Basically... can we open source this code? I want to do that for many reasons, but the most pressing ones are trustworthiness and reproducibility.
If we keep the code closed source, how could we make a living off of it, without doing promotions or making parts of the data non-public?
None of these seem terribly hopeful. I'm wanting something like what http://contribsys.com/ does with Sidekiq, which seems to be
free accounts get open-source software to do X, or you can buy the closed-source version which does X+N. But we're not producing tools, we're producing information. Maybe selling people accounts that grant access to more information is the way to go. :-/
Maybe we can do something regarding code review services? In that case basically I (and probably others) form a company for providing security consulting, and use cargofox as a tool for it.
Another way would be to provide cargofox as a tool for people to perform and register code reviews, post and accept bounties on them, and so on. So someone could look at a crate, say "this is reviewed poorly" and post a bounty to either review it or improve it. Then we either take a cut, or offer some sort of escrow services, or people pay for an account that can see/work with/submit bounties, something like that.
This is more desirable because other people do the work and we run the infrastructure. :-P But it also means that a) all the analysis stays free, b) all the important code can be open-sourced and thus peer-reviewed.
But, I don't know much about this sort of market. Talk to Julianne and/or Crichton about it? Or go find some places that already do this and collect some bounties, and see how it goes.
Good suggestions in #45. Takeaways:
- There are multiple services that do similar things to this already, on a paid basis, and they presumably make a living off of it.
- Nobody's going to trust the code if it stays closed-source
- Companies should theoretically donate to this if they find the information useful. But I have little faith that they will.
- I don't want to sell privileged access or early access to tools, and that isn't really feasible with open-source development anyway. But what I can do is sell privileged availability and notification. Doing this stuff routinely is going to take significant amounts of storage and compute power, and so even if it's open source, selling notifications and faster turnaround time seems to be the most hopeful prospect.