Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Open Source

Report Finds Few Open Source Projects are Actively Maintained (infoworld.com) 53

"A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained," reports InfoWorld: In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects — 118,028 — were receiving active maintenance.

The report also found some new projects, unmaintained in 2022, now being maintained.

The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. Some Go projects also were included. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.

Other interesting findings:
  • Nearly 10% reported security breaches due to open source vulnerabilities in the past 12 months.
  • Use of AI and machine learning software components within corporate environments surged 135% over the last year.

This discussion has been archived. No new comments can be posted.

Report Finds Few Open Source Projects are Actively Maintained

Comments Filter:
  • In my experience, open source means no more no less than allowing someone else, usually a big corporation, to steal your work and then demand you keep maintaining it for free because they rely on your project to make money. F... off.

    • by AleRunner ( 4556245 ) on Sunday October 15, 2023 @12:03PM (#63926647)

      In my experience, open source means no more no less than allowing someone else, usually a big corporation, to steal your work and then demand you keep maintaining it for free because they rely on your project to make money. F... off.

      If you have a problem with this then you need to fix your software license. Normally (but not always) a license like the AGPLv3 will ensure that they are contributing back to your software base. If they demand fixes without being willing to pay, rather than providing fixes and helping you, then they are customers not collaborators. Non paying customers get non-service.

  • Zipf distributions seem to be everywhere. Most web pages hardly get any visitors, a few get tons. Most words in a dictionary are rarely used, a few are used all the time. And here: most OSS projects are unmaintaned, a few are very actively maintained.
  • by sjames ( 1099 ) on Sunday October 15, 2023 @12:06PM (#63926655) Homepage Journal

    Since Open Source projects don't have a sales and marketing department rending their garments for new features nor executives desperate for "shareholder value", once mature and sufficient, they tend not to be actively maintained unless or until someone actually needs another feature bad enough to submit a patch or pay someone else to.

    • by HBI ( 10338492 )

      I had an employer (since passed on) who had run a contracting company dependent on the US government for many years before I came to work for him. I remember him saying to me about how he'd tried many times to work in the commercial sector exclusively but he couldn't stop sucking at the tit of government.

      I think this is hugely analogous to the open source thing. I've contributed to a number of OSS projects but I don't go back and look at what I submitted. It was single use, one shot that scratched *my* i

    • by Merk42 ( 1906718 )
      "Maintain" doesn't solely mean "add new features". It can also mean "ensure existing functionality doesn't break in an ever changing environment" or "ensure no security vulnerabilities from an ever growing list of attack vectors".
      • by sjames ( 1099 )

        Sure, but if it is well programmed rather than relying on the flavor of the week dependencies, it can run correctly for years or decades. Many apps that don't include network functionality actually have no security implications.

        • by Merk42 ( 1906718 )
          Yes, if your software only prints "Hello World" and doesn't interact with anything ever, sure. However, most software is just a little more complicated than that.
          • by sjames ( 1099 )

            Really, if your software isn't run with elevated privileges and doesn't interact with the network, it doesn't really have much relevance to security as long as it doesn't do anything really stupid like treat data as executable (looking at MS products).

            Some software reaches maturity and then doesn't really need anything but a way to download it.

  • by quantaman ( 517394 ) on Sunday October 15, 2023 @12:11PM (#63926665)

    So they're talking about dependency management.

    Only 11% of Open Source projects are maintained. But most of those unmaintained projects are hobby projects where the person lost interest, or internal tools from a company (that also lost interest).

    But when I'm installing a dependency in my project I'm using something like numpy or pandas. I'm not using phil_lib unless Phil did something really critical that I needed, and even then it's probably something pretty small and very specific and it probably doesn't matter if Phil moves on.

    So what's the percentage of actively maintained software that has a dependency that is no longer maintained? I didn't see that figure which makes me believe it's pretty low or the "software supply chain management company" would have made it the headline.

    There's a ton of "open source projects" that are some individual's hobby, or a company's internal tool. It becomes a project until they lose interest, and then it's gone.

    • by pjt33 ( 739471 )

      Not to mention that I'm surely not the only person to have a few "open source projects" on Github which are just a minimal reproducible demonstration of a bug which I needed to put online before submitting the bug.

    • Dependency management is hard. Deps go wonky all the time even when they are actively maintained. Example: security issue forces a breaking API change, breaking my code.

      Which is why I'm ok with using Newtonsoft.Json or NumPy, but not so much gfhs.ciwn.H4ck4r3.DoEverythingLib with 400 recursive dependencies, including multiple incompatible versions of the same exact ones. Or for that matter HansReisersCoolNewKillerFS.

      I try to audit all direct and indirect 3rd party dependencies of the software for wh

  • Yes, so? (Score:5, Interesting)

    by gweihir ( 88907 ) on Sunday October 15, 2023 @12:16PM (#63926671)

    There are a lot of FOSS projects that are not relevant. There are also some that are stable and do not need maintenance. For example, gzip will likely need maintenance when systems move to 128 bit.

