Open Source Developers Discover Their Power

The Unseen Foundation of Modern Technology: Open Source Software
Much of the technology people use every day relies on open source software, and that software is often maintained by a handful of developers, frequently unpaid, who fix bugs and add improvements as a contribution to the community or as a personal project.
The Critical Role of Individual Developers
Consider cURL: the curl command-line tool and the libcurl library that let software transfer data over URLs and talk to HTTP APIs. It is built into nearly every contemporary connected device, including iPhones, cars, smart refrigerators and televisions. Remarkably, for more than two decades it has been sustained largely by a single developer, Daniel Stenberg, much of that time on a voluntary basis.
Many open source projects are built into commercial software and devices with little more than a line of acknowledgment, and on the whole the arrangement works. Some developers secure funding through platforms like GitHub Sponsors and Buy Me A Coffee, through maintenance agreements, or through employment at a company that supports their library's upkeep, but this remains uncommon.
Security Vulnerabilities and Unacknowledged Labor
The inherent inequity of this arrangement becomes apparent during major vulnerability disclosures. The Log4Shell vulnerability (CVE-2021-44228) in the Log4j Java library, disclosed in December 2021, triggered security alerts at numerous large corporations, and the first fix was followed by further CVEs that kept the pressure on for weeks.
The library's maintainers worked around the clock on fixes, without remuneration or much recognition for the years of unpaid effort that preceded them. The cURL developer encountered a similar situation, facing demands from companies that he help with code-related problems on their premises, despite never having been paid for his work.
Developers Asserting Their Influence
It is therefore unsurprising that some open source developers are recognizing how much leverage they hold, compensation or not: their projects are used by some of the world's largest and most profitable companies.
In early January 2022, Marak Squires, the creator of the popular npm packages "colors" and "faker", deliberately published releases that broke both packages for every user. The sabotaged colors release printed "LIBERTY LIBERTY LIBERTY" followed by lines of garbage characters and then entered an infinite loop, hanging any process that loaded it.
A Protest Against Uncompensated Work
Although Squires did not comment on the rationale behind the releases, he had previously stated on GitHub that he would no longer provide free support to Fortune 500 companies and other businesses.
The releases disrupted other prominent projects, including Amazon's Cloud Development Kit: the two libraries were downloaded roughly 20 million times a week from npm, and thousands of projects depended on them directly, most through version ranges that pulled the new release in automatically. Within hours, npm rolled the packages back to their last good versions, and GitHub suspended the developer's account.
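The mechanism by which a sabotaged release reaches thousands of dependents in hours is worth seeing concretely. The following is an added example, not code from the article or from any project it names: a minimal semver resolver that shows why a caret range such as `^1.4.0` picks up a newly published release while an exact pin, or a lockfile that is actually honoured, stays on the known-good version. The registry snapshot, the lockfile entry and the function names (`satisfies`, `resolve`, `lockDrift`) are all assumptions constructed for illustration; the version strings are loosely modelled on the incident but are not a dump of the real registry.

```javascript
// Added example: why unpinned semver ranges spread a bad release, and what
// an exact pin or an honoured lockfile changes. Registry data is constructed.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseVersion(str) {
  const m = SEMVER.exec(str);
  if (!m) throw new Error(`not a semver version: ${str}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null, raw: str };
}

// Compare major.minor.patch only.
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Full ordering: a prerelease sorts below the release with the same core.
// Prerelease identifiers are compared as plain strings here; the real spec
// compares them field by field, which makes no difference for this snapshot.
function compareVersions(a, b) {
  const c = compareCore(a, b);
  if (c !== 0) return c;
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Supports three range forms: exact "1.4.0", caret "^1.4.0", tilde "~1.4.0".
function satisfies(versionStr, range) {
  const v = parseVersion(versionStr);
  const op = range.startsWith('^') || range.startsWith('~') ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return compareVersions(v, base) === 0;
  // npm rule: a prerelease only satisfies a range that itself names a
  // prerelease on the same major.minor.patch tuple.
  if (v.pre !== null && !(base.pre !== null && compareCore(v, base) === 0)) return false;
  if (compareVersions(v, base) < 0) return false;
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // caret: free to move up to, but not including, the next non-zero leading component
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return compareCore(v, base) === 0;
}

// What `npm install` without a lockfile picks: the highest published version
// that satisfies the range, or null if none does.
function resolve(range, published) {
  const matches = published.filter((p) => satisfies(p, range)).map(parseVersion);
  if (matches.length === 0) return null;
  matches.sort(compareVersions);
  return matches[matches.length - 1].raw;
}

// For each lockfile entry, report whether a fresh resolve would drift away
// from the locked version: the exposure a missing or ignored lockfile creates.
function lockDrift(lock, registry) {
  return Object.entries(lock).map(([name, { range, locked }]) => {
    const fresh = resolve(range, registry[name] ?? []);
    return { name, locked, fresh, drifts: fresh !== locked };
  });
}

// Constructed registry snapshot: 1.4.0 is the last good release, 1.4.1 the
// sabotaged one, plus a prerelease that caret ranges must not pick up.
const registryDuring = { colors: ['1.3.3', '1.4.0', '1.4.1', '1.4.44-liberty-2'] };
// Constructed snapshot after the registry rolled the package back to 1.4.0.
const registryAfter = { colors: ['1.3.3', '1.4.0'] };
// Constructed lockfile entry, as a project that installed before the incident would have.
const lock = { colors: { range: '^1.4.0', locked: '1.4.0' } };

console.log(resolve('^1.4.0', registryDuring.colors)); // caret pulls in the sabotaged 1.4.1
console.log(resolve('1.4.0', registryDuring.colors));  // an exact pin stays on 1.4.0
console.log(lockDrift(lock, registryDuring));           // drifts: true while 1.4.1 is live
console.log(lockDrift(lock, registryAfter));            // drifts: false after the rollback
```

The drift check is the part worth keeping in CI: run it against the current registry listing for every lockfile entry and fail the build if `drifts` is true for a package whose floating range would jump to a version nobody has reviewed. `npm ci` honours the lockfile; `npm install` with a stale or absent lockfile is exactly the path along which the sabotaged release travelled.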
GitHub's Response and Past Incidents
npm's response was predictable given prior incidents in which malicious code was published to the registry, but GitHub's action was unprecedented: the platform suspended Squires' entire account, even though he owned the code and was within his rights to change it.
This is not an isolated event. In 2016 the developer of "left-pad" unpublished his packages from npm after a dispute with the Kik messaging company over the name of another of his packages, breaking the builds of thousands of dependent projects.
The Persistence of Uncompensated Labor
What is remarkable is how rare such protests are. Open source developers continue to work without pay, maintaining their projects as best they can, even as multimillion-dollar products are built on top of their work.
Government Recognition and Funding Shortfalls
Even the White House has acknowledged how much the technology sector depends on open source software: after meeting industry representatives in the wake of Log4Shell, it released a statement in January 2022 recognizing both the unique value of open source software and the security challenges that follow from its widespread use and its reliance on volunteer maintenance.
Despite that acknowledgment, widely used open source software remains severely underfunded. Before Heartbleed (CVE-2014-0160) put much of the internet's TLS traffic at risk in 2014, the affected project, OpenSSL, received only about $2,000 a year in donations, a figure that rose to roughly $9,000 after the bug surfaced.
The Need for Sustainable Funding Models
OpenSSL is used by virtually every modern networking device, and its team stated at the time that "[t]here should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL." The project still relies on contract work to cover maintenance costs.
Developers can explore alternative licensing, productization, or sponsorship, but there is no universal solution. Until the industry establishes a sustainable funding model for this unpaid work, and none is in sight, we can expect further acts of defiance from open source developers seeking to make their contributions visible.
A System on the Brink
This situation is unsustainable in the long term. The growing reliance on open source software in all software and connected devices, combined with its dependence on a small number of developers, is precarious: the risk that a maintainer burns out, or deliberately breaks their own project, is ever present.
If the maintainer of a library like cURL, built into millions of devices from washing machines to cars, decided to make a similar statement, what then? Past damage was reversible because a package registry could roll a release back within hours; code compiled into firmware already in the field cannot be recalled that way, and a future incident may not be so easily contained.