Monday, October 21, 2024

Developing a secure and sustainable open source ecosystem

Once again, a critical security incident has drawn attention to the state of open source software. Unpaid hobbyists maintaining ‘Nebraska projects’, a term inspired by the XKCD comic ‘Dependency’ (a skyscraper of modern infrastructure resting on a component ‘some random person in Nebraska has been thanklessly maintaining since 2003’), are responsible for crucial components of the software everyone depends on.

All software contains bugs, including security vulnerabilities, and whether the vendor is proprietary or an open source project, the fix is the same: regular updates. Some argue that paying maintainers would by itself improve security, but open source hobbyists already produce high-quality software; the argument for funding is about sustainability rather than code quality. Initiatives like OpenSSF aim to proactively identify and address vulnerabilities in important components. The recent XZ Utils incident, in which a backdoor was inserted into a widely shipped compression library, shows what is at stake.

The XZ incident highlights the need to prevent maintainer burnout. Lasse Collin, the maintainer of XZ, was burned out and overstretched, which left him susceptible to a long-running social engineering campaign that pressured him into handing co-maintainer access to the attacker who later planted the backdoor. No amount of code review tooling substitutes for a maintainer with the time and support to vet new contributors. The incident sheds light on the sustainability crisis within open source.

Open source sustainability means enabling individuals to produce widely adopted software and receive fair compensation for it, without bureaucratic or financial obstacles standing in the way. Until we address the economic issues within open source and create sustainable incentives, maintainer burnout will continue, and with it the opening for attacks like the one on XZ. Collaborative efforts between companies and initiatives like FOSS Funders are steps in the right direction.

Finding the right model for allocating funding to maintainers is another challenge. Platforms like GitHub Sponsors route money directly to individuals, but open source foundations may offer a more structured approach to supporting projects and incentivizing innovation. Legislation in Europe, such as the Cyber Resilience Act, is beginning to recognize the role of open source foundations as stewards in this process.

Incentivizing maintainers and providing clear pathways to success for open source projects is crucial. Foundations could take stewardship of popular projects and compensate the original authors for continued maintenance. Tools like Open Collective Expenses and Liberapay Teams can handle the mechanics of paying individuals out of pooled funds.

Security incidents will always be a risk, but we can reduce them and reward those who consistently deliver high-quality open source software. By balancing individual creativity with security requirements, we can sustain a thriving open source ecosystem.

Chad Whitacre, currently heading up open source at Sentry, brings a wealth of experience in software engineering and cybersecurity. His insights shed light on the challenges and opportunities within the open source community.