Open source developers, who work for free, are discovering they have power

Comment

Image Credits: aurielaki / Getty Images

Most people don’t realize it, but many of the devices and apps you use every day are built on top of open source software, maintained by one or two developers that aren’t paid for their time, who patch bugs and improve their code to give back to the community or as a passion project.  

Take cURL, for example, a library that makes it simple for software to access data in another system, such as in an API. The library is used in practically every modern connected device, from the iPhone to cars, smart fridges and TVs — and yet it’s essentially been maintained by a single developer, Daniel Steinberg, for free for almost three decades.

Despite many open source projects being included in for-profit software and devices, generally without compensation outside of a simple acknowledgment, the system mostly works reliably. Some open source developers are able to successfully support their work through programs like GitHub Sponsors and Buy Me A Coffee, maintenance contracts with companies or taking a job at a company that pays them to maintain their library — but this is far from the norm.

This system’s inequity is often revealed when there’s a widespread security breach, such as the Log4shell vulnerabilities that emerged in the Log4j Java library in December 2021, triggering a slew of critical security vulnerability bulletins that affected some of the largest companies in the world. 

The developers of the affected library were forced to work around the clock to mitigate the problems, without compensation or much acknowledgement that their work had been used for free in the first place. CURL’s developer experienced similar behavior, with companies depending on his projects demanding he fly out to help them when they faced trouble with their code, despite not paying him for his services. 

As a result, it shouldn’t be a surprise that some open source developers are beginning to realize they wield outsized power, despite the lack of compensation they receive for their work, because their projects are used by some of the largest, most profitable companies in the world.

In early January, for example, Marak Squires, the developer of two popular npm packages, “colors” and “faker,” intentionally introduced changes to their code that broke their functionality for anyone using them, outputting “LIBERTY LIBERTY LIBERTY” followed by gibberish and an infinite loop when used. 

While Squires didn’t comment on the reason for making the changes, he had previously said on GitHub that “I am no longer going to support Fortune 500s (and other smaller-sized companies) with my free work.” 

Squires’ changes broke other popular projects, including Amazon’s Cloud Development Kit, as his libraries were installed almost 20 million times per week on npm, with thousands of projects directly depending on them. Within a few hours, npm had rolled back the rogue release and GitHub suspended the developer’s account in response. 

While npm’s response was to be expected after previous incidents in which malicious code was added to libraries and was ultimately rolled back to limit damage, GitHub’s was a new one: the code-hosting platform took down Squires’ entire account, even though he was the owner of the code and was his rights to change it as he pleased. 

This isn’t the first time a developer has pulled their code in protest, either. The developer of “left-pad” pulled his code from npm in 2016, breaking tens of thousands of websites that depended on it following a fight with the Kik messenger over the naming of another open source project he owned.

What’s astonishing is that despite the occasional high-profile libraries protesting the way the industry works, these types of incidents aren’t all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multimillion-dollar products are being created off the back of their work.

Even the White House has acknowledged the importance of open source to the technology industry after a meeting with the industry following the Log4J incidents, saying in January 2022 that “open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”

And yet, despite this declaration, massively popular open source software is woefully underfunded — at least until it gains the spotlight. Before the Heartbleed vulnerability put the wider internet at risk, the affected open source project, OpenSSL, received just $2,000 per year in donations which grew to $9,000 after the issues came to light. 

The team behind OpenSSL, which is used by practically every modern networking device, wrote at the time that “[t]here should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL.” Instead, the project team continues to find contracting work to cover the cost of maintaining the project.

Developers could change their open source license, turn their work into products, or hustle for more sponsors, but there’s no one-size-fits-all solution for every project. Until the industry figures out a better way to fund all of this free work — which nobody seems forthcoming about — we should expect more open source developers to perform acts of disobedience, intentionally breaking their work to shine the light on what they’re contributing. 

This just isn’t sustainable in the long run — but it isn’t clear how we’re going to get out of this mess, as the use of open source balloons in every piece of software and connected device produced today, but continues to depend on a few open source developers not having a terrible day and deciding to break everything. 

If a library like cURL, which is used by millions of devices, is included in everything from your washing machine to your car, but its creator gets tired of supporting it and decides to send a message to the world, then what? We’ve been lucky in the past that the damage could be rolled back, but we might not be so lucky in the future. 

More TechCrunch

“When I heard the released demo, I was shocked, angered and in disbelief that Mr. Altman would pursue a voice that sounded so eerily similar to mine.”

Scarlett Johansson says that OpenAI approached her to use her voice

A new self-driving truck — manufactured by Volvo and loaded with autonomous vehicle tech developed by Aurora Innovation — could be on public highways as early as this summer.  The…

Aurora and Volvo unveil self-driving truck designed for a driverless future

The European venture capital firm raised its fourth fund as fund as climate tech “comes of age.”

ETF Partners raises €284M for climate startups that will be effective quickly — not 20 years down the road

Copilot, Microsoft’s brand of generative AI, will soon be far more deeply integrated into the Windows 11 experience.

Microsoft wants to make Windows an AI operating system, launches Copilot+ PCs

Hello and welcome back to TechCrunch Space. For those who haven’t heard, the first crewed launch of Boeing’s Starliner capsule has been pushed back yet again to no earlier than…

TechCrunch Space: Star(side)liner

When I attended Automate in Chicago a few weeks back, multiple people thanked me for TechCrunch’s semi-regular robotics job report. It’s always edifying to get that feedback in person. While…

These 81 robotics companies are hiring

The top vehicle safety regulator in the U.S. has launched a formal probe into an April crash involving the all-electric VinFast VF8 SUV that claimed the lives of a family…

VinFast crash that killed family of four now under federal investigation

When putting a video portal in a public park in the middle of New York City, some inappropriate behavior will likely occur. The Portal, the vision of Lithuanian artist and…

NYC-Dublin real-time video portal reopens with some fixes to prevent inappropriate behavior

Longtime New York-based seed investor, Contour Venture Partners, is making progress on its latest flagship fund after lowering its target. The firm closed on $42 million, raised from 64 backers,…

Contour Venture Partners, an early investor in Datadog and Movable Ink, lowers the target for its fifth fund

Meta’s Oversight Board has now extended its scope to include the company’s newest platform, Instagram Threads, and has begun hearing cases from Threads.

Meta’s Oversight Board takes its first Threads case

The company says it’s refocusing and prioritizing fewer initiatives that will have the biggest impact on customers and add value to the business.

SeekOut, a recruiting startup last valued at $1.2 billion, lays off 30% of its workforce

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender SoLo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

1 day ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions