Open source maintainers underpaid, swamped by security, and going gray

Original link: https://www.theregister.com/2024/09/18/open_source_maintainers_underpaid/

Challenges facing open source project maintainers:

1. Most maintainers are not financially rewarded for their work, leading to an aging demographic and fewer new entrants.
2. Time spent on security issues has tripled, due to increased cyber threats and concern after incidents such as 'xz'.
3. Trust in new contributors has decreased, particularly following the 'xz' backdoor incident.
4. Maintainers are primarily European and North American males, with few women or non-binary individuals participating.
5. Maintainers spend most of their time on day-to-day maintenance tasks, feature development, and security measures.
6. Awareness of industry security standards such as the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, the SLSA framework, and CISA's Secure by Design pledge is growing, but implementation is lagging.
7. Paid maintainers are more likely to adhere to best practices than their unpaid counterparts.
8. Maintainers earn income through donations, employer salaries that include open source duties, or Tidelift support contracts.
9. Financing from corporations, open source foundations, and government entities remains minimal.
10. Many maintainers hold reservations about AI tools because of potential issues such as incorrect code generation that requires additional fixes and excessive pull request volume.
11. Maintainers may be less welcoming towards contributors who use AI coding tools.

The situation facing open source project maintainers requires attention: they are crucial for maintaining vital software components, yet they face numerous challenges, such as low compensation, increasing time demands for security, dwindling numbers, and growing apprehension about artificial intelligence. To secure the continued health and growth of open source projects, these difficulties must be addressed so that maintainers are fairly compensated and supported while a diverse range of contributors is attracted.


The majority of open source project maintainers are not being paid for their work, spend three times as much time on security than they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.

Small wonder then that the maintainer population is aging – not enough newcomers want the undercompensated, unappreciated job.

Tidelift on Tuesday published its 2024 State of the Open Source Maintainer Report [PDF], the result of a survey answered by over 400 maintainers.

Some 45 percent of the survey takers have been maintainers for more than 10 years and the age distribution is getting older.

According to the report, "the percentage of maintainers self-reporting that they are 46–55 or 56–65 has doubled since our first survey in 2021 (2021: 11 percent; 2023: 27 percent; 2024: 21 percent). Meanwhile, the percentage of maintainers under 26 has dropped precipitously from 25 percent in our 2021 survey to 12 percent last year and 10 percent today."

Respondents hail mainly from Europe (48 percent) and North America (38 percent), and largely identify as male (85 percent), with the remainder checking boxes for female (six percent), non-binary (three percent), and decline to say (six percent).

The portion of respondents who reported they are unpaid hobbyists remains at 60 percent, the same as in last year's survey. Tidelift rates that as "disappointing" given that the xz compromise – which involved at least one attacker patiently gaining a maintainer's trust over years in order to subvert and backdoor a software package – showed that unpaid, lone maintainers are a risk to software supply chains, and given the many calls to do something about it.

However, the xz incident did have some impact: Two-thirds of maintainers (66 percent) said they had become less trusting of pull requests from non-maintainers. That's not necessarily a bad thing if it means that code contributions get closer scrutiny, but it does mean more work, which may not be appreciated.

There's some indication that's happening. Respondents said they're spending three times more of their time (11 percent of total time) on security than they did in 2021 (when it was four percent of total time). Other activities include: day-to-day maintenance work (50 percent), building new features (35 percent), seeking financing/support (two percent), and other (two percent).

Professional and semi-professional maintainers spend more time on security work than unpaid hobbyists (13 percent compared to 10 percent), and on maintenance (53 percent compared to 48 percent).

Maintainers have become more aware of industry security standards like the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, the Supply Chain Levels for Software Artifacts (SLSA) framework, and the US Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge.

Of these initiatives, the OpenSSF Scorecard had the highest awareness among maintainers (40 percent), which is better than the prior survey (28 percent).

But in terms of getting maintainers to actually implement recommended practices, paid maintainers were found to be more likely (55 percent on average) to do so than unpaid maintainers.

The report notes that there's a discrepancy in the portion of respondents who consider themselves unpaid hobbyists (60 percent) and the portion who say they're unpaid for their work (47 percent). Tidelift attributes that distinction to the wording of the survey question: Some of those who identify as unpaid hobbyists may get a nominal amount that isn't enough for them to consider themselves paid professionals or semi-professionals.

Even so, Tidelift's report observes that maintainers still largely receive income from donations (25 percent, from programs like GitHub Sponsors), from company salaries that explicitly include open source maintenance (24 percent), or from Tidelift (19 percent). Direct payments from companies (five percent), open source foundations (three percent), and governments or other public entities (one percent) still account for very little of overall maintainer income.

"If we don’t figure out how to properly compensate and recognize maintainers for the value they create, we might wake up one day and find that the projects we rely upon most are no longer being maintained at all," the report states.

Lastly, Tidelift's report looks at how open source maintainers view the impact of AI tools. Twenty-three percent of respondents were "extremely negative," 22 percent were "somewhat negative," 24 percent were "neither positive nor negative," 22 percent were "somewhat positive" and nine percent were "extremely positive."

The cited concerns about AI coding tools among maintainers include code that's incorrect though not obviously so, which creates more work to fix, and pull request spam that has to be dealt with by maintainers. Two-thirds of maintainers (64 percent) said they'd be less inclined to accept pull requests from contributors known to use AI-coding tools. ®
