
I've been working on thanks.dev for over two years now & reading this report is disappointing to say the least. Why not spend the time to explain the value XZ Utils created for all the commercial users & what companies can do to better support maintainers with hundreds of issues experiencing burnout from their unpaid work? OpenSSF should instead promote FOSS programs like https://frontendmasters.com/blog/how-were-supporting-open-so... & how they help their open source community stay active. Working in open source is a social contract & corporates need to be better citizens if they want to reduce their risk profile.



On first reading your comment makes a lot of sense, and is certainly logical for maximizing the common good.

But unfortunately, companies simply don't work the way you are proposing.

The short reason is this: "good citizenship is indistinguishable from corruption. Therefore good company governance leans away from both."

The somewhat longer answer is that while a "company" might have a lot of money, or might make a lot of money leveraging some common good, it is not (usually) one person's money.

The bigger the company the harder it gets to actually -spend- the money. There are procurement departments, various sign-offs and so on. First and foremost it helps if there is a tangible (defendable) reason to spend the money.

Yes, companies "give" money away. Usually under the guise of marketing. It's easy to donate money to the local cancer center. It's harder to explain the marketing value of supporting random open source projects.

For tech companies it's -somewhat- easier, but even then it's simpler to donate time rather than money.

I've said it a lot lately, but OSS development has to "commercialize" if it wants to be commercial. That means first understanding "what companies pay for" and designing products to fit that.

Or target individuals with excess cash of their own that they're willing to just "pass along".


"What companies pay for" is anything they cannot get for free. If the value of an OSS project is mostly in its code, then any license that allows it to be used commercially will mean lots of free-riding.


Companies want to have their cake and eat it too: the code is free, but they're complaining there's no warranty.

If companies want better guarantees, then they should contribute more.


Thing is, they still continue using the code even as they are complaining. Which is to say, they'd very much like the warranty so long as it's also free, but if it's not, they're willing to go without.


I'm sorry but this is a huge copout. At least the big companies and governments have the money to solve all these problems. They have literally teams of lawyers on retainer and they can hire a few more people for all the other self created bureaucracy. None of the things mentioned here are laws, of nature or otherwise.


I'm not sure what you are proposing. You declare cop-out, but then fail to describe a mechanism.

Who exactly would initiate this change? Shareholders? Board members? C-suite? Employees?

What do you propose an initiator should argue to convince colleagues? Why should an initiator spend political capital on this rather than on themselves?

Of course they have the money to give to random OSS projects for no return. What your post lacks is any motivation for doing so.


> Shareholders? Board members? C-suite?

Yup, these three. It's been too long that we give passes to executives for their bad behavior. If a company is using a tool they should be thinking about paying back. If they are not, they are being bad members of society (and yes, companies also live in a society). It is not hard if there were good people in charge, whose only lookout isn't to make the share price go up every quarter.



