A new survey of FOSS (Free and Open Source Software) contributors, conducted by the Linux Foundation and academic researchers, reported that 91 per cent of respondents are male, the great majority has full-time paid employment, and that they spend on average under 3 per cent of their time on security issues, with little inclination to increase it.
The research is a collaboration between the Core Infrastructure Initiative at the Linux Foundation – now part of The Open Source Security Foundation (OpenSSF) formed in August – and the Laboratory for Innovation Science at Harvard University. There were 1,196 survey respondents, split between invited participants who work for "the most widely used open source projects," and those who responded to an open invitation.
The survey was international, with 35 per cent of respondents based in the Americas, 53 per cent in Europe, Middle East and Asia, and 13 per cent in the Asia Pacific regions. Yes, it was rounded up to 101 per cent.
Contributors give security a low priority both in time spent and time they would like to spend on open source contributions
"The majority of respondents were male and between 25 and 44 years old," said the report, and they were generally in full-time employment despite the COVID-19 economic downturn, observed the researchers. 48.7 per cent were paid by their employer specifically for time spent on open source projects and 2.95 per cent received payment from another party – enabling the researchers to conclude that just over half were paid directly for their FOSS contribution.
Change of heart for employers?
Ten years ago, only around 35 per cent of employees were allowed to contribute to FOSS projects without specific permission. That figure has risen to over 45 per cent, indicating a positive change in attitudes, but the researchers said "there is still room for improvement," with some firms having unclear or poorly communicated policies.
The impact of involvement in open source projects is positive for both employees and employers, the researchers said. Companies that encourage open source contributions attract higher calibre programmers, the report said, and the skills acquired via FOSS are valuable.
Why do people contribute to FOSS?
The top reason was pragmatism, with developers adding or fixing features they use in their own projects. Other high-ranking motivations were enjoyment, a sense of obligation to contribute back to FOSS, and belief in its mission. Payment ranked rather low in the list of motivations. There was also a high level of commitment, with most respondents saying they are "extremely likely" to keep contributing, the research found.
The OpenSSF is focused on security and it is here that the survey raised some difficult issues. Asked how time was allocated between areas such as writing new code, bug reports, documentation, researching new ideas, and so on, security came at the bottom of the pile, taking less than 2.5 per cent of their effort.
Further, "the respondents do not report a desire to increase this significantly," said the report. Comments quoted include that "I find the enterprise of security a soul-withering chore" and that "I find security an insufferably boring procedural hindrance."
These attitudes are unfortunate in the context of wide use of open source in business-critical software and infrastructure. What is to be done? The report noted that bearing in mind their motivations, "it is unlikely that simply offering money to contributors for focusing on security will move the needle a great deal."
Other approaches must be found, and suggestions include automation of security warnings in the "CI [Continuous Integration] pipeline" and funding audit reports of critical FOSS projects. "Developers generally do not want to become security auditors; they want to receive the results of audits," the researchers said.
The report's authors also suggested rewriting code, including "entire components of FOSS projects that are prone to vulnerabilities." This presumes that the new code is written in a more secure manner than what it replaces, which the report suggested could be done with a "switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages)."
Mozilla's effort to rewrite parts of Firefox in Rust was mentioned. The report acknowledged, though, that "this approach has many challenges," including the work of rewriting, effort in learning new languages, and difficulty in getting contributors to agree on the new language to be used.
Another problem is interoperability with existing code. "If its callers are typically written in C, it's often simplest to write the component in C," the report said.
Yet another snag is that although security work is costly, it will "have no immediate visible advantage to users since they will typically not see an immediate functional improvement."
Another proposal is for badging programs "like the Core Infrastructure Initiative's Best Practices Badge" to become "a powerful new norm that encourages projects to develop and maintain secure software development practices," the report said, though we doubt that would be enough to sway those who find it a "soul-withering chore."
Further details can be found in the full report here. ®