Is open source sustainable when software is reliant on a project run by a random guy in Nebraska?

Submitted by Style Pass, 2021-05-18 08:38:31

It's been nearly five months since the SolarWinds hack came to light, causing lots of chin-scratching about vulnerabilities in the software supply chain.

Well, here's a vulnerability for you: what if the open-source project that powers your business software falls foul of a show-stopping functionality bug or security flaw? What if the project goes belly up altogether because the maintainer leaves?

Companies paying a commercial vendor for their software can typically pressure them for a bug fix, and it's unlikely that the commercial entity will vanish overnight. That's less true for open-source software (OSS) projects, which are often maintained single-handedly by a random person somewhere as a hobby.

Commercial reliance on OSS is huge. Software integrity company Synopsys, which publishes a regular report on open-source security and risk, found that the number of open-source components per commercial application jumped from 84 in 2016 to 528 last year. Yet the money that open-source maintainers receive for working on this software, often in their free time, has barely grown, if at all.

Funding for OSS projects is typically dire. In 2019, developer André Staltz collected data from Open Collective and GitHub to assess project revenues. Over 50 per cent of projects couldn't sustain their maintainers above the poverty line, while 31 per cent generated enough for a salary, but one considered unacceptable in the industry.
