by janosdebugs 969 days ago
I have to say, I recently got a push into the direction of agreeing with "the EU" a whole lot. The CNCF was organizing a "security slam" where they surveyed CNCF project users what they would want for security compliance in the projects. See one such post here [1]. As you can see, we got some high profile users: Epic Games, the Space Force, and I personally know of two household name telcos who use it.

I asked the organizers about potential funding for the work that needed to be done since the project wasn't a commercial endeavour for us. They didn't even consider this before making demands for work that would consume several days if not weeks. The funding they had amounted to some gift cards and t-shirts. (They are very nice people, but there is not much they can do either.)

I am personally very frustrated with FOSS as it stands today. It's disingenuous: either the project is almost unusable on its own and you need to buy services from the people creating it (Kubernetes), it's missing parts you need, you get a pseudo-OSS license (BSL), sometimes funded by a foundation that has to do a whole lot of extra work to get donations and more often than not pays entry-level salaries or you run a project because you love doing it where you are expected to do the compliance work ... Why exactly?

And about 95% of the changes requested are basically paperwork to check off the boxes, ship bills of materials, etc. Not the fun kind of problems. (Note: the CNCF doesn't pay its contributors anything, at least I didn't get a dime so far. The only thing I got was a truckload of paperwork, requests for more free work besides the project, reviewing conference submissions for KubeCon, and more.)

I think, if you are a commercial FOSS user you should absolutely be on the hook for getting your wallet out and paying for people doing the ridiculous amount of slog required for compliance. Pay a foundation for the compliance work, or hire the people working on the project to get it done. Does the EU get it right? No clue, but something has to be done. Supply chain security is important and the work needs doing, which somebody has to pay for.

[1] https://github.com/orgs/ContainerSSH/discussions/574#discuss...