@joshbressers @CypherCon @ecosystems also this issue is just... Not even wrong.

They are living in a world that is nice, but that is a conversation from the 90s. This is not today's reality and not a possible goal.

Like, "Who reviews that code?" Well:
1. We have no support that review increases quality or security (caveats exist but are not applicable here)
2. Lol, reviewing. We are lucky if the code is even written
3. If you cared so much, stop using any OSS that is not reviewed. I am waiting.

@Di4na @joshbressers

Josh, thank you for publicizing this data and helping people understand the scale of open source!

Some disclaimers: I'm on the OpenSSF TAC, although that issue predates me. Also I know the OpenSSF has egg on its face from the xz blog (there was an apology in the OpenSSF Slack, but not publicly?)

Anyways, that OpenSSF issue conflates 2 things: maintainer count for OpenSSF Projects, and asking if that could apply to open source generally. The 2nd answer is clearly "no"!

@steiza @joshbressers except not really. Asking the question for OpenSSF projects is already putting egg on your face.

It shows you have no idea what you are talking about (you being the org here).

Which is why no one listens.

The OpenSSF has had egg on its face for years. The xz thing just made it something we talk about instead of dismiss as irrelevant.

Thinking differently is how we got there.