4 comments

  • anishgupta 44 minutes ago

    This just reminds me of the meme of a big stone structure supported by a pebble to prevent it falling, the pebble being an OSS maintainer in Nebraska.

    I like the spirit of the article; however,

    1. Tracking every mention of a dependency and assigning value fairly is extremely hard: many packages are widely reused while many are tiny utility libs.

    2. Usage in a file doesn’t reflect actual runtime usage. A repo might list a package but never import it.

    Overall, solutions that align incentives and maintain ecosystem neutrality are more likely to gain traction than a platform-wide mandated surcharge.

  • zahlman 2 hours ago

    Make secure online transactions easy without compromising privacy (some GitHub users cannot afford to have their username connected to a real-world identity, for example because their software does something their local government disapproves of) and we can talk.

  • theamk 2 hours ago

    "GitHub should charge every org..."? As in, large open source projects and commercial plans only? The commercial plans are already paying quite a lot, so it would be mostly open source projects seeing this extra charge...

    But the much bigger plan is how to make sure we distribute it "fairly". JavaScript has this big problem that its ecosystem is messed up using thousands of tiny packages - the "left-pad" is gone, but there are many other very short packages which should not exist. If GitHub starts paying for each package name, things will get 100x worse - now every package will be split into hundreds of "micro-packages", as this will be an easy way to start printing money. This will make all the audits much harder, and future supply chain attacks easier.

      anishgupta 42 minutes ago

      > future supply chain attacks easier

      To clarify, if I understood correctly: because packages would be fragmented and hence present more attack vectors?