The XZ-Backdoor shows again the problem of FOSS maintainers regarding support and donations

furrowsofar, 2 months ago (edited 2 months ago)

Supply chain attacks also show one reason that using older software like Debian stable may be a better plan for things that matter. All new software versions need some time to be tested and vetted.

It also shows the importance of security in depth. That less is more in terms of code dependencies and complexity. That knowing dependencies is as important as knowing your code.

I would consider the xz incident to be a success. The supply chain attack was found pretty rapidly. We have already seen many of these and we will see more. Ones I remember off the top of my head include Linux Kernel, NodeJS, Python PyPI.

I would not over blow this. Security is an ongoing activity and all security is porous.

tesseract, 2 months ago

While I agree that many FOSS devs/maintainers would find donations and other monetary support very useful, please remember that money isn’t the solution for everything. This is especially the case for mental and emotional wellbeing. Funding might increase the entitlement and demands of the users on the maintainer’s time. What the maintainer really needs might be some time off or reduction on their workloads.

I’m all for donating to these projects. But don’t let that be an excuse to treat them badly and make unreasonable demands on them.

dog, 2 months ago

You do realize with more donations they can AFFORD to hire more people, and to get the help they need? Money is the solution. Let’s not downplay the value of it.

loops, 2 months ago (edited 2 months ago)

What would be an even better alternative then involving capitalist ideals, is to learn how to code and freely contribute to the project.

astraeus, 2 months ago

Kind of goes against the underlying principles of FOSS to hire a team to work on a project. Not that all FOSS work is volunteer based, but once something becomes an incentivized project the FOSS part starts to become a bit ambiguous.

averyminya, 2 months ago

I also just don’t see donations ever funding a long term development team. $20 an hour? For how many people? (X) to doubt. Idk it’s a rough circumstance

anlumo, 2 months ago

Works pretty well for the Linux kernel, and that’s arguably the most successful FOSS project ever.

astraeus, 2 months ago

The Linux Foundation isn’t doing most of that legwork though, multiple corporations with their own interests are. Microsoft, Valve, and Red Hat are some of the biggest contributors to the kernel, but they aren’t paying teams specifically to keep up Linux as much as they are paying teams to develop for them things which must be contributed back to the kernel.

penquin, 2 months ago

As an experiment, make a list of all FOSS/OSS things you use in your daily life that you know of, and then look them up to see if they need funding or in general how they stand. Maybe you can donate to a few of them.

I haven’t been doing this enough, not gonna lie. I’m gonna start doing it more. Thank you for the reminder.

astraeus, 2 months ago

Make a list of all the FOSS/OSS things you use in your daily life

I wasn’t prepared for a project of this magnitude, seriously OSS is everywhere

skullgiver, 2 months ago (edited 2 months ago)

deleted_by_author

astraeus, 2 months ago

As someone who makes a living supporting servers running various forms of software, almost all of which is open-source, even just the things I know of the top of my head have large dependency trees. Just look at a base install of Ubuntu, you probably have no less than a thousand projects supporting the system. That doesn’t even begin to include additional functionality, install PHP or Python, even just system drivers, and you can easily double or triple that count.

csh83669, 2 months ago

At which point if I’m expected to give a dollar to each of them, then I’m basically screwed. I’ve seen some licenses trying to claim “1% of your revenue if you use my package”… But if I use 1000 of them I now owe 10x my revenue to a bunch of “leftpad” libraries?

Or am I somehow supposed to give like… 10000 3 penny donations? How would that even work? The costs to “donate” a dollar to someone with modern banking (once the CC and whatever donation site takes their cut) almost makes it not worth it.

Especially once indirect dependencies get pulled in (which is a large part of the FOSS ecosystem… tons of people use ffmpeg without ever realizing they are) how does that work? If I use a library, and that library suddenly adds 20 more dependencies, do I need to shell out $20? Or am I as a maintainer supposed to divvy up any donations I get to every library I used (I bet you used a compiler to build whatever your tool is).

It’s rough, and I don’t see it really working for anything but a few special snowflake projects. It’s just not workable at the scale FOSS has turned into. A blessing a curse I suppose.

catacomb, 2 months ago

Yeah and this still wouldn’t cover something like xz-utils because I would only be aware of end user projects and not the libraries behind them. I’d have to draw up entire dependency graphs.

TehPers, 2 months ago

I’d imagine doing this for a simple website project only for npm to tell me there are over 2000 packages installed. Donating even $1 to each of them would be unsustainable (as myself, for a company that’s another story). I think what we need is a more scalable way of supporting these projects. For example, should is_even get the same amount of support as zod?