this post was submitted on 28 Aug 2025
19 points (88.0% liked)

Opensource
[–] Kissaki@programming.dev 1 points 1 month ago

If you want to talk about possible risks to your supply chain, it's a single maintainer that's grossly underpaid and overworked. That's the risk. The country they are from is irrelevant.

Total nonsense.

A good open-source maintainer won't act maliciously, even when underfunded, until they are forced to.

A FOSS project that is underfunded has its own problems. But if it becomes unmaintained, you can take over or react. The other risks are assessable.

Russia is an oppressive regime that continuously attacks other parties through hybrid warfare. Who knows what environment and pressures the maintainer is under? The more important the project is, the more value it has as an attack surface.

How can they think and publicize "nah, underfunded is more important"? And even going further than that, claiming the country is irrelevant?