しかし、オープンソースコミュニティ自体、必要なリソースと最低限のセキュリティ対策を要求する影響力を持っていない。最近、PyPI が重要なプロジェクトに対し、二要素認証を義務化をアナウンスしたが大きな反発をくらった。つまり、善意であれオープンソースコミュニティ単独でセキュリティ基準の引き上げを達成するのは難しい。

Recently, one of the most popular collections of open-source projects, the Python Package Index (PyPI), announced that it will impose minimum security measures on “critical” projects—the top 1 percent of downloaded projects. This comes out to about 3,500 projects and requires that maintainers of those projects secure their accounts with two-factor authentication to continue contributing to the project. This resulted in an outcry from the community—authors of extremely popular projects threatened to abandon their posts, which could potentially break the systems of any end user reliant on that code.

But a lot of people in comment threads are trying really hard to figure out a way to impose requirements and standards on PyPI’s maintainers but not on anyone else, which then contradicts the “it’s open-source, you can’t demand anyone do anything” basis of the whole argument.

So let’s talk about responsibility. Many people, including Armin, have been arguing that authors of open source code either don’t have, or shouldn’t have, any responsibility for things like the security of the eventual users of the code.

In the Rust world Mozilla started a project that looks quite promising called cargo-vet. It's based on the idea that the users of packages can vet dependencies and most importantly individual versions of them. You can share your vettings with others or at least within your organization. There is an interactive tool that assists you in the vetting process.