We then started asking other questions, such as how do we identify the next time bomb? Do we create relationships with our all of the maintainers in our supply chain? If our businesses rely on each link in the chain, that will make sense; however, it’s easy to throw money at the problem, but will it solve the problem?
"We sort of need a minority report to catch maintainers before they burn out."
I used to think money was the answer to solve all issues in open source, but it's another myth. Some maintainers can't take money because it goes against their employment contract. Others don't want the responsibility that comes with money. They started the project because it helped them solve a problem and thought, why not throw it up on GitHub? Ironically it then becomes a new problem.
Armin Ronacher, the creator of the Python-based microweb framework Flask argued:
"...when I create an Open Source project, I do not choose to create a 'critical' package. It becomes that by adoption over time," wrote Ronacher.
Maybe the issue is unfixable. Either way, I believe that we can all still make an impact by finding ways to help maintainers in any way possible. It's not a time to give up.
"In light of high profile recent events, we are all aware that open source software is a critical part of software infrastructure as a whole. Security issues related to popular open source projects are in the news and in policy conversations. As open source professionals, we hope that policy makers carefully consider the distinction between open source projects and products." − Aeva Black & Gil Yehuda
Open Source Security Policy Conundrum
I know I asked a lot of questions above. It's because I don't know all the answers, and I want us to all start conversations on how to find them. Find 20, heck, 10 minutes this week to talk to someone about open source sustainability. The non-code contributors will help answer the difficult questions so the maintainers can do what they do best.
Thanks for reading, and remember...sharing makes Petey happy.