<nettime> Filippo Valsorda: Professional maintainers: a wake-up call

[nettime's_collaborative_filterer <nettime@kein.org>]

< https://blog.filippo.io/professional-maintainers/ >

Professional maintainers: a wake-up call Filippo Valsorda,
11 Dec 2021

I work on the Go team at Google, but this is my personal
opinion as someone who built a career on Open Source both at
and outside big companies.

{image}

The popular xkcd 2347: Dependency, with a screenshot saying
"3 sponsors are funding rgoers's work" at the top of the
arrow pointing to the little piece holding the whole stack
in place.

Open Source software runs the Internet, and by extension the
economy. This is an undisputed fact about reality in 2021.
And yet, the role of Open Source maintainer has failed to
mature from a hobby into a proper profession.

The catastrophic consequences are almost a daily occurrence.
Less than a couple months ago, the United States
Cybersecurity & Infrastructure Security Agency issued an
alert about the hijacking of a popular NPM package named
ua-parser-js. That project has 6.5k stars on GitHub and has
raised a total of $41.61 on OpenCollective. Earlier this
week, a severe RCE in a logging library called Log4j2 got
everyone, from Apple to Minecraft. As of yesterday, the
maintainer who patched the vulnerability had three sponsors
on GitHub: Michael, Glenn, and Matt. I could go on and on
and on. We've all seen the xkcd. The status quo is
unsustainable

Most maintainers fall in one of two categories: volunteers
or big company employees. Sometimes both. Neither model is
healthy.

Volunteers are doing their best in their spare time out of
passion, or because they are (or were) having fun. They feel
tremendous responsibility, but ultimately can't be expected
to persevere in the face of burnout, a change in life
circumstances (like, having a kid or changing jobs), or even
shifting priorities. They also can't be expected to provide
professional levels of performance because, again, no one is
paying them and they are well within their rights to do only
the fun parts of the "job". Professionals are expensive for
a reason.

GitHub Sponsors and Patreon are a nice way to show
gratitude, but they are an extremely unserious compensation
structure. The average maintainer of a successful project
would qualify as a Senior Software Engineer, and those can
easily make $150k-300k+/year. (90th percentile of SWE
salaries, all levels: $355k in NYC, $232k in London, $163k
in Berlin. Note that these are low-balls if you negotiate,
especially in 2021/2022, and remote positions exist. Read
some Patrick McKenzie.) When is the last time you've seen a
GitHub Sponsors recipient making more than $1,000/month?
That's at least 12 times less than the alternative.

Even more importantly, there isn't a career path. You can't
start as a junior maintainer, get training and experience,
and expect to eventually grow into a better paid senior
maintainer. That's not how any of it works today.

Being employed as a full-time maintainer by a big company
pays better but is not much healthier, both organizationally
and individually. Executives and promotion committees start
asking "what is it that we pay you for exactly?", and
suddenly you're spending more and more time proving your
work is important, and less and less time doing it. The
workload increases as the project grows, but the team
struggles to get more resources, no one gets promoted, and
people burn out and leave or change roles. I've seen this
play out across multiple companies and ecosystems, over and
over. Professionalizing the role of maintainer

"Alright, Filippo," you'll say, "we know everything's
broken. Isn't it just an unavoidable tragedy of the commons?
Is this just a long rant?" It doesn't have to be. I have
hope change is possible because companies are not getting
what they want, and they are starting to notice.

Open Source sustainability and -- supply chain security --
are on everyone's slide decks, blogs, and press releases.
Big companies desperately need the Open Source ecosystem to
professionalize.

Here are a few examples of what they might want out of Open
Source projects:

* security practices, like two-factor authentication and
mandatory code review;

* updates to keep up with the evolution of the ecosystem
(adopting new versions of dependencies, porting to Python
3...);

* reliable timelines for reviewing and merging or rejecting
contributions;

* support and troubleshooting for filed issues and bug
reports;

* quality standards, including vetted and minimized
dependency trees;

* careful handling of security reports and actionable
vulnerability metadata;

* adoption of standards useful to downstream users, such as
SLSA;

* even a succession plan to ensure the project won't go
unmaintained if a key developer steps down.

Can they demand any of it without paying the maintainers?
Definitely not.

However, companies are in the business of getting what they
need -- by paying invoices. The moment a company has a
contractual relationship with a maintainer for a significant
sum of money (1x to 0.3x of a market salary, depending on
how likely the maintainer is to invoice other companies,
too) it can request what it needs as a contractual
condition. In turn, maintainers will be free to sustainably
focus on the project like professionals, and prioritize the
long-term health of the project, as well as deliver on the
company requirements. (Or not, if they turn down the
contract! I'm very specifically not talking about
transferring governance.)

But! Maintainers need to be legible to the big company
department that approves and processes those invoices. Think
about it: no company pays their law firm on Patreon. You'd
be amazed how much harder it is to explain "what the fuck is
an open collective?" for a $10k donation, compared to paying
a $100k invoice to an LLC that filed a W-9 or W-8BEN and
takes payment through ACH. The trick is that you can easily
incorporate a pass-through US LLC and open a business
account for it even if you're not a US citizen, it's not
rocket science. I am not an accountant (and oh god I am not
your accountant) but I did it in an afternoon.

This is what I hope to see happen more and more: Open Source
maintainers graduating to sophisticated counterparties who
send invoices for "support and sponsorship" on letterhead,
and big companies developing procedures to assess, approve,
and pay them as a matter of routine so that they can get
what they need from the ecosystem. Eventually, a whole
career path with an onramp for junior maintainers, including
training, like a real profession.

Now is the perfect time for Open Source maintainers to
become legible to the big companies that depend on them --
and that want to get more out of them -- and send them
five-to-six figure invoices. Big companies can either lead,
or play catch up.

Personally, I find this idea more and more exciting and
inevitable, and I am planning my future career directions
around it. If you want to follow along, you can follow me on
Twitter. If you're interested in being part of it, email me
at hi@ this domain, and let's talk. Filippo Valsorda


Cryptogopher on the Go team at Google. RC F'13, F2'17. You
might know me as @FiloSottile.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: