The Register wrote a story about a single-maintainer open source project. I think it's shameful and upsetting. So I wrote a blog post about it

An absolutely ridiculous amount of open source is one-person projects. I have the data to prove it

https://opensourcesecurity.io/2025/08-oss-one-person/

Open Source is one person

The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story. This poor open source developer is getting beat up now to score some internet points. It’s very upsetting. But anyway, let’s look at some receipts. If you’re not real smrt, it seems like pointing out an open source project is written by one person in a country you don’t like is a bad thing. It could be. But it also could be the software running THE WHOLE F*CKING PLANET is written by one person. In a country. But we have no idea which country. It’s not the same person mind you, but it’s one person.


@joshbressers @shauna “It’s OK. You’re still in the denial stage. Hopefully you’ll reach anger by the end of this post.”

That’s my secret, cap,

@joshbressers I'd also say lots of single maintainer projects are probably abandoned. This is just my impression, but in the last year, the PRs I've sent to single maintainer repos have generally been unanswered.

I really wonder how a project can survive that. Sure I can fork it and add my bug fixes and features, but the official web page still points to the old abandoned repo. New users will go there. If the maintainer doesn't even reply to posts about passing maintainership, what can you do?

@skylark13 Yeah, abandoned things are a whole other can of worms. And sometimes it's not really abandoned, it's just a very busy maintainer

@skylark13
> If the maintainer doesn't even reply to posts about passing maintainership, what can you do?

Fork, create a new webpage and start SEOing the other one out of the listings (hard, but if it's really inactive it might work), and once the domain runs out grab it (otherwise it's not really inactive though?)
Alternatively one could try to offer money to buy the project but I personally would not trust such offers.
@joshbressers

@joshbressers

Thanks for the article, Josh.

It would really suck to be Malinochkin right about now. That is some incredibly shitty, unfounded fearmongering in that article. Shame on the Register.

@joshbressers Really really love the title, thank you for writing this. I'm putting this one in the back pocket for later use.

@joshbressers being dependent on Russian code is a security risk, you can't guarantee freedom of expression in a country known to disappear people with wrong political positions.

if everybody does that it doesn't mean that it's safe and "popularity" of single person maintained open source solutions does not in any way hint at their security characteristics

if one person can maintain that code why not just embed it directly in your repository? be a man, manage your f*cking js modules

@gonzo_askold @joshbressers Unfortunately by now the same applies to projects maintained from the US (and obviously also China). Even though people are usually still traceable in the first, they can't work on anything from within prison or ICE detention.

Don't think country-based scrutiny of trust in developers works anymore these days.

I agree that you should properly manage your god damn dependencies, of course.

@joshbressers
It would be interesting to see, how many projects are basically the same thing, i.e. "reinventing the wheel". Be it due to lack of findability, or ignorance, or genuine improvement - or due to splitting the same things over and over with every new platform and programming language.
I wonder how to match these however (maybe something like alternativeto.net for packages?)
@joshbressers that’s why I contribute to a lot of open source projects! But let’s be real, the little compensation there is to open source is rightfully routed to main authors, so such help is hardly financially sustainable!
@joshbressers And using the excellent @ecosystems data for it just serves as a further example of how important many of these single maintainer projects can be.
@westonsteimel @ecosystems That's true! ecosyste.ms is a single person project also
@joshbressers "It’s OK. You’re still in the denial stage. Hopefully you’ll reach anger by the end of this post."

@andrewrk maybe you want to think about the 1-maintainer-problem for zig. Imho a lot of smaller npm libraries are convenience, performance or security optimizations for repetitive programming tasks needed in every other app. I don’t think the stdlib should be spammed, but a community maintained jetpack lib could be nice

@joshbressers

@jfroehlich @joshbressers without looking it up, guess how many % of the commits of ziglang/zig are mine since git init in 2015
@andrewrk @joshbressers I don’t need to look that up. I know it’s you.
@jfroehlich @joshbressers my point is that how small the % is may surprise you

@andrewrk @joshbressers yea, it did surprise me when I looked it up now. so, the foundation is working and the community is growing which is really awesome to see.

