belval 7 hours ago
It's an interesting world for sure, I maintain a somewhat popular package and got a form to fill from a Deloitte consultant about security once. They seemed genuinely confused when I told them I was not going to fill a compliance form and make patching commitments for free. Really makes you wonder how many maintainers are letting themselves be taken advantage of.
thwarted 6 hours ago
The people who maintain open source software are considered "the vendor" by these compliance types. When it comes to open source, the user is really the vendor and the user has responsibility to themselves for compliance (this is pretty much spelled out in the licence and WARRANTY file). The compliance industry doesn't acknowledge how open source works and has tried, since forever, to shoehorn it into a paid vendor model. Open source maintainers creating destination/marketing websites espousing the advantages of their software as if it is a sellable/buyable product doesn't help and perpetuates that perception.
Aurornis 2 hours ago
> got a form to fill from a Deloitte consultant about security once.

It could be someone trying to extract free work, but in my experience this person was probably trained by someone else about how to handle vendor compliance for contracted vendors.

Sometimes the people in these grunt work consulting positions aren't really knowledgeable about the space. They're in those positions because they can follow directions and will diligently grind out billable hours. Their default mode for getting things done is to try what worked last time, and if that fails they just start looking for names to send the request to until someone does it.

As others mentioned, you could have said "Compliance forms are $1000, payable to ____" and the consultant may have diligently gone through their mental process about where to direct invoices for work.
joshlemer 7 hours ago
Maybe that would be a good opportunity to offer them a quote for how much you could do the work for.
warkdarrior 7 hours ago
Missed opportunity here. You could have offered consulting services, $10,000/hour. Compliance form requires 40 hours of work minimum.