I dunno; if an open source project wants to take public sector funding, then some kinds of public sector oversight (e.g. public sector requiring security audits, or SBOMs, etc which they pay for) could be very desirable indeed.
If your implication is that the government who's funding it might then try to leverage the project somehow (e.g. insert a backdoor or whatever), then we're back with the original problem of needing to protect FOSS projects from malicious actors wherever they come from.
I'd argue that the benefits of actually being funded massively outweigh the risks of the funder going rogue, given you can use the funding to build checks & balances to protect against malicious activity no matter the source.
IMO we should start an Office of Digital Infrastructure if we want things like software BOM and software oversight. If the government wants secure code they should write the code in a controlled environment. They can run it similarly to an open source project (take pull requests from the general public) but it should be clear that the responsibility lies 100% at their feet.
I don't think most open source projects really inspect their dependencies that well. Lots of these projects are community/hobby things and they should be treated as such.
I found this post to be an interesting discussion on how a not-for-profit organisation could practically operate to support FOSS maintenance. It still has risks surrounding infiltration by bad actors, but mitigation is easier since staffers are paid.
https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI