FOSS projects thrive on transparency; are such large anonymous gifts good for them? Think of a similar anonymous gift to a politician - in that case, humble anonymity isn't a good thing (it's a very imperfect analogy; I'm just trying to relate the issue to something familiar). I assume, maybe incorrectly, that the FreeBSD foundation knows who the donor is; should the wider community know who wields such influence? Will the donor want something in return, now or later? Is it a corporation or corporate leader who may want FreeBSD's cooperation later, perhaps to stay out of or to support a certain market segment or technology? A U.S. government entity such as In-Q-Tel, or an entity controlled by a foreign government?
FreeBSD and the donor may both say, and even mean, that there are no strings attached, but it's similar to a parent saying they won't favor their own children; when that donor calls with a request, it is very hard to say no.
Likely the donor is being very generous and should be thanked, not questioned. And of course, if the FreeBSD Foundation said they were turning down the gift for the reasons above, many would question that decision too.
Maybe in theory, but that sounds very doubtful in reality. I'm sure the people who run the project know well what is going on in the Foundation, and know where their critical resources - including money - are coming from.
Also, to be clear, I'm raising the issue more generally; this isn't about the FreeBSD project in particular.
For example, OpenBSD excluded virtualization for a long time. I don't at all think it was something nefarious, but if Theo de Raadt had wanted to block virtualization for some ulterior reason then very few people would have the ability to detect his motive and the ones who could are strongly influenced by him.
If using the git mirror, a command like
git log --since=2016-01-01 --grep 'Sponsored by.*FreeBSD Foundation'
will show the Foundation-sponsored commits in 2016.
Here are a few recent examples:
r310702 btxldr: process all PT_LOAD segments, not just the first two
This was a tiny change of mine, removing an 18-year-old assumption to allow us to build the FreeBSD base system with LLVM's LLD linker. Reviewed by a Foundation employee and a FreeBSD (and Illumos) community member.
r310617 Make knote KN_INFLUX state counted
Reviewed by a FreeBSD developer working at Isilon.
r310371 bhnd: remove srand() to ensure deterministic output
Another one of mine as part of the Reproducible Builds effort. Reviewed by the original author of the affected driver.
These are small, uncontroversial fixes, but demonstrate the approach the Foundation strives to take with all development work. Also, being able to drive longer-term projects and maintain subsystems over long timescales is a significant advantage of having funded developers on staff.
r310154 Add support to read the _CLS entry if it's present
A commit from a Foundation project grant recipient, part of adding ACPI support along with the FreeBSD/arm64 porting effort. Reviewed by a long-time FreeBSD committer and core team member. The Foundation drove the overall arm64 porting effort. Cavium (an ARM CPU licensee) and ARM helped contribute to the initial porting effort, which was generally reviewed with a similar approach.
r301172 Import NetBSD's blacklist source from vendor tree
The Foundation provided a grant to port NetBSD's blacklistd daemon to FreeBSD. The initial work here was reviewed by an independent, long-time FreeBSD committer.
The Foundation's development projects have no special status - work is still subject to the community's norms and standards. If there were to be a dispute over a proposed project or change, the final authority rests with the elected core team. (The current core team includes some Foundation members, but in a minority position.)
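The `git log --grep` command above matches its pattern anywhere in a commit message, not only in the `Sponsored by:` trailer, so a commit that merely mentions the Foundation in its prose would also match (the `Sponsored by.*FreeBSD Foundation` pattern narrows this, since `.*` does not cross a line break). The script below is an added example, not code from the thread or from the FreeBSD project: it parses default-format `git log` output into per-commit trailers, compares a trailer-only match against a whole-message grep, and tallies commits per sponsor. The sample log, its hashes, subjects and names are constructed for the example; the trailer keys it recognises are the common FreeBSD commit-message conventions.

```python
"""Parse FreeBSD-style commit trailers out of `git log` output.

Added example, not from the thread. Assumes the log was captured with the
default `git log` format (commit/Author/Date header, message indented by
four spaces) and that commits carry trailer lines such as "Sponsored by:"
and "Reviewed by:" as FreeBSD commits do. SAMPLE_LOG is constructed: the
hashes, authors, dates and subjects below are made up.
"""
import re
from collections import Counter

# Constructed stand-in for `git log --since=2016-01-01` output (not real commits).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev One <one@example.org>
Date:   Tue Dec 27 10:00:00 2016 +0000

    loader: handle every program header, not just the first two

    Reviewed by:\tdev2, dev3
    Sponsored by:\tThe FreeBSD Foundation
    MFC after:\t1 week

commit 2222222222222222222222222222222222222222
Author: Dev Two <two@example.org>
Date:   Mon Dec 26 09:00:00 2016 +0000

    kernel: count in-flux state instead of using a flag

    Reviewed by:\tdev4
    Sponsored by:\tThe FreeBSD Foundation

commit 3333333333333333333333333333333333333333
Author: Dev Three <three@example.org>
Date:   Sun Dec 25 08:00:00 2016 +0000

    Fix a comment typo that mentioned the FreeBSD Foundation

    Sponsored by:\tExample Corp

commit 4444444444444444444444444444444444444444
Author: Dev Four <four@example.org>
Date:   Sat Dec 24 07:00:00 2016 +0000

    Add a device driver for foo
"""

# Trailer keys commonly used in FreeBSD commit messages.
KNOWN_TRAILERS = {"Sponsored by", "Reviewed by", "Approved by", "Submitted by",
                  "Reported by", "Tested by", "Obtained from", "MFC after", "PR"}
TRAILER_RE = re.compile(r"^\s*([A-Z][A-Za-z ]+?):\s*(.*\S)\s*$")


def parse_log(text):
    """Split default-format `git log` output into commit dicts.

    Each dict has 'hash', 'subject', 'body' (full message) and 'trailers'
    (key -> list of values). Only indented lines belong to the message; the
    Author:/Date: header lines are skipped.
    """
    commits, current = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            current = {"hash": line.split()[1], "message": []}
            commits.append(current)
        elif current is not None and line.startswith("    "):
            current["message"].append(line[4:])
    for c in commits:
        msg = c.pop("message")
        c["subject"] = msg[0] if msg else ""
        c["body"] = "\n".join(msg)
        c["trailers"] = {}
        for line in msg[1:]:  # the subject line is never a trailer
            m = TRAILER_RE.match(line)
            if m and m.group(1) in KNOWN_TRAILERS:
                c["trailers"].setdefault(m.group(1), []).append(m.group(2))
    return commits


def sponsored_commits(commits, sponsor_pattern):
    """Hashes whose Sponsored-by trailer (not just any message text) matches."""
    pat = re.compile(sponsor_pattern)
    return [c["hash"] for c in commits
            if any(pat.search(v) for v in c["trailers"].get("Sponsored by", []))]


def grep_commits(commits, pattern):
    """What `git log --grep` does: match the pattern anywhere in the message."""
    pat = re.compile(pattern)
    return [c["hash"] for c in commits if pat.search(c["body"])]


def sponsor_counts(commits):
    """Number of commits per sponsor; unsponsored commits count under '(none)'."""
    return Counter(v for c in commits
                   for v in c["trailers"].get("Sponsored by", ["(none)"]))


if __name__ == "__main__":
    cs = parse_log(SAMPLE_LOG)
    print("trailer match:", sponsored_commits(cs, "FreeBSD Foundation"))
    print("loose grep:   ", grep_commits(cs, "FreeBSD Foundation"))
    print("per sponsor:  ", dict(sponsor_counts(cs)))
```

Run against a real checkout with `git log --since=2016-01-01 | python3 thisfile.py` adapted to read stdin; the point of the two query functions is that a loose grep for "FreeBSD Foundation" also returns the third constructed commit (whose sponsor is someone else), while the trailer-based query and the anchored `Sponsored by.*FreeBSD Foundation` pattern return only the two actually sponsored ones.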
Surely if a bad actor wants to do nefarious things to the code base there are cheaper and more reliable methods, such as simply becoming trusted contributors and sneaking in back doors.
Or just finding a critical developer on the team and paying him/her the same anonymous $500k "donation" to sneak the vulnerability into the code.
On one extreme it's "add the secret backdoor" (haha. As if!). On the other extreme, it's "add a device driver for foo".
Are you worried about the former? Are you concerned about the latter?
Kidding aside, I'm just pointing out that there are cheaper and easier ways to get device drivers into BSD.
It's just extra zeros for some people. If you have $5,000,000 then giving $5000 to some worthy cause is not a big deal at all. It's like going to Starbucks... chump change.
If you have $500,000,000 then $500,000 becomes chump change.
Someone who made lots of money in the recent tech bubble could easily swing this much $ with no strings attached.