  • Distributions handle this for you. Installing your software through a distro, instead of getting it from each individual software author, means that you trust one organisation instead of hundreds of individuals.

    For instance, Debian has a strict set of guidelines for Debian developers (who have the right to upload packages). They will be familiar with the software they are packaging, are often independent from the upstream authors, and are expected to check the package for various issues, including licensing, security, version incompatibilities etc. In addition, every upload is signed, so you can see who is responsible for everything.

    And when something slips through, as almost happened with xz, the analysis and recovery all happens completely in the open. There may not have been enough eyes on xz to prevent the vulnerability in the first place, but once it was discovered, there were at least hundreds of people dealing with the aftermath, all in the open.

    Compare this with proprietary software, where you’d be lucky if such a vulnerability was even disclosed, vs just silently patched.
  • I would love for such a fund to invest very liberally in these companies, on the condition that anything it funds must be free and open source - public money, public code! The only way to take down these giant US companies is to work together, and the most effective way to work together is to release everything in the open in such a way that anyone can build on top of it.

    If the money just gets funneled into these companies so they can build their own lock-in, the EU would be recreating the same dependency on a few small companies that happened in the US. It wouldn’t increase productivity in the long run, it would instead substitute dependency on a few US companies for a few EU companies.

    But, if they invest in open source software, it could spur innovation not only in the companies that are directly funded, but also thousands of other companies throughout the EU that would now have common infrastructure that they can build on top of.