Comment by esseph
17 hours ago
Not sure why OSS is mentioned here, should just say "software". And it's always been like this (be careful).
> And it's always been like this
No, it hasn't. The open source community was much smaller, and much more tightly knit 20 years ago, and it was intrinsically much higher-trust.
Maybe out of ignorance, but that didn't span every internet subculture.
The whitehats/grayhats have always been super paranoid.
Were you active on SF or Savannah 20+ years ago? Everyone knew everyone else, and it was a much higher-trust society (think Minneapolis before Somalis).
> The whitehats/grayhats have always been super paranoid.
Yeah, they were always "super paranoid," but it was about something that could, and admittedly eventually did happen--but not for many years later. I remember in the Perl community, there was a big scandal where some module was "phoning home" on install (for the sake of telemetry), which the author fixed in response to the outcry. I remember a hapless Debian contributor who, in an attempt to silence Valgrind warnings, inadvertently reduced the entropy used for keygen (after some miscommunication with OpenSSL upstream), and was unfairly accused by some of intentionally backdooring it. That was the extent of OSS malware back then.
Then along comes Github, and lets anyone upload anything, doesn't do even the minimal vetting of forcing you to explain what your project is and why it should be on GH, doesn't make you explicitly select an OSI-approved license, lets you freely fork other people's projects and even duplicate the project's name (making it difficult to identify canonical repos). It fosters a culture of just forking whatever you want, pulling in whatever you want, uploading any codeslop, encourages MIT over copyleft, and has gamified crap like star rankings and activity graphs.