Here's my suggestions for "lessons learned" from the xz attack:

* Upstream code should be pulled from git, not some random tarball
* All requests to disable valgrind, memory sanitation etc. in tests should be met with extreme scepticism and caution
* We need to call out people bullying open source maintainers
* We need to find ways to support maintainers before they burn out
* We need to establish a culture of succession for open source maintainers
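
A concrete check for the first point, added here as an example and not part of the original thread: compare a release tarball against a checkout of the tagged revision and report files that exist only in the tarball or whose contents differ from the repository. The sample checkout and tarball are constructed in a temporary directory with made-up file names (`src/foo.c`, `m4/build-to-host.m4`) purely for illustration; in practice you would point `compare_release` at the downloaded tarball and a `git archive` or fresh clone of the release tag.

```python
"""Diff a release tarball against a VCS checkout (added example, constructed data)."""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_path: str) -> dict:
    """Map each regular file in the tarball to its SHA-256.

    The leading top-level directory that release tarballs carry
    (e.g. 'project-1.0/') is stripped so paths line up with the checkout.
    """
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tf.extractfile(member).read())
    return digests


def checkout_digests(root: str) -> dict:
    """Map each file under a checkout (ignoring .git) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = _sha256(fh.read())
    return digests


def compare_release(tar_path: str, checkout_dir: str) -> dict:
    """Return paths only in the tarball, only in the checkout, and changed.

    Anything in 'only_in_tarball' is material nobody reviewed in the
    repository; anything in 'modified' is a tracked file that was altered
    between the tag and the published archive and deserves a hard look.
    """
    tar = tarball_digests(tar_path)
    src = checkout_digests(checkout_dir)
    return {
        "only_in_tarball": sorted(set(tar) - set(src)),
        "only_in_checkout": sorted(set(src) - set(tar)),
        "modified": sorted(p for p in set(tar) & set(src) if tar[p] != src[p]),
    }


def build_demo() -> tuple:
    """Constructed sample (assumption, not a real project): a clean checkout
    and a release tarball that adds a generated m4 file and silently alters
    one tracked source file."""
    base = tempfile.mkdtemp()
    checkout = os.path.join(base, "checkout")
    files = {
        "configure.ac": b"AC_INIT([demo], [1.0])\n",
        "src/foo.c": b"int f(void) { return 1; }\n",
    }
    for rel, data in files.items():
        path = os.path.join(checkout, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    release = dict(files)
    release["src/foo.c"] = b"int f(void) { return 2; }\n"  # tampered in tarball
    release["m4/build-to-host.m4"] = b"dnl file present only in the tarball\n"
    tar_path = os.path.join(base, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in release.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, checkout


if __name__ == "__main__":
    tar_path, checkout = build_demo()
    for key, paths in compare_release(tar_path, checkout).items():
        print(f"{key}: {paths}")
```

Generated autotools files will legitimately show up under `only_in_tarball`; the point is that each such file is unreviewed input to the build and should be read (or regenerated and diffed) rather than trusted, while anything under `modified` is a red flag on its own.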

@andreasdotorg the EU should force IT companies to hire FOSS maintainers, as somewhat suggested by @tante
@andreasdotorg First chance at: "What she says!" +1 good call
@andreasdotorg "We need to establish a culture of succession for open source maintainers"
This doesn't just apply to abandoned projects but also to those where maintainers try to hold on to projects by replying that they will do *something* in an indefinite future, once a year, and then do nothing because they essentially moved on to other projects and are incapable of finding time for said project.

@andreasdotorg

Can we reverse this list please and put the priority on the people part?

@andreasdotorg in fairness, GitHub's "Source download" for releases looks like it'll download the Git archive, not some file called Source that is normally added automatically
@andreasdotorg s/git/upstream revision control/