Hacker News
by zbruhnke 2692 days ago
I agree with this in principle (in fact I had a long argument with the former CTO of Citi about this during the Heartbleed fiasco), but I also worry that if no one is willing to put in the effort to fix flaws or they are not reported properly then fixing them could go unfunded while flaws were easier to discover.

Maybe the answer is very good logging of anyone who has cloned the repos, etc., but right now, when we have a government that uses whether or not they're going to fund important parts of our infrastructure (like Air Traffic Controllers) as a bargaining chip, I have some skepticism around them being willing to fund ongoing maintenance of some of these products.

Despite the fact that things being in the open SHOULD curb this from happening, I've read enough legislation (yes, I actually do like to read legislation) to know that that probably is not true when it comes to the government.