
The community matters. It's one thing to get control of the official websites, official packages, etc, and another to have to tell every single user "come use my fork".



But this is dangerous. There are many "Jia Tans" out there who would love to continue maintenance of those projects with the full community.


There are accidents on the highway, planes crash, fires in buildings, etc. Let's reason about Jia Tan - a problem, not a danger to all of FOSS - not, like everything else these days, just embrace ignorant fears.

It's cool to destroy social trust, to deny it and abandon it. The counterargument is right in front of your nose - the incredible, infinite, world-changing world of FOSS. Think of all those amazing projects, social trust working over and over and over.

You're going to throw all that out over one guy? The only thing we have to fear is fear itself.


This is not what I meant. But I prefer a fork of an abandoned project which needs to gain new trust to be installed instead of a new release pushed through an auto update after 3 years that installs malware.

The parent comment was not about someone from the community taking over (which to be honest was the case in the xz story) but about posting the project on a "projects without maintenance" site for any random person to take control.


That all makes sense. I agree about the fork.


Yeah, we always knew there were. Open source can't stop existing because there are bad actors.


So you're saying that if projects continue choosing to sunset without handing over the keys to the kingdom, open source will stop existing?

This is simply not even close to true.

Edit: I can't reply to your reply, so here will do. You've completely ignored my main point. I get that you want projects to pass on the torch, but saying open source will otherwise die is ridiculous.


"Continue choosing to sunset"? A large amount of projects does not sunset, it gets passed on instead.


And the author is pretty explicit about this:

> "But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!

For something security critical like a VPN, ownership change is a big deal. Users trust the project's reputation. So if there is not a trusted successor, shutting it down is way better than giving it up to unknown people.


So you want someone else to run it so you can just be part of a community? Seems selfish.


That's not what they meant at all, don't be obtuse. The community exists around the project (in this case the repo and associated website etc). If you fork it then you have to hope that the community follows you to your fork and that then everyone coalesces around it. This isn't guaranteed to work though, so passing the existing project onto a new maintainer is a much better way of retaining the existing community. That is what was meant when talking about the community.


The earlier comment is concerned for the users being orphaned by the project they used. The project is concerned with protecting the trust the users placed in the project by using it.

To trivialize the concern of the project seems worse because it prioritizes convenience in a particularly sticky area (security/privacy) as well as forcing a less informed choice on the user (who they are trusting).

There's probably a nice parallel here where we consider the NRL's role in Tor and how FOSS practices, EFF funding, and transparency meant it preserved user trust.



