A couple of years ago, Heartbleed epitomized a massive open source sustainability problem for critical parts of the internet infrastructure. The bug, which affected the popular OpenSSL cryptographic software library, notably compromised the confidentiality of 4.5 million US patient records and cost the industry an estimated $500M.
It was soon revealed that the root cause of the issue was that the OpenSSL project was precariously understaffed.
Open source sustainability became a major theme overnight. Stories of maintainer burn-out made the headlines. And tentative solutions started to emerge.
Funding open source
A few key projects received direct funding from top industry players, notably through the Core Infrastructure Initiative which was formed as a response to the Heartbleed crisis.
But for the vast majority, charity-based contributions (patronage) were the only available option. A few smart developers were able to leverage their network to carve out a revenue stream large enough to work on open source part time or even full time. But these were few and far between.
For most projects, contributions were—and still are—a trickle. Open Collective, one of the biggest platforms in this space, barely collects $1M a year, more than a quarter of which goes to a single project.
Furthermore, addressing the issue of open source sustainability by funding developers to work on code full time creates an undesirable dichotomy between makers of open source software on one side, and consumers of open source software on the other. Misaligned incentives abound.
Let’s face it, patronage isn’t the silver bullet some make it out to be. It’s a great option for those who want to focus exclusively on open source work for a while. It’s not, however, a scalable solution to open source sustainability.
But if patronage isn’t the solution, what is?
Is there no other way to keep open source software afloat? Is it doomed by the tragedy of the commons?
Value beyond the code
To find a solution to open source sustainability, we have to better understand the value of open source.
When we think about the value of open source, we often focus on the code itself, on the program that can be run. In doing so, we forget that this program is the output of a process. An extremely complex process that brings together people of competing companies; of different race, ethnicity, and gender; and of varying abilities and experience; to build software.
This process trains developers. Spreads good practices. Keeps them up to date on current technology. Creates networks. Fosters leadership and empathy. It is so unique in its ability to level-up developers that the single most asked question to potential hires is:
“What’s your GitHub handle?”
And while it’s obvious to companies that open source experience is paramount, the same companies are often oblivious to its corollary: Being able to practice open source as part of their day job is critical to the very developers they want to hire. How else can they stay competitive? Burning the midnight oil only goes so far.
In April 2016, a Twitter survey I created on the topic got more than 2000 replies (my surveys barely attract 100 respondents, generally). 65% of respondents answered that being able to release and contribute to open source software as part of their full-time job was extremely or somewhat important, against only 18% who said it was not important at all. More recently, Cory House ran a similar poll and got similar numbers.
Yet, few companies leverage the ability of open source to make them more desirable to candidates, help them retain and foster their existing talent, and drive a better engineering culture. Those who do reap the benefits, while others simply leave money on the table.
Making open source sustainable won’t happen through patronage. It’ll happen by making companies better understand the value of having a real open source strategy and execute on it.
While that seems like a hard thing to do, there is a precedent. Two decades ago, most companies were just as cautious about using open source as they are now about contributing to it. Our job today is to show them that the ROI of contributing to open source is just as good as the ROI of using it.