This event should be a wake-up call to businesses everywhere: It's not just a small number of "core" FOSS projects that need their support (funding and assistance!). Before this event who was thinking about a compression library when considering the security of their FOSS dependencies?
The scope of "what FOSS needs to be supported and well-funded" just increased by an order of magnitude.
This would of course be nice since the fact that so much of our infrastructure is based on the work of people sharing it openly, a practice heavily in contrast to industry behavior, is sadly still a little-known fact outside of software development.
The demand for more assistance here is the angle that was played in social engineering, specifically the demand to acquire more maintainers due to workload. Especially if such support took the form of providing source archives with manipulated build scripts, which are rarely checked by third parties.
There is also a problem of badly behaving industry that tries to take control of "hobby projects". Speaking of which, these "hobby" projects often have much better code than many, many industry codebases.
I think FOSS overall still lessens the risk. It got more risky since it has been integrated in social media since these often allow for developers being shouted down or exploited much more easily.
> allow for developers being shouted down or exploited much more easily
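The point above about release archives carrying build scripts that nobody compares against the repository is one a defender can actually check mechanically. The following is an added example, not code from this thread or from any project discussed in it: it compares the file list and content hashes of a release tarball against a pristine VCS archive (for instance the output of `git archive` for the tagged commit) and reports what exists only in the release or differs from it. Both archives, the `proj/` paths and the file contents are constructed inline for the demonstration.

```python
"""Diff a source release tarball against a pristine VCS archive.

Reports members present only in the release, present only in the VCS
archive, and members whose contents differ. Files that exist only in
the release tarball (or differ from the tag) are exactly where an
unreviewed build-time script would live, so they form the review list.
Example written for this discussion; archives are constructed in memory.
"""
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple


def member_digests(tar_bytes: bytes) -> Dict[str, str]:
    """Map each regular-file member path to the SHA-256 of its content."""
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # directories, symlinks etc. are not compared here
            data = tf.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(release: bytes, vcs: bytes) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_release, only_in_vcs, modified), each sorted by path."""
    rel = member_digests(release)
    ref = member_digests(vcs)
    only_in_release = sorted(set(rel) - set(ref))
    only_in_vcs = sorted(set(ref) - set(rel))
    modified = sorted(p for p in rel.keys() & ref.keys() if rel[p] != ref[p])
    return only_in_release, only_in_vcs, modified


def build_tar(files: Dict[str, bytes]) -> bytes:
    """Build an uncompressed tar archive in memory from a path -> content map."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)  # default type is a regular file
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (hypothetical project "proj"): the tagged tree
# in version control versus a release tarball that adds an extra macro
# file and edits configure.ac to pull it in.
VCS_FILES = {
    "proj/configure.ac": b"AC_INIT([proj], [1.0])\n",
    "proj/src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = {
    "proj/configure.ac": b"AC_INIT([proj], [1.0])\nm4_include([build-aux/extra.m4])\n",
    "proj/src/main.c": b"int main(void) { return 0; }\n",
    "proj/build-aux/extra.m4": b"dnl helper that exists only in the tarball\n",
}


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the comparison on the constructed archives."""
    return compare_archives(build_tar(RELEASE_FILES), build_tar(VCS_FILES))


if __name__ == "__main__":
    only_rel, only_vcs, modified = demo()
    print("only in release tarball:", only_rel)
    print("only in VCS archive:    ", only_vcs)
    print("modified:               ", modified)
```

Real autotools releases legitimately ship generated files (`configure`, `Makefile.in`, `aclocal.m4`) that are not in the repository, so the output is a review worklist rather than a verdict: the useful follow-up is to regenerate those files from the tagged checkout with the same tool versions and run the comparison again, at which point anything still listed has no explanation in version control.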
No is an answer. And blocking people should be a thing.
Personally I do not publish anything anymore which is not "non-commercial only" as a result of demands, you can do it yourself if you want to make money off it (or if you demand things for that matter). Fortunately my online stuff isn't used much but even then it's possible to get "requests".
> This event should be a wake-up call to businesses everywhere
This ought to be not only a wake-up call for businesses, but also to hobbyists and members of the public in general; our code, our projects and our social "code-generating systems" must be hardened or face rampant abuse and ultimately be weaponised against us.
In a way, these issues which FOSS is facing and which are becoming apparent are no different from those democracy has been subjected to since time immemorial.
Funding all of these deep dependencies may have helped in this case but wouldn't address the root of the problem, which is that every business out there runs enormous amounts of unsandboxed third party code. Funding may have helped xz specifically from falling to pressure to switch to a malicious maintainer, but it does nothing about the very real risk that any one of the tens of thousands of projects we depend on has always been a long con.
The solution here has to be some combination of a dramatic cut back on the number of individual projects we rely on and well-audited technical solutions that treat all code—even FOSS dependencies—as potentially malicious and sandbox it accordingly.
Yeah, as I note elsewhere in this thread, the OpenSSL "Heartbleed" saga should've taught some lessons, but alas, it's "classic" human nature to repeat our mistakes.
no - funding is going to places where profit is returned on investment, NOT to the tedious and long-term work that all of this sits on. It is not "human nature" because tedious, high-skill maintenance is done by humans, which built the infrastructure and continue to be crucial.
There is no accountability and in fact high-five and star shots for those taking piles of money and placing it on more piles of money, instead of doing what appears to be obvious to almost everyone on this thread -- paying long-term engineers.
No counter-argument; fully agree. FWIW, that's what I was referring to when I said, "fat companies" (and executives) glossing over the important tedious here[1].