Hi
As we all know the XZ-Backdoor showed how open source can help to find out how and when things happened. You can look back into the source code, commits and comments to see what happened. Many started to talk about what it means regarding open source, and also showed that security is a very important part of computers and software.
But the XZ-Incident showed again one of the biggest problems of FOSS (and OSS), the lack of support the maintainers and contributors get. The maintainer of XZ (before he got replaced by Jia Tan via a social engineer attack), talked about mental issues and overall many things to look after. He was the only maintainer for a library that is used in many big Linux distributions but no one thought maybe to help him or support him.
We all use FOSS projects either knowingly or unknowingly (the XKDC comic comes to mind with the Nebraska maintainer project) and we all love and fight for open and free (libre) software. Simply using and pushing it is not enough we need to support the people that code, test and maintain the projects, libraries, programs that we use. If we don’t, it will crash down on us sometime in the future.
When a friend does something for you, you say thank you and maybe buy him/her a beer. Why not do that too for a converter you used or some cool little terminal addition you found and now can’t live without it?
As an experiment, make a list of all FOSS/OSS things you use in your daily life that you know of, and then look them up to see if they need funding or in general how they stand. Maybe you can donate to a few of them.
Make FOSS not only a philosophy but also a community that looks after each other.
I wasn’t prepared for a project of this magnitude, seriously OSS is everywhere
Interestingly, Windows also pulled in libarchive to support extracting tar.* files from Windows explorer. The exploit code doesn’t target Windows, but it’s not just the open source projects that are affected by attacks these.
As someone who makes a living supporting servers running various forms of software, almost all of which is open-source, even just the things I know of the top of my head have large dependency trees. Just look at a base install of Ubuntu, you probably have no less than a thousand projects supporting the system. That doesn’t even begin to include additional functionality, install PHP or Python, even just system drivers, and you can easily double or triple that count.
At which point if I’m expected to give a dollar to each of them, then I’m basically screwed. I’ve seen some licenses trying to claim “1% of your revenue if you use my package”… But if I use 1000 of them I now owe 10x my revenue to a bunch of “leftpad” libraries?
Or am I somehow supposed to give like… 10000 3 penny donations? How would that even work? The costs to “donate” a dollar to someone with modern banking (once the CC and whatever donation site takes their cut) almost makes it not worth it.
Especially once indirect dependencies get pulled in (which is a large part of the FOSS ecosystem… tons of people use ffmpeg without ever realizing they are) how does that work? If I use a library, and that library suddenly adds 20 more dependencies, do I need to shell out $20? Or am I as a maintainer supposed to divvy up any donations I get to every library I used (I bet you used a compiler to build whatever your tool is).
It’s rough, and I don’t see it really working for anything but a few special snowflake projects. It’s just not workable at the scale FOSS has turned into. A blessing a curse I suppose.
deleted by creator
Yeah and this still wouldn’t cover something like xz-utils because I would only be aware of end user projects and not the libraries behind them. I’d have to draw up entire dependency graphs.
I’d imagine doing this for a simple website project only for npm to tell me there are over 2000 packages installed. Donating even $1 to each of them would be unsustainable (as myself, for a company that’s another story). I think what we need is a more scalable way of supporting these projects. For example, should
is_even
get the same amount of support aszod
?