Securing the supply chain at scale: Starting with 71 important open source projects
github.blog
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.

cross-posted from: https://lemmy.dbzer0.com/post/51040952

I’m moving away from using products by big tech and I recently started using EnteAuth for 2FA. Today I got an email from them saying that they received money as part of GitHub’s secure open source fund. Maybe I’m just being paranoid but I do not like this at all. Microsoft is not altruistic I don’t care what anyone says. There has to be an ulterior motive for this. With even the recent news that github won’t be so independent anymore and they’re getting folded into the Microsoft umbrella this has me worried. But let’s be real github was never independent just look at copilot being forced down everyone’s throat. That’s why I personally stopped using it.

According to the fund

Throughout this program, each project receives $10,000 USD via GitHub Sponsors (which breaks down to $6,000 USD during the sprint and $2,000 USD at 6- and 12-month security check-ins). Projects are also invited to a new security focused community, and office hours with the GitHub Security Lab, that they can take advantage of during the full 12 months. They also receive security resources to immediately implement in their project and Azure credits for cloud infrastructure.

Those sponsors include

Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password

Projects that are part of this even include nodejs, nvm, log4j, JUnit, and Matplotlib. Taking cybersecurity seriously is great but this just seems like a way to sucker them into their ecosystem to get them dependent on their products. Like I said maybe I’m being paranoid but I wouldn’t be surprise when Microsoft suddenly buys these projects and we lose what made them so great.

  • WhyJiffie@sh.itjust.worksEnglish
    0·
    6 months ago

    but there are no ways to run anything you want to run by focusing on “altruistic companies”, however you may subjectively define that.

    I think you misunderstood OP. their complaint is not that these projects should search an altruistic donor… but that Microsoft is suspicious in doing this, because arguably they rarely have good intentions.

    Whatever Microsoft’s involvement is here, it’s not going to be changing the direction of any of the projects mentioned.

    let’s hope so

    If for some reason something untoward starts happening with any project: boom, fork and new community. It’s that simple.

    easier said than done.

    In short, these people getting funding for their work is a good thing.

    I think OP (and me too) is worried about the terms. like, can these projects abandon github without repercussions? can they start using another code forge in parallel?

    • just_another_person@lemmy.worldEnglish
      1·
      6 months ago

      Uhhh, repercussions like what? They’re getting small amounts of money for specific work. Up front. What repurcussions could there be for project moving to Gitlab, for instance?