Comment by qerahb

1 day ago

So first they steal all code and launder it without attribution. Then they release a tool that doesn't find anything in hardened projects and is marketed through secrecy and modern equivalents of Netcraft like this British AI institute.

Then open source projects need a McKinsey-like stamp of approval to even be released.

Sounds like there are many parasites in this process.

You know that open source users are free to scan everything if they want to?

I don't like it either. But what alternative is there when a spaghetti graph of open-source dependencies serves as the backbone for the entire world's software? I haven't seen or heard of any novel solutions to this problem yet.