Comment by Vishwa Bhat on "Is our current Open Source model broken?"

Security is certainly low end in OSS specially in JS ecosystem, primarily because imposing strict set of standards on massive ecosystem is difficult when there is no powerful authority managing JS ecosystem.

For instance, take Apple or Google who manage and set the standards in their respective mobile ecosystem by introducing strict checklist of security measures on mobile Apps.

Assuming least/no damages done in the recent incident of npm library hack, I think people have now become cautious to include libraries written by unidentified source. They're now verifying it before directly hitting npm install ... which is a good thing IMO.

What could possibly be introduced is a concept of Certificates like we have for Websites. Some authorised source(probably by npm itself) should certify that a library is safe to use, of course, there would be a price for that but certainly makes an impact.

Interesting point, it would address the security issue, preventing literally anyone from publishing code to the community. But it would not affect maintainer burnout, potentially the same thing could happen if a maintainer would give away his repository and his security certificate as well, wouldn't it?

I think maintainer's burnout usually occurs due to lack of funds to manage that project. Obviously, one person cannot constantly resolve pile of issues in their repo all the time to keep the repo actively maintained.

I took a survey conducted by npmjs.com very recently where the questions involved the concept of freemium based repositories where you can use basic features for free and have paid features separately so that maintainers get paid to keep their repos active.

If the above model gets traction then it could be a major leap in the growth of Open Source ecosystem although it somewhere breaks the concept of OSS.

I didn't know about that model from npm, interesting. Thanks for sharing! :)

Search Hashnode