Post ATfioya2LZOChW1BTs by simon@en.osm.town
 (DIR) Post #ATfiovLONYtOfE8wjo by IvanSanchez@mastodon.social
       2023-03-14T12:32:15Z
       
       0 likes, 0 repeats
       
       I just disabled security alerts for my FLOSS github repos (dependabot's CVEs). I think that has been one of the factors of my FLOSS burn-out. Unpopular(?) opinion: the responsibility of caring for CVEs (etc) falls onto the FLOSS user, not onto the *unpaid* FLOSS maintainer. cc @ianturton
       
 (DIR) Post #ATfiowGSxMXvWEqWhM by simon@en.osm.town
       2023-03-14T13:54:16Z
       
       0 likes, 0 repeats
       
       @IvanSanchez @ianturton the problem is how does the "user" aka downstream distinguish between paid and unpaid maintainers? Not even starting on the obvious issue this would cause with indirect dependencies.
       
 (DIR) Post #ATfiowpCsCKrFz6Gqe by IvanSanchez@mastodon.social
       2023-03-14T14:13:46Z
       
       0 likes, 0 repeats
       
       @simon @ianturton After all the time I've been a burnt-out maintainer (and at the risk of looking like a jackass), I'm entitled to say "not my problem".
       
 (DIR) Post #ATfioxOekOgx1vga6S by simon@en.osm.town
       2023-03-14T14:56:13Z
       
       0 likes, 0 repeats
       
       @IvanSanchez @ianturton well if you are not maintaining a project with the intention that other people use it (the question is if that even fits the definition), then sure, no reason you can't say that. But if you want to have a downstream (why else would you publish it in the 1st place) you don't want it to be a cascade of "not my problem"s.
       
 (DIR) Post #ATfioxwKjBd8iNRTay by fanf42@mastodon.social
       2023-03-15T15:49:39Z
       
       0 likes, 0 repeats
       
       @simon @IvanSanchez @ianturton you are really confusing paid service with free and open source software. It's in the license: no guarantees. If you want guarantees, then it's work, and a contract can be made. The final user (or companies in the middle acting as a proxy) is responsible for assessing the risk and taking the corresponding risk mitigation action. Like paying maintainers, contributing patches, etc. And even with patches, that doesn't give any entitlement to their acceptance.
       
 (DIR) Post #ATfioya2LZOChW1BTs by simon@en.osm.town
       2023-03-16T08:09:06Z
       
       0 likes, 0 repeats
       
       @fanf42 @IvanSanchez @ianturton I don't want to put words in @IvanSanchez's mouth, but I suspect the issue is more that you can't really just put some code out there without being told one way or the other that you have to do all these other things. Document your project, make it nice and welcoming, fix all security issues, have a proper inclusive governance structure and so on. That makes a lot of sense for the 0.001% deep-pocketed projects with lots of reach, but not so much for the rest.
       
 (DIR) Post #ATfiozAu8UscXrGcwi by simon@en.osm.town
       2023-03-16T11:19:54Z
       
       0 likes, 0 repeats
       
       @fanf42 @IvanSanchez @ianturton BTW @webmink has been blogging a couple of times about the CRA https://the.webm.ink/the-commission-must-consult-the-open-source-community
       
 (DIR) Post #ATfiozcuSNHVwiMzb6 by webmink@meshed.cloud
       2023-03-16T11:37:07Z
       
       0 likes, 0 repeats
       
       @simon @fanf42 @IvanSanchez @ianturton Handy tag: https://the.webm.ink/tag:CRA
       
 (DIR) Post #ATfip0VrA5EYh84sF6 by simon@en.osm.town
       2023-03-14T16:44:58Z
       
       0 likes, 0 repeats
       
       @IvanSanchez @ianturton And I'm not claiming that there is any simple solution for the quagmire (well outside of "no dependencies", but that is a bit unrealistic).
       
 (DIR) Post #ATfqRoCxXlz3VMghai by fanf42@mastodon.social
       2023-03-16T13:02:48Z
       
       0 likes, 0 repeats
       
       @webmink @simon @IvanSanchez @ianturton thanks!