SOSS Fusion 2024

It’s hard to be an open source maintainer in 2024. Despite increasing demands, 60% maintainers still don’t get paid for their work and 58% have considered quitting or already quit maintaining their projects. Earlier this year, the xz utils scare brought to light the very real implications of what could happen when maintainers are not supported. While this particular attack was caught, the bottom line is most maintainers are unpaid hobbyists who do not receive both the financial or societal (community, mental health, training, time) support needed to ensure the security and resilience of the open source software we all rely on. Overworked and underappreciated maintainers are a huge problem that leads directly to organizational security risk. So what can you do about it? This session will share maintainer perspective on xz and how it has affected the way they approach their work. We'll discuss a set of tips security-conscious leaders can take away to decrease their security risk from under-maintained open source packages. Finally, we'll look at some benefits that downstream consumers receive when maintainers are paid to ensure their projects remain secure and healthy.