How come some of the core Linux projects are missing maintainers?
Posted by swarmOfBis@reddit | linux | 46 comments
I was playing around with my fingerprint reader today and landed on [linux-pam/linux-pam (#301)](https://github.com/linux-pam/linux-pam/issues/301), where you can read that proper implementation of the `any` directive is impossible simply due to missing manpower.
How come such a core project as PAM is missing manpower? Most of the big distros (if not all) are using PAM and the man behind it doesn't have enough time for it. Does he even have time to address new vulnerabilities popping up? Why is it even a single man operation? What are the distros planning to do when he's not capable of maintaining it anymore?
It seems so weird that something so core to modern Linux is left by itself to wither.
clearlybreghldalzee@reddit
You would be surprised how some foundational Linux projects (GTK, for example) have so few maintainers. Equivalent Windows or Android toolkits' maintainer counts are probably easily 10-20 times larger.
swarmOfBis@reddit (OP)
I mean, I am fully aware that there's limited manpower in FOSS, always have been. But you'd think that between all the organisations and foundations running Linux there could be an additional person or two spared for a project this important.
whitemice@reddit
Those organizations and foundations have no money.
Several_Clients@reddit
The Linux Foundation had $311 million in revenue last year.
Less than 3% of that went to the Linux kernel, but that doesn't mean they have "no money."
xenarthran_salesman@reddit
What do you think the Linux Foundation does?
marrsd@reddit
What does the Linux Foundation do?
xenarthran_salesman@reddit
It supports development of the Linux Kernel, and
it supports the development, governance, infrastructure and legal framework for about 1000 other projects, many of them huge.
Off the top of my head, nodejs, electron, kubernetes (and the whole CNCF), pytorch, jenkins, etc.
Every time there's some company that takes their open source ball and goes home, the Linux Foundation picks up the fork (valkey, opensearch, opentofu) and makes space for the maintainers to succeed in keeping the open source alive.
It also houses a ton of standards organizations that are less code and more protocols.
Then there's events, and also training/education/certification.
The Linux Foundation is really a "massive open source" foundation -> similar to how the Apache Foundation is more than just the Apache webserver.
DehydratedButTired@reddit
The fact that someone gets to these at all shows they are important. How much abandonware is out there?
Complaining is not contributing.
Human-Check828@reddit
Rather than tell us your delusions why not become a dev and do it yourself?
gplanon@reddit
Needlessly hostile.
kombiwombi@reddit
Ok, let's re-ask the OP's question.
My firm pays one of the big Linux companies over $0.5m a year. Lots of firms do this: Red Hat had $6.5B in revenue in 2025. It is 45% of IBM's business.
So why is linux-pam under-maintained?
FattyDrake@reddit
A better question to ask is: Are the firms paying Red Hat asking for an "any" module for PAM? Is there a business need for one? If there was the effort and money would be put in to get it working.
This seems mostly like a consumer end-user use case. So the consumer end-users (or companies selling to them) need to pay for it in money or time.
I'm not saying the situation doesn't suck, but that's the cold calculation being done here.
One thing I've been told and come to see the point of is that the major Linux players (Canonical, Red Hat/IBM, SUSE, etc.) do not see any money in general purpose, consumer Linux. So they do not expend much effort or money into it.
The only company that has so far is Valve. And they are primarily focused on single-user devices.
swarmOfBis@reddit (OP)
I am not talking about this specific issue, it's just what brought my attention to the fact that there's one person maintaining pretty much the core of authentication in userland.
FattyDrake@reddit
Think of a maintainer as more of a manager. They may be the primary contributor, but they mostly manage the code base, pull requests, etc.
Over the past year there's been over 40 contributors, and about 5-6 of them with many commits. So it's well over one person that's worked on it.
themightyug@reddit
This is a big issue with open source software. While the big projects and apps get tons of developers and corporate sponsorship, the essential but 'boring' stuff can get left behind with just a lone volunteer, or no-one at all, holding it together.
I don't know what the solution is, but sooner or later we'll need to find one
Astronaut6735@reddit
I don't see this as a problem. Effort is directed where it is needed most, efficiently and without any artificial coordination. If something is really that important to enough people, it will get the attention it needs.
nelmaloc@reddit
This thread's a concrete example that it doesn't.
pseudonym-161@reddit
Believe it or not sometimes the big corporations will pay someone to maintain linux since their fates are intertwined. That said, it’s always better off if they aren’t the ones to do it.
Artichoke808@reddit
Well you could jump in and contribute in your spare time. Oh you don't code?
Okay well you could give the maintainer a big donation to incentivise him or even allow him to employ someone for a few hours here and there? Oh, cash is a bit tight?
Okay, organise a fundraiser for him? Oh, too busy / don't think it will work / other reasons?
Well now you know why it's a single man operation.
manny2206@reddit
This….
Dramatic_Mastodon_93@reddit
And what about the countless companies that use Linux to earn profit?
marrsd@reddit
You want them buying Linux development? Suit yourself.
Dexterus@reddit
They already likely pay for or buy most linux development.
meditonsin@reddit
Why would they invest money into something that someone is already doing for free?
mmmboppe@reddit
The biggest issue of any company is to pay more to its employees, who generate profit directly, and you expect them to spend money on software which they benefit from indirectly. Naive expectation; they'd rather have the CEO buy another island or superyacht.
meskobalazs@reddit
Well, they don't earn money on PAM, do they?
swarmOfBis@reddit (OP)
Every company that runs Linux server uses PAM
HotAdministration939@reddit
Look up Apple's contribution to BSD after yoinking.
MatchingTurret@reddit
Can you point to a single company that makes money using PAM? I can't think of any.
Responsible-Sky-1336@reddit
All the U2F key providers. Actually one of Arch's main sponsors.
rbrownsuse@reddit
And even fewer than that make money from PAM's fingerprint scanning support.
daddyd@reddit
You do know that famous xkcd webcomic about that one maintainer's piece of software that the whole internet is dependent on? It is not just a joke. https://xkcd.com/2347/
Several_Clients@reddit
We know, this is the third comment about it
natermer@reddit
I think you are misunderstanding what is going on in the bug report.
First off, Linux PAM is kinda awful. It is something from the "bad old days". It is something really hard to get right and really easy to mess up. Trivial changes look straightforward and easy and act like they work, but can completely destroy a system's security.
This is then combined with the fact that it is a core security feature that everybody depends on from the enterprise distros on down makes the whole project extremely sensitive. Any change is a very significant undertaking.
So to do what they want would require a very significant rewrite and adding a lot of complexity and bugs to something that is already hard to deal with.
And it is already solved in other applications like GDM that can handle multiple auths in parallel.
Essentially they are saying that it is probably going to be easier for the reporter to write his own software on his own to do this rather than expecting them to take on the burden of making what he wants work.
kopsis@reddit
Don't confuse maintenance with development. Fixing defects is maintenance. Adding features is development.
The work required to implement even a seemingly simple feature can be huge. Sometimes a feature can't be implemented without large scale design changes. That's the situation in this case. As the maintainer explains:
The possibility of introducing deadlocks and race conditions into a core element of system security is somewhat terrifying. I, for one, wouldn't want to see this change even if they had infinite resources. In any case, the benefit to the community needs to be great enough that the community (not just the maintainer) is willing to commit the resources to make it happen. That's not the case here. I'm not saying it wouldn't be useful ... just that it wouldn't be useful enough (especially when there are viable alternatives like combining the modules you want to parallelize and doing the multithreading at the module level instead of the stack level).
You're free to disagree. But unless you are willing to commit the time and/or money to make it happen, that disagreement doesn't carry a lot of weight.
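To make concrete why the `any` behaviour natermer and kopsis discuss above cannot be expressed with the existing control flags, here is an added simulator of how a PAM auth stack is walked. It is an illustration written for this thread, not Linux-PAM's own code (the real library is C and also supports the bracketed `[value=action]` syntax); the module names and their outcomes are constructed.

```python
# Added illustration of Linux-PAM stack evaluation for the four classic
# control flags (required, requisite, sufficient, optional). Not Linux-PAM
# code; the per-module outcomes are constructed inputs, not real auth results.

SUCCESS, FAIL = "success", "fail"


def run_stack(stack, outcomes):
    """Walk an auth stack serially, the way pam_authenticate() does.

    stack:    list of (control_flag, module_name) in /etc/pam.d order
    outcomes: dict module_name -> SUCCESS or FAIL (constructed)
    Returns (verdict, modules_actually_called). A module is invoked only
    after the previous one has returned, so two modules never wait for the
    user at the same time; that is the gap the `any` request is about.
    """
    called = []
    required_failed = False
    for flag, module in stack:
        result = outcomes[module]
        called.append(module)
        if flag == "required" and result == FAIL:
            required_failed = True          # remembered, but keep walking
        elif flag == "requisite" and result == FAIL:
            return FAIL, called             # hard stop, no later module runs
        elif flag == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, called          # short-circuit: later modules never run
        # optional: result ignored here (it only matters if it is the whole stack)
    return (FAIL if required_failed else SUCCESS), called


# Constructed stack: try the fingerprint reader first, fall back to password.
FPRINT_THEN_PASSWORD = [
    ("sufficient", "pam_fprintd.so"),
    ("required", "pam_unix.so"),
]


def demo():
    # Fingerprint accepted: pam_unix.so is never consulted.
    finger_ok = run_stack(FPRINT_THEN_PASSWORD,
                          {"pam_fprintd.so": SUCCESS, "pam_unix.so": SUCCESS})
    # Fingerprint rejected (or timed out): only now does the password prompt run.
    finger_bad = run_stack(FPRINT_THEN_PASSWORD,
                           {"pam_fprintd.so": FAIL, "pam_unix.so": SUCCESS})
    return finger_ok, finger_bad
```

The second case shows the serial ordering: the password module does not even start until the fingerprint module has returned, so "whichever the user completes first" cannot be written with control flags alone.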
Plenty-Emphasis-5669@reddit
But, but... Claude can do it! /s
gesis@reddit
Relevant xkcd
MatchingTurret@reddit
Just wait for the outrage when someone decides to fix the problem and we get a systemd-pam module.
cripblip@reddit
https://imgs.xkcd.com/comics/dependency_2x.png
FattyDrake@reddit
It's still being maintained, and there's activity.
The problem, reading the issue, is that in order to add it they would have to re-architect PAM, which would require a lot of QA and testing to make sure existing functionality does not break.
I cannot stress this enough: It would be a MAJOR undertaking. In business terms we're talking a few hundred thousand dollars at least and months if not a year+ of work for such a critical piece of underlying infrastructure.
This isn't just adding or changing some code. It's basically tearing it all down and rewriting it.
What is being requested is a real "nice to have" but is not critical. If there was a major business use case, or rather NEED for it, money and manpower would be found.
And it seems that workarounds can be done with a display manager login (GDM was mentioned specifically.) Someone also seems to have hacked together an any module for a few auth types. Likely not well enough to be included in the main project.
RoomyRoots@reddit
There are lots of developers out there. Very few good ones, and even fewer with the responsibility necessary to take over something this big.
khne522@reddit
People always forget that the better developers can burn out trying to deal with others.
rebootyourbrainstem@reddit
If you look at the issue, there are solutions. They just kind of suck for the general case, but they work fine for big projects like distros and GDM.
This is part of a common pattern where making something flexible is really hard and expensive, and the only people who really need that flexibility are the people who aren't collecting a paycheck.
Behrus@reddit
Adrian Vovk (and probably others) is kinda aiming for that. There was some discussion about it on the systemd GitHub about that last fall, but that quieted down since then. Should be right up STF's alley though. Here is hoping...
removedI@reddit
Developing these components requires high skill and has almost 0 payoff. It's literally people pouring their free time into work they can get paid for elsewhere.
r3dk0w@reddit
Looking through the issues, they are mostly usage questions and feature requests. I would guess these old libraries are probably mostly stable to the point they don't take new features and are just in maintenance mode.
This repo also had a new release in January and has 183 repo contributors, so that seems relatively active.