# linking-together
s
Just some scratch notes on a topic, any interest in talking about it or fleshing it out?

Reading some blog about Firefox source code and development:
- 21M loc
- “unwieldy and not decomposable”

Thinking about how to take advantage of this from a competitor’s perspective:
- what would a corporate competitor do to encourage bad habits in an open source project like Firefox? What is bad for an OSS project?

Thinking from the attacker’s perspective and thinking worst-case scenario (like a good security analyst).. What does a DOS attack on an OSS project look like?
- submitting lots of superfluous/invalid/detailed bug reports that are difficult to replicate but sound important
- lots of feature requests, perhaps lots of competing/incompatible features
- regarding both bugs and features: this seems like something that a robust organization can handle with a good feature/bug triage process and reasonable estimates of available effort, but you have to ensure that the creation effort grows faster than the triage effort
- obviously one counter is to incorporate identity and trust so that bad actors are flagged separately from those with a good reputation

What about a DDOS? ie what is the equivalent of taking over others’ computers for a botnet? Perhaps:
- encouraging lots of bad/junior contributions (ie identifying a community of juniors and encouraging participation in a way that doesn’t scale well, or which makes work harder for the more experienced/involved members)
- encouraging churn (ie the competitor could hire any seniors/leads in the OSS project)
- lots of badly architected contributions that add visible value (ie something that looks flashy in the usage of the OSS project, but in the implementation is tightly coupled across all parts of the project so that it is hard to refactor/simplify the whole)
🍰 1
s
what is the equivalent of taking over others' computers for a botnet?
giving them money......
Also, big FOSS projects move slowly but surely by nature, so constantly changing standards will severely impede the development process
👍 1
j
obviously one counter is to incorporate identity and trust so that bad actors are flagged separately from those with a good reputation
I think this is the key to a lot of decentralized collaboration, but also means almost ignoring people who have no reputation.
i
I would argue that Chrome's approach to web standards and feature development, particularly in the area of PWAs, is de facto an attack on the other browser vendors. Chrome introduces platform features directly, skipping the standards process, and then popularizes those features among devs, who then smear the reputation of the other browsers for taking a long time to implement them, implementing them differently than Chrome, or deciding not to implement them at all. Chrome does this at such a rapid pace that it is a bit like a DOS attack. (Yes, I know Safari also has a habit of launching new platform features directly — it still sucks, but due to all the factors, it's not as big a problem as when Chrome does it.)
😢 3