Building a more secure, and sustainable, open source ecosystem

Once again, a critical security vulnerability has shone a light on the reality of open source today. Unpaid hobbyists maintaining so-called 'Nebraska projects', named for the now ubiquitous XKCD comic, 'Dependency' (see below), bear the weight of the modern world on their shoulders.

All software has bugs, including critical security vulnerabilities. Proprietary vendors are famous for Patch Tuesday. Some look for evidence that paying maintainers increases security, but let’s be honest: Open source hobbyists already do a darn good job of producing high-quality software. Yes, through efforts such as OpenSSF, we should proactively identify, prioritise, audit and fix vulnerabilities in critical components. Incidents such as the one affecting XZ Utils should rouse us to do so.

Incidents like XZ should also rouse us to stop burning out maintainers. XZ maintainer Lasse Collin’s burnout was a decisive factor in the success of the XZ social engineering attack. It made him more vulnerable to pressure to accept the 'Jia Tan' persona as a co-maintainer. XZ is another high-profile symptom of the underlying open source sustainability crisis.

Open source sustainability, as I define it, is “when any smart, motivated person can produce widely adopted open source software and get paid fairly without jumping through hoops.” Jumping through hoops takes many forms: starting a consulting company, working on proprietary software, producing educational content. All of these can subsidise an individual‘s open source work, which is great, but they do not directly sustain it. When push comes to shove, open source loses out, because the incentives are misaligned.

Until we face up to the economics of open source and fix the incentives, we will continue burning out maintainers. Open source is like a restaurant. Most companies dine and dash. Tax-based approaches such as Sovereign Tech Fund can be a part of the answer. Revenue sharing models, such as the one HeroDevs and OpenJS recently announced, are another promising approach. Ultimately, we need companies broadly across the economy to step up and pay the maintainers. FOSS Funders is a start, but there is much more work to be done.

Opening the corporate floodgates is one challenge, perhaps the hardest. Right behind it is another: where should the money go? How can we most efficiently allocate funding to maintainers in a way that ensures a thriving, productive ecosystem? Direct-to-maintainer platforms such as GitHub Sponsors and Thanks.dev are one method, but this may put too much burden on companies to engage with the long tail of their dependencies. I’m increasingly coming to see open source foundations as having a major opportunity here. In fact, new European legislation is formalising their role as open source software stewards.

We need to provide individual developers like Lassie Collin with a clear pathway to follow when they find success with an open source project. Perhaps foundations in the future will incentivise innovation by “acquiring” popular projects, paying the original author to take over maintenance. Then, once within a foundation, take-what-you-want models can provide economic incentives compatible with the intrinsic motivation at the heart of open source. Tools such as Open Collective Expenses and Liberapay Teams already exist to help with this.

Security incidents like XZ will always be with us. We should work to lessen them. We should also work to provide appropriate economic rewards to those who, year after year, are shipping excellent open source software. With a thoughtful approach, we can balance the individual freedom and creativity at the heart of open source with the rigour and security the modern world requires.

Chad Whitacre is head of open source at Sentry, a specialist in application performance monitoring and error tracking. A career-long software engineer, he has also spent time working at cyber security firm Proofpoint, among others.