I think Google's program to hire security researchers was a minor step in the right direction, but it would behoove big tech and/or various governments to do the same thing these state intelligence actors are doing, and take a look at all of these projects that touch core infra and investigate the maintainers and their vulnerability.
I would bet that some of these projects like xz would show enormous benefits from one paid person working on it 1/4 time, leaving room for a couple more projects per dev. Additionally, a couple of places providing relatively minor grants would probably help a dev buy back some of their time so they can work on their project some other time than 'after the kids are in bed'.