    The metric metric is mostly bogus. This seems to be somebody that thinks they can compare commercial software and FOSS in this way. Just shows a lack of clue.

    • This seems to be somebody that thinks they can compare commercial software and FOSS in this way. Just shows a lack of clue.

      Except they show all these open source statistics but none on closed source. They don't actually DO a comparison.

      Most proprietary programs I ever used have been discontinued and not all ever had a patch. Some were dropped by the company stopping my use as they no longer operated the online component needed to run it. So how is that any different?

  • OMG, so few?? (Score:4, Insightful)

    by Kiliani ( 816330 ) on Sunday October 15, 2023 @12:18PM (#63926673)

    Seriously. I read this as "there are around 130,000 projects actively supported". That is not a small number, so I am not sure why I am supposed to be worried. It's easy to submit, there is early excitement by the developers etc. etc. Seems to be human nature, not a software thing.

    From my perspective, if that number _stays_ in that range for an extended amount of time, that may just be the natural level. Besides, sometimes even a not actively supported project may be useful, at least until a major software upgrade breaks things. Not everything needs to be updated all the time. Granted, (very) small percentage of total projects.

    Anyway, I find this number to be interesting and, ultimately, not surprising. Moving on, nothing to see here.

  • As a prof... (Score:5, Insightful)

    by bradley13 ( 1118935 ) on Sunday October 15, 2023 @12:30PM (#63926693) Homepage

    All of my coursework and projects are BSD licensed, so open source. Ones that are no longer in use are still available, but "unmaintained". That's probably 30 or 40 repositories on various platforms.

    So what? Someone may still find them useful. There's no need for maintenance.

    I expect a lot of open source projects are similar. How many of you have some personal project out there, that you haven't changed recently? I have sudoku and nonogram games, they work, they're finished. Again, there's no need for any maintenance.

  • In related news... (Score:5, Insightful)

    by Waffle Iron ( 339739 ) on Sunday October 15, 2023 @12:33PM (#63926705)

    Likewise, only a tiny percentage of all of the closed-source software that has ever been released is still actively maintained.

  • Many are simple and work fine without maintenance
    Many are unused and the developer lost interest
    Many simply suck mightily
    In general, creating is fun, maintaining is work, often hard, unpleasant work

    • This right there.

      There are 2 kinds of projects that don't receive updates:

      1) Those that are finished (or at least without any relevant issues/bugs/flaws) and don't need any.
      2) Those that are abandoned and don't interest anyone.

      In case of 1, be happy and use it. In case of 2, if you need it, fork it and maintain it.

      In either case, there's zero use whining about poorly maintained projects.

    • Yup, a lot of the small stuff I see was "one and done". Sadly code that depends on other things, like a commercial database, accumulates defects over time until that "last maintained in 2020" git site stops working. I end up having to review their work but I'm limited to my knowledge of the language and subject and I may just have to pass on it.

      >In general, creating is fun, maintaining is work, often hard, unpleasant work

      The real thankless job is maintaining. Documenting is even less thanked.

      It remind

  • by Rosco P. Coltrane ( 209368 ) on Sunday October 15, 2023 @12:42PM (#63926739)

    Because the giga-corporations that built their billions on the back of open source more often than not have never paid a single dime to the software programmers that made their fortunes.

    Maintaining software is work. People tend to enjoy being paid to do work. Me, I put a few open source projects out there over the decades. I worked on them as long as they were fun or solved a problem I had, and I stopped working on them when they weren't fun anymore or they were good enough to solve my problem. Pay me and I'll keep maintaining them if you want me to.

    Those who complain that open source projects aren't maintained are welcome to fork them and maintain their own fork.

  • How many millions are unmaintained? Funny, I bet it won't be easy to find all those products/projects much less check for updates as easy as querying github.

  • by Opportunist ( 166417 ) on Sunday October 15, 2023 @01:20PM (#63926809)

    If you find a page with node.js, rejoice. At least if you want to break into it. Because it's almost a given that you will find a way to abuse that page.

    Node.js suffers from the "everyone and their dog" problem. Everyone and their dog can somehow hack together some javascript monstrosity. And I mean monstrosity in the Frankenstein sense. Cut together from bits and pieces that somehow fit together, a hodgepodge of code that works kinda-sorta, usually without the idiot hacking it together having even the first clue of what he does. After all, node.js was created when we noticed that we have a lot of webdesigners that can somehow write JS code but we don't need them, but we could use a few backend programmers.

    And thus, this monstrosity was born.

    So what you have now is a bunch of people who think they can program when all they really can do is cargo-cult some stackexchange answer together. And of course every single one of them has to write his own database module. How many "standards" for accessing PostgreSQL in node.js exist today? A dozen? More? How many of those are still maintained?

