For me, Mozilla is a big company, not an open source project. As such it needs to take security seriously.
Let's think about the "harm innovation" bit for a moment. If you take money for your work, it is a commercial enterprise and as such you need to ensure it is secure. Even if abandoning it to work on a new shiny project may be more fun.
Right? Now imagine you're a solo developer, or a group of teenagers, trying to start a business from the proverbial garage in the EU. Still "meh"?
> Even if abandoning it to work on a new shiny project may be more fun.
What do you imply? Business needs cannot change because the law states so? Drive the company to the ground because some bureaucrat with no idea how open source software works decided so? Archiving GitHub projects prohibited by law?
> The point was that you are receiving money for _this_ project, hence you need to actually support it.
For how long? Businesses discontinue products all the time.
> The teenagers in your example are pretty far from releasing a product and receiving any money.
So many assumptions here.
I don't agree with any of your points. The reason why open source turns into commercial and drops the ball on open source is because open source is barely sustainable. The answer isn't legislation. The answer is to make open source sustainable.