Denver, CO
Konvoy logo
Q3 2024 Gaming Industry Report Released,
View Here
No items found.

Investing in the frontier of gaming.

Konvoy Ventures is a thesis driven venture capital firm. We invest in the platforms and technologies at the frontier of gaming.

©KONVOY, 2024.

Disclosures

BACK TO
CONTENT

Konvoy's weekly newsletter offers unique insights into video game industry trends and the evolving landscape of venture capital, essential for staying informed in gaming and investment

©KONVOY, 2024.

Disclosures

Open Source: Brace for Impact

September 13, 2024
Open Source

90% of corporations use open source software and the cost is going up

by

Open Source: Brace for Impact

In March 2024, the European Commission announced the approval of the Cyber Resilience Act (CRA) which “aims to safeguard consumers and businesses buying or using products or software with a digital component”. Among other things, the CRA will enforce secure design, vulnerability management, incident reporting, and supply chain security for all digital software and hardware with a digital component. 

On one hand, this regulation is warranted given the multitude of security breaches that we have seen in recent years and the negative impact it can have on consumers. On the other hand, this regulation adds another layer of friction to an industry that thrives on rapid development and experimentation, in addition to the free labor of enthusiastic developers. 

Today, we are going to look at the open source ecosystem, its community, how contributors are compensated, and the potential impact the CRA will have on open source developers and the companies that rely on open source software (OSS).

Who Makes Up The Open Source Community?

Open source software is defined by having source code that anyone can inspect, modify, and enhance (Opensource.com).

The open source community - those who manage, use, and update this code - is an amalgamation of different individuals, entities, and also incentives. On GitHub, over 2 million developers participated in open source projects for the first time in 2023 alone (an all-time-high) and the community made over 300 million contributions to open source projects (GitHub).

On the developer side, there are a range of people maintaining the projects (maintainers) and contributing to these projects (contributors), all of whom have different incentives such as prestige among peers, practicing coding, a new challenge, or payment. Professionals (who are paid to maintain a project) are typically compensated by their primary employer or they generate revenue from sources like Patreon or GitHub Sponsors. 

Despite the unstructured nature of the open source community, their work is critical to thousands of businesses across the globe. Today, more than 90% of Fortune 500 companies are using open source software (NBER). One example of this is Core-js, an open source software that has been downloaded over 9 billion times and used by some of the largest websites in the world including Twitch, Amazon, Twitter, and Microsoft. Interestingly, the Core-js project is largely maintained by one individual, its original creator, Denis Pushkarev (GitHub). 

The State of Compensation in Open Source

Despite the broad impact that open source software has on society, compensation for maintainers remains limited, and increasing demands on these maintainers threaten to push them away from the ecosystem. In the Core-js example above, despite his success, Denis has consistently failed to generate meaningful sponsorship dollars and has publicly said, “I'm tired. Free open source software is fundamentally broken.” (GitHub).

While there are many professional maintainers who get paid by their companies, sponsors, or other organizations, over 80% are either part-time or unpaid despite contributing  ~70% of the total work hours maintaining open source projects. Moreover, the myth that open source developers prefer their work as an unpaid hobby has largely been debunked: 77% of unpaid maintainers say that they would like to get paid for their work (Tidelift). 

On top of all this, the type of work that these maintainers are being asked to do is increasingly laborious as security is becoming increasingly important. 

To summarize, non-professional maintainers of open source software are:

  1. Contributing the lion’s share of the work on these projects (by time spent) 
  2. Largely unsatisfied with their compensation
  3. Increasingly frustrated with the type of work they are being asked to do by the community

Looking ahead, this is a bleak outlook for the future of innovation and appears to present an existential threat to the open source ecosystem. 

CRA’s Impact on Open Source

CRA is not the first piece of legislation that has brought OSS security into focus. Others in the US include Executive Order 14028, and more recently the Request for Information on Open-Source Software Security. However, CRA appears to be the most direct in making all commercial entities take responsibility for the OSS they use. And while this will only apply to the EU in the near-term, this sets a precedent for other countries to follow suit.

This regulation could add an additional layer of friction to the ecosystem causing the marginal maintainer or contributor, who are already frustrated with the state of OSS, to stop supporting their projects. Maintainers may feel obligated to be CRA compliant in order to see adoption and may have to shoulder the larger burden of security, which we have emphasized is largely unpaid. Others may not be willing to adhere to CRA, leaving the responsibility to the company using this software. When maintainers were asked why they may not align with existing regulations, they cited time and money as their largest concerns.

It is unclear how this will impact the broader OSS ecosystem and it is likely to vary dramatically by project. However, CRA compliance will increase dollars into the open source ecosystem, either in the form of large companies hiring additional developers to participate in OSS communities or paying communities to maintain code compliance. 

