rob (@rob@akrabat.com)

The interesting thing about the xz attack is that as humans we tend to trust after time has passed.

A senior dev who starts working for a company in 2021 is a trusted senior dev by 2024.

Someone who starts regularly contributing to an OSS project in 2021 is a maintainer by 2024.

jaapio (@jaapio@phpc.social)

@rob I think one of the underlying issues is there are too few maintainers. Any regular contributor will become a maintainer fast, because anybody maintaining a widely used project wants to have a backup in the end.

This makes single-maintainer projects extra vulnerable.

rob (@rob@akrabat.com)

@jaapio For small projects, there are too few regular contributors too.

wouterj (@wouterj@phpc.social)

@rob @jaapio as many others have also said, I think this is logical for projects like this.

It's no longer "innovative", there aren't many changes and as a result very little visibility for projects like this and their contributors.

jaapio (@jaapio@phpc.social)

@wouterj @rob You are absolutely right, the smaller projects have this issue too, but the impact is smaller. However, it's a wide issue that we have too few contributors for the amount of work that is done in open source.

However, I know you both from the open source work you are doing, so I'm mostly talking to people who already agree with me 😎

wouterj (@wouterj@phpc.social)

@rob @jaapio I'm afraid the only way to help these packages is by having contributors that do not do this because they want it, but because they are paid to do it.

However, even if companies know their full supply chain, they can't possibly help maintain all their dependencies this deep down. It's a very hard problem to tackle...

rob (@rob@akrabat.com)

@wouterj @jaapio Regardless of whether the maintainer is paid or if there is a team of maintainers, humans trust people that they think they know.

Hence, a project is likely to trust someone who’s been around the project for a while.

Similarly, a company is likely to trust a senior dev who’s been around a while.

xz is as much a social engineering attack as it is a technical one.

jaapio (@jaapio@phpc.social)

@rob @wouterj I agree, just money is not the solution here. Open source is a matter of trust; the good thing is, we can check what is happening, whereas with closed source you can't.

However, that comes with the responsibility to keep doing that, which costs money...
In fact, our whole security system is based on trust... And trust will be abused.

rob (@rob@akrabat.com)

@jaapio @wouterj I could reasonably argue that our entire society is based on trust. Crime happens because that trust is abused.

Security is hard because it’s not entirely a technical problem.

dgoosens (@dgoosens@phpc.social)

@rob @jaapio @wouterj

Sadly not.
Current society is based on control, not trust.

is based on the same principles as the Commons (described by Ostrom).
It is based on trust and, among other things, rules accepted by all stakeholders.
Within a Commons, people trust each other to respect these rules.

The exact opposite of our society, where nobody trusts anybody.
Without trust, everything needs to be checked and controlled over and over again.
IMHO a terrible waste of resources and a sad way to see human relations.

wouterj (@wouterj@phpc.social)

@rob @jaapio I 100% agree with this.

However, you are much more likely to become a maintainer in projects with a lack of contributors in the first place (although I realise I've literally grown up inside a very extreme bubble where there is an abundance of maintainer-worthy people).

Which is why I believe foundations/companies can play a crucial role in the social side of things here, as they can help remove the need to recruit new maintainers in the first place by assisting the maintainer.
