The myth of the open-source developer is they’re unemployed young men coding away in basements. The truth is different. The Linux Foundation‘s Open Source Security Foundation (OSSF) and the Laboratory for Innovation Science at Harvard (LISH) new survey, Report on the 2020 FOSS Contributor Survey, found a significant number of women developers, with the plurality of programmers in their 30s, and the majority are working full-time jobs with an annual average pay rate of $123,000.
Of those surveyed, over half surveyed reported they receive payment for free and open-source software (FOSS) contributions — from either their employer or a third party. More than half of those surveyed, 51.65%, are specifically paid to develop open-source programs.
That said, while open-source jobs are in high demand and the pay is great, it’s not money that brings programmers to open-source. Indeed, even those people paid for working on a FOSS project also contributed to other open-source programs without being compensated.
The survey of almost 1,200 developers found the top reason was adding a needed feature or fix to a program they already use. Or, as Eric S. Raymond put it in his seminal open-source work, The Cathedral and the Bazaar, “Every good work of software starts by scratching a developer’s personal itch.”
The other top two reasons were the enjoyment of learning and fulfilling a need for creative or enjoyable work. At the bottom? Getting paid.
It’s not that programmers dislike making money from their open-source work. Far from it! But money alone isn’t that important to them. This can be seen by their answer to another question, which showed that no matter “how many hours they spent on FOSS during paid work time, nearly all respondents also spend some of their free time working on FOSS.”
That said, one vital area of software development is being neglected: Security.
On average, programmers use just 2.27% of their total contribution time on security. Worst still, there’s little desire to spend more time and work on security.
David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said: “It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors.”
The solution, the report authors suggest, is to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.
Specifically, they suggest:
- Fund security audits of critical open-source projects and require that the audits produce specific, mergeable changes.
- Rewrite portions or entire components of FOSS projects prone to vulnerabilities to produce a substantially more secure result (e.g., contribute a rewrite in a memory-safe language).
- Prioritize secure software development best practices.
- Companies should make secure software development training a requirement for hiring or continued professional development for their paid FOSS developers.
- Utilize badging programs, mentoring programs, and the influence of respected FOSS contributors to encourage projects and their contributors to develop and maintain secure software development practices.
- Encourage projects to incorporate security tools and automated tests as part of their continuous integration (CI) pipeline; ideally as part of their default code management platform.
The survey also found that companies are continuing to do better about supporting their people working on open-source projects. Today, over 45.45% of respondents are free to contribute to open-source programs without asking permission, compared to 35.84% 10 years ago. However, 17.48% of respondents say their companies have unclear policies on whether they can contribute and 5.59% were unaware of what policies — if any — their employer had.
The Linux Foundation plans on refreshing The FOSS Contributor Report and Survey. If you’re an open-source developer and you’d like to participate, please sign up here.