The Register: Open source maintainers underpaid, swamped by security, and going gray

Source URL: https://www.theregister.com/2024/09/18/open_source_maintainers_underpaid/
Source: The Register
Title: Open source maintainers underpaid, swamped by security, and going gray

Feedly Summary: AI-coded contributions? Most would rather skip the bot’s work
The majority of open source project maintainers are not being paid for their work, spend three times as much time on security as they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.…

AI Summary and Description: Yes

**Summary:** The Tidelift 2024 State of the Open Source Maintainer Report reveals that the open-source maintainer community is experiencing a demographic shift, with older maintainers dominating and an increase in security-related work. Concerns about trust and AI tool impacts are prevalent, highlighting the need for better compensation and recognition for maintainers.

**Detailed Description:**

The Tidelift report provides critical insights into the state of open-source maintainers, highlighting several key points of significance for professionals involved in security, compliance, and software development:

– **Demographic Shift:**
  – The number of maintainers aged 46-65 has doubled from previous years, while those under 26 have significantly decreased, indicating an aging maintainer population.
  – The demographic is predominantly male (85% male, 6% female, 3% non-binary).

– **Declining Compensation & Time on Security:**
  – 60% of maintainers report being unpaid hobbyists, with significant dissatisfaction concerning their compensation despite increasing security responsibilities.
  – Maintainers are dedicating three times more time to security tasks than they did three years ago, now spending 11% of their total time on security initiatives.

– **Increased Security Awareness:**
  – There is growing awareness of security frameworks such as NIST SSDF, OpenSSF Scorecard, and CISA's Secure by Design, particularly among professional maintainers (55% vs. 40% average awareness).
  – The xz backdoor incident has led maintainers to scrutinize pull requests more closely, resulting in increased workload.

– **Societal Challenges and Future Risk:**
  – The disparity between those who identify as unpaid hobbyists and those who simply say they are unpaid creates confusion, and points to the economic challenges faced within the open-source community.
  – If sustainable compensation models are not established, key projects vital to software infrastructure may become unsustainable.

– **AI Impact on Coding Practices:**
  – A significant percentage of maintainers have negative perceptions of AI coding tools, fearing incorrect code generation and the resulting maintenance burden.
  – About two-thirds of respondents express reluctance to accept contributions from developers using AI tools, indicating a potential cultural shift and trust issues within collaboration environments.

**Key Implications for Security and Compliance Professionals:**

– **Supply Chain Security:** The increase in security-related activities among maintainers highlights the need for organizations to bolster their supply chain security practices, ensuring that open-source components meet established security standards.

– **Trust and Collaboration:** Professionals must recognize the importance of maintaining trust within developer communities, especially as scrutiny of code contributions increases and AI tools become more commonplace.

– **Compensation Models:** Acknowledging the role of sustainers and finding viable compensation methods will be crucial in attracting new talent into the open-source ecosystem, fostering innovation, and maintaining project viability.

**Overall**, the report serves as a wake-up call for the industry to address the economic and operational challenges facing open source maintainers, which directly impact software security and reliability across infrastructures.