[HN Gopher] There is no "software supply chain" ___________________________________________________________________ There is no "software supply chain" Author : xena Score : 162 points Date : 2022-09-19 19:41 UTC (3 hours ago) (HTM) web link (iliana.fyi) (TXT) w3m dump (iliana.fyi) | lrvick wrote: | I do software supply chain security consulting for several high | risk companies and largely agree with this post that we must stop | expecting devs to have any responsibility for code they produce. | The responsibility is on those that consume it. | | This will sound pretty harsh, but if your company chooses to use | open source code that does not have capable, paid, full time | professionals reviewing it for security and quality, then your | company is signing up for that responsibility. If you make no | reasonable attempt at vetting your supply chain and harm comes to | users as a result, then IMO you should be liable for negligence | just like a restaurant serving food with poisonous ingredients. | Broadly normalized negligence is still negligence. | | This should not be controversial, but it is. Washing hands in | hospitals was once controversial too but those advocating for it | had irrefutable evidence on their side. The medical industry did | not want to pay the labor cost of hygiene, and we are seeing the | same in the software industry. | | https://www.nationalgeographic.com/history/article/handwashi... | | Ask yourself if it cheaper to fully review, sign, compile, and | maintain third party OSS code or to write something in-house | focused on your needs on top of the standard library. Pick one. | Both are real options. Some of my clients actually do (or pay | others for) security review of every single NPM dependency they | use in prod. If you can not afford to review 2000 dependencies | then you can not afford 2000 dependencies. Find a leaner path. | | Companies must stop expecting others to do their software review | job for them. OSS devs already wrote the code for free because, | ostensibly, it was fun. You are an ass if you ask them to do | anything that is not fun, for free, to make your company safer or | more money. Such actions make it not fun anymore, and make them | stop entirely. | | I do not know why companies have code review policies for code | written by peers, but if the code is 2 million lines of NPM | dependencies essentially copy/pasted from randos on the internet | it is suddenly okay to ship straight to prod and give said randos | full control of the data or property of millions of people. | | We need to start calling this out as the negligence that it is. | lcw wrote: | Why do you think this is controversial? Whether a company works | with another software company that is bonded and/or a person | uses OSS if something bad happens to the customer it still is | reflective on the company using the software in a negative way. | No company would refute that. | | I rarely have seen court cases in regard to customer damage try | to quantify negligence, because the court system is missing a | lot of nuance in our industry. Pragmatically speaking the | courts are ruling on the severity of the customer impact. There | can and will always be an argument that is subjective about | negligence in regard to how much you protect yourself from a | malicious event vs the severity of said event. This isn't | specific to software engineering either like concert venues | that are mishandled and result in accidental death. | | Your comments around npm dependencies not being reviewed and | shows an engineering team is negligent seem contextually | correct depending on the damage of said system the engineers | are managing. If it's a bank system that leads to fraud then I | agree. If it's a start up that runs a website; I hardly | categorize this as negligent. Every company I have worked for | has understood this trade off. If you are trying to be over | zealous about the definition of negligence then I could | understand how that would be controversial. | nradov wrote: | I agree that the responsibility for quality and security of | open-source lies with the consumers of that code. But legal | _liability_ for negligence is another thing altogether. If the | ultimate customer or user wants their vendor to accept | liability for failures or defects then they need to negotiate | that up front in a binding contract. If customers don 't want | to pay for that then that's their problem, they can take | whatever garbage their vendors shovel out and then deal with | the consequences. | zmmmmm wrote: | > Companies must stop expecting others to do their job for | them. OSS devs already wrote the code for free because, | ostensibly, it was fun | | This is not really true. Open source is _much_ more than | hobbyists doing things in their spare time for fun. A huge | amount of open source is developed by and released by paid | software professionals as part of their jobs. Some of those | companies are directly doing it as part of their actual | business offering. Others are doing it because they value | owning the mind share in a space. Then, a huge amount of other | OSS is developed by people who want to enhance their | professional reputations. | | EDIT: I see the article actually confines itself to OSS | software that was written as a hobby. In that case I think my | words above are probably out of context. But by the same token, | the whole article scope is diluted a lot. Yes, if you have | pinned your project on something someone wrote on the weekend | for fun with no intention to maintain it, you've got problems. | But let's not brand all of open source with that problem. | lrvick wrote: | I generally advise my clients to mostly trust open source | with lots of well known and documented professional eyes on | it like reproducible builds of programming language | compilers, standard libraries, and well maintained OS | kernels. | | Where I normally have them focus their resources is on the | often thousands of dependencies they depend on that are, | mostly, written has hobby projects by randos. | 616c wrote: | How did you get into this type of consulting? | lrvick wrote: | My software engineering and sysadmin background overlapped a | lot with security, and I found flaws and recommended security | solutions at every company... so I pivoted my career to full | time security engineering for multiple