A recent report by Tidelift analyzed the workload and habits of open source maintainers. The report looked at the survey responses of over 300 maintainers — the people who create and maintain open source software projects.
The report found that maintainers are being asked to take on additional work to meet government and industry standards, even though 60% of maintainers describe themselves as unpaid hobbyists. Thirteen percent describe themselves as professional maintainers who earn most or all of their income from maintaining projects.
Other key findings include:
- 81% of professional maintainers spend more than 20 hours per week maintaining their projects, compared to 27% of semi-professional maintainers and 7% of unpaid hobbyist maintainers.
- Over 50% of maintainers are not aware of new security standards initiatives like OSSF scorecards, SLSA and the NIST SSDF.
- Of the maintainers aware of one or more of these standards, 43% have already begun work to align to these industry standards or plan to begin work within the next year.
- 39% have no plans to align to industry standards and 19% are still on the fence, reporting that they either do not know or are not sure whether they will do the work to ensure their packages align with these industry standards.
- 38% of maintainers who do not plan to align their projects with industry standards say they just don’t have the time, while 37% won’t do it because they are not being paid for the work.
- 54% of maintainers would appreciate help so they can better understand these new standards and how they apply to their project, while 47% of maintainers want to be paid for undertaking the work needed to align their projects with the new standards.
- More than 50% of paid maintainers have implemented or plan to implement 12 out of 16 common security and maintenance practices. Five out of 16 unpaid maintainers have done the same.