Supply chain attacks and OSS sustainability go hand in hand

Mitchell Hashimoto@mitchellhSupply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version. The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!) Now, the joke part is that I do believe there is an ethical…

Excerpt limited to ~120 words for fair-use compliance. The full article is at X (formerly Twitter).