The backdoor highlights the politics, governance, and community management of an ecosystem exploited by massive tech companies and largely run by volunteers.
If they were conpromised, being paid by a company wouldn’t helo. Likely companies would keep it in house, not FOSS. So I think it grows t show how ODD is less open to corruotion. It gets spotted. If this is a state actor that made it haooen, do you really think they have not compromised closed software too? We just have no idea about it not any means to find out.
Company: Here is a security vulnerability in your OSS project, please fix our production is vulnerable.
Random Guy working on OSS library in his free time: Sure, I have some time next month.
Random Guy works full-time, has a family and friends. Random Guy is not your supplier and has no obligations and warranties WHAT SO EVER, even implied. That’s what the license of his project says.
If Company wants it fixed, they better allow him to work full time on it, or pay part time work. Or they pay someone else to maintain Project and send the changes to Project so Random Guy can take a little look and merge if he feels like it. Random Guy won’t just merge company code and be done with it, more code in a codebase needs to be maintained now after all.
This also works with features of course. The time of Random Guy is valuable and if Company wants Random Guy to work on something they use, they’d better pay good money for that time.
If they were conpromised, being paid by a company wouldn’t helo. Likely companies would keep it in house, not FOSS. So I think it grows t show how ODD is less open to corruotion. It gets spotted. If this is a state actor that made it haooen, do you really think they have not compromised closed software too? We just have no idea about it not any means to find out.
Company: Here is a security vulnerability in your OSS project, please fix our production is vulnerable.
Random Guy working on OSS library in his free time: Sure, I have some time next month.
Random Guy works full-time, has a family and friends. Random Guy is not your supplier and has no obligations and warranties WHAT SO EVER, even implied. That’s what the license of his project says.
If Company wants it fixed, they better allow him to work full time on it, or pay part time work. Or they pay someone else to maintain Project and send the changes to Project so Random Guy can take a little look and merge if he feels like it. Random Guy won’t just merge company code and be done with it, more code in a codebase needs to be maintained now after all.
This also works with features of course. The time of Random Guy is valuable and if Company wants Random Guy to work on something they use, they’d better pay good money for that time.