Comment by anonnon

2 days ago

Were you active on SF or Savannah 20+ years ago? Everyone knew everyone else, and it was a much higher-trust society (think Minneapolis before Somalis).

> The whitehats/grayhats have always been super paranoid.

Yeah, they were always "super paranoid," but it was about something that could, and admittedly eventually did, happen--but not until many years later. I remember in the Perl community there was a big scandal where some module was "phoning home" on install (for the sake of telemetry), which the author fixed in response to the outcry. I remember a hapless Debian contributor who, in an attempt to silence Valgrind warnings, inadvertently reduced the entropy used for keygen (after some miscommunication with OpenSSL upstream), and was unfairly accused by some of intentionally backdooring it. That was the extent of OSS malware back then.

Then along comes GitHub, and lets anyone upload anything, doesn't do even the minimal vetting of forcing you to explain what your project is and why it should be on GH, doesn't make you explicitly select an OSI-approved license, lets you freely fork other people's projects and even duplicate the project's name (making it difficult to identify canonical repos). It fosters a culture of just forking whatever you want, pulling in whatever you want, uploading any codeslop, encourages MIT over copyleft, and has gamified crap like star rankings and activity graphs.

I dabbled in a lot of mid-to-late 90s scenes, especially on IRC, including w00w00. We were sharing a lot of code between "trusted" members.