Different types of issues with different solutions. When you have a support contract with the original developer of a piece of code, you can demand the original developer fix the code.
That same solution still works for FOSS, you just actually need to pay for it. The situation for FOSS is even better because you also have the option of paying any other person to fix the code. Hopefully that's kinda what this bill does, though?
It’s “the same” in a really broad hand-wavy sort of way. It’s not the same practically speaking.
FOSS usually does not have warrantees, SLAs, or developers in particular locations with particular credentials. The government has processes that they must follow for paying contractors, so “just pay them” is not something that can easily be done last minute, (and sometimes, not at all without a literal act of Congress.) Also the financial and obligatory relationship between them and the developer is much different, and must be managed differently.
Really, it is very important for people doing technology projects at the government to understand the difference between calling up the developer of Windows and calling up the developer of Git. Those are two very different relationships.
You seem to be reading me as implying any use of FOSS is equivalent to having a support contract; it's not. I was claiming that having a support contract for FOSS is equivalent to having a support contract for proprietary software. If you need "support contract" level support you should probably be paying for a support contract. At least with FOSS that can be competitive for the same piece of software (although that probably also means that some of the services on offer are quite a bit worse, having not had to organizationally have passed the hurdle of "actually making the software" at any point).
Finding out that you have a problem when you don't have a support contract and then looking around for someone to work on the thing is not the same thing as having a support contract, although in some cases it can be a sufficient substitute and it's certainly cheaper in the best case (like any other form of skipping insurance).
Depending on context, providing the "support contract" internally is also an option.
I said the issues are different and you disagreed, so I detailed what I meant.
It’s also not reasonable to require the government to just get 10,000 support contracts just to implement a single application.
What makes the most sense is what they’re doing here:
1. come up with a strategy for managing these risks
2. Collectively work with OSS developers instead of treating every one of the governments 10 bazillion projects like it needs a separate support contract for a component that is shared
> I said the issues are different and you disagreed
I disagreed that things are all that different "if you have a support contract."
> It’s also not reasonable to require the government to just get 10,000 support contracts just to implement a single application.
I agree, but I'm not sure that's relevant? If a single support contract is sufficient for proprietary software - making them responsible for addressing (incl. possibly working around) issues in any dependency - why is that not also viable for FOSS software?
I don't disagree that what they're doing here seems likely to be a good idea, I just think you were initially selling "pay for support for the software you rely on as a big organization" a little short in its general applicability; indeed, this probably be viewed as providing that service internally.
It's not so simple. The developers are not necessarily available for this kind of support. For example, I maintain an FOSS library, but I already have a full time job, and I'm not interested in working more hours. Unless someone hires me to work full time on this library, there is no chance that I provide paid support. I suspect that many other maintainers are in the same situation.
That's also potentially true of proprietary software, though. Not every company will offer a support contract, so if that's what you need you need to pick other software. I agree that probably a smaller fraction of FOSS projects offer first-party support contracts, but on the other hand third-party support contracts are a lot more reasonable in the FOSS context.