(2021-12-11) Valsorda Open Source Professional Maintainers A Wakeup Call

Filippo Valsorda: Professional maintainers: a wake-up call. I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies.

The role of Open Source maintainer has failed to mature from a hobby into a proper profession.

Less than a couple months ago, the United States Cybersecurity & Infrastructure Security Agency issued an alert about the hijacking of a popular NPM package named ua-parser-js. That project has 6.5k stars on GitHub and has raised a total of $41.61 on OpenCollective. Earlier this week, a severe RCE in a logging library called Log4j2 got everyone, from Apple to Minecraft. As of yesterday, the maintainer who patched the vulnerability had three sponsors on GitHub: Michael, Glenn, and Matt.

Most maintainers fall in one of two categories: volunteers or big company employees. Sometimes both. Neither model is healthy.

They also can't be expected to provide professional levels of performance because, again, no one is paying them and they are well within their rights to do only the fun parts of the "job".

GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure.

Being employed as a full-time maintainer by a big company pays better but is not much healthier, both organizationally and individually. Executives and promotion committees start asking "what is it that we pay you for exactly?", and suddenly you're spending more and more time proving your work is important, and less and less time doing it.

I have hope change is possible because companies are not getting what they want, and they are starting to notice.

Here are a few examples of what they might want out of Open Source projects:
security practices, like two-factor authentication and mandatory code review;
updates to keep up with the evolution of the ecosystem (adopting new versions of dependencies, porting to Python 3...);
reliable timelines for reviewing and merging or rejecting contributions;
support and troubleshooting for filed issues and bug reports;
quality standards, including vetted and minimized dependency trees;
careful handling of security reports and actionable vulnerability metadata;
adoption of standards useful to downstream users, such as SLSA;
even a succession plan to ensure the project won't go unmaintained if a key developer steps down.

However, companies are in the business of getting what they need—by paying invoices.

But! Maintainers need to be legible to the big company department that approves and processes those invoices. Think about it: no company pays their law firm on Patreon. You'd be amazed how much harder it is to explain "what the fuck is an open collective?" for a $10k donation, compared to paying a $100k invoice to an LLC that filed a W-9 or W-8BEN and takes payment through ACH.

This is what I hope to see happen more and more: Open Source maintainers graduating to sophisticated counterparties who send invoices for "support and sponsorship" on letterhead.

Personally, I find this idea more and more exciting and inevitable, and I am planning my future career directions around it.

Mar'2022 follow-up: How to pay professional maintainers

While the previous piece addressed maintainers, this one is aimed at the companies that depend on Open Source projects and wish to get a solid contractual relationship with this critical part of their supply chain, improving its sustainability.

Pay the maintainers

Pay them real money

If your goal is ensuring the ongoing maintenance of the project, you should target figures between 25% and 100% of a SWE compensation package, depending on how likely the project is to get multiple sources of funding. $1,000/month without benefits is a nice way to show appreciation, but won't achieve any other goals.

Pay for maintenance

Governance is a delicate and complex topic, and you want to leave it as orthogonal as possible to funding.

Maintainers are worried that taking your money will take control away from them.

Fund them so that they can dedicate resources to the project, and trust them to direct those resources like you'd trust a senior engineer to execute on a broadly scoped project.

Other things you should pay for

That doesn't mean the contract should come with no strings attached. Half the point of paying maintainers is getting solid guarantees back. (The other half is making the ecosystem sustainable.)

Moreover, you can ask for recognition in the project's documentation or as part of the project's updates.

Once you have the contractual relationship, it's easy to extend it to add scoped work like specific extensions, support, or training.

Keep paying them

You're not expected to provide the same long term commitment of a full-time employer, but structuring the payment as a one-off bonus is not going to be as effective as a renewable contract.

A way to get both marketing exposure and the information to decide on contract renewal is to request an end-of-year article detailing the work that was performed thanks to the funding.
