Corporate involvement in open-source projects might not always be a good thing Open padlock on laptop
While getting paid to work on open source might be a good thing, it also draws into question the sustainability of the project if the corporate interest in the project dwindles or fades away completely.
The finding is part of a new comprehensive report from the Linux Foundation that reveals that nearly half of its respondents are paid by their employees to contribute to open source software.
Compiled by the Linux Foundation’s Open Source Security Foundation (OpenSSF) together with the Laboratory for Innovation Science at Harvard, the report shares findings from nearly 1,200 respondents working on open source software.
Taking stock
The report is part of an ongoing effort to study and identify ways to improve the security and sustainability of open source software. OpenSSF argues that its contributor survey will help it understand “structural and security complexities in the modern-day supply chain where open source is pervasive but not always understood.”
One of the key findings of the survey is that 48.7% of its respondents contribute to open source software as part of their employment. In view of this finding, the report suggests several steps to ensure the project remains viable even if the corporate backing is suddenly withdrawn.
One of the suggestions include incentivizing the paid contributors to mentor new volunteer contributors. Furthermore, the report authors suggest that such corporate-backed projects should be transferred to a foundation with a neutral governance.
Security of the realm
In terms of security, the report worryingly found that on an average its respondents only spend 2.27% of their total contribution time on security.
Since the respondents weren’t interested in increasing the time they devoted to security, the survey suggests that companies should make secure software development training a requirement for all the paid FOSS developers.
“Understanding open source contributor behaviors, especially as they relate to security, can inform how we apply resources and attention to the world’s most-used software,” said David Wheeler, director of open source supply chain security, the Linux Foundation.
“It is clear from the 2020 findings that we have work to do to ensure we staff across the community for security and to enable individuals to confidently contribute to open source software.”
While getting paid to work on open source might be a good thing, it also draws into question the sustainability of the project if the corporate interest in the project dwindles or fades away completely. The finding is part of a new comprehensive report from the Linux Foundation that reveals…
