selbekk

Open source sustainability: It's time to step up

January 12, 2022
5 min read

Open source libraries can't sustainably be maintained without their users leaning into their responsibility.

A couple of days ago, a worn-down maintainer of a few very popular NPM dependencies had had enough. The user, known only as Marak, ended up introducing a bug into the colors package and force-pushing a complete wipe of the Faker.js repository. Both changes were published to NPM and downloaded tens of thousands of times.

As a result, development teams across the world had to spend thousands of work hours trying to track down errors in dependencies, most likely several layers of dependencies deep. As an experienced JavaScript developer, I know these kinds of errors are hard to track down, since they show up from nowhere, in dependencies you had no idea were in your dependency tree.

Unfortunately, we were warned about this disaster. Marak had been pretty vocal about abandoning the project, and didn't want to "spend his free time working for Fortune 500 companies". And to be frank, it's hard to argue with his point.

Not the first time

This is far from the first time open source maintainers have taken their hat and left. The most infamous of these episodes might be the "left-pad gate", where a tiny piece of code was removed from the NPM package repository. It turned out that these 11 lines of code were depended upon by several of the most widely used packages in our ecosystem, and returning them to the NPM package repository wasn't as easy as you might think.

Another famous example was the Heartbleed bug, which made almost all encryption on the internet vulnerable to exploitation. The people maintaining the library in question, OpenSSL, were overworked and underfunded, and had let a tiny mistake cause enormous consequences.

The most recent example was found in the Log4J library, which enabled remote code execution on any web server that used the logging framework. Here as well, the library was maintained by very few people with even fewer dedicated resources.

An issue of sustainability

The way open source software is being used and depended upon today is not sustainable. Some of the biggest companies and tech conglomerates in the world base their very products on hundreds of voluntarily maintained packages, without any funding or sustainable path forward.

Image: a bunch of blocks, illustrating "All modern digital infrastructure", being propped up by a tiny block, illustrating "A project some random person in Nebraska has been thanklessly maintaining since 2003".
Source: explainxkcd.com/wiki/index.php/2347:_Dependency

There is a more human aspect to this as well. There isn't a week that goes by without an open source maintainer burning out because of the immense workload, often in a pretty public fashion. For many, quitting a project that supports much of our shared infrastructure isn't something they feel comfortable doing. So they're just stuck there, working for as long as they can, until they can't anymore. Often, their lives are severely damaged by the immense pressure, and sometimes scorn, placed on them by the community.

This isn't right. It isn't right at all.

A path to sustainability

This isn't an unsolvable challenge. But we need to start taking actual steps to help critical open source projects onto a sustainable path of maintenance.

One of the major challenges is that we often look to private persons to open their wallets and sponsor the projects they like. Some projects can even get some funding this way. However, it's not enough, and it's not on us as private citizens to finance what corporations use to make their products and profits.

Instead, we need to move the burden of financing development and maintenance of open source to larger entities, with the time and resources to spend on these kinds of projects.

In my mind, there are several different paths forward.

Commercial licenses

One is to change open source licenses to require payment for commercial usage. Changing licenses has been discussed at length, among other reasons as a way to stop ICE. Another approach would be to restrict any commercial usage unless some sort of maintenance fee is paid first.

Several people have tried to make this happen. Unfortunately, it hasn't caught on. This might be because it's still a new idea, or it might be because it's just too hard to implement and follow up on. Most open source maintainers aren't lawyers, and the international nature of open source gets in the way of using licensing in this way.

Incorporating corporations

Another approach is to lobby corporations, large and small, to contribute time, talent and money to the projects most critical to their technology.

Some tech companies are doing this already, albeit with relatively small amounts. Others are letting their employees spend some company time on open source contributions and maintenance. However, with no oversight and no centralized planning, this won't scale to all critical open source projects. At least it hasn't so far.

International cooperation

A third approach is to start a global fund, sponsored by both nations and large corporations, which would distribute money to ensure maintenance of critical infrastructure.

This approach seems to me like the one that would have the greatest impact of all. Billions of dollars could be raised without any one nation having to pay a particularly large amount. The funds could partially be used to help developing nations build technology communities, and to ensure that all successful open source projects could be funded with at least a living wage.

Introducing something like this would require a lot of lobbying and cooperation across country lines, including cooperation between nations that otherwise don't get along well. However, we've seen these kinds of cooperation before, in science, the arts and space travel, so it's definitely feasible.

Moving forward

In order to make open source sustainable in the long run, people need to get paid for their efforts. They might get paid by the company they work for to do this work on company time, or they might develop and maintain open source technologies for a living.

Either way, it's key that we move forward with new ideas and new ways to keep our open source software working, without people getting hurt.
