By Matt Asay
There isn’t nearly enough money in open source today. We can complain about venture capitalists distorting open source licensing, wring our hands about sustainability, and fret over how much foundation execs like Mozilla’s make, but the real issue isn’t that we have too much money sloshing around GitHub repositories. It’s that there isn’t more. Much, much more.
Think about it for a second. How much does the world depend on open source today? Now make that more personal: How much do you or your employer depend on open source? According to the 2024 Open Source Security and Risk Analysis (OSSRA) report, “open source components and libraries form the backbone of nearly every application in every industry.” We can’t rely on peace, love, and Linux to ensure the security and ongoing development of that code. We need money.
More money, more open source
This is saying something, as we already have lots of money in open source. I’ve pilloried the trillion-dollar cloud cabal for taking disproportionately to what they give to open source, but, really, that’s true of every single one of us. Even the most active open source contributor or maintainer consumes much more open source than she creates. That’s how it works. It’s a feature, not a bug.
Employees of these same clouds also do excellent work to ensure open source becomes meaningful as software evolves. One key area is artificial intelligence. As RedMonk analyst James Governor highlighted recently, employees from Microsoft, Google, and AWS are actively involved in the committee to define open source for AI. The cynical take on this is that of course they are—they’re protecting a trillion-dollar supply chain. The more optimistic view is that however true that may be of their employers, it’s not true of those particular individuals: They’re true open source believers and have spent years helping communities to function well.
Here’s the thing: The incentive is somewhat immaterial. All we should really care about is the outcome: more open source. Granted, this breaks down unless there is a desire to profit from open source and to contribute to it, but that’s another post.
Some are more equal than others
“More open source” also doesn’t really address the inequities in how open source is funded. Some projects, like Linux, have deep-pocketed, diverse sources of funding. This makes sense, given the central importance Linux has to so many enterprises. We really can’t spend enough money on its development, security, etc.
But most projects aren’t Linux and don’t enjoy its level of financial support. This may not be an issue for one random GitHub repository among the 160 million-plus repositories, but what if it’s JavaScript? The vast majority of Linux kernel maintainers are fully employed by Google, Intel, or other companies. But nearly half of JavaScript contributors don’t work for a big company, or if they do, they contribute in their spare time. This might give us nostalgic, old-timey open source vibes, but it presents a big problem, given that JavaScript is the world’s most popular programming language. Even Linux, with all its funding, still faces ongoing supply chain issues, but for a project like JavaScript, the supply chain risk is high.
The good news is that the OpenJS Foundation is on the case, raising money to help fund the security and sustainability of JavaScript. Under its parent organization, the Linux Foundation, OpenJS is introducing a new revenue-sharing model that aims to support archived, end-of-life, or older versions of OpenJS-hosted projects such as jQuery or Node.js. Time will tell if this particular approach will work, but there’s cause for optimism because the Linux Foundation has many years of experience raising and applying cash to support open source software.
In a nutshell, JavaScript needs more money, just as most open source projects do. Whether that money finds its way to projects through foundations or individual corporations, we need more of it to ensure the sustainability and security of open source, not less.
