I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies.
Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.
The catastrophic consequences are almost a daily occurrence. Less than a couple months ago, the United States Cybersecurity & Infrastructure Security Agency issued an alert about the hijacking of a popular NPM package named ua-parser-js. That project has 6.5k stars on GitHub and has raised a total of $41.61 on OpenCollective. Earlier this week, a severe RCE in a logging library called Log4j2 got everyone, from Apple to Minecraft. As of yesterday, the maintainer who patched the vulnerability had three sponsors on GitHub: Michael, Glenn, and Matt. I could go on and on and on. We've all seen the xkcd.
The status quo is unsustainable
Most maintainers fall in one of two categories: volunteers or big company employees. Sometimes both. Neither model is healthy.
Volunteers are doing their best in their spare time out of passion, or because they are (or were) having fun. They feel tremendous responsibility, but ultimately can't be expected to persevere in the face of burnout, a change in life circumstances (like, having a kid or changing jobs), or even shifting priorities. They also can't be expected to provide professional levels of performance because, again, no one is paying them and they are well within their rights to do only the fun parts of the "job". Professionals are expensive for a reason.
GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure. The average maintainer of a successful project would qualify as a Senior Software Engineer, and those can easily make $150k–300k+/year. (90th percentile of SWE salaries, all levels: $355k in NYC, $232k in London, $163k in Berlin. Note that these are low-balls if you negotiate, especially in 2021/2022, and remote positions exist. Read some Patrick McKenzie.) When is the last time you've seen a GitHub Sponsors recipient making more than $1,000/month? That's at least 12 times less than the alternative.
Even more importantly, there isn't a career path. You can't start as a junior maintainer, get training and experience, and expect to eventually grow into a better paid senior maintainer. That's not how any of it works today.
Being employed as a full-time maintainer by a big company pays better but is not much healthier, both organizationally and individually. Executives and promotion committees start asking "what is it that we pay you for exactly?", and suddenly you're spending more and more time proving your work is important, and less and less time doing it. The workload increases as the project grows, but the team struggles to get more resources, no one gets promoted, and people burn out and leave or change roles. I've seen this play out across multiple companies and ecosystems, over and over.
Professionalizing the role of maintainer
"Alright, Filippo," you'll say, "we know everything's broken. Isn't it just an unavoidable tragedy of the commons? Is this just a long rant?" It doesn't have to be. I have hope change is possible because companies are not getting what they want, and they are starting to notice.
Open Source sustainability and ✨ supply chain security ✨ are on everyone's slide decks, blogs, and press releases. Big companies desperately need the Open Source ecosystem to professionalize.
Here are a few examples of what they might want out of Open Source projects:
- security practices, like two-factor authentication and mandatory code review;
- updates to keep up with the evolution of the ecosystem (adopting new versions of dependencies, porting to Python 3...);
- reliable timelines for reviewing and merging or rejecting contributions;
- support and troubleshooting for filed issues and bug reports;
- quality standards, including vetted and minimized dependency trees;
- careful handling of security reports and actionable vulnerability metadata;
- adoption of standards useful to downstream users, such as SLSA;
- even a succession plan to ensure the project won't go unmaintained if a key developer steps down.
Can they demand any of it without paying the maintainers? Definitely not.
However, companies are in the business of getting what they need—by paying invoices. The moment a company has a contractual relationship with a maintainer for a significant sum of money (1x to 0.3x of a market salary, depending on how likely the maintainer is to invoice other companies, too) it can request what it needs as a contractual condition. In turn, maintainers will be free to sustainably focus on the project like professionals, and prioritize the long-term health of the project, as well as deliver on the company requirements. (Or not, if they turn down the contract! I'm very specifically not talking about transferring governance.)
But! Maintainers need to be legible to the big company department that approves and processes those invoices. Think about it: no company pays their law firm on Patreon. You'd be amazed how much harder it is to explain "what the fuck is an open collective?" for a $10k donation, compared to paying a $100k invoice to an LLC that filed a W-9 or W-8BEN and takes payment through ACH. The trick is that you can easily incorporate a pass-through US LLC and open a business account for it even if you're not a US citizen, it's not rocket science. I am not an accountant (and oh god I am not your accountant) but I did it in an afternoon.
This is what I hope to see happen more and more: Open Source maintainers graduating to sophisticated counterparties who send invoices for "support and sponsorship" on letterhead, and big companies developing procedures to assess, approve, and pay them as a matter of routine so that they can get what they need from the ecosystem. Eventually, a whole career path with an onramp for junior maintainers, including training, like a real profession.
Now is the perfect time for Open Source maintainers to become legible to the big companies that depend on them—and that want to get more out of them—and send them five-to-six figure invoices. Big companies can either lead, or play catch up.
Personally, I find this idea more and more exciting and inevitable, and I am planning my future career directions around it. If you want to follow along, you can follow me on Twitter. If you're interested in being part of it, email me at [email protected] this domain, and let's talk.