But they are not working for free, they're doing this work during work hours. Individual volunteer maintainers this article is about are a minority. The majority of contributions to the open source projects that "the internet runs on" are from businesses that use the software and maintain or improve it.
I'm not talking about your small hobby project with a few dozen users - as good as it may be, the internet doesn't run on it. cURL is really an exception, not the rule.
OpenSSL has hundreds of contributors, not just one guy, and the 'Heartbleed bug' guy they were referring to wrote the code during his PhD, so it wasn't a volunteer donating his spare time.
The whole thread is anecdotal. I'm not aware of any quantitative study in the matter. There are also distributions like Debian, which is essentially run by volunteers.
I know there are volunteers that do a lot of Debian work, but that is not to say Debian is purely volunteer work. Obviously there is plenty of sponsored work. https://www.debian.org/partners/
I’d argue without trying to classify and quantify Debian contributions, there is no way to know who is doing work on Debian on their employer’s dime.
I also try to contribute to various projects in spare time as well. My contributions don’t really add up to much overall, though.
Sure, it’s all anecdotal. But otoh, the notion that FOSS is mostly volunteer work is probably worth challenging. Most non-huge projects I’ve come across only have 4 or 5 key contributors. Open source is, at least, not as distributed as believed for most projects. On the other hand, companies using FOSS have incentives to contribute, and sometimes will even hire contributors on important projects.
I didn't do any quantitative study, but I'd be really surprised if most maintainers in the project are not volunteers. Those contributors, though usually individually small, tend to add up. It's also probably difficult to justify Debian package maintenance to your employer, unless you work for Canonical. Even products that distribute a .deb tend to do it outside of the distribution, rather than really contributing.
Actually, there are certainly reasons you might do maintenance work on company time. At Google for example, the gLinux distribution is heavily based on Debian[1]. Why would individuals do it on company time otherwise? One example is to solve a business problem. I have definitely contributed upstream to open source projects to solve problems at work.
80% of new contributions are from companies. That shouldn't be surprising at all, because these companies are also the biggest users of the project.
As for myself, on the rare occasions I contributed a patch to an OSS project, most of the time it was to solve a problem I encountered at work, so I have anecdotal evidence that at least some from the category 'volunteers' also got paid to write that code.