The Economics Behind the Software That Runs the World
Linux powers most of the internet. It runs the majority of web servers, the cloud infrastructure of Amazon, Google, and Microsoft, most smartphones (via Android), supercomputers, and an enormous amount of the world’s critical infrastructure. It’s also, fundamentally, free.
This raises an obvious question: how does any of this get paid for? Who funds the development of software that trillion-dollar companies depend on but don’t have to pay for?
The answer is complicated, and—depending on your perspective—either inspiring or deeply troubling.
Where It All Started
None of this would exist without Richard Stallman. In 1983, Stallman—then a programmer at MIT’s AI Lab—announced the GNU project, an ambitious attempt to create a completely free operating system. In 1985, he founded the Free Software Foundation to support it.
Stallman’s philosophy was radical: software should be free—not as in price, but as in freedom. Users should have the right to run software for any purpose, study how it works, modify it, and share it with others. He called these the “four freedoms” and argued that restricting them was morally wrong.
To protect this vision, Stallman created the GNU General Public License (GPL). The GPL is clever: it allows anyone to use, modify, and distribute the software, but requires that any derivative works must also be released under the same terms. This “copyleft” mechanism prevents companies from taking free software, making improvements, and locking those improvements away as proprietary code. It’s the reason Linux remains open today.
Throughout the 1980s, the GNU project built the essential tools needed for a complete operating system: compilers (GCC), text editors (Emacs), the shell (Bash), core utilities, and libraries. By the early 1990s, GNU had almost everything—except a working kernel.
That’s where a Finnish student named Linus Torvalds came in.
The Kernel Itself
In 1991, Linus Torvalds created Linux as a hobby project while studying at the University of Helsinki. It was just a kernel—the core component that manages hardware and system resources—but combined with the existing GNU tools, it made a complete, usable operating system. Stallman would argue it should be called GNU/Linux, and technically he has a point.
Over three decades later, Torvalds is still the lead maintainer and has final say over what goes into the kernel. But he’s no longer doing it for free—Torvalds is employed as a fellow by the Linux Foundation, allowing him to work on the kernel full-time without commercial pressure from any single company.
The Linux Foundation is a nonprofit funded primarily through corporate memberships on a tiered model. Platinum members—companies like Google, Microsoft, Intel, IBM, and Huawei—pay substantial annual dues (reportedly $500,000 or more). Gold and Silver tiers pay less. In return, members get governance input and the knowledge that they’re sustaining the infrastructure their businesses depend on.
The Foundation employs several key developers besides Torvalds, including Greg Kroah-Hartman, who maintains the stable kernel releases. It also funds infrastructure, security initiatives, and events like the Linux Kernel Summit.
Here’s the important part: the vast majority of kernel contributions now come from paid developers. According to regular analyses of kernel commits, around 85–90% of contributions come from developers employed by companies like Red Hat, Intel, Google, AMD, Microsoft, and others. The days of Linux being primarily a hobbyist project are long gone—it’s largely developed by professionals who are paid to do so.
This is arguably the healthiest part of the open source ecosystem. The kernel is so critical to so many businesses that they have strong incentives to fund its development. The challenge is that this model doesn’t extend to everything else that makes a Linux system usable.
Distribution Funding Models
The kernel is just the core. On top of it sit Linux distributions—complete operating systems that package the kernel with thousands of other software components. These distributions fall into two broad categories: corporate-backed and community-driven.
Corporate-Backed Distributions
Some distributions have a company behind them that funds development as part of its business model. However, not all corporate-backed distributions work the same way.
Red Hat / Fedora: Fedora is sponsored by Red Hat (now owned by IBM). Crucially, Red Hat created Fedora as its upstream project. Red Hat employs developers to work on Fedora, which serves as a testing ground for features that eventually flow into Red Hat Enterprise Linux (RHEL)—the actual revenue product, sold through enterprise subscriptions, support contracts, and certifications. Red Hat and its Fedora developers contribute more Linux kernel code than any other organisation.
openSUSE / SUSE: Similarly, SUSE created openSUSE as its community distribution. SUSE employs developers to work on openSUSE and sells enterprise subscriptions for SUSE Linux Enterprise.
In both cases, the company built and maintains its own upstream project. The business logic is clear: invest in the community version, build an ecosystem and reputation, then sell enterprise support to organisations that need guarantees and SLAs.
Ubuntu / Canonical: Ubuntu works differently. Rather than creating its own upstream project, Canonical built Ubuntu on top of Debian—an existing community distribution with decades of volunteer work behind it. Canonical earns revenue from enterprise support, cloud services (Ubuntu Pro), and IoT/embedded licensing.
This raises an uncomfortable question: does Canonical give back to Debian? The answer is nuanced. Canonical employs some Debian developers (though some in the Debian community have criticised this as “poaching” rather than supporting). Canonical contributes code upstream and supports various open source foundations including the Eclipse Foundation, CNCF, and GNOME Foundation. Since April 2025, Canonical has also donated $120,000 per year via thanks.dev to open source projects based on their dependency analysis.
