From the article"
There is now a distinct strain in the OSS market that advocates loudly for non-viral licenses. The growing view is, amazingly, that the viral licenses are somehow less in the spirit of open source ("not 100% open source"). This is a rather imaginative perspective, as copyleft licenses (a much better term than "viral") were purposely designed to increase the amount of free, open-source software.
My concern is that if this view becomes widespread and copyleft licenses are heavily disfavored, the fundamental nature of open source will change. Small teams of innovators, à la OpenSSL, will no longer be able to create value and be sustained by skill and innovation. And so, one of the most important feeder streams to the open-source ecosystem will disappear — a victim of corporate users' unreasonable refusal to help pay to support projects from which they derive substantial revenue.
I don't see it so much as a refusal to help out as much as I see it as a deliberate strategy to poison the well and re-factor the fundamental idea behind OSS into something more in keeping with the corporate closed-source mindset.
Because, while it may be true that lack of money allowed a major software problem to go undetected or fixed, I don't think it's all that surprising. Consider the number of glaring security issues found in Windows, or Oracle, or dozens of other products by companies such as Apple, Cisco, IBM, and others, that were
identified - but left uncorrected
. In some cases for decades.
So yes, lack of funding may be a key factor in the case of OpenSSL. But having massive amounts of money and people available is no assurance things will be any different. Because it hasn't been for some of the big players. Some of whom have been (with typical corporate hypocrisy) highly and vocally critical of "security" when it comes to FOSS projects.
The big advantage of having security handled in an open fashion is that it drastically cuts down on the opportunity to introduce backdoors and rogue routines into the officially maintained codebase - and have them remain undetected.
Try doing that with something like Windows or a company like Microsoft. Because the big players all seem to have reached an 'accommodation' with the NSA on that issue. (When asked if the NSA ever approached the Linux kernal maintainer group
to put in a backdoor, Linus Torvalds nodded an exaggerated yes while smiling broadly - and then said "No." Try getting that degree of candor from the corporate crowd.)
Dunno. I don't have good feelings about any of what's going on. And money alone isn't going to fix it.
Once again: "It's never a tech problem - it's always a people problem."
To which I'll add: It's never just
a money problem either.