Open Source technologies build the foundation of the free and open internet, but many are developed by only a single maintainer or a very small community.
Despite the critical role these tools play in the internet ecosystem, they are perpetually under-funded and under-supported.
The similarity to other “system relevant” professions is striking: The more we need them to keep the system running, the less we are willing to appreciate and sufficiently fund them.
Who cares? We all need to, as without proper funding and without redundant staffing, these projects may die out, leaving critical components unmaintained.
This year we see the 10th anniversary of the disclosure of Heartbleed, an OpenSSL bug allowing for massive exploit of that key encryption library.
At the time of disclosure, some 17% (around half a million) of the Internet's secure web servers were believed to be vulnerable to the attack.
It allowed theft of the servers' private keys and users' session cookies and passwords,
making this the “worst vulnerability found since commercial traffic began to flow on the Internet” (Wikipedia).
When Heartbleed was discovered, OpenSSL was maintained by a handful of volunteers, only one of whom worked full-time.
Yearly donations to the OpenSSL project were about $2,000$.
In my talk, I will showcase the state of a couple of key and well-known Open Source technologies, exploring their staffing and funding situation.
We will revisit the improvements that happened since Heartbleed put a spotlight on the situation, but I will also share examples of a continuation of the problem, like the Log4j exploit in 2021.
The keynote is meant as a call to action both for us as individuals as well as a society, to care for Open Source software and those who write it - as one.of the key common goods our society ‘s infrastructure is built on.