The ROI of paying open source maintainers (in light of the xz utils backdoor)

As we continue to watch the attempted xz utils backdoor hack unfold, I’ve been following several conversations where questions are being raised about what this type of hack means for the software supply chain, and for security, identity, and trust.

At Tidelift, for years our rallying cry has for years been to “pay the maintainers.” We believe this is an essential step in avoiding situations like xz where a volunteer maintainer who described themselves as an unpaid hobbyist was tasked …

backdoor continue conversations hack identity maintainers open source opensource questions roi security software software supply chain supply supply chain tidelift trust watch xz xz utils