I've been a FOSS contributor since the early 2000s, I've stopped contributing and stopped maintaining projects completely in recent years, except for when I am paid, or where there is a problem that affects me directly that I can't workaround easily. I don't feel the FOSS community values that formed part of my identity are represented in the community much these days, and AI has made that situation worse.
I feel like that is quite unlikely. Both the hash and bitwise comparisons read both files in both cases. In the not-equal case the hash reads the entirety of both files, so its slower than a start-to-end bitwise comparison, which exits at the first not-equal bit. In the equal case, both read the entirety of both files. Various other bitwise strategies can be faster than start-to-end, rdfind for example checks the start of the file first, then the end, then the rest of the file.
The OpenMoko Freerunner only had 128MB RAM, it was able to run a Linux desktop of the time, Englightenment/E16. There were lots of apps for it too. IIRC the cut down QtMoko distro ran best though.
I don't know what the solution to slop is. Maybe the bubble will implode at some point. Until then, just close down issues/pulls or remove projects from GitHub I guess.
The xz incident was only discovered by accident, not by someone actually verifying the tarball and test cases were not malicious. We still don't have verification of tarball build reproducibility anywhere. The closest you can get to verified builds is what the bootstrappable builds community built in hex0/stage0, and what stagex built on top of that. I'm guessing even they haven't read through all that source code though. There aren't even good tools for distributing reviews, there is crev, but the stagex folks think it has some deficiencies.
> someone (or something) who's concealing their identity has nothing to gain from recognition
The xz supply chain attacker hid their real identity, created fakes one and gained recognition over time in order to gain more access and add the backdoor. So TLAs and other bad actors at least are interested in gaining recognition.
See also this interesting slide deck about the GPLv3 and cars, I expect that regulations would mean you could not drive cars with modified software (similar to what happens with solar inverters):
That is incorrect, the FSF licenses would require Amazon contribute code forward to their users, not back to the project.
Also, Amazon were already contributing code back when these companies changed their licenses, the companies don't care about code contributions, just money.