fossified/podcast

Abandon a project and abandoned projects

Opened this issue · 1 comment

oej commented

Like businesses, Open Source projects have good times and bad times. Some projects are in the spotlight for a few years, attract a lot of attention from developers and security researchers, get funding for adding new functions and have huge project-cons with massive participation.

What happens when the spotlight is turned off? How does the project survive? Will lack of funding lead to risks of security issues in the code?

There are many abandoned projects out there. Do we need to formalise the slow death? Like an SPDX identifier that maintainers can use to indicate their current status - like "not active", "security fixes only", "looking for new maintainer". This could be added to SBOMs and used in evaluation of a project as a dependency.

sjn commented

This is a super interesting topic to explore. On CPAN, we operate with bus-factor (publicly shown on metacpan.org for each module published), and many projects have a bus factor of 0 or 1. There are routines in place for adopting modules, but there's quite often difficulty when making the judgement call if this is OK or not.

For abandoned projects that are actively in use (and maybe need security updates) the situation can become even more frustrating. And to make it even more interesting, the well-being and sustainability of projects are going to become even more important when considering the new upcoming laws on cybersecurity coming from the EU – the NIS2 directive, and the Cyber Resilience Act.

I'd love to see conversations focusing on…

  • Succession planning – who takes over a project when a BDFL reaches EOL? How does one do this in a gentle and respectful manner?
  • Should commercial stakeholders take a more active role in the sustainability of the projects they depend on in their business, and what steps can a project do to make progress in this regard?
  • Who are the stakeholders that can influence the long-term viability and sustainability of a project, how does this typically play out in practice?
  • What are the best ways of identifying projects that require special attention like this?

I think this would be an extremely fascinating and prescient topic to bring forward in your schedule.
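One way the status identifier proposed in oej's comment and the bus-factor signal mentioned in sjn's could be consumed when evaluating a dependency, as an added example that is not code from the fossified/podcast project: the property names x-maintenance-status and x-bus-factor, the risk mapping and the SBOM fragment are all constructed assumptions, not real SPDX or CycloneDX identifiers.

```python
"""Flag risky dependencies from maintainer-declared status in an SBOM.
Added example (not fossified/podcast code); x-maintenance-status and
x-bus-factor are hypothetical property names, not real SPDX/CycloneDX ids."""
import json

# Status values from the issue, mapped to a triage risk level.
STATUS_RISK = {"active": "low", "security fixes only": "medium",
               "looking for new maintainer": "high", "not active": "high"}
RISK_ORDER = {"low": 0, "unknown": 1, "medium": 2, "high": 3}

# Constructed CycloneDX-style fragment; component names are made up.
SAMPLE_SBOM = """{"bomFormat": "CycloneDX", "components": [
 {"name": "libfoo", "version": "1.2.0", "properties": [
  {"name": "x-maintenance-status", "value": "active"}, {"name": "x-bus-factor", "value": "4"}]},
 {"name": "libbar", "version": "0.9.1", "properties": [
  {"name": "x-maintenance-status", "value": "security fixes only"}, {"name": "x-bus-factor", "value": "1"}]},
 {"name": "libbaz", "version": "2.0.0", "properties": [
  {"name": "x-maintenance-status", "value": "looking for new maintainer"}]},
 {"name": "libqux", "version": "3.1.0"},
 {"name": "libquux", "version": "1.0.0", "properties": [
  {"name": "x-maintenance-status", "value": "active"}, {"name": "x-bus-factor", "value": "1"}]}]}"""

def load_sample():
    return json.loads(SAMPLE_SBOM)

def assess_component(component):
    """Derive a risk level, and the reasons for it, for one component."""
    props = {p["name"]: p["value"] for p in component.get("properties", [])}
    status = props.get("x-maintenance-status")
    risk = STATUS_RISK.get(status, "unknown")
    reasons = [f"status: {status}"] if risk in ("medium", "high") else []
    if risk == "unknown":
        reasons.append("no recognised maintenance status")
    bus_factor = props.get("x-bus-factor")
    if bus_factor is not None and int(bus_factor) <= 1:
        reasons.append(f"bus factor {bus_factor}")
        # One maintainer is a risk even when the project declares "active".
        risk = max(risk, "medium", key=RISK_ORDER.get)
    return {"name": component["name"], "version": component.get("version"),
            "risk": risk, "reasons": reasons}

def risky_components(sbom, minimum="medium"):
    """Components at or above the given risk level, highest risk first."""
    findings = [assess_component(c) for c in sbom.get("components", [])]
    findings = [f for f in findings if RISK_ORDER[f["risk"]] >= RISK_ORDER[minimum]]
    return sorted(findings, key=lambda f: -RISK_ORDER[f["risk"]])
```

Components with no declared status rank as "unknown", so a stricter policy (`minimum="unknown"`) surfaces undeclared dependencies as well as the ones that admit they are winding down.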