Capitalism: Log4j or why corporations love open source solutions
  • This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.

    "I work on Log4j in my spare time"
    "always dreamed of working on open source full time"
    "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"

    It is not a joke.

  • Most maintainers fall in one of two categories: volunteers or big company employees. Sometimes both. Neither model is healthy.

    Volunteers are doing their best in their spare time out of passion, or because they are (or were) having fun. They feel tremendous responsibility, but ultimately can't be expected to persevere in the face of burnout, a change in life circumstances (like, having a kid or changing jobs), or even shifting priorities. They also can't be expected to provide professional levels of performance because, again, no one is paying them and they are well within their rights to do only the fun parts of the "job". Professionals are expensive for a reason.

    GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure. The average maintainer of a successful project would qualify as a Senior Software Engineer, and those can easily make $150k–300k+/year. (90th percentile of SWE salaries, all levels: $355k in NYC, $232k in London, $163k in Berlin. Note that these are low-balls if you negotiate, especially in 2021/2022, and remote positions exist. Read some Patrick McKenzie.) When is the last time you've seen a GitHub Sponsors recipient making more than $1,000/month? That's at least 12 times less than the alternative.

    Even more importantly, there isn't a career path. You can't start as a junior maintainer, get training and experience, and expect to eventually grow into a better paid senior maintainer. That's not how any of it works today.

    Being employed as a full-time maintainer by a big company pays better but is not much healthier, both organizationally and individually. Executives and promotion committees start asking "what is it that we pay you for exactly?", and suddenly you're spending more and more time proving your work is important, and less and less time doing it. The workload increases as the project grows, but the team struggles to get more resources, no one gets promoted, and people burn out and leave or change roles. I've seen this play out across multiple companies and ecosystems, over and over.

    https://blog.filippo.io/professional-maintainers/

  • Bleeping Computer dug up one of Squires’ posts on GitHub from November 2020, in which he declares he no longer wants to do free work. “Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he says. “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

    https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/