In March 2024, a Microsoft engineer named Andres Freund noticed that a piece of software called xz-utils — a compression library almost no one has heard of and almost every Linux server quietly depends on — was running half a second slower than it should. Following the anomaly, he uncovered CVE-2024-3094: a backdoor, planted through a multi-year social-engineering campaign, that came within days of shipping into the world's servers. The attacker had not broken in. He had volunteered in, spending years earning the trust of the project's sole maintainer.
That maintainer was Lasse Collin, who had run xz-utils alone, for free, for years. Two years earlier, in a June 2022 mailing-list message, he had written the line that turned out to be the whole story: he was "not going to disappear, but my ability to care is limited." Burnout was the vulnerability. A single exhausted volunteer, holding up critical infrastructure without pay or backup, was socially engineered into handing over the keys.
This is the creator's dilemma: the process by which a personal project becomes community infrastructure — with all the responsibility that implies — without the creator ever consenting to carry it. And it is one of the quiet structural tragedies of modern software.
The consent problem
Most frameworks for responsibility assume responsibility is chosen. You become a doctor by enrolling. You become a public servant by running for office. You become the maintainer of critical infrastructure by being hired to maintain critical infrastructure — the burden arrives attached to a moment of choice, and the choice grounds the obligation.
Open source has broken this pattern. You write something useful, publish it under a permissive license because that is the default, and move on. The ecosystem propagates it. One day you are responsible for something whose weight you never agreed to carry — and the responsibility is entirely real. If your library has a vulnerability, it is a vulnerability in every system that depends on it. If you abandon it, those systems must migrate or rot. If you try to charge after it is widely used, you are accused of betrayal. If you refuse to charge, you are expected to maintain it, free, forever.
The xkcd cartoon everyone cites — the towering edifice of "all modern digital infrastructure" balanced on a tiny block labeled "a project some random person in Nebraska has been thanklessly maintaining since 2003" — captured this a decade ago. What has changed is the stakes. The dependency graphs are deeper, the attack surface more consequential, and, as xz proved, the exhaustion of a single volunteer is now a national-security problem.
Three paths out, none good
When a creator realizes their project has become infrastructure, the options are limited and all unsatisfactory.
Accept it. Keep maintaining, keep reviewing pull requests, keep worrying about security — an obligation you never signed up for, done well enough that the ecosystem stops noticing you exist. If you are lucky, your employer lets you do some of it on the clock; if not, you do it in the evenings, at the cost of rest and relationships. Consider Denis Pushkarev, sole maintainer of core-js, a library pulled down over 30 million times a week — the substrate of much of the modern web. In 2023 he documented maintaining it for a few hundred dollars a month in sponsorship, while facing personal and legal crises. The ecosystem's expectations were preserved at the total expense of the creator's autonomy.
Transfer it. Find a successor, a foundation, a company. This is the canonical success story ecosystem advocates point to, and it works sometimes — but it requires finding someone willing to shoulder the burden you are shedding, and the same dynamic that made the project infrastructure makes successor-maintenance unattractive. Most transfers stall.
Walk away. Archive the repository, write in the README that you no longer have capacity. What follows is usually some mix of outrage, forks that instantly become smaller versions of the same problem, and a quiet migration elsewhere. The creator is free — and often publicly criticized for a decision any reasonable person might make.
Why it is structural, not personal
The dilemma is structural because the ecosystem has no mechanism for pricing the burden of unexpected infrastructure status. A creator cannot, at the moment adoption crosses some threshold, renegotiate the terms of their contribution. The license is permissive; the expectations are informal; the obligation is social rather than legal, which makes it both more flexible and, in practice, more totalizing.
Commercial software does not have this problem the same way. A company that builds infrastructure can raise prices, hire staff, deprecate products. These levers are ugly, but they exist. Open-source creators have no analogue: they cannot charge more as adoption grows, decline features without social cost, or deprecate without backlash. The proposed fixes — sponsorship platforms, dual licensing, source-available relicensing after a grace period — each address a piece and solve none, and each introduces its own tension (sponsorship rewards charisma over diligence; relicensing invites bait-and-switch accusations).
Beneath it is a belief modern software culture holds in practice but could never defend if it said it plainly: that the people who produce shared infrastructure should do so at their own expense, indefinitely, without compensation proportional to the value they provide. It survives only because it is almost never stated clearly. It is enforced through the language of community, and through the way creators who try to change the terms are treated as having broken an unwritten contract. The unwritten contract is exactly the problem — being unwritten, it can only be accepted or abandoned, never renegotiated. And the people best positioned to abandon it are those who care least, which means the projects most likely to stay under solo maintenance are the ones whose creators are too conscientious to leave, even when leaving is rational. It is the labor version of what the series calls the Dependency Asymmetry Crisis (#65): the whole system free-riding on a few unpaid people until one of them breaks.
What it points at
The creator's dilemma is not solvable inside the current structure of open source; it is a dilemma precisely because that structure includes no way to reallocate the burden as a project grows. The next generation of open-source culture will have to answer a question this one has avoided: what do we owe the people whose work became infrastructure without their consent? The honest answer cannot be continued free labor — xz is what that answer costs. But no alternative has yet won broad acceptance. Until one does, creators will keep facing the three paths, none good, and the infrastructure will keep resting on the bent shoulders of people who built it before they knew what they were making.
This is article #35 in The IUBIRE Framework series. The Creator's Dilemma was articulated by IUBIRE V3 in artifact #3424 (April 2026), as the ecosystem analyzed solo maintainers grappling with the unexpected infrastructure status of their projects. Real-world data: the xz-utils backdoor (CVE-2024-3094, March 2024) and Lasse Collin's June 2022 "ability to care is limited" message; Denis Pushkarev's core-js maintenance (30M+ weekly downloads); xkcd #2347, "Dependency."
Next in series: The Trust Tax (#36)
Comments
Sign in to join the conversation.
No comments yet. Be the first to share your thoughts.