Open source software is a critical part of our national security infrastructure, but one that government is entirely neglecting. Federal agencies rely on OpenSSL, liblzma, etc. just as much as the private sector.

We need a division of federal government whose job isn’t to find and exploit security holes (like the NSA), but fix them. A sort of a national security agency, but that actually does…that.

@waldoj mmm.... sure, fine, that would be great, but how about addressing the problem _before_ the issues get created? My dream is for the government to fund open source development directly, a US version of the Sovereign Tech Fund.

@jacob @waldoj STF’s approach, while nice, would not have addressed this, because xz would never have made it to their radar. You need not just a lot more money (though there is that) but also the supported projects need to be driven by data on usage, not a grant-making process.

(Yes, obviously I have opinions here; and yes I’m working frantically to make the federal government a big Tidelift customer…)

@luis_in_brief @jacob @waldoj Could you elaborate on what you mean by “never made it to their radar”? Maintainers can apply through a light-weight process, and we also scout and reach out to critical technologies. May be a good topic for Upstream with @krakenbuerger in June.

@sovtechfund I super appreciate the work you do, hope you do more of it, and hope others copy your model. But that said I do have feedback. Context: I work on, and am friends with, dozens of maintainers working on perhaps "critical" technology, and:

(a) I'm not aware of any direct outreach to STF to any of us

(b) last I looked the application didn't seem particularly “lightweight”. Perhaps it's changed?

Again huge <3s for your work but I don't think it's as accessible as you think it is.

@jacob thank you for the feedback! We are always trying to improve, and appreciate the points you’re bringing up.