Security Needs Create More Work for Open Source Maintainers
Sixty percent of open source maintainers consider themselves to be unpaid hobbyists, according to a new study. With concerns about the security of the software supply chain paramount, this situation looks dangerous for organizations that depend on open source code.
The study by Tidelift, released Tuesday, showed that 77% of unpaid maintainers would like to be paid for their work.
Regardless of whether maintainers are paid or not, more than half of them — 52% — are not aware of major standards that have emerged for open source security, including the OpenSSF Security Scorecards, the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF), or the Supply Chain Levels for Software Artifacts (SLSA) framework.
Of those open source maintainers who are aware of the new security standards, only 43% are either already using them (28%) or plan to use them in the next year (15%), according to the study. Thirty-nine percent don’t plan to use them at all, and 19% don’t know or aren’t sure.
And then there’s the finding that makes the gap in security-standards adoption a bit nerve-wracking: 44% of maintainers say they are the only person maintaining their open source project.
Tidelift surveyed 339 open source maintainers, mostly in Europe, North America and Asia, in late 2022. It is the company's fifth survey on open source and the second report to focus on project maintainers.
A Backlash to ‘Shift Left’
Open source maintainers are pushing back hard on the expectation that they take greater responsibility for security, according to the study.
When it comes to open source projects, the “shift left” notion that developers should play a greater role in securing code runs up against the reality that most of the people maintaining that code are unpaid and short on time.
Thirty-eight percent of maintainers who are not aligning their projects to current industry standards said this is because of a lack of time. Nearly as many, 37%, said the reason they’re not aligning to security standards is that they’re not being paid for the work.
Paid maintainers are more likely to follow industry-standard security practices than their unpaid peers, according to the study. More than two out of three paid maintainers, for instance, use two-factor authentication for source code hosting and package managers, compared to just over half of unpaid maintainers.
What would it take to get more open source maintainers to align their projects with standards like the OpenSSF Scorecards and SLSA? Surprisingly, getting paid isn’t at the top of the maintainers’ wish list. Fifty-four percent of respondents said they would like help in understanding the new standards and how they apply to their projects.
Learn more about the kind of support open source maintainers need from this conversation with Dawn Foster, director of open source community strategy at VMware’s open source program office, recorded at Open Source Summit Europe in Dublin.