How a Few Volunteers Keep the Internet’s Core Software Alive

Introduction

Many critical components of the modern Internet are maintained by a handful of volunteers. When those maintainers stop working or are unavailable, the software that billions of devices rely on can break, creating systemic risk.

1. The Time‑Zone (TZ) Database

The TZ database (also known as the IANA Time Zone Database) encodes the legal time‑zone and daylight‑saving rules for every region. Governments change these rules frequently, sometimes with only days of notice, so operating systems and programming language libraries must update the database promptly to avoid incorrect timestamps, scheduling errors, and even security failures in time‑sensitive cryptographic protocols.

Key platforms that ship the TZ data include:

BSD families (FreeBSD, OpenBSD, NetBSD) and their derivatives macOS and iOS

Linux distributions

Android

GNU C library and languages that depend on it (C, C++, Rust, Go, etc.)

Java, PHP, Perl, Python, Ruby, JavaScript runtimes

Major databases such as Oracle, MySQL, PostgreSQL, MongoDB, SQL Server

Historically the database was maintained by two volunteers: Arthur David Olson (NIH) and Paul Eggert (UCLA). After Olson retired in 2011, stewardship passed to ICANN, but the day‑to‑day work still rests on Eggert and Tim Parenti . No large corporate team is dedicated to its continuous maintenance.

2. SQLite – The Ubiquitous Embedded Database

SQLite is an embedded SQL engine that runs inside the process of the host application. It is compiled into virtually every modern smartphone, desktop, and many embedded devices. Notable deployments include:

All Android and iOS devices

All macOS computers

Windows 10 and later

Major browsers (Chrome, Firefox, Safari)

Set‑top boxes and many IoT devices

Default database for PHP and Python installations

Desktop applications such as WhatsApp, Dropbox, Skype, iMessage, Adobe Acrobat Reader, and many others

The project is “open source but not open contribution”: the source code is publicly available, but only three core developers ( D. Richard Hipp , Mike Owens , and H. W. K. Miller ) have commit rights. External patches are reviewed and often rejected; the maintainers release new versions on a regular schedule (e.g., 3.45.0 released 2024‑03‑15). The SQLite website provides a git clone https://github.com/sqlite/sqlite.git repository and binary release tarballs.

3. Other Critical Volunteer‑Run Projects

Beyond TZ and SQLite, many essential tools are stewarded by small teams:

ImageMagick – image processing library, maintained by a core team of < 5 people.

xz – LZMA2 compression utility; a single maintainer discovered a backdoor in 2023 after noticing a half‑second performance regression.

FFmpeg – multimedia framework; a volunteer group of < 10 developers provides the core codecs used by YouTube, Netflix, and most video players.

Large corporations (e.g., Microsoft, Google) regularly depend on these libraries but typically contribute only occasional patches or one‑time payments, leaving the long‑term sustainability to the volunteers.

4. Risks and Lessons

Critical infrastructure depends on projects that receive little or no regular funding from the foundations that profit from them.

Even well‑known desktop environments (KDE, GNOME) struggle to pay two full‑time developers.

Recent incidents—such as the XZ backdoor discovered by a lone maintainer—show that a single point of failure can expose massive attack surfaces.

Without a sustainable support model (e.g., long‑term maintenance contracts, dedicated funding streams), the risk of accidental abandonment or malicious sabotage grows.

Conclusion

The stability of the global software ecosystem hinges on a few volunteer‑maintained projects. Ensuring their long‑term health requires coordinated funding and governance mechanisms rather than ad‑hoc, one‑off contributions.