@bagder One thing I do not really understand ...
"Free" is fine. But I see "Companies" mentioned pretty often. Companies have one master goal: Make money. Taking something for free and selling it for money does not contradict that goal.
So why not adjust the licences to something like "If used by a legal entity generating at least a turnover of 240 times the average monthly income of the country their headquarters are located at, at least 3% of the total turnover has to be spread equally across the products used that are covered by this license."
@bagder You can add something about contributing to the projects, but ...
Once upon a time, one of our devs solved an issue in an open source library we are using. He asked his superior to create a corresponding pull request. The request got denied because "It may also contribute our competitors".
So I have my doubts that a call for contribution will generate much participation.
@bagder Jia Tan's trust was generated through HUMINT-style pushing on a vulnerable maintainer using sock puppet accounts.
We still need reviews, verification and tests, but if we ignore the load we place on a project maintainer and expect them to do better at identifying bad commits, then this will happen again and again.
@codepope my point is that contributors normally are not "trusted" at all by maintainers - like myself. I don't need trust for that. As long as their contribution is good. That's the vast majority of contributions.
Trust is for when handing over responsibilities and powers, which is MUCH rarer.
@bagder But isn't that the point. The lone maintainer ends up taking on the full load, and add in the knowledge that bad actors will try and subvert their project with apparently good code obfuscating their attack over multiple projects, then that's a huge burden. The kind of burden which ends up with projects with n-year backlogs and no activity, and then there's a push to move the maintainer to someone new and (see xz)…
@codepope but with a lot of additional requirements the burden on the maintainer is also increased when being unable to bring in more maintainers because they are not in the web...
So no, I don't see how a web of trust thing is a realistic scenario for where I have been in my maintainer life.
@bagder Are you basing that on the assumption that nobody trusts anybody so no one would be eligible? And as I said in another part of the thread, it'd be up to each project to decide how much weight they put on the trust graph ratings - I'd expect most projects to start with it on low and ramp it up in line with current maintainers own ratings over time.
But I’m guessing from the responses, we're going to be stuck with zero trust FOSS going forward.