I agree that open source infrastructure needs to be funded. I think first there needs to be a mindset shift in who's responsible for open source.

Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?

Currently, companies treat open source code as someone else's, so they don't bother to audit it, maintain it, or fund it. Clearly, this is wrong, and it is reflected in the OSS license, which states that the code is solely the consumer's responsibility.



> Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?

They are. I've never seen a single example of a company that was able to dodge legal liability for something bad that happened as a result of an open-source software package that they used.

The problem is that software companies generally aren't liable for anything that happens as a result of their software. If you store the code to a safe with $100k in OneDrive and Microsoft deletes that file by accident, they have zero legal liability - regardless of whether the fault was in Microsoft's proprietary code or some open-source library that they use.

That's the more fundamental problem that needs to be addressed first - that tech companies have extremely few responsibilities to their users, in a way that's unlike most other industries that have come before.


The EU CRA law is going to fix that: companies will be responsible for the open source code in the products they sell.


What are the penalties? Will they crack down on the buggy WiFi routers, which oftentimes ship open source software that the vendors never maintain?

Also, I see this as a benefit for the major commercial Linux distributions like Red Hat, Ubuntu and maybe SuSE, because small companies can't provide that level of assurance.


Found a FAQ about it:

"Failure to comply with vulnerability reporting, cyber incident reporting, or essential cybersecurity requirements could trigger administrative fines of up to €15 million or 2.5% of global turnover. Other obligations include €10 million or 2% of global turnover."

https://www.windriver.com/resource/eu-cyber-resilience-act-f...

Also more details in this one:

https://codific.com/cra-fines/

Apart from fines, "Beyond financial penalties, non-compliant products may also be prohibited or restricted from being made available on the EU market, or authorities may order their withdrawal or recall. This can lead to significant reputational damage and loss of market access."


So, if they reported it, there is no liability.


There is more to it than just reporting: "essential cybersecurity requirements" presumably would include fixing issues, hardening to reduce the impact of issues, etc.
