It Doesn't Have to Be This Way

May 12, 2026 — James Henry


In early 2024, a Microsoft engineer named Andres Freund was debugging a performance problem when he noticed something wrong with xz utils. The irregularity was subtle -- a few extra milliseconds in SSH authentication, an unexpected CPU spike. Following it down led him to a backdoor, carefully hidden, inserted by someone who had spent two years building trust with the project's original maintainer under a false identity.

The original maintainer had been running xz utils alone, without pay, for years--he was burning out. A helpful stranger appeared, gradually took on more responsibility, and eventually had the access needed to slip code into a library that ships on nearly every Linux system on the planet. If Freund hadn't been unusually thorough on an unrelated debugging session, the backdoor would have given the attacker remote root on millions of servers.

The headline was about the near-miss. The actual story was about the economics that made it possible: one person, unpaid, holding critical internet infrastructure together until someone noticed he was struggling.


That's been the open source bargain for thirty years: the knowledge is free, the labor is optional. But when the labor runs out, the infrastructure breaks.

Artifact-based knowledge economics have been unwinding in slow motion across every sector. Streaming music pays fractions of a cent per play--not because platforms are evil, but because when you can copy a song infinitely at zero cost, the rental value of the copy approaches zero. AI training settlements pay writers a few thousand dollars for their life's work--not as an insult, but as a market signal: the individual artifact is worth less when the model can approximate its style from ten thousand examples. Knowledge rent--income from owning a piece of knowledge that others need--is dying.

The question isn't how to save the rent; it's what replaces it.


Open source already answered this question, unevenly and mostly by accident.

The models that worked funded the labor directly. Red Hat built a business not on selling Linux but on selling support, configuration, and the expertise to run it. Consulting, contracting, corporate sponsorship of critical projects -- these worked because they paid for the act of doing, not the artifact produced. When a company sponsors a maintainer or hires someone to work on a project full-time, they're not buying code they couldn't access anyway. They're buying the labor of someone who understands the code well enough to keep it running.

The models that failed assumed the labor would be its own reward. This produced real things -- a large fraction of the infrastructure the internet runs on was written by people who weren't paid for it--but it also produced the xz backdoor. When the only funding for critical work is a maintainer's goodwill, and goodwill is finite, the failure mode isn't that the work stops. It's that the work continues just long enough for someone to exploit the exhaustion.

Open source proved two things simultaneously: that people will create without rent and that "without rent" doesn't mean "without cost."


The underlying principles are older than software.

Before copyright -- before there was a legal mechanism to collect rent on a fixed knowledge artifact -- creators got paid through patronage and commission. The campfire bard got fed because the village valued having someone who could sing--not because the bard owned the songs or paid royalties out to some other bard 25 towns down the line. The songs were shared freely; the value was in the person who could play them.

Copyright is a legal mechanism, roughly 300 years old, that lets you treat a piece of knowledge like a piece of land -- collect rent on it, license it, sue people who reproduce it without permission. It worked when copying was expensive. When a manuscript had to be hand-copied, scarcity was real. When a vinyl record required manufacturing, distribution, and shelf space, scarcity was real. When a software library can be forked in seconds and run on a million servers, scarcity is fictional.

Substack, Patreon, GitHub Sponsors: these are patronage infrastructure with modern payment rails. People pay for the creator--not the copy--and it's already happening at scale.

Commissions and bounties fund specific work: "build this feature," "write this analysis," "keep this system running for the next year." Direct exchange of money for defined labor.

And specification as labor: if AI handles implementation, the valuable human work is the judgment layer above it -- defining problems, articulating constraints, making the calls that require actual understanding of the situation. That's skilled work. It's what senior engineers have always been paid for, with implementation treated as evidence of the underlying skill rather than the skill itself.


Patronage works for creators with audiences but doesn't help the person maintaining critical infrastructure that nobody knows they're using. The xz maintainer had no patrons; his work was invisible until it almost wasn't.

The discovery problem is real: how do you fund work that matters but isn't popular? Visible projects attract sponsors. Invisible ones hold up the visible ones.

And the playing field isn't level. Individuals shifting to labor economics are making the right adaptation for their situation. But companies still sitting on infrastructure rent -- platforms extracting value from knowledge they didn't create -- haven't made the same shift. They're still in the landlord business. The creators feeding their models and platforms are the ones navigating post-rent economics, while the platform takes a cut.

The coordination problem runs deeper than any of these individual fixes: distributed funding of distributed labor requires mechanisms that don't exist yet at scale.


Enter Project Glasswing. Glasswing found thousands of zero-day vulnerabilities across every major operating system and browser. The same class of tools that can find them can exploit them. The attack surface the xz maintainer was quietly holding together just got larger and more dangerous.

The xz attack took two years. It needed that time because deep expertise in a specific codebase was slow to develop and impossible to shortcut. The attacker's strategy was patience -- build trust, learn the code, become indispensable. That window existed because there was no faster path.

That window is closing. The same AI capability that found those zero-days can take someone from unfamiliar with a codebase to capable of maintaining it in weeks. One person holding it all together isn't a given anymore. It's a choice.


It isn't a zero-skill choice. Working with AI is closer to a craft than a formula -- more like fine art than a science. Hand anyone oil paint and a blank canvas; they won't produce a Mona Lisa. But they'll produce something, and they'll get better, and the skill transfers in a way domain mastery never did. A decade of xz internals prepared you for a very specific kind of coding, useful only within a narrow range. The craft of working with AI compounds across every codebase, every domain. The logical endpoint: Drew Breunig's whenwords -- a software library written in no code at all, just a specification implemented on demand.

The remaining barrier is inference cost. Running frontier models against a large codebase isn't free, and the most capable tools are still being rationed -- though that scarcity is artificial and closing fast. But inference cost is fungible in a way expertise never was. A foundation can pool compute. It could never pool the years of muscle memory in one maintainer's head. The knowledge problem was irreplaceable. The billing problem is solvable.


Knowledge was always shared freely. Copyright was a legal mechanism grafted onto a temporary scarcity, lasting roughly as long as the conditions that created it. The economics are shifting from rent to labor -- from owning the artifact to doing the work.

The mason who builds a staircase gets paid once. After that, everyone who uses the stairs is getting something for 'free'. That always seemed like the argument for copyright -- a way to keep collecting on the stair. But the other reading is different: the mason still got paid. For building, not for owning. And the village has stairs.

The xz scenario required a specific combination: irreplaceable expertise, slow succession, one exhausted person holding the whole thing together. All three of those conditions are breaking down. You can grow a capable maintainer in weeks. You can distribute the vigilance. You can make the fire everyone's responsibility instead of one person's burden.

The campfire doesn't need a single keeper when everyone has matches and access to kindling.


James Henry is a senior engineer who writes about AI, open source, and the slow death of knowledge rent. This post contains an unreasonable number of links to his own previous essays. He publishes at waypoint.henrynet.ca.
