Post B3B4rFbVyINPlSYPCa by bagder@mastodon.social
(DIR) Post #B3B4rFbVyINPlSYPCa by bagder@mastodon.social
2026-02-10T09:41:35Z
0 likes, 0 repeats
"It is important that whatever is done in the name of Open Source attestations motivates the manufacturers to do their part. If attestations for OSS should have a possibility to work, there needs to be motivations and incentives for OSS projects to submit such attestations and contribute to the process. Good Will is not going to be a strong enough driving factor."

Me, providing feedback on the idea.
(DIR) Post #B3B4rHI5hU1mznTvCi by smallsees@social.dropbear.xyz
2026-02-10T11:09:33Z
0 likes, 0 repeats
@bagder What's the incentive for OSS projects to do CRA attestations?

I get some odd requests similar to this from large companies but I've always said go read the license, that's what you've got.
(DIR) Post #B3B4rIEEDKX3u6gLp2 by bagder@mastodon.social
2026-02-10T11:10:06Z
0 likes, 0 repeats
@smallsees I propose: money
(DIR) Post #B3B4rJ5l0JLma7j6G0 by giacomo@snac.tesio.it
2026-02-10T11:31:38Z
0 likes, 0 repeats
@bagder@mastodon.social Money from? To? Through?

Also, let's assume I'm the xz-utils or the log4j maintainer who in full good faith believes the distributed binaries are perfectly safe.

I attest this and get the money.

What should happen when the attack gets discovered? Nothing? More money to the maintainer? Maintainer refunds?

> go read the license, that's what you've got

That is "NO WARRANTY".

It's fun that someone wants to require warranties over something explicitly shared without.

I guess that without moving to new licenses with warranties, CRA will just harm users.

@smallsees@social.dropbear.xyz
(DIR) Post #B3B4rJxzkejfIL6PnU by bagder@mastodon.social
2026-02-10T11:36:30Z
0 likes, 0 repeats
@smallsees @giacomo no warranty and no money is where we start, where we are now. I can't see any open source project doing attestations unless given motivation and I can't figure out a motivation that would work better than the plain old money
(DIR) Post #B3B4rKXnbXNL5Nr0bY by giacomo@snac.tesio.it
2026-02-10T11:48:27Z
1 like, 0 repeats
@bagder@mastodon.social How much money would you ask to strip line 12 to 18 from #curl's license?

@smallsees@social.dropbear.xyz
(DIR) Post #B3B4rLXpst00BmsYIi by bagder@mastodon.social
2026-02-10T09:44:56Z
0 likes, 0 repeats
If you too want to give feedback on the idea of Open Source CRA attestations (basically projects officially saying that they are "good projects" in a CRA sense), here's the survey: https://dialog-cybersicherheit.limesurvey.net/113884
(DIR) Post #B3B4rR4HLgvBJr6240 by bagder@mastodon.social
2026-02-10T09:47:47Z
0 likes, 0 repeats
While you wait on the survey to come back to life, here's the relevant associated FOSDEM 2026 talk: https://fosdem.org/2026/schedule/event/QEZ3LB-cra_-_role_of_free_software_and_q_a/