by skywhopper 808 days ago
Sounds like a good way to kill off open source entirely. This is luckily unlikely to happen.

As for throwing money at the maintainers, honestly, it’s complicated. A lot of people aren’t doing open source work for the money. Money too often comes with strings, requirements to prioritize what the funder wants to prioritize, pressure to perform consistently, it becomes an actual job.

Not only does this turn off a lot of the types of folks who make the best contributions to these projects, but it bends the priorities toward what would make the most money for the funder. And as this article points out, real security investments often fall by the wayside when profit is involved.

So yes, companies should encourage their workers to contribute to these projects, donate money to the foundations that fund them, hire important maintainers and give them carte blanche to work on open source. But we have to be careful. Making it all completely transactional is directly contradictory to what drives a lot of the contributions.


Given the level of age discrimination in software engineering, maybe we should add a stipend to the pension plans of retired developers who work on open-source projects.

Yes, the devil is in the details, but I think the basic concept is worth exploring.

At least two of the maintainers of the framework I originally authored (and is now being maintained by a team, and used worldwide), are retired engineers. They are outstanding engineers, with great pedigrees, and bring real technical leadership to the project.

In that particular project, we're all just Paying It Back (not forward), but other projects could likely benefit from the participation of Grumpy Old Farts.

We are not talking about all of open source here; there are crucial bits of code and less crucial bits of code. LZ/OpenSSH was obviously in the first category. How do you determine which ones are more critical? same as you would for a bridge or a plane: by risk, impact, etc. That's basically liability.

And obviously a non-insured piece of code that assumes no liability whatsoever can still be free and maintained via IRC, same as it ever was. I don't see how this "kills all open source".

Companies and in fact everyone has the choice to NOT use software that comes without warranty. But, of course, the cost difference will be astronomical. Alternatively companies and everyone have the choice to inspect open source software for security problems BEFORE use. Of course, astronomical cost.

This is an attempt to shift costs onto open source developers. Which, aside from being totally unjust, won't work. There's a legal expression "you can't squeeze blood out of a stone". Shifting costs onto people that can't carry those costs doesn't work for the same reason supporting a skyscraper with a toothpick doesn't work. The toothpick breaks, and when the skyscraper lies collapsed on the floor, nobody blames the toothpick. Hell, they might say the toothpick was heroic: trying to save the situation, sacrificing itself, screaming, and when nobody helped, not the government, not the owners, not ... the building collapsed and all the damage was done.

But it's even more stupid than just that. As soon as this gets introduced and some company makes a security fix, they of course, for GPL or AGPL software, have to release their fixes. This will then make them liable for any other security problems in that same software. After all, they'll be the last ones releasing that software after the government implemented this law.

So how will you even do this, without making software fixes effectively illegal? Achieving the exact opposite of what such a law tries to achieve ... But of course, you can't have this discussion with people just looking to keep "their" free stuff but trying to shift the rest of the costs.

> Sounds like a good way to kill off open source entirely. This is luckily unlikely to happen.

It has already happened in the EU CRA, i.e. the law has passed. Implementation details still being negotiated.

https://hn.algolia.com/?query=cyber%20resilience

That only covers for profit software.
Scope fine print details are still being negotiated.

Second HN story from the link above, Dec 2023, https://news.ycombinator.com/item?id=38787005

  The Debian project has completed a general-resolution vote, adopting a statement expressing concern about the Cyber Resilience Act (CRA) pending in the European Union.

  Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneur.
Yes, other stuff happened since then.