The maintainer crisis is a broken reciprocity loop, not a volunteer shortage. A 1925 anthropology book saw it coming.
In January 2022, a developer named Marak Squires pushed an update to two of his own JavaScript libraries and broke a meaningful slice of the internet on purpose. The libraries were colors and faker: small, unglamorous utilities, the kind nobody thinks about, with billions of downloads between them and something like nineteen thousand other projects depending on colors alone. The update did one thing: it ran an infinite loop that spat out the word “LIBERTY” over and over, followed by a wall of garbage characters, into the console of every application that pulled it in. Build pipelines hung. Apps printed nonsense. Thousands of teams who had never heard Squires's name spent a morning discovering that a piece of their production stack belonged to a man they had never paid.
The sabotage wasn't random, and it wasn't a hack. Two months earlier, Squires had opened a thread on GitHub with a title that reads, in retrospect, like a thesis statement: “No more free work from Marak: Pay Me or Fork This.” He was done, he wrote, “freely supporting Fortune 500 companies” who built products on his labor and sent nothing back. When the money didn't come, he didn't quietly walk away. He reached back into the gift he had given the world and turned it into a weapon.
If that sequence (give freely for years, receive nothing in return, and finally lash out by destroying the gift itself) sounds less like a software story than an anthropology one, that's because it is. A French sociologist named Marcel Mauss wrote the playbook for exactly this rupture in 1925, and once you've read him, the entire maintainer-burnout crisis stops looking like a shortage of volunteers and starts looking like the specific, predictable failure he warned about a century ago.
Mauss's little book The Gift dismantled a comfortable assumption: that a gift, unlike a market transaction, is free. It isn't. In the societies Mauss studied, a gift is bound by three obligations, and all three are mandatory. You are obligated to give. You are obligated to receive, since refusing a gift is itself an insult. And, the one that matters here, you are obligated to reciprocate. A gift, in Mauss's framing, is a “total prestation”: it carries a piece of the giver's identity and reputation, and it opens a relationship with a debt inside it. To accept the gift and never return anything is not a neutral act of thrift. It is read as hostility, a refusal of the relationship, close to a declaration of war.
Now, before going further, an honest acknowledgment, because the next sentence is twenty-seven years old: yes, people have called open source a gift economy before. Eric Raymond said exactly that in his 1998 essay “Homesteading the Noosphere,” arguing that hacker culture is a gift culture where status comes not from what you hoard but from what you give away, and where the reciprocation that closes Mauss's loop is reputation: peer credit, the respect of other hackers. Raymond was right, and his model worked beautifully for the world he was describing: a community of peers who all stood inside the same gift culture and all paid each other back in the same currency of prestige.
The reason Marak Squires was screaming into a GitHub thread in 2021 is that Raymond's model describes a world that no longer exists at the scale that matters. The receivers of the gift are no longer peers inside the culture. They are corporations consuming from entirely outside it, and they don't pay in reputation, because a Fortune 500 company does not care about its standing among npm maintainers. Raymond mapped the gift economy's healthy interior. What he didn't price is what happens at its boundary, where the gift logic meets commodity capitalism and the receiver simply takes.
Put a number on the imbalance and it stops being a vibe. In 2024, three economists (Manuel Hoffmann, Frank Nagle, and Yanuo Zhou) published a Harvard Business School working paper estimating the value of open-source software, and the figures are almost difficult to hold in your head. The demand-side value of OSS, what it's worth to all the firms that use it, is roughly $8.8 trillion. The supply-side cost, what it would take to recreate all that software from scratch, is about $4.15 billion. That's a thousand-to-one ratio between value received and cost to produce, and it means the average company would have to spend about three and a half times more on software if open source vanished tomorrow.
Then comes the figure that turns an economics paper into a Mauss seminar: 96% of that demand-side value is created by just 5% of open-source developers. Trillions of dollars of value, flowing out of the hands of a tiny minority of people, most of them unpaid. The webcomic xkcd drew the same fact years earlier and more honestly than any spreadsheet: a towering, precarious structure labeled “all modern digital infrastructure,” resting its entire weight on one small block at the bottom, “a project some random person in Nebraska has been thanklessly maintaining since 2003.” Everyone who builds software has laughed at that cartoon. Fewer have noticed that it is a diagram of an unpaid debt.
Mauss's student-of-sorts Marshall Sahlins gave us the tool to see precisely what has gone wrong, by pointing out that reciprocity isn't binary, it's a spectrum. At one end is generalised reciprocity: you give freely, expecting nothing specific back, because the other party is close to you (kin, comrades, the people you'd give a kidney to). In the middle is balanced reciprocity: a roughly equivalent return within a reasonable timeframe, the mode of trading partners. And at the far end is negative reciprocity, each side trying to get more than it gives, which Sahlins described, in a phrase that should stop any tech executive cold, as the mode “typical of strangers and enemies.”
Early open source ran on generalised and balanced reciprocity. Peer-hackers gave code to a community that gave code back, and reputation flowed both ways; everyone was, in Sahlins's sense, kin. The maintainer crisis is the sound of the whole system sliding down the spectrum, from the intimate end to the hostile one. When a corporation embeds a solo-maintained library deep in its product, depends on it in production, profits from it, and returns neither money, nor a single upstreamed patch, nor even an acknowledgment, it is not behaving like a trading partner who simply hasn't gotten around to settling up. It is practicing negative reciprocity. It is relating to the maintainer the way you relate to a stranger you intend to extract from. As Sahlins put it, moving from generalised to negative reciprocity is the very thing that “maps the transition from intimacy to hostility.” That sentence is not a metaphor for the maintainer crisis. It is a clinical description of it.
Once you have the framework, the headline maintainer revolts of the last few years stop looking like isolated meltdowns and start looking like the same wound, reopening on schedule.
Squires bricking colors.js is the purest case, and there's a second anthropologist who decodes it. Annette Weiner described “inalienable possessions”: gifts that, even as they circulate, never fully leave the giver; the bond stays attached. Squires's “LIBERTY” loop was, in those terms, a maintainer reasserting the inalienable bond by force: this was always mine, and you forgot there was a string attached. He destroyed the gift to remind the takers that it had been a gift all along.
Denis Pushkarev's story is quieter and sadder. He maintains core-js, a library so foundational it has been downloaded over nine billion times and runs on more than half of the world's ten thousand most-visited websites. For this, his income fell from around $2,500 a month to roughly $400, as one funding platform halved its payout and another froze payments entirely. In 2023 he wrote a long, exhausted post declaring that open source, as a bargain, is simply broken, and stepped back from the daily grind. No sabotage; just a giver withdrawing from a relationship that had only ever flowed one way. Mauss would have recognized the resentment in every line.
And then there is the case that turns the whole argument from a moral complaint into a security briefing. In early 2024, the world learned that xz/liblzma, a compression library buried in nearly every Linux distribution, and therefore in a vast amount of the planet's server infrastructure, had been backdoored. The mechanism is the part worth dwelling on. The library's longtime maintainer, Lasse Collin, was burned out; in 2022 he had written, publicly, that “my ability to care has been fairly limited mostly due to longterm mental health issues.” A patient adversary operating under the name “Jia Tan” spent something like two and a half years building trust, contributing real and useful work, while sockpuppet accounts applied pressure on the exhausted maintainer to hand over more control, and then graciously offered to help. It worked. “Jia Tan” gained co-maintainer status and quietly inserted a backdoor that came within a hair of shipping to the stable releases of major distributions. It was caught almost by accident, when a Microsoft engineer named Andres Freund noticed his SSH logins were running about half a second slow and went looking for why.
Be careful with the causation here, because it matters: the burnout did not cause the backdoor. It was the precondition the attacker exploited, the unguarded door, deliberately found and pushed. But that is precisely the point the Atlantic Council made afterward, that overworked, under-resourced maintainers “augment insider-threat risk.” The reciprocity gap is no longer just unfair. It is an attack surface. Mauss said that a refusal to reciprocate is a kind of declaration of war; in the XZ incident, that stopped being a figure of speech and acquired a CVE number.
Here is the counterintuitive heart of the thing, the reason this is an anthropology problem and not a management one. Every instinct, faced with maintainer burnout, says the same thing: there aren't enough maintainers, so let's recruit more. Run a contributor drive. Onboard volunteers. Grow the bus factor.
Mauss says that instinct makes it worse. The relationship is already hostile, not because of a labor shortage, but because the third obligation has been broken. Pouring more volunteers into a loop that refuses to reciprocate doesn't repair the loop; it just feeds more un-reciprocated givers into a relationship the anthropology has already classified as enmity, where they will burn out on the same schedule as the people before them. You cannot volunteer your way out of a debt the receiver won't acknowledge. The broken part isn't the supply of givers. It's the return path, and adding givers does nothing to a broken return path except waste more people against it.
One honest qualification, because the crisis isn't universal and pretending otherwise would weaken the case. A great deal of open source is, in fact, well reciprocated: the Linux kernel, Kubernetes, and most of the projects under the Cloud Native Computing Foundation are maintained substantially by paid corporate engineers; there, the loop is closed, the companies are inside the gift culture, and it shows. The rupture is concentrated almost entirely in the long tail: the unglamorous, transitive, load-bearing dependency that nobody chose on purpose and nobody can name, the Nebraska tier. The gift fails exactly where it is most invisible, where the dependency is so deep in the tree that no relationship ever formed in the first place, and so no one ever felt the obligation to return anything.
So the repair is not managerial, and it is not “more volunteers.” It is anthropological: restore the third obligation. Reciprocate, in whatever currency is actually missing. Fund the maintainers, through GitHub Sponsors or Open Collective or Tidelift or a plain retainer, so that the people holding up your product can afford to keep doing it. Upstream your patches instead of hoarding a private fork, so your labor flows back into the commons you draw from. Credit the source, loudly, because in a gift culture recognition is not decoration, it is part of the payment. And assign paid engineering time to the dependencies you'd die without, treating their maintenance as a shared cost rather than someone else's hobby. None of this is charity. It is settling an account that Mauss would say has been open, and accruing hostility, the entire time.
The move you can make this week is smaller and more concrete than any of that. Open your dependency graph (you already have it) and find the one library your product genuinely could not survive losing. Then find out who maintains it, and whether they are paid. If the answer is a single person and the answer is no, you have located one of your unreciprocated gifts, and you are now in a position to be the first receiver who actually gives something back. Do that, and then do it again for the next one down.
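One way to run that check against an npm project, as an added example that is not part of the original essay: it walks a package-lock.json (v3 `packages` map), counts how many packages reach each dependency, and flags those with a single maintainer and no declared `funding` entry. The lockfile, package names and maintainer lists are constructed sample data, and a `funding` entry is only a proxy for whether anyone is actually paid.

```javascript
// Constructed sample in package-lock.json v3 shape; package names are hypothetical.
const lock = { packages: {
  "": { dependencies: { "web-kit": "^2.0.0", "log-fmt": "^1.0.0" } },
  "node_modules/web-kit": { dependencies: { "tiny-pad": "^1.0.0", "log-fmt": "^1.0.0" } },
  "node_modules/log-fmt": { dependencies: { "tiny-pad": "^1.0.0" },
    funding: { url: "https://example.invalid/fund" } },
  "node_modules/tiny-pad": {},
} };
// Constructed maintainer lists, one array of account names per package.
const maintainers = { "web-kit": ["a", "b", "c"], "log-fmt": ["d", "e"], "tiny-pad": ["f"] };

const MARK = "node_modules/";
const nameOf = (path) => path.slice(path.lastIndexOf(MARK) + MARK.length);

// Node-style lookup: the requiring package's own node_modules first,
// then each enclosing node_modules up to the project root.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + MARK + dep;
    if (candidate in packages) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf(MARK);
    base = cut > 0 ? base.slice(0, cut - 1) : "";
  }
}

// Rank installed packages by how many packages (root included) reach them.
function rankDependencies(lockfile, maintainerMap) {
  const pkgs = lockfile.packages, edges = {}, dependents = {};
  for (const [path, meta] of Object.entries(pkgs)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    edges[path] = Object.keys(deps).map((d) => resolve(pkgs, path, d)).filter(Boolean);
  }
  for (const start of Object.keys(pkgs)) {
    const seen = new Set(), stack = [...edges[start]];
    while (stack.length) {
      const p = stack.pop();
      if (seen.has(p) || p === start) continue;
      seen.add(p);
      stack.push(...edges[p]);
    }
    for (const p of seen) (dependents[p] = dependents[p] || new Set()).add(start);
  }
  return Object.keys(pkgs).filter((p) => p.includes(MARK)).map((p) => {
    const who = maintainerMap[nameOf(p)] || [], funded = Boolean(pkgs[p].funding);
    return { name: nameOf(p), dependents: (dependents[p] || new Set()).size,
      maintainers: who.length, funded, unreciprocated: who.length <= 1 && !funded };
  }).sort((a, b) => b.dependents - a.dependents || a.name.localeCompare(b.name));
}

console.table(rankDependencies(lock, maintainers));
```

For a real project, parse the lockfile with JSON.parse and fill the maintainer map from the registry metadata for each package name; the top rows with `unreciprocated: true` are the ones to look at first.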
Because the alternative to reciprocating is not that the maintainer keeps giving for free forever. That is the comfortable fiction the last decade has demolished. The real alternatives are the ones with names and dates: colors.js, where the giver burned the gift; core-js, where he quietly laid it down; and xz, where the unguarded door let someone far worse walk in. A community that only takes the gift has, in the oldest language we have for it, already declared the relationship hostile. The maintainers have been telling you the same thing in plainer words. Pay them, or fork it.
Reciprocation needs a record of who actually gave what.
Two of the essay's repairs depend on provenance: crediting the source (recognition is part of the payment) and knowing who is really behind a contribution. The xz backdoor was a provenance failure as much as a funding one: “Jia Tan” was trusted for two and a half years because no one could verify the identity and intent behind the commits. As more of that contribution comes from autonomous agents, the question gets sharper: who made this change, and can you prove it? Chain of Consciousness anchors every action an agent takes to a tamper-evident record, so authorship and credit are verifiable facts rather than a name in a commit field.