I've been expecting something like this since the XZ hack, but still ... frustrated/annoyed/sad to see Microsoft and 13 (!) partners jointly announcing that their answer is to “educate” open source maintainers.
It's nice that they're compensating maintainers for the time spent on that training, but ... compliance with corporate security policies is still a whole lot of ongoing, unpaid work after that? Sigh.
https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/
If your company relies on open source software and wants to support maintainers, please don't do it this way.
Better models include:
- Tidelift
- Open Source Pledge
- Sovereign Tech Fund Fellowship for Maintainers
@donmccurdy omg, yes, this.
XZ didn't happen because of a maintainer not having the right training or education, it happened because the maintainer didn't have the bandwidth to support the project. As much is obvious from the postmortem.
@donmccurdy Man, I’d have expected better from a trillion-dollar surveillance capitalist that trains its AI on your code.
@donmccurdy and @copiepublique (if you are a French company)
@lutindiscret @copiepublique wasn’t aware of this, thank you!
> Maintainers will get hands-on learning of security principles, tools like GitHub Copilot and Copilot Autofix to help improve security posture, reduce security debt, and improve confidence of downstream users.
fucking lmao
@Foxboron @donmccurdy if they use AI, I mistrust the code even more.