Thinking about what the open source community can do to support maintainers against social engineering attacks like what seems to have happened with #xz.
Charges users on a per deploy-minute basis (if the users are orgs with $1m or more IT budgets).
Distribute funds to maintainers, provide security support for maintainers, and in some cases, let governmental agencies (e.g. NIST) pick up support of mature projects.