companies. I | eventually saw enough massive oversights and targeted attacks | to operate as though any person or system that lacks strong | accountability for their every action is compromised. | | Most companies can not afford to meet this kind of zeroish- | trust threat model, so I moved to roles in fintech companies | where they -must- think this way as they are highly targeted. | | I realized though the highest value I provided to employers | in addressing security problems happens in the first few | weeks, then spot check pentests and advice a few hours a | month after that while I build tooling. I also got tired of | writing internal-only security tooling and practices I knew | so many companies really need. I concluded the only assured | way for me to be able to open source my tools and practices | and get them refined by collaboration and exposure with a lot | more organizations was to start a company with that mission. | | I founded Distrust and my full time employer at the time | graciously agreed to be my first part time retainer client. | Turns out, many companies want pentesting and full stack | security consulting retainers where someone can integrate | into their team and help architect practical solutions unique | to each company. Even companies with their own security teams | benefit from a part timer with a perspective on security | problems and solutions at many other companies with similar | threat models. | | Word of mouth has kept my schedule full enough to raise rates | and justify building a small team last year. Best career | choice I ever made. | mholt wrote: | Hey, it sounds like you'd like my essay on this: The Asymmetry | of Open Source: https://matt.life/writing/the-asymmetry-of- | open-source | vngzs wrote: | I frequently find myself advocating for better supply chain | security. But if I asked developers (or their managers) to | review/audit 2,000 NPM dependencies, I would almost certainly | fail. No other company they know of is doing that, and asking | them to _start_ is predicated on the entire industry being | wrong. That tends to be a tough sell - even though I agree with | you, convincing others is a whole 'nother ball game! | | What kind of arguments do the organizations you consult for | find compelling? I find it extraordinarily difficult to | convince others. There is a strong bias towards the status quo. | ahtihn wrote: | > Ask yourself if it cheaper to fully review, sign, compile, | and maintain third party OSS code or to write something focused | on your needs on stop of the standard library yourself. | | Why stop at the standard library? What about the rest of the | language toolchain? Compilers, interpreters. What about the OS? | lrvick wrote: | Those much more often have full time paid people whose actual | job is to review them. E.g the standard library of Go has | security and quality review by Google. It is reasonable to | assume they are investing more in supply chain security than | you are in those portions. | | The random dep you grabbed from some rando student who | hammered out in a weekend... may not have 2FA on github, or | maybe their email domain is about to expire, and it is very | likely no one reviewed it. | | If you choose to use the latter because it does what you | need, then you are now the first party accepting the | additional responsibilities of reviewing and maintaining that | code to the level of safety appropriate for your use case. | | If you are making a video game for personal use, then maybe | the worst case scenario is tolerable for you to not care. If | you are handling PII or money of other people... then | suddenly you /must/ care. | willcipriano wrote: | He who cashes the check shall be the defendant in the | lawsuit. If things went well the people behind the compiler, | interpreter and OS wouldn't have received a dime from your | successful enterprise, now that it's gone sideways you want | to share? | [deleted] | ralph84 wrote: | Well of course security consultants believe every company | should hire security consultants to review every dependency in | the stack all the way down. | | But for the people who sign the checks, do you have ROI numbers | to support this approach? | | How many exploitable vulnerabilities in open source | dependencies that could have led to financial loss have your | reviews found that an off-the-shelf SCA tool didn't find? | deathanatos wrote: | I want to first say: I agree with your comment. | | I think the problem is that companies _would_ say "okay, let's | take the leaner path"; they then proceed to implement their own | (say) HTTP library, riddled with bugs which will never get | fixed, because it will _never_ have the same person-hours sunk | into it that a (major /respectable) FOSS HTTP library will. | | (And the number of times I've watched a dev attempt to | implement some standard while steadfastly refusing to read the | standard. Then I proceed to find bug after bug, trivially ... | because I _am_ reading the standard...) | | But you're right with your hospital analogy: it's that the | company does not want to put forth the resources to do the job | _right_ , either by doing it right themselves or by doing the | verification work & upstreaming fixes; they'd rather put | forward a bare minimum to do shoddy work. | | And in all my years of experience, I still am no closer to | understanding how to fix that. | | > _We need to start calling this out as the negligence that it | is._ | | People absolutely hate this, IME. | pid-1 wrote: | This sort of term is made up by c suites for c suites, arguing | about semantics is rarely productive and I'm inclined to believe | that's the case here. | | I also think this battle is lost as GH and others will always | yeld to the needs of folks that atually bring money to their | business. | | "Pure hobbist FOSS" mantainers likely need to start a Wikipedia | ish non profit for software hosting or think about something | else. | jacques_chester wrote: | Maybe Github and repository maintainers care about society at | large. | | If the bet could be objectively settled I'd happily stake my | entire savings on the question, because I've already talked to | the folks making those decisions. | msla wrote: | > This sort of term is made up by c suites for c suites, | arguing about semantics is rarely productive and I'm inclined | to believe that's the case