The CVE thing gets sillier every month.
On one hand you have the laziness of Mitre and friends to add any silly CVE claim, unless someone like @bagder pushes back using days of his precious time
Otoh, there are these "super CVEs" which apply to several projects and people demand coordinated rollouts on specific dates to limit exposure. But most projects don't work that way.
And I'm not sure why unpaid people are putting in extra effort to protect business interests, myself included.
Those companies should at least make some reasonable donations to help sustain the FOSS projects that their business is relying on.
Maybe there could be some kind of marking on products that consumers can look for, in the same way there are markings on "fair-trade" food or whatever, there could be a mark meaning that "this company contributes reasonably to FOSS", then consumers could look for that and it would give an incentive for companies to donate?
2/2
@eliasr @icing @bagder the reason they use FOSS is because coordinating said support is not scalable and cannot be done at a reasonable cost at the scale of these dependencies. Not talking of the maintenance cost but the cost of maintaining the list and relationships and payments systems.
This is a Commons problem
Solutions will be Commons solutions. Aka some form of governance or government like entity.