I suppose I think it's fair to ask the broader question: Are we only going to address the precise issue which caused the `xz`, or are we going to finally address the related elephant in the room? Too many are doing unpaid work which benefits the largest, most profitable corporations which have ever existed. And not only are they unpaid, they are generally treated like garbage by their own FOSS "communities".
I think there comes a point where many say: This is simply ridiculous. I love open source. I appreciate the opportunities it has afforded me, but the lack of dignity afforded developers and maintainers is grotesque. It's unsustainable and will collapse in upon itself, if the big players don't right the ship.
Play FOSS licensing games, win FOSS licensing prizes. No one is forcing these folks to release their stuff under those licenses, and no one should expect any kind of support for stuff released under a FOSS license.
IMO, the only real solution to this mess is getting past the stigma of paying for software and libraries. There is not enough goodwill/karma in the world to convince enough folks to pay for something they receive for free.
> IMO, the only real solution to this mess is getting past the stigma of paying for software and libraries. There is not enough goodwill/karma in the world to convince enough folks to pay for something they receive for free.
For that to work you'd need to solve liabilities internationally.
Taxes are the most pressing issue - if the company and the (F)OSS developer are in the US, it's relatively easy, but a lot of developers aren't in the US but in Europe, Africa or Asia. Some of these places have authorities that don't care about anything, but others (like Germany) are bureaucratic monsters.
Then come sanctions and AML/KYC issues - it's easy enough for an anonymous person from Russia, China, North Korea, Iran, Cuba, Venezuela or Syria to participate in a (F)OSS project. But once payments come into play, the usual regulatory bullshit comes into play as well. As, say, Microsoft, you can't just go and Western Union a few hundred dollars to an (effectively) anonymous person, you have to verify their identity and make sure that they're not the target of sanctions against themselves or their country. European countries have it easier because the only place we're seriously sanctioning outside of North Korea is Russia and Belarus, but that's a headache as well.
And then come civil liabilities. As a (F)OSS developer, all major licenses explicitly disallow warranty claims or patent claims. But once you get paid for something, that implicitly or explicitly (depending on jurisdiction) makes you a commercial trade partner, which means you can be held liable should your code prove to be the cause of a security vulnerability. And that's not even getting into the minefield of software patents and DRM, which add criminal liabilities on top of all that crap.
Even if Microsoft or whoever wanted to drop me some money for something I wrote, there's no way in hell I'd accept anything below 100k simply because of all the overhead of shielding myself. I'd need to start up the German equivalent of an LLC, which costs a few thousand euros plus recurring fees for accounting requirements, and I'd need to purchase insurance which, given the potential claims of a company like Microsoft, would run many thousand euros a month...
In an ideal world, at least the G18 (i.e. G20 minus China and Russia who already don't cooperate with the RoW that much regarding anything IP-related) would come together and agree on a common framework that makes funding for open source developers easy and hassle free, but I'd guess it would take a few xz and log4j2-level events on a global scale to even move the issue high enough that regular politicians pick it up.
Yeah that's all true, but fixing that is going to do little to address the security issues. A campaign like this would find or create another opportunity. They spent at least a year infiltrating the project.
> Yeah that's all true, but fixing that is going to do little to address the security issues.
I'm not sure this is the case. I'd imagine it would be harder to infiltrate a project which pays its contributors. Yes, there is incentive to stay on as maintainer, provide some modicum of dignity, but also maintainers' wages would be traceable back to real bank accounts. Professionalize a project and that project can get serious about security, etc., too.
This seems obtuse.