Where do we stand with the OS software supply chain?

New report discusses OS supply chain challenges, opportunities

Published on: 20/10/2023 News

Last week, Sonatype presented their annual Report on the State of the Software Supply Chain which looked at the patterns of open source (OS) maintenance, adoption and consumption. Specifically, it investigated the growth of the software supply chain, the use of software bill of materials (SBOM), the rise of OS regulations, as well as the use of artificial intelligence (AI) and machine learning (ML) by developers.

[Figure: screenshot from the report showing the breakdown of demand for each of the four major ecosystems (Java, JavaScript, Python and .NET).]

The possibility of doing this type of third-party scrutiny on the source code and supply chain is one of the key societal benefits of open source. Any issues discovered could also exist in proprietary packages, but users of proprietary software have no way of checking. The report highlights individual and systemic solutions that can effect change. As the authors put it – the report is “not just a cautionary tale, but a call to action.”

The report measured that within the four major ecosystems (JavaScript, Java, Python and .NET), the number of open source projects published has grown at an average rate of 15% per year over the past three years, which indicates a steady pace and scale of innovation in these ecosystems. The pace has slowed significantly from the above-60% rate seen in the pre-2019 period. While the authors attribute the slump in productivity to the COVID-19 pandemic and the decrease in developers’ free time, they also note a recovering rate of production growth, with the number of OS projects growing by one third between 2022 and 2023. Although the demand side of the market is experiencing a slowdown due to its overall saturation, the two largest ecosystems included in the study – Maven and npm – are requested a staggering 1 trillion and 2.3 trillion times respectively. This shows a continued interest in OS consumption.

According to the report, supply chains are “one of the fastest growing vectors for adversaries to execute malicious code,” with nation-state actors becoming increasingly active in leveraging supply chain vulnerabilities for nefarious purposes. However, the report also concludes that developers are making great strides in addressing these concerns by adopting new security policies, such as mandatory multi-factor authentication, cryptographically signed releases or deploying fuzzing tools to check for vulnerabilities. The authors also point out that organisations should be more diligent about software updates, having found that around 96% of downloaded components with known vulnerabilities had a fixed version that was already available at the time of the download.
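As an added illustration of the update-hygiene point above (this is example code written for this article, not Sonatype’s tooling or the report’s methodology): a small check that reads a CycloneDX-style SBOM together with a list of advisories and reports which components sit on a vulnerable version for which a fixed release already exists, then computes the same “fix was already available” share that the report quotes. The SBOM, advisory identifiers and package names are constructed sample data, and the range semantics (a component is affected from the `introduced` version up to, but excluding, the `fixed` version) are an assumption of the example.

```python
"""Added example: flag SBOM components that are on a version with a known
vulnerability although a fixed release has already been published.
The SBOM and advisory data below are constructed, not real advisories."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed CycloneDX-style SBOM fragment (sample data, not a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-http-client", "version": "2.1.0",
         "purl": "pkg:maven/org.example/example-http-client@2.1.0"},
        {"name": "example-xml-parser", "version": "1.4.2",
         "purl": "pkg:npm/example-xml-parser@1.4.2"},
        {"name": "example-logger", "version": "3.0.1",
         "purl": "pkg:pypi/example-logger@3.0.1"},
    ],
})

# Constructed advisory feed. Affected range is [introduced, fixed);
# fixed=None means the maintainers have not published a fix yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-http-client", "introduced": "2.0.0", "fixed": "2.1.5"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-xml-parser", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-0003", "name": "example-logger", "introduced": "3.0.0", "fixed": None},
]


@dataclass
class Finding:
    name: str
    version: str
    advisory: str
    fixed: Optional[str]  # None when no fixed release exists yet


def parse_version(version: str) -> tuple:
    """Turn '2.1.5' (or '1.4.2-beta', pre-release tag ignored) into a comparable int tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in [introduced, fixed); an open range when fixed is None."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def audit_sbom(sbom_json: str, advisories: list) -> List[Finding]:
    """Match every SBOM component against every advisory for the same package name."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == component["name"] and is_affected(
                component["version"], adv["introduced"], adv["fixed"]
            ):
                findings.append(Finding(component["name"], component["version"],
                                        adv["id"], adv["fixed"]))
    return findings


def fix_available_ratio(findings: List[Finding]) -> float:
    """Share of vulnerable components for which a fixed release already exists
    (the metric the report puts at roughly 96% across all downloads)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed is not None) / len(findings)


if __name__ == "__main__":
    results = audit_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix published yet; mitigate or replace"
        print(f"{f.name} {f.version}: {f.advisory} -> {action}")
    print(f"fix already available for {fix_available_ratio(results):.0%} of vulnerable components")
```

Run against a real SBOM, the same loop would be fed by an advisory source such as an OSV export rather than the inline list, and the version comparison should be replaced by the ecosystem’s own ordering rules (Maven, npm and PyPI each differ), since the simple numeric tuple used here is only adequate for the constructed sample.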

To get a fuller picture, it is worth looking at other resources which focus on the developer/maintainer side of the equation. According to Tidelift’s “State of the Open Source Maintainer” report, 60% of maintainers consider themselves unpaid hobbyists, while only 13% identify themselves as professional maintainers earning most of their income from maintaining projects. However, contrary to the popular theory that most maintainers prefer to work on open source as an unpaid hobby, 77% of the maintainers who are not paid said they would prefer to be paid. This points to a larger issue in OS consumption patterns: open source makes up as much as 90% of the code used in contemporary digital infrastructure, with most of the maintenance work depending on the labour of (often) unpaid and overstretched developers.

Having said that, other reports – like the Linux Foundation’s “Open Source Maintainers” – point out that maintainers are well aware of the issues that can arise from their way of working (e.g. burnout), and deploy techniques to prevent them from occurring. This can take the form of recognising that OS work is never finished, designing a lifestyle that balances work and personal pursuits, avoiding unpaid projects that require excessive administrative work, automating workflows to increase efficiency, or setting boundaries with regard to communication and working hours.

The Sonatype report suggests that AI and ML components and models may make it possible to offload some of the maintenance workload onto machines. Indeed, the report finds that 97% of the interviewed developers currently incorporate generative AI in their workflows to some degree, with around half of them using AI to generate and test their code, saving as much as six hours a week. Given the capability and widespread adoption of these tools, the report quotes OpenAI’s Andrej Karpathy in claiming that “the hottest new programming language is English.” However, this adoption comes with its own challenges – over the summer, software developers filed a class action lawsuit against Microsoft, GitHub and OpenAI, alleging that GitHub’s Copilot programming suggestion service reproduced nearly identical lines of code to the ones they had created, in violation of US federal copyright law.

The report provides a comprehensive look at the state of OS software development, pointing out some persisting challenges and the interest in OS adoption. It is clear that addressing security and maintenance issues remains a top priority for the whole ecosystem, but this will not be possible without greater financial and structural support for the developers and maintainers.