Comment by mcmatterson

18 hours ago

The thing that really gets me as a small-time OSS maintainer is that none of us asked for this. The social and technical milieu where most of us started our projects is not the one we find ourselves in today, and the forces behind this are wildly asymmetric.

Security findings are one place where we as maintainers simply do not have the choice to not play ball, whether we like it or not. It seems likely that the only way that we meet the moment is to adopt these tools ourselves -- once again -- whether we like it or not. Reconciling this with the ground truth that 'OSS doesn't owe anyone a goddamn thing' is proving to be really hard for me.

It’s like a modern gun (or nuclear bomb). They’re really only necessary because other people also have guns. We could have all the same effects with swords and bows and arrows. This just 10x’s the effect of deciding to use the thing.

So now we need a 10x defense against people deciding to use the thing.

Invented a problem and now are selling a solution (but wait not yet… they have to build some more mystery and hype around it)