quoted statistic from our previous maintainer survey, we wanted to update the “60% of maintainers are not paid for their work” headline.
Unfortunately, the update is that it has not changed.