Open Source: Brace for Impact
In March 2024, the European Commission announced the approval of the Cyber Resilience Act (CRA) which “aims to safeguard consumers and businesses buying or using products or software with a digital component”. Among other things, the CRA will enforce secure design, vulnerability management, incident reporting, and supply chain security for all digital software and hardware with a digital component.
On one hand, this regulation is warranted given the multitude of security breaches we have seen in recent years and the negative impact they can have on consumers. On the other hand, this regulation adds another layer of friction to an industry that thrives on rapid development and experimentation, in addition to the free labor of enthusiastic developers.
Today, we are going to look at the open source ecosystem, its community, how contributors are compensated, and the potential impact the CRA will have on open source developers and the companies that rely on open source software (OSS).
Who Makes Up The Open Source Community?
Open source software is defined by having source code that anyone can inspect, modify, and enhance (Opensource.com).
The open source community - those who manage, use, and update this code - is an amalgamation of different individuals, entities, and also incentives. On GitHub, over 2 million developers participated in open source projects for the first time in 2023 alone (an all-time-high) and the community made over 300 million contributions to open source projects (GitHub).
On the developer side, there are a range of people maintaining the projects (maintainers) and contributing to these projects (contributors), all of whom have different incentives such as prestige among peers, practicing coding, a new challenge, or payment. Professionals (who are paid to maintain a project) are typically compensated by their primary employer or they generate revenue from sources like Patreon or GitHub Sponsors.
Despite the unstructured nature of the open source community, its work is critical to thousands of businesses across the globe. Today, more than 90% of Fortune 500 companies are using open source software (NBER). One example of this is Core-js, an open source library that has been downloaded over 9 billion times and is used by some of the largest websites in the world, including Twitch, Amazon, Twitter, and Microsoft. Interestingly, the Core-js project is largely maintained by one individual, its original creator, Denis Pushkarev (GitHub).
The State of Compensation in Open Source
Despite the broad impact that open source software has on society, compensation for maintainers remains limited, and increasing demands on these maintainers threaten to push them away from the ecosystem. In the Core-js example above, despite his success, Denis has consistently failed to generate meaningful sponsorship dollars and has publicly said, “I'm tired. Free open source software is fundamentally broken.” (GitHub).
While there are many professional maintainers who get paid by their companies, sponsors, or other organizations, over 80% are either part-time or unpaid despite contributing ~70% of the total work hours maintaining open source projects. Moreover, the myth that open source developers prefer their work as an unpaid hobby has largely been debunked: 77% of unpaid maintainers say that they would like to get paid for their work (Tidelift).
On top of all this, the work these maintainers are being asked to do is growing more laborious as security becomes more important.
To summarize, non-professional maintainers of open source software are:
- Contributing the lion’s share of the work on these projects (by time spent)
- Largely unsatisfied with their compensation
- Increasingly frustrated with the type of work they are being asked to do by the community
Looking ahead, this is a bleak outlook for the future of innovation and appears to present an existential threat to the open source ecosystem.
CRA’s Impact on Open Source
CRA is not the first piece of legislation that has brought OSS security into focus. Others in the US include Executive Order 14028 and, more recently, the Request for Information on Open-Source Software Security. However, CRA appears to be the most direct in making all commercial entities take responsibility for the OSS they use. And while this will only apply to the EU in the near term, it sets a precedent for other countries to follow.
This regulation could add an additional layer of friction to the ecosystem, causing the marginal maintainer or contributor, who is already frustrated with the state of OSS, to stop supporting their projects. Maintainers may feel obligated to be CRA compliant in order to see adoption and may have to shoulder the larger burden of security, which we have emphasized is largely unpaid. Others may not be willing to adhere to CRA, leaving the responsibility to the company using the software. When maintainers were asked why they may not align with existing regulations, they cited time and money as their largest concerns.
It is unclear how this will impact the broader OSS ecosystem and it is likely to vary dramatically by project. However, CRA compliance will increase dollars into the open source ecosystem, either in the form of large companies hiring additional developers to participate in OSS communities or paying communities to maintain code compliance.
In the latter case, the trend of establishing Open Source Program Offices (OSPOs) within companies is likely to accelerate rapidly, arguably becoming a must-have at any large corporation. An OSPO serves as the center of competency for an organization's open source operations and structure and is responsible for defining and implementing strategies and policies to guide these efforts (GitHub). Today, ~30% of the Fortune 100 companies have OSPOs (GitHub). In 2023, OSPO and OSS initiative adoption increased 32% year-over-year, with 11% of surveyed companies saying they plan to implement one soon (Linux Foundation).
How could this impact game developers?
One of the most popular open source projects in gaming is Godot, a free, cross-platform game engine released under the MIT license. As of September 2024, the Godot GitHub repository has over 20k forks and ~90k stars (GitHub). Popular games like Sonic Colors: Ultimate, Cassette Beasts, Brotato, and The Case of the Golden Idol have all been developed using Godot.
While the final implications of CRA will require legal interpretation, the use of Godot as a game engine is unlikely to be impacted by CRA given that it is largely used for its output. However, many developers use other open source projects like Nakama (game backend), Mirror Networking (net code), CMake (build automation), or Nextcloud (file hosting) with their games. Services like these, which manage sensitive information, may be highly scrutinized, and compliance will fall on the companies using the code, in this case the developers and studios.
Takeaway: The Cyber Resilience Act marks a turning point for the open source ecosystem, as it imposes new security and regulatory demands on software leveraged by corporations. While the intent to safeguard digital products is crucial in a world of increasing cybersecurity risks, the burden this legislation places on the open-source community could deepen existing frustrations with maintainers.
Many maintainers, who are already underpaid and frustrated, may fail to comply with regulations, forcing large corporations that use this software to pay up. It is likely that we will see increased corporate investment in open source projects through Open Source Program Offices (OSPOs), through sponsorships for existing maintainers, or by paying employees to contribute necessary security measures to projects that they use.