Saagar Jha (@saagar@saagarjha.com)

Ben Cohen

03/31/2024 (replying to Saagar Jha)

@saagar this thread is a lone voice of reason on my timeline, surrounded by boosts of the “this is entirely because we don’t pay maintainers” narrative.

Saagar Jha

03/31/2024 (replying to Ben Cohen)

@airspeedswift It’s one of those dangerous solutions because you look at it and it’s clearly better than the alternative (maintainers burn out and don’t get paid) and we *should* do it. But it doesn’t stop supply chain attacks in general (and maybe not even this one)

2 replies →

2 replies

Ben Cohen

03/31/2024 (replying to Saagar Jha)

@saagar yeah it seems lots of people are confusing correlation (the original maintainer burnt out) with causation (the original maintainer handed off to someone, as it happens because they burnt out but seems like if they'd moved on without burning out – which is a thing – the same events could have happened)

Helge Heß

03/31/2024 (replying to Saagar Jha)

@saagar @airspeedswift Aren’t both problems that Linux distri companies like RedHat and SuSE supposedly handle? (paying maintainers and also manage what exactly is packaged).

Noah Gibbs

04/01/2024 (replying to Helge Heß)

@helge @saagar @airspeedswift

In theory, yes. In practice there is far too much code for them to review, too.

Also, the difficulty with profit/paid solutions is that *not* reviewing all that code, or reviewing it badly, is *always* cheaper than reviewing it, let alone reviewing it all well -- which is certainly impossible under current conditions.