However, there’s no evidence of direct financial donations from Canonical to Debian as an organisation—despite Ubuntu being fundamentally built on Debian’s foundation. This is a long-running criticism in the open source community. Ubuntu benefits enormously from Debian’s development community, which allows Canonical’s developers to focus on user experience and commercial features rather than the underlying infrastructure work that Debian volunteers provide.
Community-Driven Distributions
Other distributions have no commercial entity behind them. They’re entirely community-governed and funded through donations and volunteer labour.
Debian: Debian operates under Software in the Public Interest (SPI), a US-based nonprofit. Its funding comes primarily from individual and corporate donations. Money goes toward hardware, servers, domain names, cryptographic certificates, and the annual DebConf conference. Notably, no single company controls Debian’s direction—it’s governed entirely by its community of developers.
Arch Linux: Arch is also an SPI member project, accepting donations via PayPal and Click&Pledge. No developers are paid—funds go strictly to hosting costs and server hardware. It’s one of the leanest operations among major distributions.
Gentoo, Void, and similar projects: These rely almost entirely on individual donations and volunteer effort, sometimes supplemented by hosting donations from companies or mirror sponsors.
The BSD Family: A Different Path
Linux isn’t the only free Unix-like operating system. The BSD family—FreeBSD, OpenBSD, NetBSD, and DragonFly BSD—predates Linux and takes a different philosophical and licensing approach.
BSD (Berkeley Software Distribution) originated at the University of California, Berkeley in the late 1970s. While the BSDs went through legal troubles with AT&T in the early 1990s—which arguably gave Linux the window it needed to gain traction—they emerged as mature, robust systems that power critical infrastructure today.
The key difference is licensing. BSD uses permissive licences that allow anyone to take the code, modify it, and use it in proprietary products without releasing their changes. This is fundamentally different from the GPL’s copyleft approach.
Apple’s operating systems are a notable example. macOS, iOS, and Apple’s other platforms run on Darwin, whose XNU kernel is a hybrid combining the Mach microkernel (originally developed at Carnegie Mellon University) with substantial components from FreeBSD—including the process model, network stack, and virtual file system. The BSD permissive licence allowed Apple to take this code, build a proprietary operating system on top of it, and keep much of the result closed-source. Sony’s PlayStation operating system is also BSD-based, as is the software in many network appliances, routers, and embedded systems.
From a funding perspective, the BSDs operate much like community Linux distributions:
FreeBSD: Supported by the FreeBSD Foundation, a US nonprofit funded by donations from individuals and companies. Major users like Netflix, which runs its entire streaming infrastructure on FreeBSD, contribute both code and funding. The Foundation employs some developers and funds specific development projects.
OpenBSD: Famous for its focus on security and code correctness, OpenBSD operates on a shoestring budget funded almost entirely by donations and merchandise sales. The project has created hugely influential software including OpenSSH (used by almost every server on the internet) and LibreSSL. Despite this impact, funding has been a recurring crisis—the project has publicly appealed for donations multiple times to keep the lights on.
NetBSD: Focused on portability across hardware platforms, NetBSD is supported by the NetBSD Foundation and runs primarily on donations and volunteer effort.
The BSD story illustrates both the power and the problem of permissive licensing. Companies can take BSD code and build empires on it—Apple is worth trillions—but there’s no legal mechanism requiring them to give anything back. Some do (Netflix is a notable contributor to FreeBSD), but many don’t. The BSDs survive largely on goodwill, volunteer labour, and the donations of those who appreciate their work.
Where the Money Actually Goes
For community distributions, the cash that does come in typically covers:
- Server hosting and bandwidth
- Build infrastructure (the machines that compile all those packages)
- Domain names and TLS (previously SSL) certificates
- Conferences and developer sprints
- Hardware upgrades
What it usually doesn’t cover is paying the developers themselves. The real “funding” behind most community distributions is thousands of unpaid volunteer hours.
How Do the Developers Survive?
This is the question that gets to the heart of open source economics. The short answer: most of them have day jobs.
Employed by companies that use Linux: The majority of active contributors to major distributions work at companies like Red Hat, Canonical, SUSE, Google, Microsoft, Amazon, Intel, or Samsung. These companies pay engineers to work on open source as part of their business strategy. A Red Hat engineer might spend their workday packaging Fedora and contributing kernel patches—that is their job.
Consulting and contract work: Some developers freelance as Linux sysadmins, DevOps engineers, or embedded systems consultants. Their distribution contributions serve as a portfolio and reputation builder. The Debian LTS project, for example, is run through Freexian—companies pay into a pool, and Debian developers are hired on contract to provide security updates.
It’s a hobby: A surprisingly large number of contributors—especially in distributions like Arch, Gentoo, and Void—are doing this in their spare time alongside unrelated careers. They might be software developers, academics, students, or IT professionals whose packaging work is essentially a serious hobby.
