I came across an interesting article; here are a few excerpts I would highlight.
Over the past few years, it has become apparent that the open source ecosystem – which provides the software to run much of the internet, the economy, and our critical infrastructure – would benefit from a bit more rigor.
The OpenSSF was formed in August 2020 to raise the bar for open source security, and subsequent cyberattacks like the SolarWinds supply chain fiasco, the Apache Log4j vulnerability, and Colonial Pipeline ransomware infection, to name a few, have drawn more attention to the organization’s mission – something that hasn’t been top of mind in the FOSS community.
But really, it’s this participatory kind of thing that has to work.
And therein lies the problem: open source governance consists of herding cats. Members of the community have different ideas about how things should work and consensus building isn’t easy or necessarily possible in every situation.
There’s a part of the FOSS community that believes the Linux Foundation, funded by major tech companies including Microsoft and Oracle, favors corporate interests over those of the community.
“Ultimately, this is a classic discussion of what kinds of governance and organizations should be the homes for FOSS projects,” said Bradley M. Kuhn, Policy Fellow at SFC, in an email to The Register.
“While the details of the OpenSSF proposal to control the GCC, GDB, glibc, and Binutils’ infrastructure remain hazy, they’ve stated that the governing body will be a group of companies, who buy seats on a committee that will control the projects’ infrastructure. While that committee may well sometimes act in the interest of the community (by taking advice from a technical advisory committee, which apparently gets collectively only one vote), it’s not guaranteed.”
“Open source projects have this complex history of how do you get decision making done with so many disparate views,” said O’Donell in an interview with The Register.