There are so many projects which are considered as “they must be there” and underfunded or not funded at all. I believe companies using packages should sponsor them.
Originally a thread on Twitter about the xz/liblzma vulnerability. When I finished typing it, I realized I had a real-world slice of Open Source interaction that deserved more attention.
Are we really? Yeah, we feel sorry for them, but not with them. It's still largely an unpaid one-man band taking care of a crucial bit that keeps multi-billion companies running.
Wasn't there, ages ago, a claim by a developer that she had placed malicious code in the kernel piece by piece? It was a fake, but it did make the reviewers more alert after all. ssh or ssl had a similar problem a while back, and GPG was shaky at one point too.
Sardo
in reply to daniel:// stenberg://
Marcel Waldvogel
in reply to Sardo
@sardo Unfortunately, as @lcamtuf points out, money is not enough:
* "it’s hard to build a sustainable community around watching paint dry"
* "It’s hard to build a rewarding career on being very familiar with some boring, old dependency that’s just taken for granted by everyone else."
I don't know what the solution will be, but it will have to (not only) consist of money. Any good ideas?
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Techies vs spies: the xz backdoor debate
lcamtuf (lcamtuf’s thing)
daniel:// stenberg://
in reply to Marcel Waldvogel
Jan Wildeboer 😷:krulorange:
in reply to daniel:// stenberg://
Matthias Klumpp
in reply to daniel:// stenberg://
Thank you! I can't imagine how bad this must feel for Lasse Collin, especially after reading [1].
We're with him and all honest XZ contributors, and they're not to blame 🙂
[1]: https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
A Microcosm of the interactions in Open Source projects
robmensching.com
phi1997
in reply to daniel:// stenberg://
Rick :swift: 6x💉😷🇺🇦
in reply to daniel:// stenberg://
Joris Meys
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Joris Meys
Joris Meys
in reply to daniel:// stenberg://
subroutine
in reply to daniel:// stenberg://
adingbatponder
in reply to daniel:// stenberg://
is an anagram of
faster insomnia
we are with you!
#xz
rostundrad
in reply to daniel:// stenberg://
fanf42
in reply to daniel:// stenberg://
(total agreement).
Does the green heart have a special meaning? The internet Pythias are only drowning me with AI-generated voidness.
daniel:// stenberg://
in reply to fanf42