Comment by einpoklum

20 days ago

Yikes :-(

This makes me wonder - is there some platform on which people who maintain important (or arguably-important) facilities can post Wanted ads for volunteer co-maintainers?

I realize that the number of people who would actually be crazy enough to browse that platform and answer such ads is pretty small... but - it may be noticeably above Zero.

Who's going to vet the applicants to ensure that they're not secretly working for bad people, and that they won't, as soon as they have sufficient permissions/lack of oversight, inject malware into the project and ship it?

We're seeing ever-increasing supply chain attacks. All these bazaar projects are vulnerable to that.

It's going to take some serious funding to get the kind of oversight we actually need to secure this stuff properly.

And the clock's ticking - those maintainers from the '90s are going to retire, and we need to have some way of replacing them.

  • > Who's going to vet the applicants to ensure that they're not secretly working for bad people

    The same person who vets people who approach you as a project maintainer today and offer to participate in maintaining your FOSS project.

    That is to say, what I've asked about is not intended to solve security problems, just a lack of exposure / connecting interest-with-need problem.