This post on Medium by Nadia Eghbal pointing out the precarious situation of open source infrastructure is absolutely spot-on.
The world is dependent on a very small number of people who are taking care of things in their spare time, and we have no reasonable way of rewarding them for it. Even the foundation model–Wikimedia Foundation, Mozilla, etc.–is relatively untested. We know corporations can maintain infrastructure over generations (look at the phone system, railways, etc.), but we don’t know whether non-profit foundations supplying critical infrastructure have the same potential for longevity, or whether they are unstable against various perturbations, particularly turnover of key personnel.
“Open source infrastructure” is a really good term for the most critical components. The world wouldn’t stop turning if we lost emacs or vi–which are important and open source, but not infrastructure–but there are infrastructure components that would be fantastically expensive to replace: Perl, for example, which doesn’t even get a mention.
Bitcoin is an interesting example, because the blockchain technology it was based on was supposed to be completely distributed and immune to capture by a central authority, but the sparseness of resources actively contributing to Bitcoin Core has made it unstable. This should be a cautionary tale for anyone depending on open source infrastructure… and everyone is depending on open source infrastructure. We’re fortunate with regard to Bitcoin that this is happening relatively early in the history of blockchain tech, so it hasn’t had time to become a deeply embedded part of Internet infrastructure.
I don’t have any brilliant solution to this issue, but ActiveState is definitely part of the conversation, and our role in the Perl community should be considered in the light of this reality. We are incredibly fortunate to be part of a deep and broad community that has grown up around the language in the past several decades, but we need to make sure that community will still be vibrant and sustainable decades into the future. We don’t want “the duct tape of the Internet” to fall into the position of being dependent on “two guys named Steve”, the way OpenSSL turned out to be.