Open-Source Developer Burnout, Low Pay Putting Web at Risk

  • The internet and many of the world’s largest companies rely on open-source software.
  • This software is built by developers who make little to no money and are often at risk of burnout.
  • Developers say the companies relying on this software should contribute more money and code.

Every day, Blaine Bublitz spends hours sifting through emails from users of Gulp.js, an open-source software project he volunteers to maintain that’s used by organizations like Microsoft and NASA. 

These emails typically push for updates and fixes to the project, piling onto his never-ending to-do list. And while some users are friendly, many are quick to press him on what’s taking so long. The demands in these messages wreck his mood and, at one point, even led him to “disappear” for six months and stop working on the project altogether.

“The lack of money combined with the entitlement where people are shouting at you that you need to work on something makes me not want to work on it at all,” Bublitz said.

Marina Mosti, another open-source volunteer, spends 10 hours a week maintaining a project called FormVueLate, from which she hasn’t made a “single dollar.” She also works as a technical lead full time at VoiceThread, which monetarily supports her work in open source. 

But balancing the demands of maintaining the popular project with her paying job has Mosti burned out. The other developers on the FormVueLate team are burned out, too, she said. While some of FormVueLate’s code has needed a complete rewrite for months, they still haven’t written the first line of code to get started.

“We don’t have time, energy, or mind space to put into it,” Mosti said. 

Bublitz and Mosti are not alone. Open-source developers working across several other crucial projects echoed the feeling, telling Insider the work has felt “insurmountable,” “was affecting my health and happiness,” and “became a drain in my life.” 

But the internet can’t afford for their work to fall by the wayside. Often invisible, open-source projects are crucial to our digital world, underpinning much of the world’s software and even the largest and richest tech giants. Companies like Microsoft, Amazon, and Netflix, for example, rely on open-source projects to run their web applications.

The internet has long run on the backs of unpaid open-source developers and is already hanging on by a thread. Now a storm of recent security incidents exposed just how fragile the ecosystem is while open-source developers burn out, step away, and even sabotage their projects in protest. A lack of support for these developers is putting the internet at risk.

While the sharp rise in cyberattacks against big companies and critical infrastructure makes headlines again and again, what’s less discussed is how open source is also reeling from the surge. Software supply-chain attacks, which target the upstream open-source projects that other software pulls in as dependencies, rose 650% from 2020 to 2021, according to a report from software supply-chain management company Sonatype. And at least 29% of popular projects contain at least one known security vulnerability, the report said.

With more eyes able to see the code, open-source software can, in theory, be more secure. In practice that holds only if someone with the time and expertise is actually looking, and recent security incidents showed how devastating the effects on the internet ecosystem can be if maintainers aren’t around to fix vulnerabilities, or even go so far as to sabotage their projects. In December, attackers began exploiting a critical vulnerability, known as Log4Shell, in Log4j, an open-source logging library embedded in software from companies like IBM, Oracle, Amazon, and Microsoft. The cybersecurity firm Check Point called the potential for damage “incalculable” and said it was “clearly one of the most serious vulnerabilities on the internet in recent years.”

Then, in early January, a programmer sabotaged his own projects, the widely used Colors.js and Faker.js, in protest against large companies using his work for free: he published new releases that deliberately broke every application that pulled them in.

Even more recently, researchers discovered two “critical” security flaws actively being exploited in Mozilla’s open-source Firefox browser. Additionally, the open-source Linux operating system was just hit in “its most high-severity vulnerability in years.”

“We’ve seen enough supply-chain disasters already, and it will not be the last one,” Tom Kerkhove, maintainer of the software Promitor and KEDA, said of these incidents this past winter. “Enterprises really need to help maintainers build the products they are building before they have burned out.”

All in on open source

Open source — which refers to publicly accessible code built and maintained by community members — has been used for as long as software itself, but it became popular in the 1990s as projects like the Linux operating system swept the industry. Now open source provides the foundation for cloud platforms like Amazon Web Services and powers important pieces of the apps people use every day from companies like Facebook and Google.

And open source continues to grow. Microsoft-owned GitHub, which hosts open-source projects, saw over 2.6 billion contributions in the past 12 months. An OpenLogic survey of 2,660 professionals found that 77% of respondents said their organizations increased the use of open-source software in 2021. 

Photo: GitHub CEO Thomas Dohmke. (GitHub)


“The bigger story is how impactful and how important open source is to the broad business world and all of us in our daily lives,” said Chris Wright, the chief technology officer at the software company Red Hat. “It’s really pervasive across all the software industry.”

Working for little or no pay

Despite the ubiquity and essential roles of their projects, most open-source developers make little to no money from their contributions. 

A Tidelift survey of nearly 400 open-source maintainers found that 46% are paid nothing for their work. Of those who do get paid, only about half receive more than $1,000 a year. And about half of those surveyed cited not being paid enough as their top complaint about being a maintainer.

The free nature of open source also leads to inequity. Open source is dominated by men, and people who don’t have as much leisure time or stability might be less likely to contribute to open source when there’s no compensation involved.

Today, sites like GitHub Sponsors, Tidelift, and Open Collective are trying to solve this funding problem by allowing developers to receive donations and other types of compensation. Still, developers say relying on donations isn’t sustainable, and many make only enough to buy a cup of coffee each month. 

“I’ve tried every platform that exists,” Bublitz said. While these sites are “successful in that you’re no longer working for absolutely free,” he said he receives about $5 a month from GitHub Sponsors. Even though he works nearly full time on open source, Bublitz’s income came largely from consulting for the past two years. 

