The recent XZ Utils Linux backdoor shone a spotlight on a major problem in the open source community: maintainer burnout. It’s time for a change.
The Linux world was rocked in late March when Microsoft engineer Andres Freund discovered a malicious backdoor in the popular XZ Utils package, a set of compression libraries and tools used by nearly every major Linux distro. What sets the XZ backdoor apart from many attacks is the amount of work that went into achieving it.
The primary maintainer, Lasse Collin, was burnt out and dealing with mental health issues—an all too common situation among open-source maintainers. In fact, according to a survey by Tidelift, nearly 60% of maintainers have quit, or at least thought about quitting. Interestingly, some of the top reasons for maintainers quitting were other priorities, losing interest, burnout, not making enough money, the project taking too much time, not enjoying the work anymore, and too many demands from workers.
When lumping those various reasons together, they all form varying degrees of the same problem: being an open-source maintainer is often a thankless job that puts incredible demands on people’s time and patience and rarely pays enough to make it worthwhile.
Collin knows that all too well. Already burnt out, he was an easy target for a bad actor named Jia Tan. Tan, and possibly others working with them, alternately built Collin’s trust and bullied him into giving Tan full maintainer rights to the project. Tan then carefully added the malicious code to the XZ Utils project over a period of time, taking measures to make sure the code would not be discovered. Unfortunately, Collin’s situation is likely one that will repeat over and over again.
What Is Causing the Problem?
Why are open-source maintainers burning out? What is contributing to the problem?
Much of it comes from unrealistic demands on maintainers’ time and energy. Many maintainers start out developing an app, library, or tool for their own purposes. As others begin using the software and it becomes more popular, it may eventually find its way into the repos of various Linux distros. Once that happens, other packages may start depending on the software.
At that point, maintaining the package can quickly become a nightmare as individual users and corporations depend on it, request new features, and make increasing demands on the maintainers’ time.
To make matters worse, increased cybersecurity legislation adds additional burdens on maintainers, stretching their resources even more.
What Is the Solution?
There are actually several solutions that could help alleviate the problem.
Corporations Need to Step Up
The single biggest solution to the problem is for companies and organizations that rely on packages to step up and help support the maintainers of those packages. If a multi-million or multi-billion dollar corporation relies on an open source package, it’s not unreasonable to expect it to contribute to the maintainer of that package in a meaningful way.
While this seems like a no-brainer, it’s shocking how often a multi-billion-dollar corporation puts demands on volunteer maintainers. Microsoft recently did this with the FFmpeg developers.
After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead.
This is unacceptable.
We didn’t make it up, this is what @microsoft @microsoftteams actually did:
— FFmpeg (@FFmpeg) | April 2, 2025
Here is the comment from Microsoft on the FFmpeg tracker:
Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experiencing issues with Caption during Teams Live Event. Please help,
To emphasize the point, Microsoft is a $3 trillion company asking for a high-priority fix to an open-source library on which its commercial product relies. When pressed, the best the company would offer was a one-time payment rather than ongoing support for a project that is critical to one of its commercial products.
To put it plainly, this is unacceptable and needs to change.
Individuals Should Help Out
Individuals can and should contribute to their favorite open-source projects. Even if it’s only a few dollars a month, if hundreds or thousands of users chip in and support a project, it can result in a substantial benefit to the maintainer.
Reduce Dependencies
Another thing that could help reduce the strain on developers is for Linux distros to reduce the number of dependencies. There are instances where a project is genuinely a required dependency of another project. Many times, however, projects experience dependency creep, adding dependencies that aren’t really required.
Reducing the number of dependencies to only what is truly required would help reduce the workload on maintainers of smaller projects.
Open Source Is Too Important to Fail
Open-source software is far too important for the status quo to remain. In fact, 99% of new software projects rely on at least some open-source components, according to Gitnux.
If companies and individuals want to continue to benefit from the open source community, it’s time to step up and help support the projects they value.