Open source isn’t free. We’re just not paying for it
Who maintains the maintainers?
A lot of things don’t add up in the world of software. The skills gap remains stubbornly wide, with IT and data skills the hardest to recruit for five consecutive years. Yet, at the same time, entry-level roles are declining as employers redeploy existing employees rather than hiring new ones.
This change has been both rapid and profound. The Linux Foundation found that 72% of organisations prioritised upskilling over hiring in 2025, up from 48% the previous year.
Developers increasingly rely on open source to prove skills publicly to a diminishing field of potential employers, but that work is often unpaid and squeezed into personal time.
Those same employers are making enormous use of open source software, but are not always contributing to its upkeep in a meaningful way. Meanwhile, the bottleneck in the skills pipeline is storing up trouble for the future.
“With a decreasing number of roles open to junior developer staff, apparently as a consequence of the ability of AI to perform many of the more mundane and formulaic tasks, there comes the challenge of building hands-on experience to enable learning which is garnered from completing those same tasks and gradually building skills,” writes Amanda Brock, CEO of non-profit advocacy group OpenUK in the foreword to its latest skills report.
“Ironically at the same time there is a shortage of staff with certain skills.”
Open source as optional
Open source is mission critical - more than 90% of code (even in proprietary products) is open source, and the top security protocols and libraries are all open - yet it’s often treated as optional. The people writing and maintaining it are, by and large, unpaid, invisible and unsupported.
That said, activity in the UK is up. OpenUK reports that the number of people making at least one contribution to open source projects has risen by 7% since last year. This pattern is broadly replicated in other countries.
And the picture for jobseekers isn’t all one-sided. The trend for employers to seek out a prospect’s published code rather than filtering through piles of increasingly generic GPT-generated CVs has some positives. For one, it bypasses traditional gatekeepers, allowing developers from non-computer science backgrounds to gain a foothold and establish a record of achievement.
But the ecosystem seems to be getting out of balance, with the few profiting increasingly from the unpaid labour of the many.
Who maintains the maintainers?
Every new codebase that gains traction needs at least one reliable maintainer to oversee code review, security patching, governance, roadmap setting and community moderation over the long term. That’s a lot of responsibility - and the task is growing more arduous over time.
Recent research by Tidelift found that most maintainers are volunteers, with stress and burnout common. In the last two years the workload has increased dramatically thanks to the volume of AI-generated pull requests and issue reports. The AI-generated code can also be harder to parse, again adding to the maintainer’s burden, and AI has not (yet) produced reliable tools to make the job easier. Unwilling or unable to carry on working for free, 60% have quit the role or are considering doing so.
At the same time, the requirement for security in the face of organised threat actors with sophisticated tools has never been greater.
In summary, open source software underpins the digital economy, but it is sustained by poorly paid, time‑poor individuals. This has long been the case, but AI has intensified the pressure, and there is a serious risk of maintainers quitting and not being replaced, leaving core projects vulnerable. Meanwhile the stream of new talent who learn skills while doing their job is being choked off.
There are foundations that house and support core projects, while initiatives like the GitHub Secure Open Source Fund and GitHub Sponsors, and companies including Microsoft, Spotify and Bloomberg, provide direct financial support to projects they depend on. But in the grand scheme of things, this is the tip of the iceberg. The majority of projects, even important, widely used ones, get by on a shoestring.
Toward professional maintainers
An example of how long-term funding of maintainers can work is Rustls, a memory-safe TLS library written in Rust. Creator Joe Birr-Pixton originally developed Rustls in his spare time, but when it took off he was able to obtain funding from the internet security research project Prossimo and later administrative support from the Rust Foundation. Eventually he left his job to become a full-time maintainer.
“Receiving stable funding not only let me work on Rustls full-time, but changed what kind of project Rustls could become,” he told Computing.
“While this kind of funding remains an exception, and is notably absent from UK government policy, funding critical open source infrastructure as a public good brought us here. The Rustls maintainers continue to look for funding sources to support our future work.”
There are other routes, too. Filippo Valsorda left Google in search of a sustainable approach to open source maintenance, becoming a full-time independent professional open source maintainer for hire.
But structural issues remain. Successive governments have paid lip service to the importance of open source, but there is more to be done to make the model sustainable. Options include establishing a UK open source infrastructure fund to provide predictable support for high-impact projects and maintainers, providing incentives for organisations to devote developer time to the projects they use, and supporting “maintainership” as a profession.
OpenUK research director Jennifer Barth said: “Ultimately, open source has already demonstrated its capacity to build skills, create opportunity, and underpin innovation at scale. The challenge now is to ensure that the individuals behind this system are no longer hidden.”