For some developers, it’s especially hard to square the lack of money in open source with the fact that the richest companies are some of the biggest beneficiaries of these projects. And many feel these companies don’t give back enough. 

Amazon, for example, repackages open-source software to sell and run on its cloud, but developers and smaller companies say it doesn’t contribute much code back despite profiting off the work. Microsoft and Google boast of being open-source-friendly, but Microsoft doesn’t sponsor open-source projects other than a select few with its Free and Open Source Software Fund. Meanwhile, Google claims ownership over open-source code its employees write in their free time.

“The problem is companies and individuals don’t realize they’re actually part of an ecosystem,” the open-source developer Amal Hussein said. “It’s important that they contribute with their time or money.”

Open source is plagued by burnout

Open-source developers face a unique combination of burnout risks: the ongoing pandemic, the increased rate of cyberattacks, the growing complexity of software, the responsibility riding on their backs, and the financial instability that comes with their work. Over 40% of open-source maintainers cited personal stress and feeling underappreciated as things they dislike about being a maintainer in the Tidelift survey. A lot of that stress is rooted in complaints from users, said Donald Fischer, the Tidelift CEO and cofounder.

Photo: Tidelift’s founders, from left, Donald Fischer, Luis Villa, Jeremy Katz, and Havoc Pennington. (Tidelift)


Matteo Collina, a developer, refers to these demanding people as “vampires.” 

“The status quo is simply unsustainable as more long-term maintainers are burning out, while the vampires are out there,” Collina said. 

Natalia Tepluhina, a core member of the Vue project used by Google, Apple, and Nintendo, said users will ask questions like, “why have you not fixed this in two weeks?” or “why are you being so slow?”

“It’s like, dammit, I work for you for free,” Tepluhina said. “Why are you saying this?”

Ifiok Otung Jr. on the other hand, receives sponsorships for his project Remirror, but he said that only brought more scrutiny. Last year, he stepped back for six months.

“The more I pushed down that path, the less enjoyable it became,” Otung said. “It became a drain in my life.”

Many developers have been stepping back from their projects, or even ghosting them altogether. About 59% of maintainers who responded to the Tidelift survey have at one point quit or considered quitting their projects.

Ryan Bigg, for example, used to work full time as the sole maintainer of the e-commerce project Spree, used by companies like GoDaddy and Blue Apron. But eventually, the work felt “insurmountable.” He’d wake up every day to over 250 messages demanding new requests or fixes. He left that job in 2014 to work at a tech company.

“Ultimately it was affecting my health and happiness,” he said.

Martin Donath, the creator of Material for MkDocs, which is used by companies like Microsoft and Amazon, is another open-source developer who said he was recently at a “junction” in deciding whether he wanted to keep working on his software as demands grew. But financial support helped keep him going.

“The reasons projects are abandoned are a lack of time and interest, and time is money,” Donath said.

When a project runs out of money

Even when open-source developers are paid enough to focus on building their software full time, they’re often at risk of running out of money. Babel, an open-source project used by Facebook, Airbnb, and Netflix, pays the salaries of three core developers, but it nearly ran out of money in 2021. At the time, Nicolò Ribaudo considered stopping his work with Babel and applying to work at a company full time instead.

Photo: Nicolò Ribaudo, a Babel core-team member. (Courtesy of Nicolò Ribaudo)


Fortunately, Babel was able to capture enough attention to successfully fundraise. Its core developers asked for help in a blog post, and companies relying on Babel realized it was something they “took for granted,” Ribaudo said. Donations poured in, allowing its core team members to get paid and continue maintaining and improving Babel. Ribaudo acknowledged the team isn’t getting “top-tier salaries” and that he could earn more at a company, but he said the salary is sufficient to make a living in Italy, where he lives. 

“We can provide higher-quality work to the project, and it’s mentally easier for us because we don’t need to sacrifice other parts of our free time for that,” Ribaudo said.

Babel was lucky, and other larger projects like Google-born Kubernetes, Facebook-born React, and the Linux operating system get by on sponsorships. But for every large project that gets funding, many smaller projects the industry relies on don’t make — or pay maintainers — a cent. 

Photo: KubeCon 2019 in Barcelona, Spain. (Google)


“They’re further down the food chain and a lot of times don’t get the recognition and don’t get the sponsorships,” said Nicholas Zakas, creator of the project ESLint, which is used by Facebook, Microsoft, and Netflix. While his project does receive funding, it’s “nowhere near enough money” to fund a full-time team, Zakas said. 

A house of cards 

Open source is reaching a breaking point as maintainers face burnout, piling demands, and low pay. Meanwhile, large companies profit from the software and give little back. 

While developers certainly don’t get into open source for the money, the risks that come with working for free in turn put the internet at risk. When maintainers can’t keep up with security fixes, or quit outright, the software that depends on their projects stays vulnerable for longer.

The US government recently took steps to address vulnerabilities in open-source software. In February, President Joe Biden’s administration formed a panel, the Cyber Safety Review Board, to investigate major cybersecurity incidents, starting with Log4j. The panel is the first of its kind and aims to “thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement.

Beyond that, developers say companies should use their budgets to support open-source projects they depend on. And it’s not just about money — they’d appreciate it if companies would contribute code and fixes.

“Open source itself has nothing to do with money,” said Daishi Kato, a developer. “Sure, it can sustain in some form. But the culture behind it is something like mutual help. It is not ethical and healthy to maliciously take everything without giving anything back.”
