- cross-posted to:
- foss@beehaw.org
- cross-posted to:
- foss@beehaw.org
cross-posted from: https://lemmy.dbzer0.com/post/51040952
I’m moving away from using products by big tech and I recently started using EnteAuth for 2FA. Today I got an email from them saying that they received money as part of GitHub’s secure open source fund. Maybe I’m just being paranoid but I do not like this at all. Microsoft is not altruistic I don’t care what anyone says. There has to be an ulterior motive for this. With even the recent news that github won’t be so independent anymore and they’re getting folded into the Microsoft umbrella this has me worried. But let’s be real github was never independent just look at copilot being forced down everyone’s throat. That’s why I personally stopped using it.
According to the fund
Throughout this program, each project receives $10,000 USD via GitHub Sponsors (which breaks down to $6,000 USD during the sprint and $2,000 USD at 6- and 12-month security check-ins). Projects are also invited to a new security focused community, and office hours with the GitHub Security Lab, that they can take advantage of during the full 12 months. They also receive security resources to immediately implement in their project and Azure credits for cloud infrastructure.
Those sponsors include
Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password
Projects that are part of this even include nodejs, nvm, log4j, JUnit, and Matplotlib. Taking cybersecurity seriously is great but this just seems like a way to sucker them into their ecosystem to get them dependent on their products. Like I said maybe I’m being paranoid but I wouldn’t be surprise when Microsoft suddenly buys these projects and we lose what made them so great.
You must log in or register to comment.
You may as well just stop using computers all together, bud 🤣
I don’t mean to ruin your world view, but there are no ways to run anything you want to run by focusing on “altruistic companies”, however you may subjectively define that.
Look, you’re focusing on the wrong thing here. Maybe you didn’t know this, but the massive majority of FOSS projects get funded by companies - either for consulting, feature bounties, IC development - and is a main driving force for the ecosystem.
Many in this ecosystem would even tell you that every single project is massively UNDERfunded by said companies, and they should kick in more to help keep these projects secure and in good standing. They make billions and billions of dollars off people’s work, and it surely seems they should kick some of that back to the projects.
Whatever Microsoft’s involvement is here, it’s not going to be changing the direction of any of the projects mentioned. If for some reason something untoward starts happening with any project: boom, fork and new community. It’s that simple.
In short, these people getting funding for their work is a good thing. If you take issue with who is providing that money, you’re going to be digging a deep, deep hole in your research, and if you’re running down the dep chain, you’ll find out that all of the things you use have some funding by companies like Microsoft, Apple, Google, Facebook, IBM, Red Hat, Amazon, Alibaba, Halliburton, Qualcomm…I could keep going on and on.
but there are no ways to run anything you want to run by focusing on “altruistic companies”, however you may subjectively define that.
I think you misunderstood OP. their complaint is not that these projects should search an altruistic donor… but that Microsoft is suspicious in doing this, because arguably they rarely have good intentions.
Whatever Microsoft’s involvement is here, it’s not going to be changing the direction of any of the projects mentioned.
let’s hope so
If for some reason something untoward starts happening with any project: boom, fork and new community. It’s that simple.
easier said than done.
In short, these people getting funding for their work is a good thing.
I think OP (and me too) is worried about the terms. like, can these projects abandon github without repercussions? can they start using another code forge in parallel?
https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extinguish
OP has a reasonable concern, Microsoft has had a troubling past history, and embrace extend extinguish hasn’t gone away, just look at the office file standards shenanigans.
It’s certainly the case that the purchase of github is intended to create a platform that has network effects (making it hard to leave).
Microsoft has proven many times that their participation in FOSS tends to come with a catch or an intent to subvert.
Uhhh, repercussions like what? They’re getting small amounts of money for specific work. Up front. What repurcussions could there be for project moving to Gitlab, for instance?
Uhhh, repercussions like what?
sudden closure of donated azure services without prior notification and time to move off.
having to pay back some of the money.
the project planning with the promised donations as a given (they don’t get all of it upfront, but as they get the most of it it’s actually fair) and microsoft either using it as leverage or just carelessly terminating the contract to save money.
in extreme case banning the project from microsoft owned services, including github.
any of that in decreasing order of probability if implementation is different from expected (like not baking in specific security tools to the project) and the parties cannot agree on a solution.
Uhhh, repercussions like what?
sudden closure of donated azure services without prior notification and time to move off.
having to pay back some of the money.
the project planning with the promised donations as a given (they don’t get all of it upfront, but as they get the most of it it’s actually fair) and microsoft either using it as leverage or just carelessly terminating the contract to save money.
in extreme case banning the project from microsoft owned services, including github.
any of that in decreasing order of probability if implementation is different from expected (like not baking in specific security tools to the project) and the parties cannot agree on a solution.
They’re payments for work services.
You listen to Joe Rogan, don’t you…
oh and I must also live in texas, right?
I wouldn’t even recognize their voice or face.
yes exactly, my problem is not the money. I don’t expect these project to always be free and I support those I can, sponsorship is good. These giant tech firms have used free projects all the time to make money without providing any support so its fine that they’re supporting them. My problem is that I do not trust Microsoft at all.
In terms of the open source community Microsoft has been significantly less sketchy than usual for about a decade now. For those of us that are old enough to remember the halloween files it’s hard to let go of that paranoia, particularly with the sketchy shit MS has been doing with their proprietary stuff lately, but near as I can tell they’ve been above board on their open source stuff.
I wouldn’t go so far as to say blindly trust them at this point, but I wouldn’t just assume with no evidence at all that there has to be something nefarious going on either.
I’ve never heard of the Halloween files I just looked it up and that’s just so crazy. I don’t know what’s going on behind closed doors in their c-suite but I wouldn’t be surprised if this fund is a way to get their hands into open source projects. Like you said there’s no explicit proof so it’s best to be cautious.
Whether it’s good or bad is not determined by the fact that it’s corporate money, but how that money impacts development, the devil’s in the details, not just in a company donating lots of money.
Open source in general is very dependent on corporate sponsors. The linux kernel wouldn’t exist had companies not invested in it.
I’m not knowledgeable enough to assess the potential pitfalls here, so I will be cautious but not paranoid, and continue to pay attention to discussions on how FOSS projects are run 🤷♂️
