fail2ban has one core maintainer github.com/fail2ban/fail2ban and he has only 3 GitHub sponsors github.com/sebres

WTF

I can't even comprehend how many servers are protected by fail2ban, how many compromises are avoided, how many people who run hobby things all the way up to major sites that get to sleep soundly every night... because of this single project.

#oss

@dee Thinking about this, and like - whose job is it, precisely, to ensure this kind of thing doesn't happen? That core infra like this has more support? Do we expect the government to do it? Corporations? Or if neither of them, (Not keen on either, personally), then who? Is someone going to go "This is my job, I will systematically review all open source projects and make note of the ones that need more support"?

@dee Is this a job for some non-profit foundation, maybe? Or just a whole gaggle of different people, all with their own crowdfunding or whatever? :/

@dee Personally, I wouldn't mind taking a step back and funding an organization whose job it is to find problems like this and assemble solutions for them - find people to review all the core infra software and make sure it's supported, or assemble resources for the programmers of such, or a million other things. That's no small ask though - even just deciding what, exactly, falls within that area is quite a task. :/

@Angle @dee If I understand you correctly, what you're proposing is an organization that essentially does ecosystem monitoring and proactively connects maintainers and funders where that's necessary, but that itself does not do the maintenance?

@joepie91 @dee Yup! It might also be responsible for setting up new maintainer organizations. And ideally, we'd have multiple of these things, and separate auditing orgs to make sure they actually do their jobs and don't just siphon off resources... It's a whole thing. :/

@Angle @dee My main question would be how such an organization gets funded - the answer for the *maintainer* organizations is obvious (from the funders), but this intermediary would also need funding somehow, and accepting it *from* the maintainer organizations would create some perverse incentives, I think; the intermediary would try to get *any* agreement closed (at least under the rules of capitalism).

@joepie91 @dee Yeah, I don't know. Funding for social goods like this is really hit or miss in general. In theory, this would make a lot of sense as a government program - but in practice, I don't think that's going to work for most countries. I suppose if this intermediary is able to connect funders and maintainers, then they should be able to pursue their own funding? That probably has its own set of perverse incentives, though... :/
