- XZ is critical software
- XZ was (is?) developed by a single person
- XZ developer does XZ development in their spare time, having a normal job to pay the bills
- XZ developer gets overburdened. Not making money, they can't hire another dev.
- Pressure builds up. Hacker leverages and takes advantage of this, especially since not everything can be checked due to said overburden.
Look at it from the flip side. Take the counterfactual of if XZ Utils was making money for their work:
- XZ is critical software, therefore it is funded
- XZ is funded and critical, so more than one developer is hired to ensure quality
- XZ is funded, developers don't have a second job. They have ONE job
- XZ is overburdened. XZ is funded. XZ hires more devs.
It's true that a hacker can still infiltrate corporate software, but it is also true that the pressures would have been far lower were the main dev not doing 2 fucking jobs.
Of course if there were a large company maintaining XZ Utils then that would dramatically mitigate the cyber risk, but isn't this the default economics of OSS?
Approaching it from the point of view of "it's obviously unjust and stupid that people voluntarily offered their software for nothing" without questioning the prior seems a bit short-sighted.
If you want to say "no one should use OSS because of the cyber risk", you might be right. But then what should replace it? What's the proposal?
What does this mean? Can you give an example?