Key projects and volunteer maintainers

Over the past fifty years, free and open source software has gone from obscurity to a critical component of today's infrastructure. Free software is usually maintained by volunteers, but when a project becomes critical infrastructure, the maintainer's role changes. They originally released code out of their own interest, not to meet the needs of large corporations and institutions, yet the responsibilities on their shoulders have suddenly grown. Many people may not realize that a particular free and open source project is critical to them: through intricate dependency chains, the software you use depends on open source components, and a security issue in one of those components can affect your software as well. The recent Log4j incident is a prime example of a supply chain security problem. The community has recently begun paying more attention to security. For example, PyPI has identified about 3,500 projects classified as critical based on downloads over the past six months and now requires their maintainers to enable 2FA on their accounts; it is providing these maintainers with free security keys for 2FA. Some felt the move placed an unreasonable burden on maintainers, who are being asked to do more and more, often without compensation. What if a maintainer doesn't want to do this? Today's world is very different from the one in which free and open source software grew up.

This article is reprinted from: https://www.solidot.org/story?sid=72220
This site only aggregates the article; the copyright belongs to the original author.
