Open source maintainers: What they need and how to support them

Image: Created with DALL·E with permission from Ashwin Ramaswami

Core to the Linux Foundation and Open Source Security Foundation (OpenSSF)’s mission is to ensure the security and sustainability of widely used open source software projects. Free and open source software (FOSS) makes up the digital infrastructure we all rely on. And maintainers play an important role in keeping that ecosystem functional, easy to use, and secure.

To best support the open source ecosystem, we must first understand the role of maintainers, their motivations, and their needs. Previous research in this space, particularly the Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH)’s 2020 FOSS Contributor Survey and Tidelift’s 2021 open source maintainer survey, help shine a light on these issues. Such research demonstrates what’s already working and where existing initiatives fall short, showing intervention points to further support the community of open source maintainers.

Who are maintainers?

There is no fixed definition for maintainers, but broadly, the term refers to those contributors who lead an open source project. They may be the final decision makers on which portions of source code go into a build or release; they may do all the code review and host the code under their names for smaller projects; and they may make the ultimate decision over the direction of a project. Their day-to-day work may vary but can consist of reviewing pull requests and other contributions, releasing new versions of software, triaging and handling security fixes, and community management and moderation. While open source projects can have participants who contribute at all levels, maintainers steward and lead these projects that make up our digital commons. Census II of Free and Open Source Software — Application Libraries shows that 136 developers were responsible for more than 80% of the lines of code added to 50 top FOSS packages.

Monetary factors and motivations

The data indicates that most open source maintainers are not just working on open source, for free, full-time. Both the 2020 FOSS Contributor Survey and Tidelift surveys found that the overwhelming majority – nearly three-quarters – of respondents have full-time jobs. However, both surveys reveal a disparity: while slightly over half of respondents are paid for their FOSS contributions (whether by their employers or other funding sources), the other half are not paid for their FOSS contributions. In fact, over a third of respondents to the FOSS Contributor Survey listed financial contributions as beneficial, only second to code contributions.

However, it is also important to recognize that monetary factors are often not maintainers’ primary motivations for the work. Both surveys found that respondents consistently ranked non-monetary motivations, such as making an impact on the world, enjoying learning, or doing creative work over getting paid. Yet burnout is also a real problem, particularly considering the time and effort required to maintain a widely used project. The Tidelift survey found that 59% of maintainers have considered quitting, and both surveys found that open source contributors frequently leave projects due to other personal or professional commitments. As one maintainer said, “There is no day off for OSS maintainers.”

Other maintainer needs include security. The FOSS Contributor Survey found that respondents spend very little time and expressed little interest in responding to security issues; time – being able to triage and handle all the incoming issues and code requests for a single project; and other non-code contributions, such as documentation and community management. Among the most beneficial security-related contributions by respondents were bug/security fixes, free security audits, and simplified ways to add security-related tools to their CI pipelines. And according to the Tidelift survey, the top areas where maintainers needed assistance included improving the experience for new users and contributors and marketing the project to find new users and contributors. 

Recommendations

While open source projects certainly need financial contributions to be successful, efforts to pay or support open source projects should be informed by the motivations of maintainers and the structures of projects so that they can be the most successful. In that vein, building on the recommendations from the FOSS Contributor Survey, some concrete ways to best support open source projects and maintainers include:

• Consider using monetary resources to leverage other motivations for open source software developers. For example, support work that may be more mundane but important (such as CI pipeline improvements, security audits, or computing resources), invest in documentation, or make it easier for users and contributors to get involved with an open source project. This could open the door for open source contributors and maintainers to focus more on what they prefer to do.
• Funding could help support the portion of maintainers who are not paid for their FOSS contributions. This could particularly be aimed at helping advance contributor diversity by making it possible for more people from different backgrounds to contribute. It’s also possible that some projects may not have anyone paid to contribute to them, which could benefit from additional monetary resources.
• Support initiatives that make open source software easier to work with and more secure without unreasonably burdening open source maintainers and contributors. For example, such initiatives could include better tooling for issue and community management or training on effective open source maintenance, open source governance, documentation and marketing, and community management. On the security end, efforts could include: improving and more widely integrating security and automated tooling through CI pipelines, better education around writing secure software, dedicated security audits such as OSTIF, and improving memory safety through initiatives such as Prossimo.
• Enhance the positive trend of corporate support for employees’ contribution to FOSS by making it easier for employees to contribute to open source during work time and get paid for it. Companies should not just submit pull requests and put all the work on maintainers to review them; they should train their own employees to become maintainers, community organizers, or code reviewers in the future.
• Stakeholders should balance corporate and project interests as more open source contributors are paid by their employers to contribute. Projects with paid contributors should ensure they maintain sufficient transparency around the level of corporate or monetary involvement in open source projects. Maintaining transparency and clear governance mechanisms can help projects continue to attract individual or volunteer contributors.

Maintainers are superheroes. They play a critical role in running the vital digital infrastructure we rely on. But they shouldn’t need to shoulder the entire burden themselves, and those using open source software need to give back to those who create and develop it. There are clear ways for monetary and non-monetary contributions to address specific areas that can improve the experience and diversity of maintainers, on the one hand, and the security and quality of open source projects, on the other.