The CVE thing gets sillier every month.
On one hand you have the laziness of Mitre and friends in adding any silly CVE claim, unless someone like @bagder pushes back using days of his precious time.
OTOH, there are these "super CVEs" which apply to several projects, and people demand coordinated rollouts on specific dates to limit exposure. But most projects don't work that way.
And I'm not sure why unpaid people are putting in extra effort to protect business interests, myself included.
Those companies should at least make some reasonable donations to help sustain the FOSS projects that their business is relying on.
Maybe there could be some kind of marking on products that consumers can look for. In the same way there are markings on "fair-trade" food or whatever, there could be a mark meaning "this company contributes reasonably to FOSS"; then consumers could look for that, and it would give companies an incentive to donate?
2/2
@Di4na @eliasr @icing @bagder As ex-MITRE, I'll point out they are a not-for-profit https://www.mitre.org/who-we-are that runs FFRDCs https://en.wikipedia.org/wiki/Federally_funded_research_and_development_centers. They put lots into INFOSEC without 'getting paid'. CVE's history https://www.cve.org/About/History is evidence that they are more likely under-funded and stretched too thin, not 'lazy'. While I was never involved in those programs directly during my career, they pervade lots of what MITRE does "in the public interest".
@jwd630 @Di4na @eliasr @bagder
The people at Mitre might have the best intentions, but the organization is "lazy" as in having installed a system where the burden is laid at the feet of projects, as described in https://daniel.haxx.se/blog/2024/02/21/disputed-not-rejected/
Having a registry that takes in all sorts of garbage and then is reluctant to make corrections because they are overloaded is not helpful.
@eliasr @icing @bagder The reason they use FOSS is that coordinating said support is not scalable and cannot be done at a reasonable cost at the scale of these dependencies. Not talking about the maintenance cost, but the cost of maintaining the list, the relationships and the payment systems.
This is a Commons problem.
Solutions will be Commons solutions, AKA some form of governance or government-like entity.