As we count down to this year’s Upstream, we’ll be looking back at Upstream moments from years past. Discover how topics may have changed and how yesterday’s problems continue into today—and find out how they may lead into an uncommon solution to a common problem.
Last year’s Upstream theme was the “accidental supply chain,” inspired by the industry’s growing determination to define an “open source supply chain” and by the direct responses from open source maintainers challenging that notion, such as Thomas Depierre’s blog post “I am not a supplier.” In a traditional supply chain there is a clear agreement between supplier and customer, including a mutual exchange of value. An open source supply chain, by contrast, lacks that mutual exchange of value and, in its current state, is greatly imbalanced.
In the final panel of the day, we were joined by open source maintainers Jason Coombs, Gary Gregory, and Ceki Gulcu, to discuss open source software standards, the open source software supply chain, and how open source users can give back to those who create the open source software they rely on. As we think about this year’s Upstream theme, “unusual ideas to solve the usual problems,” the topics of this final panel resonate and will no doubt echo throughout this year’s Upstream event.
Log4Shell, xz utils backdoor—what’s next?
With the attempted xz utils backdoor top of mind, it’s hard to imagine it not coming up at this year’s Upstream. With the open source community and news outlets rolling out reactions, and with many asking “how could this have been prevented?”, the topic belongs in the maintainer panel, because who better to ask than the open source maintainers themselves? And for good reason: the xz backdoor, just as Log4Shell did before it, highlighted the need to pay open source maintainers in order to build a stronger foundation for a secure and reliable software supply chain. The two incidents differ in kind, one an accidental vulnerability and the other a deliberately planted backdoor, but both landed on maintainers working without compensation.
The maintainer of xz who was the target of the deliberate attack was, in his own words at the time the pressure campaign began, “unpaid.”
“I haven’t lost interest but my ability to care has been fairly limited... it’s also good to keep in mind that this is an unpaid hobby project.”
The xz hack brings into focus the reality of life as an open source maintainer today. Paying open source maintainers is not a silver bullet, but it should be considered the cornerstone of the efforts we as a community need to make to improve the security and resilience of open source.
One of the maintainers on last year’s open source panel, Gary Gregory, reflected on the demands placed on his team during the Log4Shell incident:
“When Log4Shell came in, the whole team stopped what they were doing and we dealt with that. I [was] on vacation that week. So vacation ‘bye-bye’.”
A maintainer cannot drop everything to address every urgent need of a hobby project. Without compensation and a network of support, there are competing needs that in some cases will trump the security and maintenance of an unfunded project: a day job, mental and physical health, and more. In cases like Log4Shell and xz, the demand for fixes comes from all angles, and without support the result is maintainer burnout.
Pay the maintainers! 📣
We shouldn’t have to ask maintainers to put their lives on hold and work unpaid hours on an issue while organizations profit from their efforts. Open source was recently valued as a trillion-dollar industry, yet open source maintainers are rarely the ones seeing the monetary benefits.
Open source maintainers are usually unpaid volunteers, often working as a one-person team, and many of them are experiencing maintainer burnout. In our 2023 state of the open source maintainer survey, we found that almost 60% of maintainers have quit or considered quitting maintaining one of their projects. Here is what the open source maintainers on the panel had to say about compensation:
“There’s a reason why corporations employ people and pay them. Because that’s the best way to get work done. Getting paid should be considered normal, not out of the ordinary.”
Gary Gregory
“It’s only recently that I'm discovering that you can actually earn a living by doing open source. And I think it's a discovery for me, and I hope that this will become a possibility for other people as well.”
Ceki Gulcu
Additionally, we’ve found that the more maintainers are paid, the more time they spend maintaining their open source projects and the more time they can commit to aligning those projects with government and industry standards. A reliable income means more breathing room and more time to get projects where they want them to be.
— — — — — —
At this year’s Upstream, we’re excited to host another maintainer panel and we hope to see you there for the virtual event on June 5th! If you’d like to watch last year’s maintainer state of the union panel, you can watch it on-demand by following this link.