In the latter case, the trend of establishing Open Source Program Offices (OSPOs) within companies is likely to rapidly increase, arguably becoming a must-have at any large corporation. An OSPO serves as the center of competency for an organization's open source operations and structure and is responsible for defining and implementing strategies and policies to guide these efforts (GitHub). Today, ~30% of the Fortune 100 companies have OSPOs (GitHub). In 2023, OSPO and OSS initiative adoption increased 32% year-over-year and with 11% of surveyed companies saying they are planning on implementing one soon (Linux Foundation). 

How could this impact game developers?

One of the most popular open-source projects in gaming is Godot, a free, cross-platform game engine released under the MIT license. As of September 2024, the Godot Github repository has over 20k forks and ~90k stars (Github). Popular games like Sonic Colors: Ultimate, Cassette Beasts, Brotato, and The Case of the Golden Idol have all been developed using Godot. 

While the final implications of CRA will require legal interpretation, the use of Godot as a game engine is unlikely to be impacted by CRA given it is largely used for its output. However, many developers leverage other OSSs like Nakama (game backend), Mirror Networking (net code), CMake (build automation), or Nextcloud (file hosting) with their games. These services that manage sensitive information may be highly scrutinized, and compliance will fall on the companies utilizing the code, in this case, the developers and studios.

Takeaway: The Cyber Resilience Act marks a turning point for the open source ecosystem, as it imposes new security and regulatory demands on software leveraged by corporations. While the intent to safeguard digital products is crucial in a world of increasing cybersecurity risks, the burden this legislation places on the open-source community could deepen existing frustrations with maintainers. 

Many maintainers, who are already underpaid and frustrated may fail to comply with regulations, forcing large corporations who use this software to pay up. It is likely that we see increased corporate investment in open source projects through Open Source Program Offices (OSPOs), through sponsorships for existing maintainers, or by paying employees to contribute necessary security measures to projects that they use.

Open Source: Brace for Impact

September 13, 2024
Open Source

90% of corporations use open source software and the cost is going up

by
Listen on Apple Podcasts

Welcome to Game Changers, the podcast that takes you beyond the games and into the heart of the gaming industry's future. Brought to you by Konvoy, a Denver-based venture capital firm investing in the platforms and technologies at the frontier of gaming. This podcast is your backstage pass to the pioneers, innovators, and visionaries who are redefining how we play and experience these virtual worlds.

In each episode, your hosts—Josh Chapman, Jason Chapman, and Jackson Vaughan, the founders of Konvoy — invite you to join them for candid and open conversations with the industry's most influential leaders. These guests are the “Game Changers”, the masterminds behind the scenes who've built remarkable enterprises and continue to push the boundaries of what's possible for our industry.

Whether you're a gamer, a tech enthusiast, or a startup aficionado, the Game Changers podcast offers valuable insights, inspiring stories, and exclusive access to the minds shaping the future of the gaming industry. Join us as we explore who these Game Changers are, what they've built, and what they're doing now.

Are you ready to level up your understanding of the gaming industry? Subscribe now to "Game Changers" and embark on a journey that goes beyond the screen to uncover the stories behind the gaming world.

Open Source: Brace for Impact

Konvoy logo

Open Source: Brace for Impact

In March 2024, the European Commission announced the approval of the Cyber Resilience Act (CRA) which “aims to safeguard consumers and businesses buying or using products or software with a digital component”. Among other things, the CRA will enforce secure design, vulnerability management, incident reporting, and supply chain security for all digital software and hardware with a digital component. 

On one hand, this regulation is warranted given the multitude of security breaches that we have seen in recent years and the negative impact it can have on consumers. On the other hand, this regulation adds another layer of friction to an industry that thrives on rapid development and experimentation, in addition to the free labor of enthusiastic developers. 

Today, we are going to look at the open source ecosystem, its community, how contributors are compensated, and the potential impact the CRA will have on open source developers and the companies that rely on open source software (OSS).

Who Makes Up The Open Source Community?

Open source software is defined by having source code that anyone can inspect, modify, and enhance (Opensource.com).

The open source community - those who manage, use, and update this code - is an amalgamation of different individuals, entities, and also incentives. On GitHub, over 2 million developers participated in open source projects for the first time in 2023 alone (an all-time-high) and the community made over 300 million contributions to open source projects (GitHub).

On the developer side, there are a range of people maintaining the projects (maintainers) and contributing to these projects (contributors), all of whom have different incentives such as prestige among peers, practicing coding, a new challenge, or payment. Professionals (who are paid to maintain a project) are typically compensated by their primary employer or they generate revenue from sources like Patreon or GitHub Sponsors. 

