Most people don’t realize it, but many of the devices and apps you use every day are built on top of open source software, maintained by one or two developers that aren’t paid for their time, who patch bugs and improve their code to give back to the community or as a passion project.
Take cURL, for example, a library that makes it simple for software to access data in another system, such as in an API. The library is used in practically every modern connected device, from the iPhone to cars, smart fridges and TVs — and yet it’s essentially been maintained by a single developer, Daniel Steinberg, for free for almost three decades.
Despite many open source projects being included in for-profit software and devices, generally without compensation outside of a simple acknowledgment, the system mostly works reliably. Some open source developers are able to successfully support their work through programs like GitHub Sponsors and Buy Me A Coffee, maintenance contracts with companies or taking a job at a company that pays them to maintain their library — but this is far from the norm.
This system’s inequity is often revealed when there’s a widespread security breach, such as the Log4shell vulnerabilities that emerged in the Log4j Java library in December 2021, triggering a slew of critical security vulnerability bulletins that affected some of the largest companies in the world.
The developers of the affected library were forced to work around the clock to mitigate the problems, without compensation or much acknowledgement that their work had been used for free in the first place. CURL’s developer experienced similar behavior, with companies depending on his projects demanding he fly out to help them when they faced trouble with their code, despite not paying him for his services.
As a result, it shouldn’t be a surprise that some open source developers are beginning to realize they wield outsized power, despite the lack of compensation they receive for their work, because their projects are used by some of the largest, most profitable companies in the world.
In early January, for example, Marak Squires, the developer of two popular npm packages, “colors” and “faker,” intentionally introduced changes to their code that broke their functionality for anyone using them, outputting “LIBERTY LIBERTY LIBERTY” followed by gibberish and an infinite loop when used.
While Squires didn’t comment on the reason for making the changes, he had previously said on GitHub that “I am no longer going to support Fortune 500s (and other smaller-sized companies) with my free work.”
Squires’ changes broke other popular projects, including Amazon’s Cloud Development Kit, as his libraries were installed almost 20 million times per week on npm, with thousands of projects directly depending on them. Within a few hours, npm had rolled back the rogue release and GitHub suspended the developer’s account in response.
While npm’s response was to be expected after previous incidents in which malicious code was added to libraries and was ultimately rolled back to limit damage, GitHub’s was a new one: the code-hosting platform took down Squires’ entire account, even though he was the owner of the code and was his rights to change it as he pleased.
This isn’t the first time a developer has pulled their code in protest, either. The developer of “left-pad” pulled his code from npm in 2016, breaking tens of thousands of websites that depended on it following a fight with the Kik messenger over the naming of another open source project he owned.
What’s astonishing is that despite the occasional high-profile libraries protesting the way the industry works, these types of incidents aren’t all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multimillion-dollar products are being created off the back of their work.
Even the White House has acknowledged the importance of open source to the technology industry after a meeting with the industry following the Log4J incidents, saying in January 2022 that “open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”
And yet, despite this declaration, massively popular open source software is woefully underfunded — at least until it gains the spotlight. Before the Heartbleed vulnerability put the wider internet at risk, the affected open source project, OpenSSL, received just $2,000 per year in donations which grew to $9,000 after the issues came to light.
The team behind OpenSSL, which is used by practically every modern networking device, wrote at the time that “[t]here should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL.” Instead, the project team continues to find contracting work to cover the cost of maintaining the project.
Developers could change their open source license, turn their work into products, or hustle for more sponsors, but there’s no one-size-fits-all solution for every project. Until the industry figures out a better way to fund all of this free work — which nobody seems forthcoming about — we should expect more open source developers to perform acts of disobedience, intentionally breaking their work to shine the light on what they’re contributing.
This just isn’t sustainable in the long run — but it isn’t clear how we’re going to get out of this mess, as the use of open source balloons in every piece of software and connected device produced today, but continues to depend on a few open source developers not having a terrible day and deciding to break everything.
If a library like cURL, which is used by millions of devices, is included in everything from your washing machine to your car, but its creator gets tired of supporting it and decides to send a message to the world, then what? We’ve been lucky in the past that the damage could be rolled back, but we might not be so lucky in the future.