Hobbyist Maintenance

Nearly 60% of all code being actively shipped in an app or product in the wild is hobbyist-maintained open-source. And that probably undercounts all the build systems and compilers that support this. If your plans for open-source sustainability or security do not align first and foremost with this population it is not going to achieve anything. Thomas DePierre article podcast

This page is a Forage.

Video: Hobbyist Maintainers with Thomas DePierre on the Open Source Security podcast, 2025-06-15 (YouTube: Lf_GXGV3WCQ) youtube

If we want to have impact on open source, having better security or having code that is done better, or having code that is more resilient where we have someone to act if we need something to change, the main people we target are hobbyists. And we don’t know who they are and what they do and how they work.

Before offering help, before trying a scheme you have in your head that may help, that you think will make things better, you really need to do the user research to understand this demographic.

If you want to give money to people and you want them to be able to take the money, it needs to be something they can make a career of.

[One maintainer who was interviewed on the podcast] mentioned his rent. "Nice. You are giving me that amount of money. My rent is four times that."

I spend probably something like one to two hours a month on my maintainership for all the packages I have. In that time, what I can do most of the time is update dependencies, fix the build system, because it probably broke due to some kind of update of Ubuntu. I have a few of the things I manage that use web stuff, like they have a graphic interface using web stuff, which means that I'm probably going to spend two hours per month doing CSS updates. ... Maybe sometimes I may have a couple of hours per year where I can write code that is not just pure maintenance of dependencies.

The other aspect of this is that I am paid full time to work on software. I’m a software developer, among other things. And I have a house with a mortgage and I have food to buy.

I don’t know if you know that, but the software engineer marketplace is not great for part-time work. It’s full time or nothing. Or contract. But if you do contract, you have all kinds of other things because you need to spend time managing your clients and finding new ones and that stuff. There is a lot of work there.

What that means is if someone comes out tomorrow wanting to pay me a grant to work on this stuff a bit more, I can't.

.

Thomas DePierre argues that the many software foundations attempting to fund open source are working from a model of open source that no longer exists—that the funding sources are disconnected from the realities of the hobbyist maintainers.

There are millions of maintainers out there who can only afford to spend an hour a month (as an educated guess) maintaining the code that keeps the whole world running.

It is unrealistic to demand that those millions of maintainers respond immediately when a new security threat is identified when they have to make their living by some other means.

Short-term grants and part-time funding do not solve the problem, because the maintainers need a stable income.

At a minimum, the funding would need to come as three- to four-year grants for full-time work in order to fit the typical length of professional employment and the rhythms of job changes.

An alternative arrangement might include companies paying half-time and the foundations paying half-time.

But even these schemes are unlikely, because the existing open-source ecosystem grew up in the spare time of hobbyists. One maintainer with a few projects is unlikely to have enough work in those projects to justify full-time employment.

The conversation references the left-pad incident. The author who removed left-pad from NPM published this reflection on that experience eight years after it happened. It reinforces DePierre's points that the world depends on mostly unknown hobbyist maintainers who each have unique motivations. blog

.

Related commentary from Josh Bressers (who hosts the Open Source Security Podcast). Open source is one person. article

Here’s the thing. Almost all open source is literally one person. What I mean by that is if you look at all the open source projects out there, and there are a lot, we see a pattern of one person no matter how we slice and dice the data.

Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single-person projects has the proper amount of resources it needs.

.

DePierre casually mentions ripgrep. Go search for it he says, so I did. github reddit

Nowadays you want your program to do as little as possible, on many cores, while making it easier for the cores to do the next thing. This means you need to run the program in parallel, while being friendly to the CPU caches and the branch predictor. post