One dev salary for open source dependencies

[abitrolly]

Status

• [ ] Build dependency tree to know what are the depenencies
  • [ ] Make PyPI.org expose information about dependencies
  • [ ] https://github.com/pypa/warehouse/pull/9972
    • [ ] Protect PyPI wheels from zip bombs (Python CVE-2019-9674 which doesn't seem to be fixed upstream)
    • [x] https://github.com/pypi/warehouse/issues/10504
    • [x] Run Gitcoin campaign for PyPI to sponsor reviews (https://gitcoin.co/grants/3537/python-package-index)
    • [ ] Work with PSF crypto fears to allow it for PyPI (help needed)
  • [ ] Test and speed up PyPI.org development setup
    • [x] https://github.com/pypa/warehouse/issues/10158
    • [x] https://github.com/pypa/warehouse/pull/10159
    • [ ] https://github.com/pypa/warehouse/pull/10052
    • [ ] https://github.com/pypa/warehouse/pull/9993
    • [x] https://github.com/pypa/warehouse/issues/10446
    • [x] https://github.com/pypa/warehouse/issues/10447
  • [ ] Format migrations when generating to fix CI/CD failures (https://github.com/pypa/warehouse/pull/10146)
    • [x] Find a way to quickly snap/restore DB while testing migrations
    • https://github.com/fastmonkeys/stellar
      • [x] https://github.com/fastmonkeys/stellar/issues/86
      • [ ] Find a fork where this could be fixed
        • [ ] Create a tool on ObservableHQ to detect longest forks (https://stackoverflow.com/questions/54868988/how-to-determine-which-forks-on-github-are-ahead/68335748#68335748)

Updates

• 2021-10-21 - How Sentry is giving $150k to their OSS Dependencies - https://podcast.sustainoss.org/96

Intro

"Know Your Maintainers" as in KYC.

To avoid replacing them with bounty hunters, and erasing the spirit and culture of open collaboration. Think about how to preserve it.

"We follow mafia model" in Blender.

Open source culture is definitely about socializing, collaboration and all emotions that fall aside from those pillars.

---

Dedicate one full time salary to spread among open source project you use, and make it both a gameplay and a social process. They say that giving helps to avoid the burnout. But the link should be "healthy" too whatever that means. Common sense and fun may not work for everyone, because people don't have time to maintain the balance.

[abitrolly]

• [ ] https://github.com/yakshaveinc/python/issues/7
• [ ] #50
• [ ] https://github.com/yakshaveinc/linux/issues/47

[abitrolly]

/spent 30m

[abitrolly]

Zip bomb CVE https://www.cvedetails.com/cve/CVE-2019-9674/ doesn't seem to be fixed in zipfile, because the fix is just a warning in documentation. This seems to be a blocker for merging https://github.com/pypa/warehouse/pull/9972

/spend 30m