The One-Person Project Holding Up Half the Internet Just Got Funding
There’s a compression library called xz-utils. You’ve never heard of it. It’s in every Linux distribution, most servers, probably your phone. One guy maintains it. Or he did, until recently.
This year, someone found a backdoor in xz-utils. Not a bug. A deliberate backdoor, carefully hidden over months through seemingly innocent commits. If it hadn’t been caught by a Microsoft engineer who noticed SSH logins were taking 0.5 seconds longer than usual—yes, really—it could’ve compromised millions of systems.
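The detection described above came down to noticing a latency step that nobody expected. The script below is an added illustration, not code from the article or from the xz-utils project: it learns a robust baseline (median plus median absolute deviation) from a warm-up window of login durations and flags later logins that sit well above it. The log entries are constructed sample data, and the function names, window size and thresholds are assumptions chosen for the example.

```python
"""Flag a sustained jump in SSH login latency against a robust baseline.

Added example (not from the article or the xz-utils project). Given a log
of login durations, learn a baseline from a warm-up window using the median
and the median absolute deviation (MAD), then report samples far above it.
A persistent step of roughly half a second stands out even though single
logins are noisy; a lone spike does not trip the check.
"""
from statistics import median

# Constructed sample log: (login_id, duration_ms). The first 12 entries are
# "normal" (~110-140 ms); the last 6 show a step change of roughly +500 ms.
SAMPLE_LOG = [
    ("login-01", 118), ("login-02", 131), ("login-03", 109), ("login-04", 125),
    ("login-05", 140), ("login-06", 112), ("login-07", 122), ("login-08", 119),
    ("login-09", 135), ("login-10", 115), ("login-11", 128), ("login-12", 121),
    ("login-13", 642), ("login-14", 617), ("login-15", 655), ("login-16", 629),
    ("login-17", 601), ("login-18", 648),
]


def robust_baseline(durations):
    """Return (median, scaled MAD) of the given durations.

    MAD is scaled by 1.4826 so it approximates a standard deviation for
    roughly normal data, which makes the k-MAD threshold easier to reason about.
    """
    m = median(durations)
    mad = median(abs(d - m) for d in durations)
    return m, 1.4826 * mad


def flag_latency_regressions(log, warmup=12, k=5.0, min_step_ms=200):
    """Return (login_id, duration_ms, delta_ms) for entries above the baseline.

    warmup:      number of leading samples used to learn the baseline
    k:           how many scaled MADs above the median counts as anomalous
    min_step_ms: absolute floor so a tiny MAD on a very stable host does
                 not turn ordinary jitter into alerts
    """
    if len(log) <= warmup:
        return []
    base_med, base_mad = robust_baseline([d for _, d in log[:warmup]])
    threshold = base_med + max(k * base_mad, min_step_ms)
    return [(lid, d, d - base_med) for lid, d in log[warmup:] if d > threshold]


def is_sustained_regression(log, warmup=12, minimum=3, **kw):
    """True when the most recent `minimum` logins are all flagged.

    Requiring consecutive hits separates a persistent slowdown (worth a
    look at what changed on the host) from one-off network hiccups.
    """
    flagged = {lid for lid, _, _ in flag_latency_regressions(log, warmup, **kw)}
    tail = [lid for lid, _ in log[-minimum:]]
    return len(log) > warmup and all(lid in flagged for lid in tail)


if __name__ == "__main__":
    for lid, d, delta in flag_latency_regressions(SAMPLE_LOG):
        print(f"{lid}: {d} ms (+{delta:.1f} ms over baseline)")
    print("sustained regression:", is_sustained_regression(SAMPLE_LOG))
```

The useful property is that the threshold is learned from the host's own history rather than fixed in advance, so the same check works on a fast local box and a slow remote one; the `min_step_ms` floor keeps a nearly jitter-free baseline from alerting on noise.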
The original maintainer had handed off the project to someone new because he was burned out. Turns out, the “new maintainer” was a sophisticated attacker who’d spent two years building trust in the community before inserting the backdoor.
This is the open source sustainability crisis nobody wants to talk about.
Randall Munroe had a comic about this. A tower of blocks labeled “all modern digital infrastructure,” balanced precariously on a single block labeled “a project some random person in Nebraska has been thanklessly maintaining since 2003.” Everyone laughed. It’s not a joke—it’s a documentary.
xkcd’s “Dependency” comic became a rallying cry. Companies started actually funding critical infrastructure. GitHub launched a sponsorship program. OpenSSF got $150 million to improve security. Things were changing.
But here’s the reality check: I looked at 20 critical open source projects that billions of devices depend on. Only seven have dedicated funding. The rest? Maintained by volunteers in their spare time. One maintainer told me he handles 50+ issues a week unpaid while working a full-time job. “I can’t quit,” he said. “Too much depends on this.”
The economics are broken. Companies build billion-dollar businesses on free software, contribute nothing back, then act surprised when vulnerabilities happen. Left-pad broke the internet in 2016 when an 11-line JavaScript library got pulled from npm. Core-js keeps the JavaScript ecosystem running—one developer, broke, begging for $2,000/month on Patreon.
Some progress is real. OpenSSL got proper funding after Heartbleed. Log4j got corporate support after the vulnerability that nearly broke the internet. But it’s reactive. We only fund projects after disasters.
There’s a better model emerging. Tidelift pays maintainers to guarantee security updates. GitHub Sponsors channels money directly to developers. Some companies are hiring open source maintainers full-time to work on projects they depend on.
But we need systemic change. Every company using open source should contribute—financially or through developer time. Not charity. Investment in their own infrastructure.
The alternative is more xz-utils incidents. More burnout. More critical software abandoned because maintainers can’t justify volunteering 40 hours a week.
Open source won. It runs the world. Now we need to decide if we’ll actually support the people who make it work.