Hi

As we all know the XZ-Backdoor showed how open source can help to find out how and when things happened. You can look back into the source code, commits and comments to see what happened. Many started to talk about what it means regarding open source, and also showed that security is a very important part of computers and software.

But the XZ-Incident showed again one of the biggest problems of FOSS (and OSS), the lack of support the maintainers and contributors get. The maintainer of XZ (before he got replaced by Jia Tan via a social engineer attack), talked about mental issues and overall many things to look after. He was the only maintainer for a library that is used in many big Linux distributions but no one thought maybe to help him or support him.

We all use FOSS projects either knowingly or unknowingly (the XKDC comic comes to mind with the Nebraska maintainer project) and we all love and fight for open and free (libre) software. Simply using and pushing it is not enough we need to support the people that code, test and maintain the projects, libraries, programs that we use. If we don’t, it will crash down on us sometime in the future.

When a friend does something for you, you say thank you and maybe buy him/her a beer. Why not do that too for a converter you used or some cool little terminal addition you found and now can’t live without it?

As an experiment, make a list of all FOSS/OSS things you use in your daily life that you know of, and then look them up to see if they need funding or in general how they stand. Maybe you can donate to a few of them.

Make FOSS not only a philosophy but also a community that looks after each other.

  • 4dpuzzle@beehaw.org
    link
    fedilink
    English
    arrow-up
    46
    ·
    8 months ago

    While I agree that many FOSS devs/maintainers would find donations and other monetary support very useful, please remember that money isn’t the solution for everything. This is especially the case for mental and emotional wellbeing. Funding might increase the entitlement and demands of the users on the maintainer’s time. What the maintainer really needs might be some time off or reduction on their workloads.

    I’m all for donating to these projects. But don’t let that be an excuse to treat them badly and make unreasonable demands on them.

    • dog@suppo.fi
      link
      fedilink
      arrow-up
      8
      ·
      8 months ago

      You do realize with more donations they can AFFORD to hire more people, and to get the help they need? Money is the solution. Let’s not downplay the value of it.

      • loops@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        8 months ago

        What would be an even better alternative then involving capitalist ideals, is to learn how to code and freely contribute to the project.

  • flatbield@beehaw.org
    link
    fedilink
    English
    arrow-up
    30
    ·
    edit-2
    8 months ago

    Supply chain attacks also show one reason that using older software like Debian stable may be a better plan for things that matter. All new software versions need some time to be tested and vetted.

    It also shows the importance of security in depth. That less is more in terms of code dependencies and complexity. That knowing dependencies is as important as knowing your code.

    I would consider the xz incident to be a success. The supply chain attack was found pretty rapidly. We have already seen many of these and we will see more. Ones I remember off the top of my head include Linux Kernel, NodeJS, Python PyPI.

    I would not over blow this. Security is an ongoing activity and all security is porous.

  • penquin@lemm.ee
    link
    fedilink
    arrow-up
    16
    ·
    8 months ago

    As an experiment, make a list of all FOSS/OSS things you use in your daily life that you know of, and then look them up to see if they need funding or in general how they stand. Maybe you can donate to a few of them.

    I haven’t been doing this enough, not gonna lie. I’m gonna start doing it more. Thank you for the reminder.