upvote

points

by amouat9 hours ago |
comments
upvoteby unsungNovelty8 hours ago|
next
[-]
> This is the Linux Foundation, so it must put OSS and community first, surely.

Linux Foundation is run by the said called corporates from the list. So is Rust Foundation. Linux in itself is safe cos Linus controls it. Not the rest of the projects LF controls.

reply
upvoteby limagnolia7 hours ago|
parent|
[-]
So far, the Linux Foundation, from what I have seen, has pretty darn good track record of keeping the projects under its umbrella open source, even going against corporate sponsors to do so. For a recent example, see the recent NATS tuffle. (And I should.recognize that Synadia, finally, did the right thing and backed down).
reply
upvoteby xyzzy_plugh5 hours ago|
parent|
[-]
To add to this, I've experienced all sides of the LF and they are the only organization I trust at this point. Donating a project to them is A Good Thing.

There's bureaucracy of course but the mission is clear. Highly recommend working with them in any capacity.

reply
upvoteby LtWorf7 hours ago|
prev|
next
[-]
Remember when google set up a whole project to find vulnerabilities but never sent any fix and unpaid developers were basically having to fix things that an entire team of people was hired to find… yeah maybe they could have just made an offer to some maintainers instead of burning them out?
reply
upvoteby woodruffw7 hours ago|
parent|
next
[-]
Is this an oblique reference to OSS Fuzz, or something else?

It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.

The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.

reply
upvoteby oneshtein7 hours ago|
parent|
prev|
[-]
They are contributing back, which is a good thing. Other companies just fork, fix, and forbid to contribute back.
reply
upvoteby LtWorf7 hours ago|
parent|
[-]
Burning out maintainers isn't "contributing back".
reply
upvoteby limagnolia7 hours ago|
parent|
[-]
Do you have any examples of Google submitting vulnerabilities and refusing to assist maintainers create a patch when asked to do so?
reply
upvoteby finnthehuman5 hours ago|
parent|
prev|
[-]
Wasn’t that a story with ffmpeg a few months ago? And people were getting roasted for even the suggestion that google should contribute patches?
reply
upvoteby Dylan168074 hours ago|
parent|
[-]
People were getting rightly roasted for calling google a leech when A) google does donate money to ffmpeg and B) that bug was in a weird format google almost certainly has disabled so they're not reporting it to get free labor.
reply
upvoteby RustyRussell8 hours ago|
prev|
[-]
Um, the Linux Foundation is an industry body, not a user or community group. You seem confused?
reply
upvoteby amouat6 hours ago|
parent|
next
[-]
No, not really, and I don't think you need to be snarky.

It may be an industry body, but it runs multiple community conferences and projects which support Open Source. A notable example in this case being the OpenSSF https://openssf.org/

The LF is not perfect, but I would expect them to come from an OSS and community angle on this.

reply
upvoteby limagnolia7 hours ago|
parent|
prev|
[-]
I am pretty sure that these industries use the open source projects the Linux Foundation maintains. So it is pretty clear the Linux Foundation is indeed a user community group, too.
reply
upvoteby izacus6 hours ago|
parent|
[-]
These are also some of the largest Linux code contributors as well.
reply