
Money for nothing, commits for free

submitted by
Style Pass
2024-05-02 20:30:06

In late March 2024, the open source community discovered a backdoor in XZ Utils, the suite of tools built around the xz compression format. The backdoor was embedded inside liblzma, the library that implements the format, and took effect when liblzma was loaded into the OpenSSH server process (on distributions that patch sshd to link against libsystemd, which in turn depends on liblzma). You can read about this extensively in many places elsewhere.

Since then, many people have leveraged the xz backdoor to highlight their favorite systemic issue in open source. Jen Easterly, the director of CISA, argued that the only way to stop another backdoor is more corporate support for open source. This opinion was echoed by Meredith Whittaker, the president of Signal. A similar opinion among developers is that the only way to secure the open source ecosystem is some sort of Universal Basic Income (UBI), so that maintainers can work on open source full time.

Unfortunately, money does not prevent this kind of backdoor. First, remember that, apart from paying for infrastructure, money is mostly useful to an open source project only if it lets the maintainer work on the project in place of their current full-time job, rather than on nights and weekends. A living-wage UBI does not reach that threshold for most software developers, who currently enjoy fairly high salaries. So let's think about how companies could apply money[1] to open source in ways that would actually allow maintainers to quit their day jobs.
