Reporting by XinZhiyuan
Editor: Yuan Xie is sleepy
Now, the open source software industry may reach a critical point where it must be changed: the existing model of being a big manufacturer is not sustainable, and open source code farmers must be respected and rewarded accordingly.
If one day, your open source project is photographed by a big factor like Google or Meta, is there a feeling that you can go sideways?
But being selected for a while, maintaining a crematorium, and eventually hollowing out developers for open source projects is the norm rather than a perversion today.
The open source software industry is now also facing the dilemma that the general enthusiasm of developers is difficult to continue.
People who use it for free are more dragged than developers
Blaine Bublitz, developer of Gulp .js, is a living example of his project being used by organizations such as Microsoft and NASA.
Bublitz, however, spends hours a day dealing with emails from users.
These emails often ask for bug fixes, updates to the program platform, and makes his to-do list never end.
Although some of these users are very friendly, many people are arrogant and ask him why he has not moved for so long. At one point, he "disappeared" for six months.
Bublitz said that the lack of money and the uncle of users who claim to have the right to do so make him not want to give it his all.
Coincidentally, Marina Mosti is also spending 10 hours a week maintaining an open source project called FormVueLate, and she doesn't make a dime out of it.
She is the technical director at VoiceThread, earning a salary that funds her work in the open source space.
But the pressure between her task of maintaining open source projects and her full-time job exhausted Mosti.
Other developers of FormVueLate face the same exhausted situation. While some of The FormVueLate's code rewriting needs have been dragging on for months, developers still can't find time to start writing code.
"We don't have the time, the energy or the mental energy to put into it," Mosti said.
Bublitz and Mosti are not alone. Open source developers working on several other key projects have expressed similar feelings.
They say the workload of working on open source software is "unbearable," "is affecting my health and well-being," and "becoming a complete drain on my life."
Extremely dependent on open source, but just don't give money
Open source software is defined as software that is freely built and maintained by community members and whose code is freely and publicly accessible. The history of open source software is as long as the history of the software industry itself.
But since the 1990s, as projects such as the Linux operating system have swept the industry, open source software has become popular.
Now, open source software provides the foundation for cloud platforms like Amazon Web Services and powers important applications from companies like Meta and Google that people use every day.
And the growth momentum of the open source community is unabated. GitHub, a Microsoft-owned host of open source software projects, has posted more than 2.6 billion projects in the past year.
An OpenLogic survey of 2660 professionals found that 77 percent of respondents said their organizations will increase their use of open source software in 2021.
Chris Wright, chief technology officer at software company Red Hat, said: "The bigger context is how much critical the impact of open source software is on the business world and the daily lives of everyone. It's very common in all software industries."
These vital open source projects underpin many of the world's software products and the rich big tech giants.
Companies such as Microsoft, Amazon, and Netflix all rely on open source projects to run their online applications.
However, today's software security incidents have exposed how vulnerable the open source software ecosystem is when developers are exhausted to leave or even sabotage projects on their own. The lack of support for these developers increases the risk of the Internet.
While cyberattacks against large companies and critical facilities have increased dramatically, and digital security of infrastructure has made headlines time and time again, rarely mentioned attacks on open source software are also on the rise.
According to a report by software supply chain management firm Sonatype, cyberattacks against open source vendors increased by 650% from 2020 to 2021. At least 29 percent of popular projects contain at least one known security vulnerability, the report said.
If more people are involved in maintaining and updating code, open source software can theoretically be safer.
But recent security incidents have shown that the devastating impact on the Internet ecosystem can be enormous if developers neglect bug fixes or even actively disrupt their own projects.
In December 2021, hackers used the open source project Log4j to influence large companies such as IBM, Oracle, Amazon, and Microsoft.
Cybersecurity firm Check Point called the potential damage "incalculable" and said it was "clearly one of the most serious vulnerabilities on the internet in recent years."
Just two weeks later, however, the famous library run-off happened: Programmer Malik sabotaged his own project, the widely used Colors .js and Faker, .js to protest the free use of his work by large companies.
Recently, researchers discovered two "critical" security vulnerabilities that are widely exploited in Mozilla's open source Firefox browser. In addition, the open source Linux operating system has just suffered "the worst vulnerability in years."
Tom Kerkhove, maintainer of software Promitor and KEDA, said: "We've seen enough catastrophic supply chain attacks, and this trend isn't going to end. If big businesses want to continue, they really need to help the open source software community maintain their products in time before most people run out of gas."
Although their projects are ubiquitous and vital, most open source developers make little money from their contributions.
Tidelift's survey of nearly 400 maintainers of open source software projects showed that 46 percent of them did not get paid for their efforts in open source.
