Before writing a full blog post, I want to gather some reactions.
What if we made it legally obligated that if an employee can show (putting aside the validation mechanism here, lots of options with different tradeoffs) they contribute to open source a bit (and I really mean a low amount. Even an obscure package counts, even a few PRs to fix real bugs) on their non-work time.
Then the employer has to give them one more (paid) free day a week. 80% job for the salary of a 100% one.
@thisalex this has not been my experience with government. Policy makers tend to prefer super targeted bills, because then no one outside of the domain hears about it. It really simplifies the policy making work.
The larger it gets, the harder it gets to do anything.
For everyone that calls for ways to make open source more secure, or for all their magical solutions that will provide money and resources to FOSS maintainers, please read this.
This is a rare account of the reality of maintainers, things that are hard, but also how much knowledge and niche expertise you need for anything in there.
That is why just giving money to experts will not help that much. It is too hard to train experts in this. But we may make it easier.
If you are on the board of an organization, you accepted a role of leadership. You may not think you did, and that is ok, misunderstandings happen. But when it comes time to do the role you signed up for, at least try to do it.
After the crisis, yes you can abdicate. But starting with abdication, you better accept that no one will ever respect you again.
For anyone wondering why I have not withdrawn my maintainer status from nixpkgs The Determinate Systems' Community, it is because I will follow the letter I signed. So we will check on the 1st of May.
Bets are open, but I think we all know what PR I will have to make.
I need to write a blog post about this but in the meantime.
If you do postmortems, retrospectives, incident analysis or whatever Learning from Incidents.
Consider that the Learning is about using the analysis as a tool for replanning. Do not focus only on "How did we get there?" but consider this a starting point to ask "How are we changing what our plan is?" and also "How are we reflecting on our model of the world?".
The goal is not to find what went wrong. The goal is to revisit decisions.
People often tell me I am awfully negative and pessimistic. Guilty as charged!
It is in large part because it feels really lonely and hopeless to yell into the void for years.
But the @sovtechfund gives me hope. Why? Because they did their legwork. They are a rare voice that seems to actually look at the problem before jumping to solutions, and it means their solution actually helps.
If you want to create an event to workshop solutions to help heavily resource constrained maintainers, consider starting from the point of view of "what kind of event could a resource constrained maintainer participate in".
Otherwise, your event will join the long list of useless ones.
And if you need help thinking through that or bouncing ideas, my contacts are all over my website. I will spend my constrained resources to help you, for free, because I do care a lot about this.
What about "yet giving the ability to give advice requires deeper proof of expertise and understanding of the life of maintainers?"
Said otherwise. Fuck off.
>>> yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a "quick fix" to any problem.
I will have to do a proper take down later because this is a looooot of shit.
I will simply repeat my advice from last time. It is ok to step down when you are not helping. It is even better for everyone. Sometimes we are not equipped to do a job. It is the responsible and self-respecting thing to recognise it and step down when it happens.
@Di4na lmao. "Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack."
This just in: OpenSSF declares OpenSSF scorecard to possibly be a social engineering attack
This is the single thing published about xz by an org that seems to have actually done the work.
If you want a voice to amplify, the @sovtechfund seems to be the only one that listened to maintainers'. So please go read it and amplify it. Let's try to make visible orgs that are humble and do the work.
And thank you to everyone at the @sovtechfund for doing this work, like this. ❤️ It helps so much.
So we have it now. Rust solved a large number of the safety problems at the system language level. Not everything ofc, but still. Lots of them. And it is actually being adopted.
So I have a question for my cybersecurity/infosec crowd.
Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?
Where is the retrospective of what went wrong? Where are the learnings?
I am genuinely interested. It is a domain I keep being surprised not finding discussions about. And I feel like I must be missing. I am probably not looking in the right place.
So I am asking the internet to do its magic and point me to these places please :)
@Di4na We should recognise the possibility that it may have simply been random factors that caused the adoption of Rust where other solutions didn't take off; that there wasn't something specific Rust did right or the others did wrong.