Tidelift has recently released the results of a survey of more than 400 open source projects. The findings reveal some interesting insights.
According to the results, 60% of open source projects receive no payment for their work; 14% consider the work a hobby and are not interested in receiving money, while 44% are open to receiving funding. 24% of projects derive a major part of their income from this work, and 12% rely on it as their main source of income. Additionally, 24% are paid in the form of a salary from their employer, and 32% receive funds from third-party organizations or private individuals. Among those who receive payment, 74% have assistants, compared with only 39% of those who are not paid.
When it comes to time allocation, 11% of maintainers' time is spent on security tasks, 50% on routine work, and 35% on developing new opportunities. Paid maintainers spend 13% of their time on security tasks, while unpaid maintainers spend 10%.
The survey also found that 71% of maintainers use two-factor authentication, 65% use static code analysis tools, 60% work on patches to eliminate vulnerabilities, 36% sign releases with a digital signature, and 29% use secure build tools.
Common practices among maintainers include reproducible or verified builds (53%), rules for preserving backward compatibility (46%), a defined process for handling dependencies (40%), and code review by multiple participants (37%).
Furthermore, 93% of projects document their license, 76% publish release notes and update recommendations, 61% provide contribution guidelines for participants in development, 53% have a code of conduct, 17% document conflict resolution rules, and 13% establish fees in case a maintainer leaves the project.
Interestingly, 48% of maintainers feel underappreciated, and 38% are considering stepping down from their role as maintainer. Following the backdoor incident in the XZ library, 66% of respondents started trusting pull requests from developers who are not maintainers, and 37% started trusting co-maintainers.