The sad thing is that stepping down as maintainer is the only thing that raises sufficient awareness. You can put a disclaimer in your README that you need help, you can run around and beg for support, but this is unlikely to have any effect. It's only this kind of finality that can change things.
After I stepped down as libxml2 maintainer for the first time, I received a donation from Google which made it possible to continue my work. This wouldn't have happened otherwise. Of course, this isn't a sustainable approach to funding, but I'd encourage maintainers to step down sooner if they feel that they don't get enough support. You'll be surprised how many people will reach out to you after you made this step. Nobody will blame you if some support materializes and you rethink your decision.
In my experience, everyone got their act together except Google. I also used to receive massive amounts of spam from Azure and Sendgrid but this eventually stopped. Now 80% of the spam I receive is from the Google network, mainly Google Cloud.
On top of that, all these spam and phishing emails are sent through Google servers. About two thirds of spam I receive originates from Google, 12x more than AWS and 20x more than Microsoft. This is completely insane.
You can do amazing things with only a single SID channel. One of the most impressive examples is the in-game music of Hawkeye [1] which allows to use the remaining two channels for sound effects.
First of all, you have to realize that it's impossible to measure inflation and purchasing power objectively. It always depends on a highly subjective (and gameable) basket of goods. But inflation and purchasing power are a thing, so it's a bad idea to ignore them. You just have to keep in mind that all these economic time series are a lot less accurate than they seem.
But if you want to account for purchasing power, it doesn't make sense to ignore inflation. So the "GDP, PPP (current international $)" data which the article refers to seems mostly useless to me. You really have to adjust for inflation as well (constant $) and the picture will become quite clear:
Reminds me of an old April Fools' prank in German c't magazine. They offered a defragmentation-like tool for HDDs that claimed to distribute 0s and 1s more evenly on the drive to make it run more smoothly and extend its lifespan.
About a day after I resigned as maintainer, SUSE stepped in and is now maintaining the project. As announced here [1], I'm currently trying a different funding model and started a GPL-licensed fork with many security and performance improvements [2].
It should also be noted that the remaining security issues in the core parser have to do with algorithmic complexity, not memory safety. Many other parts of libxml2 aren't security-critical at all.
As soon as you start paying individual maintainers, it stops being nonprofit OSS they work on. If you direct your funds to other charities, you're only shifting the tax issue to them. If you want to give money to maintainers with no strings attached, it's basically impossible to avoid double taxation.
Concrete examples: GNU software, musl C library, everything from x.org and freedesktop.org. Just have a look at the top 1,000 projects from the Debian popularity contest and you'll find many projects outside the Github bubble. Why not use the Debian package name in your nomination form instead of a Github URL? Any project important enough to matter will have a Debian package, right?
If you're trying to come up with something like the "criticality score" based on repo metadata like the OpenSSF, you're likely to fail just like they did. Starting with Debian's popcon data makes a lot more sense, in my opinion.
Just another opaque and exclusive subproject of the Linux Foundation.