🧵 Thread (7 tweets)

The OSS community has yet to come to grips with “Companies with $50 million in the bank send an incredible volume of support requests to people who are worried about making their $600 rent, and the community and culture in OSS makes this feel normal.” https://t.co/ZSxXkTiRQz

People want someone to blame for this security incident, and while I sympathize with that emotional desire, folks wouldn’t be fulminating nearly as much if (non-responsible) engineers were getting paid $200k and ate at the same lunchroom.

It’s a really curious sociological thing that the fact that folks are exploiting the OSS devs here, and I’m not choosing that word lightly, is what gives them social permission to hold their own engineering practices blameless in the process of doing the exploitation.

I did consulting for a number of years. You know what happens if someone discovers a bug in the general vicinity of one of my 2012 consulting deliverables? Nothing happens, because everyone involved is a professional. They pay someone to fix the code they bought for $X0k.

In the very unlikely event that they were to say “Oh hey Patrick we have discovered a security vulnerability here... I know you’re probably busy what with working at another company, but could you drop everything to fix it?”, I would politely and firmly point to the MSA and SOW.

(Contracts which define the relationship between a consultant and their client viz things like Acceptance Criteria, and which are very unambiguous about “After you’ve accepted a deliverable this work is *over.* If you want more work, enquire about rates and availability.”)