The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code.
Hopefully this xz scandal will give the kind of big corps which already pay OSS maintainers the kick up the arse required to treat their entire supply chain as a potential attack vector that should be audited and supported. Or maybe I’ve just asked the monkey’s paw for increased corpo control over OSS projects…
That used to be the dream: corps hired you to work on the thing they needed that you were good at. Now, though, they just want everything for free and just acquihire to reassign you to whatever makes more money.
I think the real old big dogs like Microsoft, Google, and IBM still have a lot of dedicated developers for big projects like the Linux kernel. I doubt they bother that much with smaller projects though.
Hopefully this xz scandal will give the kind of big corps which already pay OSS maintainers the kick up the arse required to treat their entire supply chain as a potential attack vector that should be audited and supported. Or maybe I’ve just asked the monkey’s paw for increased corpo control over OSS projects…
That used to be the dream: corps hired you to work on the thing they needed that you were good at. Now, though, they just want everything for free and just acquihire to reassign you to whatever makes more money.
I think the real old big dogs like Microsoft, Google, and IBM still have a lot of dedicated developers for big projects like the Linux kernel. I doubt they bother that much with smaller projects though.