One dev salary for open source dependencies

[abitrolly]

Status

• Build dependency tree to know what are the depenencies
  • Make PyPI.org expose information about dependencies
    • Extract and host wheel METADATA on upload pypi/warehouse#9972
      • Protect PyPI wheels from zip bombs (Python CVE-2019-9674 which doesn't seem to be fixed upstream)
        • Zip Bomb protection for wheels pypi/warehouse#10504
      • Run Gitcoin campaign for PyPI to sponsor reviews (https://gitcoin.co/grants/3537/python-package-index)
        • Work with PSF crypto fears to allow it for PyPI (help needed)
    • Test and speed up PyPI.org development setup
      • Development setup is broken - web image fails to build pypi/warehouse#10158
        • Switch to NodeJS 14.15 LTS (fixes #10158) pypi/warehouse#10159
      • Test development setup with GitHub Actions pypi/warehouse#10052
      • Use docker initialization scripts for DB init pypi/warehouse#9993
      • Development setup is broken - No such file or directory: 'curl-config' pypi/warehouse#10446
        • Circular dependency in Makefile pypi/warehouse#10447
    • Format migrations when generating to fix CI/CD failures (Improve Alembic story pypi/warehouse#10146)
      • Find a way to quickly snap/restore DB while testing migrations
        • https://github.com/fastmonkeys/stellar
          • restore fails - cannot drop the currently open database on PostgreSQL 10.1 fastmonkeys/stellar#86
            • Find a fork where this could be fixed
              • Create a tool on ObservableHQ to detect longest forks (https://stackoverflow.com/questions/54868988/how-to-determine-which-forks-on-github-are-ahead/68335748#68335748)

Updates

• 2021-10-21 - How Sentry is giving $150k to their OSS Dependencies - https://podcast.sustainoss.org/96

Intro

"Know Your Maintainers" as in KYC.

To avoid replacing them with bounty hunters, and erasing the spirit and culture of open collaboration. Think about how to preserve it.

"We follow mafia model" in Blender.

Open source culture is definitely about socializing, collaboration and all emotions that fall aside from those pillars.

---

Dedicate one full time salary to spread among open source project you use, and make it both a gameplay and a social process. They say that giving helps to avoid the burnout. But the link should be "healthy" too whatever that means. Common sense and fun may not work for everyone, because people don't have time to maintain the balance.

[abitrolly]

• Detect and draw Python dependency tree python#7
• Show real-time graph for build dependency processing #50
• Bablora - Fedora Remix with revenue stream back to upstream folks linux#47

[abitrolly]

/spent 30m

[abitrolly]

Zip bomb CVE https://www.cvedetails.com/cve/CVE-2019-9674/ doesn't seem to be fixed in zipfile, because the fix is just a warning in documentation. This seems to be a blocker for merging pypi/warehouse#9972

/spend 30m