Open Source: Easier to Use, Harder to Keep Alive

Synopsys

Fred Bals, researcher / writer, Synopsys Cybersecurity Research Center

Open source components and libraries are the foundation of literally every application in every industry. Synopsys' 2020 Open Source Security and Risk Analysis (OSSRA) report found 99% of the 1,253 codebases audited in 2019 contained open source. In fact, open source made up 70% of the audited codebases.

Now the flip side and the bad news: One of the reasons behind the popularity of open source are the communities improving and updating the code and patching issues as they become known. However, even when a user takes care to download components from robust open source communities, there's no guarantee the community will remain active in maintaining that component or any specific version of that component. Data shows the opposite being true. The audits detailed in the OSSRA report found that 88% of the codebases examined contained open source components with no development activity in the last two years.

The Tragedy of the Commons Meets Open Source Software

Open source projects going cold.  It's the tragedy of the commons in action; a shared resource growing so large in popularity that it can't remain viable unless the community consuming it shifts to sustaining rather than exploiting. Witness the Twitter thread started by James M. South, creator of several popular open source solutions, who bemoaned the fact that, "#ImageSharp passed 6 million downloads this weekend and I'm a lot less happy about it than I probably should be."

Why? South goes on in several follow-up tweets, "Over 5 years of development there have only been 98 collaborators, 23 of which have made more than 10 commits...it's not about money, it never was and never will be, it's about sustainability." Several other developers chimed in: "...a similar story for #FluentValidation. Over 41 million downloads... 140 contributors, but only 1 has made more than 10 commits," "Same with ReportGenerator... 15 million downloads but not a single sponsor."

With open source, the number of people working to ensure updates—including feature improvements as well as security and stability patches—decreases over time, especially when the project is being maintained by only a handful of committed developers or is a one-person operation. At some point, as a limited-supported or unsupported open source component ages, it's going to break—or open a codebase to exploit, and then all users suffer.

Too few people—and their organizations—who rely on open source software for their jobs and businesses are contributing to the projects whose open source they use. While development support is important, it's not necessarily just about the code—whether you're a writer, translator, designer, information security or legal specialist, the chances are good that you too can help support the community in some fashion. From a pragmatic standpoint, engaging with the communities whose open source projects you rely on is also one of the best ways to ensure those projects stay healthy, vital, and up to date.

Sustaining Partners