>it is not okay to consider that this labor fell from the sky and is a gift, and that the people/person behind are just doing it for their own enjoyments
Yes it absolutely is. That is the exact social contract people 100% willingly enter by releasing something as Free and Open Source. They do give it as a gift, in exchange for maybe the tiny bit of niche recognition that comes with it, and often times out of simple generosity. Is that really so incredible?
The person needing a feature can implement it themselves or pay for it. They may even share it, in the spirit of open source, but they probably don't have to (depending on license conditions).
Is your perspective here "these things need to be useful/stable/secure, how do we make them/create incentive for them to be what we need them to be"? Because my view is more like "open source is a sprawling wild garden and occasionally a tree bears fruit, and anyone gets to have some for as long as it does."
The assumed base state we're looking to augment via open source software being: "Fully working software"(Augmented: free) vs "No software" (Augmented: yes software)?
Like, what you seem to want is business, plain and simple. Pay a guy, have your specs filled, get guarantees. That would be expecting open source to fill a role it just isn't made for.
Help normalize saying no? As an OSS maintainer, the sense of entitlement many have is quite frustrating. After years in OSS, I have built up a thick skin and am fine saying no, but many aren't.
I’m sure many companies like to pay. It’s probably the cheapest way to solve a business problem. It should be the norm. If a company wants to have a bug fixed or a feature added, they should pay. And GitHub should make it easy to do so.
> At some point, is open sourcing your work a liability?
I argue that open sourcing your work is no more of a liability than making a comment on social media. The biggest risk to an open source maintainer is publicly losing their patience and/or being heterodox in their beliefs. Code isn't a requirement for that to happen.
> Correct, maintainers can say that and get shamed.
And then they can shrug and move on with their respective days. If I open source something it's a gift to the commons, not a promise to work on it for free in perpetuity. I don't really care if someone tries to shame me for that, as there's nothing to be ashamed of.
If you look at the issue list for any significant open source project, it's probably of nonzero size. That's a way of saying "no": just don't do it.
Maybe you're overloaded, maybe you just don't feel like it. It's totally normal, and different projects have different levels of resources, some with none anymore.
Unless you're talking about a different event, tj-actions wasn't "compromised because there aren't any security specialists looking at the library". Instead, an API key was used, maybe by the author, maybe by someone else, to replace good code with bad code, including modifying historical release tags to point to the bad code.
That said, everything in my previous post still applies: a nonzero buglist is totally normal and widely accepted.
I'm not too sure about the root cause of the tj-actions incident. IIRC there are some libraries that were compromised by action injection vulnerabilities, where a security specialist could have helped.
> The expectation of FOSS is that the users and maintainer work together to resolve bug fixes/features/security issues.
This depends a lot on the users, and then somewhat on the maintainers.
I have seen a lot of end-user facing software where people do not understand that features and fixes do not magically materialize - that there is a person on the other end likely working on this in their free time, with their own prioritization on how they will use that limited time.
You, as a maintainer, are free to ignore any such expectations and do what you want. There are no obligations. You only risk disappointing people (or corporations), and losing GitHub stars. If that leads to unmaintained libraries, that probably means the open-source model doesn't work for this project. And that's fine.
People's expectations are not constrained by the license. They are free to exercise a sense of entitlement beyond the terms of the contract and empirically they often do. The license does not prohibit them from engaging with the authors or maintainers for any reason whatsoever, including requesting free labor.
You could perhaps add a clause in the license that restricts this behavior but then it would no longer be FOSS.
They are free to have a sense of entitlement or to try and engage with the project maintainers/owners but there is nothing that obligates them to reciprocate anything at all.
Agreed. Supporting open source maintainers is a great idea in general, but shaming people for using something according to the exact license terms it was released with is getting old.
A natural solution for this kind of problem would be either a private or public grants program. Critical infrastructure built by random uncompensated people... ideally there would be some process for evaluating what is critical and compensating that person for continued maintenance.