But my thought wasn't actually about the ziglang project, more about the ecosystem that builds on that. What would be the way to catch useful very small libraries that have a single maintainer (who is about to give up) and are required by a large number of projects? merge them into the stdlib?

@jfroehlich @joshbressers I see, not about the zig project itself, but about the ecosystem.

well, this may be something the zig software foundation can facilitate in the long term, when the compiler & language toolchain are more complete.

@joshbressers if you participate in scorecard discussions, this discussion might be of interest to you: https://github.com/ossf/scorecard/discussions/4759
Rational behind the suggestion · ossf scorecard · Discussion #4759

I am a single person and for my small project, i enabled scorecard. the first recommendation i get is "If the project has only one contributor, or does not have enough reviewers to practically requ...

@anant @joshbressers me and Josh have been in the mines for the scorecard. At this point, I and probably him, consider it a lost battle. The scorecard exists to please certain stakeholders. Not to do anything in the actual world. The actual world is too scary.
@Di4na @joshbressers thanks, I am kind of reaching the same conclusions. Thanks for putting it into words; it makes me feel seen and not like I'm going crazy.
@joshbressers this is interesting

Weirdly enough this gives me a lot of hope that my stupid little projects that nobody uses would actually be popular and useful if I just gave them a little more polish and showed them off
So thanks

@joshbressers imo that register article is pretty trash.

“Open source software doesn’t need a CVE to be dangerous, It only needs access, obscurity, and complacency”

bruh that's true for any software, not just open source

@joshbressers

Maybe an interesting article, very well protected information.
opensourcesecurity.io
All I see is looping

Verifying you are human. This may take a few seconds.
opensourcesecurity.io needs to review the security of your connection before proceeding.

I think I am human, do I need a doctor's statement to read the article???

@joshbressers knowing you're one of those developers and not alone isn't much comfort.
@joshbressers Obligatory:
@WhyNotZoidberg @joshbressers it is, but Munroe was wrong in practice here. It seems over 90% of that image should be those sole-developer blocks.
@mweiss @WhyNotZoidberg Long ago I fixed the xkcd comic :)

@joshbressers @mweiss @WhyNotZoidberg Wow, Nebraska seems to be full of random persons. :)

Good version! 👍

@joshbressers @mweiss @WhyNotZoidberg
I'm currently working at $DAYJOB where we're integrating a newer ARM core into a system-on-chip.

The software team is having trouble connecting an external debugger to this core because they don't know how the core's debug interface is supposed to work and what the micro-architectural preconditions for stopping code execution on the core are. The setup requirements are documented by ARM, at least, but that team doesn't have all the expertise it needs to set up the standard development toolchains on this new platform.

Even in big companies, crucial digital and computing infrastructure knowledge and implementation experience are all funneled and concentrated to a very few subject matter experts. There are often issues which only one or two people know how to debug in a productive way. (When there are thousands of signals and hardware registers which might contribute to an issue, having to figure it all out from scratch is very hard.)

The number one reason why people don't spend more time learning how to debug other issues or understanding the fundamental architecture and operation is that there's a LOT of testing to do and a LOT of possible issues to investigate and check when debugging, and the schedule of the hardware project ticks on by regardless. There's a certain reckless disregard for creating ultra-low-bus-factor technology at that low level of hardware technology because we still need all the possible micro-optimizations at the hardware level to get the power efficiency and performance that are the standard.

Microelectronics design is also tediously cursed in this manner, though without the same hobby project burden.

@frummidge @joshbressers @WhyNotZoidberg proper BCPs should aim for a minimum of three, though in practical cases I often end up with two because of headcount constraints.

When it's one, you're one accident away from loss of business continuity. Or one "got a better offer somewhere else".

