Create a Security Policy #1511
Comments
There's $100/month on Tidelift for JNA, https://tidelift.com/lifter/search/maven/net.java.dev.jna:jna, with TideLift and we could enable enterprise support using them. I can set it up, and we'd have to figure out how to distribute the $. I've had good success in other projects. Maybe @matthiasblaesing, @twall and others are interested? Here's a security policy I use for other lifted projects: https://github.com/slack-ruby/slack-ruby-client/blob/master/SECURITY.md

Right now I'm not interested in contracted work on JNA.

Right. Neither am I. Tidelift takes care of being the one with a contract for security patching work. It just happens to offer some money, which we can distribute via GitHub sponsors for example. Care to take a look and say what you think about it?

I have set up my JNA-based project on Tidelift. It's not that much work to set up (making sure you have a security policy stated which you can copy and paste pointing to them), point to where release notes are, and list the currently supported branch(es). It does somewhat create the expectation of "support" in terms of fixing bugs, but I think we already do our best to do that anyway.

These are the folks with maintain/write permissions: Would you be ok adding TideLift to this project? Appreciate a yes/no from some majority, and as before I think @twall can veto/decide if we have a tie. I can do all the work to set it up, collect the $100/mo via my LLC, pay taxes, and redistribute it via GH sponsors if anyone wants some and has it set up. I think any organization that wants to pay open-source contributors, however little it is, is a good thing. So my vote is a yes.

I'm fine with it!

Hi @twall @matthiasblaesing @lgoldstein @bhamail @krosenvold @toddfast any thoughts about this? We can either configure Tidelift or use GitHub Security Advisory to receive vulnerability reports. Let me know what you'd rather do. Thanks!
A Security Policy is a GitHub standard document (SECURITY.md) that can be seen in the "Security Tab" to instruct users about how to report a vulnerability in the safest and most efficient way possible. It is a Scorecard Recommendation (being one check of medium priority) and a GitHub Recommendation.

Together with this issue I'll submit one suggestion of Security Policy, feel free to edit it directly or ask me for edits until it is in compliance with how JNA would best handle vulnerability reports.