It's not the foundation that does the work but developers. With that kind of budget, the foundation is just administrative support. They aren't employing a lot of developers. Many developers are employed of course, partially by those same Fortune 500 companies that you mention.
Open source is a pragmatic arrangement where developers embedded in the industry can collaborate and share code; often explicitly supported by the companies they work for. It has worked very well for decades and there's no urgent reason to change anything.
For example, Damien Miller, who puts in a lot of time on OpenSSH, is employed by Google. Employing key contributors is how the industry supports OSS.
> For example, Damien Miller, who puts in a lot of time on OpenSSH, is employed by Google. Employing key contributors is how the industry supports OSS.
Yeah that's just confirmation bias. How often do we read about key open source libraries that are being maintained by one random dude in his free time, said dude's free time dries up, and suddenly everyone is in panic mode on how to get funding to him.
It'd be much nicer if every tech company above X amount of yearly revenue would be required to kick in 1.0% (0.1%? 2.5%?) of their profit into a foundation. That foundation then would put out bounties or contracts for open source project maintainers. The priority (= monetary value) of these would be decided on by a mix of community voting, open source expert panel, and commercial interest, split ⅓/⅓/⅓.
This seems reasonable, but my concern is that the money would not do much good. It could simply lead to a more powerful bureaucracy that prioritizes its own survival instead of its original mission, like what seems to have happened with the Mozilla or Wikipedia foundations. More money doesn't always solve problems. It can simply create new problems.
There's a long tail of stuff that isn't paid indeed, but I don't think this is confirmation bias. I maintain a few things myself actually. The thing is, I'm not actually expecting to get paid. I think you are underestimating just how many OSS developers have steady jobs and overestimating the urgency of the issue. I don't think the crisis you are outlining actually exists. But I'm sure there are individuals who'd like to get paid more for whatever they are doing.
I mean, the XZ backdoor happened because the main developer was overworked and burned out[0]. Stuff like this happens all over the OSS sphere; it's just that it's usually on less-critical projects. AFAIK, Heartbleed also sat unnoticed in OpenSSL for years because it was no one's full-time job to care.
If you were paying someone to full-time maintain XZ or Heartbleed, or whatever, it would have their singular attention.
> I haven't lost interest but my ability to care has been fairly limited
> mostly due to longterm mental health issues but also due to some other
> things. Recently I've worked off-list a bit with Jia Tan on XZ Utils and
> perhaps he will have a bigger role in the future, we'll see.
Yes. What's interesting is that this corporate software engineering socialism isn't new with modern open source. It dates back to the earliest operating systems for IBM mainframes.