
It's not "Open Source" (making code public and free to use and modify) that's broken. It's how people rely on it without any consideration about the sourcing of it.

It's not that it's free to pick and to use. It's that some/most people too often associate "it's free" to be equivalent to "I don't need to care about it, like, at all".

It's that some/most people don't understand that, whatever they take, they become dependent on, for the better and for the worse (insert Marie Kondo cue here).

The interesting thing here is that there's a full new line of work for Info/OpSec opening here: ensuring that your software supply chain is not only secured, but also properly funded and supported.

That's like... common sense in so many "old" industries.




Yes 'free' means 'the little people work on that'.

There's no real way to secure finegrained node.js or python etc deps, since you have no clue if the original author who signs his sources should be trusted, or was malicious from the start and just biding his time, let alone everyone who contributed to every package.

What would help is independent audits and where needed help with hardening like fuzzing and asan / valgrind / static analysis. Just an extra security-minded eye on patches in realtime would be a big help (and maybe would have found the logging bug at hand).


Those audits are your duty. We did this in programming for a long time, until recently the JavaScript craze took over.


FOSS programmers owe you nothing, please read the license.

You can keep dreaming otherwise and enjoy a steady stream of security problems from your leeching.


I hope you are answering the parent. Because this is exactly what I said. You as a user of any foreign library have to look through it. You can't trust code you didn't write. That is also one of the reasons why in the past so many parts were reinvented. Those guys were not stupid, but why on earth would you risk the security of your work just to not write the login process yourself? And then some smarty pants came and told you this is all unnecessary and it is "best practice" to just include some library, package or whatever it is called nowadays.


Your "your" was unclear: I also at first read it as "your, the FOSS developers', problem".


> It's how people rely on it without any consideration about the sourcing of it.

Exactly this. I think the problem is that OSS consumers often have a complex that they are entitled to "good software". But I doubt that the solution is to make it so that the producers are "entitled" to financial compensation. I can see situations where that backfires -- satisfying the producer's "entitlement" can exacerbate the consumer's sense of entitlement and just create an entitlement arms race, and stress out open source producers.


It absolutely is $0 free to pick and use. So that’s what people/companies will obviously do. Why should they pay more than $0 for something that is worth $0 in the market place?


It's common enough to see the phrase "'free' as in 'free beer'" put in contrast to "'free' as in 'free speech'" (which emphasises you can do what you want with the software).

Following in popularity from these is "'free' as in 'free puppy'"; which emphasises that you'd be taking on a burden of responsibility by using it. -- At the very least, if you're using it, it may have bugs.


Why? Because they not only pick something that helps them, they also pick the legacy that comes intrinsically with it.

If they want this legacy not to be a burden, they need to take appropriate steps: contribute to it, through the means of their choice: developer time, advocate time, money, structure, anything.

It's (a bit) like all industries sourcing from the environment (trees, vegetables, minerals, oil, gas, etc.): it's all available for free, let's pick it. Only, if you're not careful about the sustainability of it, and the consequences of sourcing these, it will backfire on you at some point. Badly.


> It absolutely is $0 free to pick and use.

What is? What's the "it" that "absolutely is $0 free to pick and use"?

A: The software, as-is (as-was) at the moment they downloaded it.

What does that "it" not include?

A: Any guarantee of support, bugfixes, maintenance or future development.

Those all cost extra, or one is free to go without.

That, as I seem to recall someone repeatedly pointing out here, is how the free market works. HTH!
