No, I speak of reality.
There are other realities. The retainer model isn’t awful. It’s a support contract, for support. Being on call is work even if you don’t do anything because you have set up the intrusive structure in case work is necessary. Less money, but guaranteed. That trade is common.
I don't follow how that answers Stefan's point, are you proposing a retainer for researchers *and* maintainers?
I’ve always supported full time research into open source security vulnerabilities. Project Zero is not wrong and I’m glad Google pays for it. Bounties work better than expected but are not going to be less stressful for volunteer labor. The job is support. There’s budget.
Security research can be done on spec. But being on call is different. You’re impacted whether or not a bug is found. I’m ok with a retainer. The other guy is getting paid, after all.
“Which one person should get paid for many people’s valuable contributions” is a bit odd. Fund what society needs. Blood to each finger, not just one or two.
I'm not sure I follow the on-call point, but of course maintenance and security work are both valuable. I think Stefan's point was that a project might want to (or need to) incentivize security, but already has maintainers who benefit indirectly or in non-financial ways.
I like more support. I like more security research. I like more funding. I don’t like implying some group is already paid enough. In security, even when people are paid well (which isn’t always), there’s not enough people.
Ah-ha, I think I understand what you're saying. It's a nice thought, but I suppose the counterargument is that it's a long way off and *right now* the incentives need to be enough to make the work actually happen.
People like myself, @k8em0, and even you speaking up are *how* things change from a long way off to yes, of course, let's do that too. It's ok. We can talk about things getting better beyond point solutions like writing a check and expecting problems to fix themselves.
Sure, fair enough.
If I’m not mistaken, Google(?) does pay maintainers for security fixes for open source projects with enough of a following / use. There was an article on it this past year that we covered on Application Security Weekly - I’ll have to dig it up.