For a meeting last week I wanted to show how much of OpenSSL is being written by people paid to do so by their employers, and how much was from individuals in their own time. And it turns out most of OpenSSL is written by people paid to do so. This is crucial to understanding the critical role that corporations provide to Open Source projects such as OpenSSL.

It was actually fairly easy to be able to get this information by writing a script because we require all non-trivial contributions to have a Contributor License Agreement (CLA) from all original authors, this policy being modelled on the practice of the Apache Software Foundation. Corporations that have assigned employees to work on OpenSSL must submit a corporate CLA (CCLA).

So we can look at the git mainline commits for a one year period (up to July 6th 2023), split them out, and we end up with the SanKey flow diagram below:

Starting at the right hand side of the diagram, in the examined period, OpenSSL gained 1,921 commits.

Moving to the middle of the diagram, 99 of the commits were trivial. A submission is trivial if it’s considered trivial under copyright law, so mostly things like corrections of grammatical or typographical errors, whitespace changes, or minor one-line bug fixes. That leaves 1822 non-trivial commits. OpenSSL has a group of committers who have access to commit changes to the tree, there were 20 people in this group over the period, and together wrote 80% of the non-trivial commits. The other 20% came from non-committers.

Looking at the left of the diagram we can now break out the commits into three categories. Firstly, OpenSSL Software Services pays for a set of people to work directly on OpenSSL full-time, six people during this period. So 64% of the non-trivial commits were authored by people paid by OpenSSL. Looking at the CCLAs for the remaining authors, 417 commits came from people under a CCLA, so they’re being paid by their company to contribute to OpenSSL: that’s 23% of the non-trivial commits. The remaining 235 commits (13%) came from individuals.

We can run the script for earlier years too and this shows a similar percentage of commits from individuals - although amongst the corporate contributions the number of commits from people paid directly from OpenSSL has increased over time as we’ve taken on more people to work full-time on the project.

So in conclusion, we found that 87% of the non-trivial commits to OpenSSL in the last 12 months were from 56 people paid by their employer to work on OpenSSL. This result shouldn’t be too surprising, Open Source projects such as OpenSSL rely on commercial organisations contributing their employees’ time in order to survive.