Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Professional maintainers: a wake-up call

: “I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies. Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.The catastrophic consequences are almost a daily occurrence. Less than a couple months ago, the United States Cybersecurity & Infrastructure Security Agency issued an alert about the hijacking of a popular NPM package named ua-parser-js. That project has 6.5k stars on GitHub and has raised a total of $41.61 on OpenCollective. Earlier this week, a severe RCE in a logging library called Log4j2 got everyone, from Apple to Minecraft. As of yesterday, the maintainer who patched the vulnerability had three sponsors on GitHub: Michael, Glenn, and Matt. I could go on and on and on. We’ve all seen the xkcd. Most maintainers fall in one of two categories: volunteers or big company employees. Sometimes both. Neither model is healthy. Volunteers are doing their best in their spare time out of passion, or because they are (or were) having fun. They feel tremendous responsibility, but ultimately can’t be expected to persevere in the face of burnout, a change in life circumstances (like, having a kid or changing jobs), or even shifting priorities. They also can’t be expected to provide professional levels of performance because, again, no one is paying them and they are well within their rights to do only the fun parts of the “job”. Professionals are expensive for a reason…”

Sorry, comments are closed for this post.