In April, one of the open source code movement's first and biggest success stories, the Network Time Protocol, will reach a decision point. At 30 years old, will NTP continue as the preeminent time synchronization system for Macs, Windows, and Linux computers and most servers on networks?
Or will this protocol go into a decline marked by drastically slowed development, fewer bug fixes, and greater security risks for the computers that use it? The question hinges to a surprising degree on the personal finances of a 59-year-old technologist in Talent, Ore., named Harlan Stenn.
The Network Time Protocol is important enough that the likes of Google and Apple speak up if they find a bug in the protocol that needs fixing, or a modification they think is needed. But NTP has worked so well for so long that few people think there's any problem.
Not all is well within the NTP open source project. The number of volunteer contributors -- those who submit code for periodic updates, examine bug reports, and write fixes -- has shrunk over its long lifespan, even as its importance has increased. Its ongoing development and maintenance now rest mostly on the shoulders of Stenn, and that's why NTP faces a turning point. Stenn, who also works sporadically on his own consulting business, has given himself a deadline: Garner more financial support by April, "or look for regular work.”
Stenn's shaky personal finances illustrate one very real risk to the future of the Internet. A number of widely used foundations of the Internet -- such as OpenSSL, the Domain Name System, and NTP -- are based on open source code. Open source means no one owns the software, anyone can use it, and it's maintained through a collaborative process of people submitting changes to a central governing group. Some open source projects, such as the Android mobile OS, have a rich uncle like Google that pays people who maintain the code as a side job. Or, the project is trendy enough that working on it helps to spur consulting work. But a project like NTP, which is buried deep in the infrastructure, doesn't have a clear-cut financial backer. That leaves support up to people like Stenn.
For the last three-and-a-half years, Stenn said he's worked 100-plus hours a week answering emails, accepting patches, rewriting patches to work across multiple operating systems, piecing together new releases, and administering the NTP mailing list. If NTP should get hacked or for some reason stop functioning, hundreds of thousands of systems would feel the consequences. "If that happened, all the critics would say, 'See, you can't trust open source code,'" said Stenn.
Sam Ramji, CEO of the Cloud Foundry Foundation, cited Stenn’s work in an address at the Open Compute Summit 2015 in San Jose Mar. 11. He dubbed him "Father Time," and said he was "scraping by" as he continued to work on NTP.
Stenn is hardly the only open source coder living in such straits. Ramji also mentioned Werner Koch in Germany, the author and maintainer of Gnu Privacy Guard, which is used in three popular email encryption programs. In a Feb. 5 article, Koch told ProPublica that he was "going broke" on $25,000 a year since 2001. Chet Ramey, part of the networking infrastructure team at Case Western Reserve, has been the primary maintainer of the Bash shell for Unix since 1990 with minimal support.
Ramji noted that OpenSSL developers had been receiving less than $2,000 a year in donations when the Heartbleed exploit of OpenSSL broke out last April. "Secure code is hard to write and maintain," Ramji noted. Users have to decide whether they want to leave these projects to survive as best they can.