Posts Tagged: governance

How to trust FOSS players and the security implications

January 27, 2026

More and more, recent (and not so recent) episodes [1-5] show a hard truth we had already discovered in the Debian project back at the end of the 90s. A key security principle in FOSS code development is ensuring the trustworthiness of all parties involved, and that’s unfortunately also the weakest part of the whole chain.

Too many eyes or too few efforts?

December 07, 2025

I recently read a post by Jack Poller about the end of FOSS optimism in creating software in recent years. His thesis is that the idea that the more eyes look at a piece of software, the higher its quality, is indeed a myth, and that nowadays it is also a dangerous illusion when we focus the analysis on security. Commercial software, on the other hand, has processes and resources dedicated to managing security, which in these times of active AI use could make the difference.

FOSS toxicity, burnout and governance (again)

March 23, 2025

I recently read with interest the post where Hector Martin resigned as Asahi Linux leader. As is probably well known, Asahi Linux is the very first Fedora-based distribution into which all the hard work to support the Apple ARM M* chip series in the Linux world found its way.

FOSS governance and sustainability in the third millennium

October 11, 2024

I have long participated in the FOSS community. My first public contribution was the YardRadius project in 1995, a consolidation of the old Livingston Radius daemon and a series of add-ons written by Christian Gafton (RIP) and me. That was some years before the more significant FreeRadius project. At that time, I ran an ISP for a period, just before the dotcom bubble burst, but that's another story...