Solo.io is donating its open source API Gateway, Gloo Gateway, to the Cloud Native Computing Foundation (CNCF) to further its mission of building a complete omni-gateway connectivity solution.
If you are like many developers, your work relies heavily on open source code. But do you ever stop to consider where this code comes from and what motivates the people who write it to keep it maintained and secure? We recently surveyed over 400 open source maintainers to learn more about their work, including how they fund it and what kinds of security and maintenance practices they have in place. Here are a few of the most critical findings we uncovered that impact development teams relying heavily on open source.
60% of maintainers are not paid for their work
Would it surprise you to find out that the majority of open source packages are maintained by completely unpaid hobbyist volunteers?
And that very few packages are maintained by full-time paid professional maintainers?
Unfortunately, volunteer maintainers are the norm and not the exception today. Our study found that 60% of maintainers describe themselves as unpaid hobbyists, while only 12% are professional maintainers who earn most of their income from maintaining their projects. Another 24% of maintainers identify as semi-professional maintainers and earn some of their income from maintaining projects.
Meanwhile, maintainers who get paid more are also able to devote more time to maintaining their open source projects. We asked maintainers how much time they spend on their maintenance work, then cut the data into three categories: professional maintainers, semi-professional maintainers, and unpaid hobbyists.
For professional maintainers, 82% are able to devote more than 20 hours per week to their maintenance work. Conversely, only 8% of unpaid hobbyists devote more than 20 hours per week, and the vast majority (78%) devote 10 hours per week or less.
Question to address within your team: what is our strategy for replacing a deeply nested open source project if its maintainer isn't able to devote enough time to keeping it secure and well maintained because of time and financial constraints?
Paid maintainers implement more critical security and maintenance practices than unpaid maintainers
So what is the impact of having so many maintainers as unpaid hobbyist volunteers?
It means that they can't afford to make the time to do the same security and maintenance work that paid maintainers can do — and they often don't.
We asked maintainers to tell us if they had implemented 16 important security and maintenance practices for their projects. Paid maintainers are on average 55% more likely to have implemented these critical practices than unpaid maintainers.
When it comes to key practices, like having a security disclosure plan, providing signed releases and artifact provenance, and publishing fixes and recommendations for vulnerabilities, paid maintainers were significantly more likely than unpaid maintainers to have implemented them, as you can see in the chart included here.
Questions to address within your team: how much do you know about the security and maintenance practices followed by the maintainers of the open source projects you rely on most? Which of these practices would you expect to be in place for the code you write yourselves?
Maintainers are underpaid, underappreciated and stressed out
Each year in our survey, we ask maintainers to tell us what they dislike most about their work. The answers stay remarkably consistent. The number one thing maintainers dislike is that they are not financially compensated enough, or at all, for their work, with exactly half of maintainers choosing this reply. Slightly less than half of maintainers (48%) report that they feel underappreciated or that the work is thankless. And 43% of maintainers say the work adds to their personal stress. Meanwhile, 39% of maintainers dislike being asked to comply with requirements they don't have the time for, and the same percentage think that users are too demanding and expect too much of them.
Maintainers had a lot to say on this subject. As one open source maintainer told us, "the entitlement of the open source community is off the charts." Another maintainer observed that "most users, even ones who require fixes, are not willing to roll up their sleeves to help. They just expect someone else to fix it for free."
Against this backdrop, it may come as no surprise that 60% of maintainers have either quit or considered quitting their maintenance work.
Questions to address within your team: do we know which packages we rely on have been or are at risk of being abandoned or declared end of life? What is our strategy if we need to rip and replace up to 60% of our open source? Are we prepared to fork and maintain it ourselves?
How can you contribute to the health and security of the open source software your organization depends on?
It does not require a PhD in economics to understand that people who are paid will do more than people who are not, and that the more you pay them, the more they are willing to do. But this year's survey gives us a few different lenses through which to explore the improvements organizations can expect to see when they prioritize paying the maintainers of the projects they use. If having healthy, well-maintained, and secure open source dependencies is a priority for your organization, ensuring that your maintainers themselves are financially healthy and well supported should be a priority, too.
Industry News
LaunchDarkly announced a new approach to software delivery—Guarded Releases—that empowers organizations to ship with confidence and manage risk proactively.
Diagrid announced details of the upcoming release of Dapr 1.15, a Cloud Native Computing Foundation project maintained by Diagrid, Microsoft, Intel, Alibaba, and others.
Fermyon™ Technologies announced the release of Spin 3.0, enabling enterprises to quickly move toward more sophisticated production applications based on WebAssembly (Wasm).
Mirantis announced Mirantis Kubernetes Engine (MKE) 4, the latest evolution in its long-established product line that sets the standard for secure enterprise Kubernetes.
Cequence Security announced the launch of its new API Security Assessment Services.
Pulumi announced improvements including major updates to the EKS provider supporting Amazon Linux 2023 and Security Groups for pods, the release of Pulumi Kubernetes Operator 2.0 with dedicated workspace pods, Pulumi ESC integration with External Secrets Operator, and a new Kubernetes-native deployment agent for enhanced security and scalability.
Loft Labs announced the public beta of vCluster Cloud, a managed solution that simplifies and reduces the costs of Kubernetes clusters.
DevZero announced DXI (Developer Experience Index), an initiative aimed at transforming developer productivity by unifying engineering throughput and operational metrics.
Horizon3.ai announced the release of NodeZero™ Kubernetes Pentesting, a new capability available to all NodeZero users.
The CNCF Technical Oversight Committee (TOC) has voted to accept wasmCloud as a CNCF incubating project.
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Dapr.
NetApp announced an expanded collaboration with Red Hat to offer new solutions to streamline and accelerate enterprise application development and management in virtual environments.
Akamai Technologies announced the Akamai App Platform, a ready-to-run solution that makes it easy to deploy, manage, and scale highly distributed applications.
Snyk has acquired Probely, a modern Dynamic Application Security Testing (DAST) provider based in Porto, Portugal, with coverage of API security testing and web applications.