Poll: Could You Convince Your Employer to Pay for Vetted Packaging?
Basically, epaulson says that their company would pay for a company to handle Linux packaging, vetting all of the packages, if some liability is accepted by the vendor. It interests me, and I would like to see if anyone would pay for it.
(If I did this, the liability I would accept would be that the contract would be extended, for free, for the length of time that the customer was affected by a broken package. Please comment if your have other ideas for how liability could be accepted, especially if it's how your company would want it done.)
Obviously, I would do as epaulson suggests: give back to the FOSS that I am packaging, probably based on number of users. This would help protect me from people like Marak (see recent threads about colors.js and faker.js) while also giving back to Open Source.
My question is this: could you convince the people in control of spending at your current employer to pay for this vetted packaging service? Crucially, this is not about whether you would pay, unless you are C-level and/or do choose how to spend funds; in that case, please comment so if you can.
Bonus points if you comment with how much your company would pay (or contact me [1]).
[1]: https://gavinhoward.com/contact/
2 comments
[ 2.6 ms ] story [ 19.1 ms ] thread> if some liability is accepted by the vendor.
Asking a vendor to accept liability for 3rd-party code is some combination of an insurance policy and a full audit. Both of which are extraordinarily expensive for any large software package.
That's why I asked people to comment what their companies would pay.
> Asking a vendor to accept liability for 3rd-party code is some combination of an insurance policy and a full audit. Both of which are extraordinarily expensive for any large software package.
Not necessarily, as long as the vendor makes clear how much liability they are accepting. That's why I said specifically what liability I would be willing to accept.