The person needing a feature can do implement it themselves or pay for it. They may even share it, in the spirit of open source, but they probably don't have to (depending on license conditions).
Help normalize saying no? As an OSS maintainer, the sense of entitlement many have is quite frustrating. After years in OSS, I have built up a thick skin and am fine saying no, but many aren't.
I’m sure many companies like to pay. It’s probably the cheapest way to solve a business problem. It should be the norm. If a company wants to have a bug fixed or a feature added, they should pay. And GitHub should make it easy to do so.
> Correct, maintainers can say that and get shamed.
And then they can shrug and move on with their respective days. If I open source something it's a gift to the commons, not a promise to work on it for free in perpetuity. I don't really care if someone tries to shame me for that, as there's nothing to be ashamed of.
If you look at the issue list for any significant open source project, it's probably of nonzero size. That's a way of saying "no": just don't do it.
Maybe you're overloaded, maybe you just don't feel like it. It's totally normal, and different projects have different levels of resources, some with none anymore.
I 100% agree with this. It also is 100% OK to fork aggressively and patch yourself.
(And on the flipside, nothing is owed for a bugfix the maintainer made out of their own free will. Again, a gift.)
The problem is lots of open source is unmaintained/insecure, and there aren't any security engineers on those open source libraries.
For the library to be secure, there needs to be funding, not by magic and expecting maintainers will do stuff on there free will.
The person needing a feature can do implement it themselves or pay for it. They may even share it, in the spirit of open source, but they probably don't have to (depending on license conditions).
Correct, maintainers can say that and get shamed.
And it leads to unmaintained libraries, since companies don't want to pay.
At some point, is open sourcing your work a liability?
Help normalize saying no? As an OSS maintainer, the sense of entitlement many have is quite frustrating. After years in OSS, I have built up a thick skin and am fine saying no, but many aren't.
I’m sure many companies like to pay. It’s probably the cheapest way to solve a business problem. It should be the norm. If a company wants to have a bug fixed or a feature added, they should pay. And GitHub should make it easy to do so.
> Correct, maintainers can say that and get shamed.
And then they can shrug and move on with their respective days. If I open source something it's a gift to the commons, not a promise to work on it for free in perpetuity. I don't really care if someone tries to shame me for that, as there's nothing to be ashamed of.
If you look at the issue list for any significant open source project, it's probably of nonzero size. That's a way of saying "no": just don't do it.
Maybe you're overloaded, maybe you just don't feel like it. It's totally normal, and different projects have different levels of resources, some with none anymore.
I have seen small utility libraries like tj-actions get compromised because there aren't any security specialists looking at the library.
My main concern is supply chain compromise.
2 replies →