@joshbressers just some thoughts on that: The Open Source Universe is quite a bit larger than NPM (in fact I avoid all software on NPM in my stacks). Nothing about the Debian repo there; when checking what Apache resources they use, I only see a fraction of projects included. So the data of this website is quite misleading. It even did not work properly (see screenie)

@TheTomas @joshbressers Debian is mostly not maintainers, but even there it is mostly one person if there is someone at all

It is not misleading. Qualitative analysis shows that the patterns hold.

The maintainer being discussed said, “I maintain the project alone, as over the years the community has not expressed a need for more active participation.”

This is the politest “no one wants to help” I’ve read in a while.

This is not the time to discuss a new funding model or how the maintainer should form a legal entity and offer support. This is where you roll up your sleeves and find time to review patches and write new ones.

@joshbressers

@joshbressers
Stunning conclusion:
“Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single person projects have the proper amount of resources they need. If you want to talk about possible risks to your supply chain, a single maintainer that’s grossly underpaid and overworked. That’s the risk. The country they are from is irrelevant.”
🤔
@joshbressers I'm not seeing a problem here. It is open source, and professional people, such as government employees and security researchers, do scrutinize it.
@joshbressers there is an easy solution, giving a living wage to everyone, no questions asked

@joshbressers

> But it also could be the software running THE WHOLE F*CKING PLANET is written by one person.

Linux time zone database. if that goes, so does the whole internet.

I remember reading a few years ago that it was maintained by a schoolteacher in the American Midwest somewhere.

@joshbressers how many projects have zero maintainers?

@pulkomandy @joshbressers there's the scary reality. If you look at these projects from a business continuity perspective, a large percentage of "one maintainer" projects are either already "zero maintainer" projects or will become one of them soon, because life happens to people.

They become parents and focus more time on their kids. They had a job that paid the bills and gave them the free time to devote to the project...until they lost the job and had to hustle with other stuff just to make ends meet. Their parent became unexpectedly ill and they had to devote time to care. They got into a vehicle collision and were either incapacitated or...died.

Seriously, how many of these get abandoned because the lone maintainer died? With no business continuity plan, things go bad in a hurry. And with probably millions of these sole-maintainer projects, it's an absolute guarantee that this is happening frequently. Silently.

@mweiss @joshbressers even when things don't go bad, I have something like a hundred projects I'm involved with (some alone, some with other people). Most of these I wouldn't say have one maintainer, more like 0.01 depending on how busy I am with my paid job and the 99 other projects. And for some of them I just lost interest and moved on to other things.

So that's an even more worrying thing that doesn't show in the graphs in the article.

@pulkomandy @joshbressers yeah, when they say there's only one maintainer, that hardly means it's their full time job. But most projects don't need a full human being to maintain it. They do need continuity and consistency, though, which is literally impossible with just one person. A realistic minimum is three.
@joshbressers It is fascinating to me that much of the open source tooling (e.g. git) and practices are shaped by the large scale collaboration in Linux Kernel development when most projects are created in a very, very different context.
@joshbressers I believe Tidelift was working on this - fundraising from big corps to direct towards critical components. Not sure what's happening since they got bought by Sonar though.
@joshbressers curious how many of those "more than 1 maintainer" projects are actually just "one maintainer, plus a guy who sent in one commit to fix his build problem 9 years ago"
@joshbressers GitLab relied on a Ruby framework for their AWS integrations written by a single Engine Yard employee who abandoned the project after a few years. Meanwhile GitLab is a hundred-million-a-year-plus company. Guy never saw a fraction of that income... GitLab still keeping his code on life support though

@joshbressers

Access to the blog post blocked by Cloudflare ☹️

@adamsaidsomething Apologies for that. Getting the blog to be self hosted is on my list, but it's sadly not super high on my list
@joshbressers The "Request a demo of Entercept, the first and only platform designed to identify and track foreign influence in your software." at the bottom of the 'analysis' tells you most of what you need to know.