Of those who get paid, only about half get more than $1,000 a year.
In addition, about half of respondents said that the lack of remuneration for work was their biggest dissatisfaction as project maintainers.
The free nature of open source also leads to inequality. Open source software projects are developed by real people, and people who don't have as much leisure time or life stability are unlikely to contribute to open source projects without pay.
Today, sites like GitHub Sponsors, Tidelift, and Open Collective are trying to address this funding problem by allowing developers to receive donations and other types of compensation.
Still, developers say it's not possible to make a living by relying on donations from these sites, with many people getting money from them for just one cup of coffee a month.
Bublitz said, "I've tried all the platforms that exist." While the sites "do succeed in getting you to stop working for free," he says he only receives about $5 a month from GitHub sponsors.
Although he works almost full-time in open source, Bublitz's income comes largely from consulting gigs over the past two years.
What's particularly hard for some developers is the fact that developers of open source software are struggling, but the biggest beneficiaries of these projects are the richest companies on the planet. Many people believe that these companies are not giving enough returns.
For example, Amazon repackages open source software to sell and run on its cloud. But original developers and smaller companies of open source software say Amazon doesn't contribute much code despite profiting from open source projects.
Microsoft and Google claim to be friendly to open source software, but microsoft does not pay for open source software for its own use, except for a few projects conducted through its Free and Open Source Software Foundation.
Google, meanwhile, claims ownership of open-source software code written by its employees in their free time.
Amal Hussein, an open source software developer, said, "The problem is that these companies and individuals who benefit but don't pay for it don't realize that they're actually part of an ecosystem, and they're going to die together."
"They're contributing with their time or money, which is really important for maintaining the ecosystem."
Exhausted, money bottomed out
As COVID-19 spreads, cyberattack rates increase, software complexity increases, responsibilities are burdened, and free work comes with financial instability, developers face unique burnout.
In Tidelift's survey, more than 40 percent of open source maintainers cite personal stress and feelings of undervaluation as reasons they don't like maintaining open source projects.
Natalia Tepluhina, a core member of Vue, said users often ask questions like, "Why didn't you fix this in two weeks?" or "Why are you so slow?"
Tepluhina said that I have worked for you for free, why are you still so picky.
Ifiok Otung Jr., a developer at Remirror, said that while the project is sponsored, it will only lead to more scrutiny: "The farther I go down this path, the less happy I become." It has become a burden in my life."
In Tidelift's survey, about 59 percent had dropped out at one point or were considering quitting their projects.
Ryan Bigg was the sole developer of the e-commerce project Spree, and he was a full-time developer. At the time, the project was being used by companies like GoDaddy and Blue Apron.
However, Bigg wakes up every day with more than 250 messages asking for new requests or fixes. Eventually, he left the project in 2014 and moved to a tech company.
Bigg said that project had affected my health and well-being at the time.
Martin Donath, creator of Material for MkDocs, said the project was abandoned because of a lack of time and interest, and time is money.
Even if open source developers are paid enough to devote themselves to software construction, they are often at risk of running out of money.
Babel is an open source project used by Meta, Airbnb, and Netflix, with three core developers. Even so, the project's funding will be almost depleted by 2021.
At the time, Nicolò Ribaudo had considered terminating the development and maintenance of Babel in favor of applying for a full-time job at a company.
Nicolò Ribaudo
Fortunately, donations poured in after the core members published a pleas for help blog post.
Ribaudo said that although the team did not receive a "top" salary, the money was enough for him to earn a living in Italy.
Other high-impact projects, such as Google's Kubernetes, Meta's React, and the Linux operating system, are sponsored. In contrast, more smaller projects did not make a penny.
Nicholas Zakas, the creator of ESLint, said: "They are downstream in the food chain, and many times they are not recognized or sponsored."
Zakas' projects are used by Meta, Microsoft and Netflix, and while he's funded, the money is "far from enough" to support a full-time team.
A house of cards
While developers mostly don't go into open source for money, the risks associated with working for free have in turn put the internet at risk.
Developers of maintenance projects are not only faced with a mountain of demands and extremely low pay, but at the same time, large companies that profit from open source software rarely reciprocate.
When developers can't resolve security incidents quickly or even exit projects outright, these open source software becomes even more vulnerable.
Some developers say companies should set aside a portion of their budget to support the open source projects they rely on. Of course, it would be better if you could contribute code and fix bugs at the same time.
Perhaps, the mechanism that sustains the entire open source code is about to reach a point where it is not optimistic.
Resources:
https://www.businessinsider.com/open-source-developers-burnout-low-pay-internet-2022-3