    Because the same programmers that can't be assed to learn programming also can't be assed to maintain their atrocities after they lose interest. Which is about 5 nanoseconds after they finish their projects, but not before smearing their shit all over github for everyone to download, because MY database connector is HEAPS better than the score that already exists.

    And now the really big problem starts.

    Because now people who know even less about programming than these idiots enter the ring and download their connectors. Without checking first whether there has ever been any maintenance in the past 3 years. Hell, chances are that even if they checked, they'd find out that ALL of them didn't receive a patch in the past 3 years, so pick your poison. Or, hell, create your own and add to the mess...

    And then the inevitable happens. Someone finds a security flaw in one of the more popular Frankensteins. It's not like you have to look long or far. And now you're stuck with a piece of code you'd have to fully rewrite to use some other database access code (because you don't think that they'd give a fuck about compatibility with any of the other existing code, do you?), and how many bosses will actually approve the cost of that?

    Seriously, people. I had to review quite a few of node.js pages. Not a single one of them was without a critical flaw.

    • by leptons ( 891340 )
      Nodejs is no more a "clusterfuck" than any other language or platform. Maybe loosen your tin foil hat or shave your neckbeard a little. You're just mad because you never invested the time to learn javascript and it became more popular than your favorite language. The world passed you by, and you're sad about it.
      • left-pad...

      • nodejs passed python in popularity? When did that happen since yesterday [tiobe.com]?

        JS may have its space to spice up webpages. But relying on this ugly, bloated mess to run webservers? That's something it was never meant to do and shouldn't do.

        • by leptons ( 891340 )
          >nodejs passed python in popularity? When did that happen since yesterday [tiobe.com]?

          Cherry-picking much? nodejs is not a language, python is a language. But you seem confused about that. Python has been less popular than Javascript depending on the hundereds of different surveys you care to look at. They are all flawed, so nice strawman you have there.

          >But relying on this ugly, bloated mess to run webservers?

          That's just your opinion. I find other languages far more bloated than javascript. So
          • Fuck your strawman. Learn a sensible backend language or go back to making webpages slow, where JS belongs.

            • by leptons ( 891340 )
              I know plenty of languages. C, C++, C#, Python, Java, PHP, Go, I've done them all really. I've even done typed JScript.NET/ASP for a back-end before. Fuck your ad hominem and assuming that I only know one language. I've been programming for 40 years, so you're barking up the wrong tree. I happen to also know and like Javacsript and have not had any problem with it on the back end. YMMV.
              • I'm in security. I get to test servers on a daily base. So believe me when I tell you, yes, I do know JS better than I want to. I also get to see what technologies are used to power servers, on both sides, backend, frontend, what's used in between and so on.

                The most severe problems, because they're those problems that cannot be fixed easily, are problems that arise from using outdated modules, libraries and plugins that cannot be updated. If it's just outdated and has a security issue, the fix is usually ea

  • Major paradox among those who build for its own sake. People only interested in money or power are never confused about what to do next: Their greed guides them them a bright North Star. But if you make something to make it, and you feel like the job is done, you'll now want to make something else instead of sticking around to be a janitor for those who come after. The exceptions should be considered especially laudable.
  • How can they tell? (Score:4, Informative)

    by TechyImmigrant ( 175943 ) on Sunday October 15, 2023 @02:41PM (#63926965) Homepage Journal

    I have several open source project on my github (https://github.com/dj-on-github).

    Many of them I haven't touch for a long time because they work and no bugs have been reported. So would those count and not being maintained? They are maintained in as much as I am available to fix bugs that are reported and add features as needed, they just don't need much maintaining.

  • by bugs2squash ( 1132591 ) on Sunday October 15, 2023 @03:37PM (#63927053)

    They are all maintained to exactly the level they need to be maintained.

    If interest in using them is low then the maintenance is unjustified, if interest is high then there will be contributions back or, maybe even local patches applied. Either way the level of effort is ideal.

  • So 11% are actively maintained. How many are actively used? I guess the percentage is about the same.

  • Most of the open source projects I created are now unmaintained. And this trend will continue as more and more of my projects will still be publicly available, but I'm not interested in them anymore. This is just a mathematical trend.

    But is it a problem?

    The problem is not the maintainer's fault. The problem is on the users side. If the project is unmaintained and you care about it, take it over. Or just use something else instead.

  • I've written a few minor open-source pieces of software, and most I haven't updated for years. Yet I use them regularly. The reason is that they still do what they are supposed to do, in the way that they are supposed to do it. They are (more or less) simple utilities that do one thing well. A study like this will conclude that because they haven't been updated in years, that they are essentially unmaintained. That's mistaken. I still care about them and I will fix them if they have bugs that I deem worth

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...