In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the fourth of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
We are always interested to learn more about how maintainers spend their time. So for this year’s survey, we asked them, as we had in our 2021 survey (we skipped the question in the 2023 survey), to break down the amount of time per month they spend in the following areas on their projects:
- Security work (including fixing vulnerabilities and issuing patches, code scanning, dealing with insecure dependencies, complying with security best practices, and responding to new security research reports)
- Day to day maintenance work (including writing documentation, reviewing PRs from contributors, general dependency management, reviewing and responding to issues, and removing technical debt)
- Building new features (i.e. writing and testing new code)
- Seeking financial support and sponsors
- Other
The total amount of time had to equal 100%, and we included a slightly longer set of categories to choose from in our 2021 survey that we’ve combined into “other” for the sake of simplicity here (those additional categories included “Marketing and external communication," "Meetings, management, and operations of the project," and "Guiding the project's strategic direction," none of which accounted for more than 5% of their time).
How do maintainers spend their time in 2024 vs. 2021?
While the percentage of time spent on day-to-day maintenance work stayed pretty consistent between the 2021 and 2024 surveys, from 53% in the previous survey to 50% today, the other percentages changed quite a bit.
Perhaps the most significant change was that maintainers now report they are spending almost 3x more time (11%) on security work than they reported in 2021 (4%). While this could be in part a factor of the changes to the category choices we provided this year, it is also not surprising, given that maintainers are also seeing increasing demands for their time from corporate users of their projects, security companies giving them potential vulnerabilities to investigate, and pressure to comply with new security requirements and initiatives like the OpenSSF Scorecard and the NIST Secure Software Development Framework, among others.
Building new features also increased significantly as a percentage of the time maintainers spend on project maintenance work, going from 25% to 35% between 2021 to 2024.
We also took a look at the same data to see if maintainers who consider themselves to be professional or semi-professional maintainers spend their time differently than those who consider themselves unpaid hobbyists.
Professional and semi-professional maintainers spend slightly more time on security (13% vs. 10%) and maintenance (53% vs. 48%) work than unpaid hobbyist maintainers, which comes at the expense of their having as much time to build new features (29% vs. 39%).
Regardless of whether they are paid or unpaid, all maintainers need to make tradeoffs with the limited time they have to work on their projects. For maintainers of larger, more established projects with many users, we would not be surprised if the percentage of time they need to spend on security and maintenance work continues to increase over time as the number of requirements and complexities they are expected to manage rises with it.