Despite the unstructured nature of the open source community, their work is critical to thousands of businesses across the globe. Today, more than 90% of Fortune 500 companies are using open source software (NBER). One example of this is Core-js, an open source software that has been downloaded over 9 billion times and used by some of the largest websites in the world including Twitch, Amazon, Twitter, and Microsoft. Interestingly, the Core-js project is largely maintained by one individual, its original creator, Denis Pushkarev (GitHub). 

The State of Compensation in Open Source

Despite the broad impact that open source software has on society, compensation for maintainers remains limited, and increasing demands on these maintainers threaten to push them away from the ecosystem. In the Core-js example above, despite his success, Denis has consistently failed to generate meaningful sponsorship dollars and has publicly said, “I'm tired. Free open source software is fundamentally broken.” (GitHub).

While there are many professional maintainers who get paid by their companies, sponsors, or other organizations, over 80% are either part-time or unpaid despite contributing  ~70% of the total work hours maintaining open source projects. Moreover, the myth that open source developers prefer their work as an unpaid hobby has largely been debunked: 77% of unpaid maintainers say that they would like to get paid for their work (Tidelift). 

On top of all this, the type of work that these maintainers are being asked to do is increasingly laborious as security is becoming increasingly important. 

To summarize, non-professional maintainers of open source software are:

  1. Contributing the lion’s share of the work on these projects (by time spent) 
  2. Largely unsatisfied with their compensation
  3. Increasingly frustrated with the type of work they are being asked to do by the community

Looking ahead, this is a bleak outlook for the future of innovation and appears to present an existential threat to the open source ecosystem. 

CRA’s Impact on Open Source

CRA is not the first piece of legislation that has brought OSS security into focus. Others in the US include Executive Order 14028, and more recently the Request for Information on Open-Source Software Security. However, CRA appears to be the most direct in making all commercial entities take responsibility for the OSS they use. And while this will only apply to the EU in the near-term, this sets a precedent for other countries to follow suit.

This regulation could add an additional layer of friction to the ecosystem causing the marginal maintainer or contributor, who are already frustrated with the state of OSS, to stop supporting their projects. Maintainers may feel obligated to be CRA compliant in order to see adoption and may have to shoulder the larger burden of security, which we have emphasized is largely unpaid. Others may not be willing to adhere to CRA, leaving the responsibility to the company using this software. When maintainers were asked why they may not align with existing regulations, they cited time and money as their largest concerns.

It is unclear how this will impact the broader OSS ecosystem and it is likely to vary dramatically by project. However, CRA compliance will increase dollars into the open source ecosystem, either in the form of large companies hiring additional developers to participate in OSS communities or paying communities to maintain code compliance. 

In the latter case, the trend of establishing Open Source Program Offices (OSPOs) within companies is likely to rapidly increase, arguably becoming a must-have at any large corporation. An OSPO serves as the center of competency for an organization's open source operations and structure and is responsible for defining and implementing strategies and policies to guide these efforts (GitHub). Today, ~30% of the Fortune 100 companies have OSPOs (GitHub). In 2023, OSPO and OSS initiative adoption increased 32% year-over-year and with 11% of surveyed companies saying they are planning on implementing one soon (Linux Foundation). 

How could this impact game developers?

One of the most popular open-source projects in gaming is Godot, a free, cross-platform game engine released under the MIT license. As of September 2024, the Godot Github repository has over 20k forks and ~90k stars (Github). Popular games like Sonic Colors: Ultimate, Cassette Beasts, Brotato, and The Case of the Golden Idol have all been developed using Godot. 

While the final implications of CRA will require legal interpretation, the use of Godot as a game engine is unlikely to be impacted by CRA given it is largely used for its output. However, many developers leverage other OSSs like Nakama (game backend), Mirror Networking (net code), CMake (build automation), or Nextcloud (file hosting) with their games. These services that manage sensitive information may be highly scrutinized, and compliance will fall on the companies utilizing the code, in this case, the developers and studios.

Takeaway: The Cyber Resilience Act marks a turning point for the open source ecosystem, as it imposes new security and regulatory demands on software leveraged by corporations. While the intent to safeguard digital products is crucial in a world of increasing cybersecurity risks, the burden this legislation places on the open-source community could deepen existing frustrations with maintainers. 

Many maintainers, who are already underpaid and frustrated may fail to comply with regulations, forcing large corporations who use this software to pay up. It is likely that we see increased corporate investment in open source projects through Open Source Program Offices (OSPOs), through sponsorships for existing maintainers, or by paying employees to contribute necessary security measures to projects that they use.

Please register below to receive your copy of the report.

OTHER REPORTS

Gaming Industry Report - Q3 2024

Q3 2024

Gaming Industry Report - Q2 2024

Q2 2024

VIEW REPORT

Something went wrong
VIEW report