I have found (c) to be high noise, low signal. We're winding down our HackerOne program.
D: we do this in a couple ways. For PQCA, for instance, we use credits from AWS to get access to hardware to run proofs and CI on. PQCA also has a paid mentorship program.
For OWF, we do the same with AWS credits, as well as provide hosting for projects to run services on for testing.
For LFDT, we offer paid mentorships, have paid for Trail of Bits to do reviews, and run events. We had a maintainer summit in New York in January so our maintainers could meet for two days face-to-face. We fund large GitHub CI runners for projects as well.
I know it doesn't answer everything, but our team is only a few people and we really do work hard to help developers. What I'll call the devrel team for OWF/PQCA/LFDT is three FTE, one contractor, and our manager.
LFDT: https://www.lfdecentralizedtrust.org/
OWF: https://openwallet.foundation/
PQCA: https://pqca.org/
PQCA benchmarks, for instance: https://pq-code-package.github.io/mldsa-native/dev/bench/
This is, of course, ridiculous, and Dr. Ambergris is just an amalagam of Muammar al-Gaddafi and some 2nd rate wannabe strongmen not worth mentioning that I made up for fun.
You say this as if these players aren't members of "the open source folks". It's not an exclusive club.
In fact, it doesn't even seem difficult to simultaneously acknowledge and commend the valuable role they play, while also expressing concern over the influence they wield and how it might contrast with desires and goals of the wider community.
I won't pretend to speak to specific numbers, but a huge amount of work and maintenance is from these programmers, or funded via the corporate actors which employ these programmers. Those actors are either on this list, or don't have a problem with this list.
What remains are the handful of truly independent contributors, which are a minority in terms of LoC (though they often have an outsized impact), and the peanut gallery.
Open source wasn't always this way, it would be a different discussion 30 years ago when independents were the only guys in town, but it is now.
People talk about contributing financially, but how and to what end? Most projects aren't set up to accept or utilise donations. That said, I would say we should be providing all OSS projects with significant access to AI in order to review their codebases and PRs and hopefully relieve some of the maintenance burden. I know there are some initiatives in this area already.
Linux Foundation is run by the said called corporates from the list. So is Rust Foundation. Linux in itself is safe cos Linus controls it. Not the rest of the projects LF controls.
There's bureaucracy of course but the mission is clear. Highly recommend working with them in any capacity.
It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.
The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.
It may be an industry body, but it runs multiple community conferences and projects which support Open Source. A notable example in this case being the OpenSSF https://openssf.org/
The LF is not perfect, but I would expect them to come from an OSS and community angle on this.
I read this they would build the patches privately (or with maintainers if confidential) and then share amongst their supporters before public release.
That's a feature to them, not a bug. They want the software and don't want the community.
What worked is to remove the bounty and simply allow people to report bugs responsibly. This attracts the kind of altruistic volunteers who want more secure software for ideological rather than financial reasons. They still use AI but you won’t see slop.
I always advice aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.
What would you propose otherwise?