Individual sponsorship: Platforms like GitHub Sponsors, Open Collective, Liberapay, and Patreon allow individuals to support developers directly. These typically generate modest income—enough for a coffee habit, rarely enough for a salary.
The Uncomfortable Truth
Open source has a well-documented sustainability crisis. Maintainers of critical infrastructure often burn out after years of unpaid work. There have been high-profile cases of essential projects being maintained by a single exhausted volunteer—software that millions of systems depend on, kept alive by someone in their spare bedroom.
In 2024, we saw exactly how dangerous this can be.
The xz Backdoor: A Case Study
XZ Utils is a data compression library embedded deep within Linux systems. It’s the kind of unglamorous infrastructure component that most people have never heard of—but it’s used by SSH, the protocol that secures remote access to servers worldwide.
In late March 2024, a Microsoft engineer named Andres Freund noticed something odd: his SSH logins were taking 500 milliseconds instead of the usual 100. Most people would have ignored it. Freund didn’t. He investigated, traced the slowdown through layers of system calls, and eventually discovered a sophisticated backdoor hidden in XZ Utils.
What he uncovered was chilling. The backdoor hadn’t been inserted by a hacker breaking in—it had been carefully planted by someone who had spent over two years earning the trust of the project’s maintainer.
The attacker, operating under the pseudonym “Jia Tan,” first appeared in October 2021, submitting small, legitimate patches. Over the following months, they contributed code reviews, translations, and infrastructure improvements—all genuine, helpful work designed to build credibility. Meanwhile, suspicious accounts began pressuring the original maintainer, Lasse Collin, complaining about slow releases and unresponsive maintenance. Collin was a volunteer, maintaining XZ Utils in his spare time. Under pressure and grateful for help, he eventually granted Jia Tan co-maintainer status.
By early 2024, Jia Tan had enough access to insert malicious code into the release packages—code that would have given them a master key to potentially hundreds of millions of servers running SSH. The backdoor was caught purely by luck: one curious engineer noticing a half-second delay.
Security researchers believe this was likely a state-sponsored operation—the patience and sophistication involved points to significant resources. But the attack only worked because it exploited something more fundamental: an overworked, unpaid volunteer maintaining critical infrastructure alone, who was grateful when someone offered to help.
The xz incident is not an isolated case. Following its discovery, the Open Source Security Foundation warned that similar social engineering attempts had been detected targeting other projects. The uncomfortable truth is that much of the world’s critical infrastructure depends on people who aren’t paid to maintain it—and that makes the entire ecosystem vulnerable.
The Bigger Picture
The economic model works because companies capture most of the commercial value from Linux—through cloud services, enterprise support, and hardware sales—and reinvest some of that back by employing contributors. Community volunteers fill in the enormous gaps.
It’s a system that produces extraordinary software but distributes the financial rewards very unevenly. People brilliant enough to build the infrastructure that runs the internet, smartphones, and supercomputers… give much of it away for free while trillion-dollar companies build empires on top of it.
The Cultural Context
There’s a cultural element to this as well. The free software movement was founded on idealism—Richard Stallman’s philosophy was that software should be free, that restricting it is morally wrong. That ethos attracted people who are deeply principled but not always business-minded.
The hacker culture has historically looked down on commercialisation as a kind of betrayal. Developers who try to monetise their work sometimes face backlash from their own community. It’s a bit like musicians or artists—incredibly skilled people who’ve normalised being undervalued because “you should do it for the love of it.”
The good news is that the conversation is shifting. Younger developers are more willing to say “pay me,” and there’s growing recognition that sustainability isn’t selling out. But decades of cultural momentum are hard to reverse.
What’s Changing
Several initiatives are emerging to address the sustainability gap:
Direct funding platforms: GitHub Sponsors, Open Collective, and Tidelift allow companies and individuals to fund developers directly. KDE, for example, introduced an in-app donation prompt that raised nearly €330,000 in a single quarter—mostly from small individual donors.
Foundation models: The Linux Foundation funds infrastructure and key developers (including Linus Torvalds himself) through corporate memberships on a tiered model. Companies pay annual dues based on their size.
Paid LTS support: Models like Debian LTS via Freexian create a way for companies to pay for extended security support, with that money going directly to Debian contributors.
Corporate contributions: There’s increasing pressure on companies that profit from open source to contribute back—whether through employing developers, sponsoring projects, or donating to foundations.
Why This Matters
If you use a computer, you depend on open source software. Your web browser, your phone, most of the websites you visit, your router, possibly your car—all of them run code that was given away for free by people who often weren’t paid to write it.
Understanding how this ecosystem works—and its fragility—matters. The next time you hear about a critical security vulnerability in some obscure library that affects millions of systems, there’s a good chance it was maintained by an unpaid volunteer who was doing their best.
The open source model has given us remarkable software. The question for the coming years is whether we can find sustainable ways to support the people who create it.
Last updated: March 2026