科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content.

Resource links: HackerNews API, original Hacker News, Next.js

© 2025 科技回声. All rights reserved.

Google calls on government to help secure open source

7 points, by relaunched, over 3 years ago

3 comments

hyperman1, over 3 years ago
They want:

    a public-private partnership to identify a list of critical open source projects

Which should create:

    formal requirements or standards for maintaining the security of that critical code.

I want to see the government barging in on any random project, dictating to the maintainers how they're going to run the thing.

Even governmental funding might have too many strings attached. Our government is providing subsidies to small local charities. Turns out they wanted a paper trail with detailed activities for each meeting, and signatures from a lot of people. Auditors ran amok, requiring even more paper. The volunteers complained about the morass of paperwork, so the gov helped them 'professionalise'. After a year of professionalizing, it turns out they lost so many volunteers that a lot of local chapters were giving up.
relaunched, over 3 years ago
I can't even imagine what Richard Stallman thinks about this.

I would have loved to be a part of the conversation. While I'm sure there are at least 100s or 1,000s of open source projects that would be classified as critical by any set of requirements, I'm really curious how the real silent killer, transitive dependencies, would be handled.

Modern development is all about grabbing someone else's package, that has grabbed these other folks' packages... and as one would expect, there is a recursive nightmare of dependencies, 100s or more, per package.

I'm not one of the folks that believes government can't do anything right. However, I fear the open source community would be quite split over supporting a FOSS application that the government is openly connected with.
Comment #29938124 not loaded
GoOnThenDoTell, over 3 years ago
Sounds like they're asking for the government to subsidize the maintenance of their dependencies.