Everyone: Big Tech should support developers, who develop tools Big Tech was built on, so that important FLOSS projects are well-maintained, quickly patched, and secure.

Google: pay us to access versions of open-source software we audited ourselves.

@rysiek are they really charging for that?
if that's true they found a new way to colonize the commons :blobcatnotlikethis2:

@icedquinn it's only available to customers of Google Cloud. So, yes.

But I am going to bet that you will not find a single AGPLed project in there. Google is allergic to enforceable copyleft:

> WARNING: Code licensed under the GNU Affero General Public License (AGPL) MUST NOT be used at Google.

So, the strong-copyleft side of the code commons is not going to be colonized.

@rysiek Don't mind me, auditing XZ myself... Then I'll audit FontyFruity!

Certainly I welcome Google's auditing efforts, though I don't trust their package repo to line up with what interests me...

@rysiek Then again Google's package repo will almost certainly be better than the one Microsoft bought!

@rysiek Eh, Red Hat has been doing this for years, and it's really a pretty good business model. It provides as a paid service the part that nobody wants to do, but everybody wants to have.

Also, personally I'd like to keep big tech and money out of open source, they don't mix well.

@deshipu @rysiek Also:

"pay us to access versions of open-source software we audited ourselves"

To the extent this lets the payer shift blame/responsibility to Google, this is a tried and true business model in general, common in every industry.

@rysiek And of course that's ignoring the real solution.

Supply chain risk is fucking easy to solve.
Know your dependencies, yourself as much as possible and then with other people you trust to make software repositories.
That's what distros are for, which also means that if you do not trust a software repo you've picked: Leave it.

It's also why I've been avoiding entire software ecosystems where dependencies are managed by stuff like dependabot without any reviewing process going on.
Or ones where libraries can't be packaged by themselves.

@rysiek big tech, as it is now, shouldn't exist as far as I'm concerned.

