The recent supply chain attack involving polyfill.io, which affected over 100,000 websites including high-profile entities like JSTOR and the World Economic Forum, has brought to light a critical issue lurking in the shadows of our digital infrastructure: the precarious state of open-source software (OSS) maintenance.

At first glance, this incident might seem like a straightforward case of cybersecurity negligence. However, dig a little deeper, and you’ll find a more complex narrative that speaks volumes about the sustainability of our digital ecosystem.

The Polyfill Predicament

Polyfill.io, a popular service that dynamically serves JavaScript polyfills, was recently acquired by a Chinese company. Subsequently, the service began injecting malware into websites that relied on it. This turn of events has left many scratching their heads, wondering how such a widely used tool could become a vector for attack.

The answer, though uncomfortable, is simple: the original maintainers, who had poured countless hours into developing and maintaining this critical piece of infrastructure, eventually stepped away. With no sustainable model for continued development and maintenance, the project became vulnerable to exploitation.
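What made the takeover effective on the website side was a pattern worth auditing for: a `<script src>` tag that pulls JavaScript from a host the site owner does not control, with nothing pinning the bytes that arrive. The following audit is an added example written for this post, not code from polyfill.io or from any of the affected sites. It scans an HTML document for external script tags and flags third-party ones that carry no Subresource Integrity (SRI) `integrity` attribute. The sample HTML, the hostnames (`www.example.org`, `cdn.example.net`, `cdn.polyfill.example`) and the `sha384-PLACEHOLDERHASH` value are all constructed for the demonstration.

```javascript
// Added example (not from the original post): audit an HTML document for
// third-party <script src> tags and report which ones lack Subresource
// Integrity (SRI). A script fetched from a host you do not control and
// loaded without an integrity hash can change under you at any time,
// which is the exposure the polyfill.io takeover turned into an attack.
//
// Caveat: SRI only works when the served bytes are fixed. A service that
// generates different JavaScript per browser (as a dynamic polyfill
// service does) cannot be pinned this way; the remaining options are
// self-hosting a fixed build or removing the dependency.

// Matches each opening <script ...> tag and captures its attribute string.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// Matches name="value", name='value' or name=value attribute pairs.
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Constructed sample page: one first-party script, one pinned third-party
// script, one unpinned third-party script and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.polyfill.example/polyfill.min.js"></script>
<script>console.log('inline')</script>
</head></html>`;

function parseAttrs(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per external script tag: where it loads from,
// whether that host differs from the page's host, whether an integrity
// hash is present, and a risk label for the unpinned third-party case.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const tag of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(tag[1]);
    if (!attrs.src) continue; // inline script: nothing external to pin
    let src;
    try {
      src = new URL(attrs.src, page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparseable src attribute; skip rather than guess
    }
    const thirdParty = src.host !== page.host;
    const hasSri = typeof attrs.integrity === 'string' && attrs.integrity.trim() !== '';
    findings.push({
      src: src.href,
      thirdParty,
      hasSri,
      // Browsers only enforce SRI on cross-origin loads when crossorigin is set.
      crossorigin: attrs.crossorigin !== undefined,
      risk: thirdParty && !hasSri ? 'unpinned-third-party' : 'ok',
    });
  }
  return findings;
}

// Convenience view: just the URLs an operator needs to act on.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.risk === 'unpinned-third-party')
    .map((f) => f.src);
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, 'https://www.example.org/'), null, 2));
console.log('Unpinned third-party scripts:', unpinnedThirdParty(SAMPLE_HTML, 'https://www.example.org/'));
```

Run it with `node` on a saved copy of a page's HTML by swapping `SAMPLE_HTML` for the file contents. A finding with `risk: 'unpinned-third-party'` is the shape of dependency that polyfill.io represented; the fix is either an `integrity` attribute (for static assets) or self-hosting a fixed copy (for anything generated per request, where SRI cannot apply).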

The Invisible Labour Crisis

This incident is merely the tip of the iceberg. Across the digital landscape, countless critical tools and libraries are maintained by individuals or small teams working without compensation. These unsung heroes of the tech world often balance full-time jobs with their open-source commitments, driven by passion and a sense of community responsibility.

However, as projects grow in popularity and become integral to the functioning of major websites and applications, the burden on maintainers increases exponentially. Bug reports flood in, feature requests pile up, and the pressure to keep everything running smoothly becomes overwhelming.

The Sustainability Conundrum

The open-source model has given us incredible innovations and fostered a culture of collaboration that has propelled technology forward. However, it’s becoming increasingly clear that this model has a critical flaw: it often fails to provide sustainable support for the very people creating and maintaining these essential tools.

Consider the following points:

1. Burnout is rampant among OSS maintainers, with many feeling overwhelmed by the demands placed on them.

2. Critical security updates may be delayed or overlooked due to lack of resources or time.

3. Maintainers may be forced to choose between their open-source commitments and their paying jobs, often to the detriment of the former.

4. The risk of abandonment or malicious takeover increases as maintainers struggle to keep up with demands.

Towards a Sustainable Future

So, what can be done to address this crisis? Several potential solutions have been proposed:

1. Corporate Sponsorship: Companies that rely heavily on open-source tools could allocate resources to support their development and maintenance.

2. Community Funding Models: Platforms like GitHub Sponsors and Open Collective allow users to financially support projects they rely on.

3. Paid Maintenance Contracts: Larger organisations could enter into paid support agreements with maintainers of critical dependencies.

4. Education and Awareness: Both developers and organisations need to be more conscious of the labour that goes into the tools they use daily.

5. Government Support: Recognising open-source as critical digital infrastructure, governments could allocate funding to support key projects.

The Path Forward

The polyfill.io incident serves as a stark reminder of the fragility of our digital ecosystem. It’s high time we had a serious conversation about the sustainability of open-source software and the welfare of the individuals who maintain it.

As users of open-source software, we all bear some responsibility. Whether you’re an individual developer, a tech leader at a major corporation, or a policymaker, it’s crucial to consider how you can contribute to a more sustainable open-source ecosystem.

After all, the security and stability of our digital world depend on it. The next time you npm install or pip install, spare a thought for the individuals behind those packages. Their unpaid labour keeps the internet running, and it’s time we recognised and supported their critical work.