here. | | That's the point of the article, yes. It's about the mismatch | of expectations and behaviors between C suite, which expects | every business to do its duty on pains of lawsuit, and hobbyist | FOSS programmers, who don't see themselves as in business and | who have less than zero duty to FrobnitzWare/Invisible | Corporation kabushiki gaisha LLC Limited AG despite the fact | that August Corporate Personage decided to base Essential | Business Processes on their work. | | I mean, fundamentally, the programmers are in the right, in | that the company cannot, in point of fact, rely on a contract | it never drew up or got anyone to sign, but the companies will | do the legal equivalent of holding their breath and stamping | their feet and this is something people will, every so often, | write blog posts about. Heck, maybe, just this once, a blog | post will inform some C suite suits about the power gradient | here (corporations: none, rando programmers: quite a bit, in | fact) and maybe nudge some of them to, maybe, not make software | that collapses when left-pad's author has another Big Idea. | jacques_chester wrote: | Do you have an example of the C suites stamping their feet? I | am in this space and I have seen no such foot stamping from | anyone. | msla wrote: | Just one I found quickly: | | > If you are a multi billion dollar company and are | concerned about log4j, why not just email OSS authors you | never paid anything and demand a response for free within | 24 hours with lots of info? (company name redacted for _my_ | peace of mind) | | https://twitter.com/bagder/status/1484672924036616195 | | https://daniel.haxx.se/blog/2022/01/24/logj4-security- | inquir... | | Maybe "Stamping their feet" is a bit hyperbolic for this | case, but it demonstrates the cultural mismatch very well: | The email assumes the Log4J package comes from the "Log4J | Company" such that a business requesting the results of an | internal audit would be met with something other than an | annoyed FOSS developer Tweeting about this clueless moo | sending a form email to a random programmer they have no | prior relationship with. | | As Daniel himself says in the follow-up Tweet: | | > I replied saying I'd be happy to answer all the questions | as soon as we have a support contract. | | There was, deep inside the company, an internal process | which blindly assumed a contract would be present, and | acted accordingly. | q-big wrote: | Just for the sake of completeness: | https://daniel.haxx.se/blog/2022/01/24/logj4-security- | inquir... has a link at the end to the following HN and | Reddit discussions: | | > https://news.ycombinator.com/item?id=30059404 | | > https://www.reddit.com/r/opensource/comments/sboj1l/ent | itled... | Crontab wrote: | > The author of an open source project usually makes NO | guarantees and assumes no liability. | | That's pretty much true of commercial software as well. | otikik wrote: | I respectfully disagree with the author. | | Once you put stuff on someone else's servers, they can do | whatever they want to the package as long as it doesn't break the | license. That includes marking the package as critical or even | making a fork the canonical repo. If you want that kind of | control, you need to become your own package provider. Or | distribute your code with a more restrictive license. | Waterluvian wrote: | If you want or need support or maintenance for my project in your | business, offer me cash. If your first thought is, "hah, as if | finance would ever green light that..." then I encourage you to | fork it and tell your manager it will cost your company two to | three times as much to do it yourself. | | I think both are perfectly valid options. Just make informed | decisions and in doing so, demonstrate business competence. | r3trohack3r wrote: | There are several forms of OSS and it seems people often conflate | them. | | There is: | | * "open source as a reference" | | * "open source as a line item" | | * "open source as a funnel" | | It seems like our industry favors line item OSS. Personally, I | think the other two are far more useful. | | Line item OSS productizes a high-value project inside a company | and releases it publicly for no charge. The goal of open sourcing | is generally to steer the industry in a direction compatible with | your company's architecture. Often times companies are trying to: | | * Cultivate engineering talent trained on their architecture that | they can hire in the future | | * Increase maturity of their software stack by exposing it to | environments outside their current architecture | | * Recruit maintainers to drive down the cost of maintaining an | internal pattern | | * Cultivate an ecosystem of plugins and modules they can rely on | for future engineering projects | | * Cultivate good will in the developer community as a | recruiting/dev-rel tactic | | * etc. | | Line-item OSS projects typically carry a high cost, they don't | just become successful when you push to a public repository. | These projects require devrel presence to meet 3rd party | engineers where they are (conferences, blogs, documentation, | branding, logos, news aggregator sites, etc.). They require | maintainers to mentor 3rd party engineers through pull requests | and issues. You have to navigate community building with codes of | conduct, boards, foundations, etc. This all requires salaried | employee's time. This high cost raises the bar for contributing | to the commons: the return has to cover the salaried time spent | on open sourcing the project. If the return doesn't cover your | investment, ROI is negative and you're expecting companies to | contribute for charity. What's worse is that failing on a line | item OSS project often results in the opposite of what you want: | a perception that your company is bad at OSS or not a great | community participant. Every line item OSS project is a high-cost | bet carrying risk to your reputation. | | Open source as a reference, in contrast, is closer to publishing | a conference paper. You describe how you are doing something, | publish the source code as a reference, and call it a day. No | community building. You don't commit to merging random PRs. You | don't commit to fielding questions on issue trackers. It's a | statement that what you are doing is working for you, that other | engineers might benefit from similar patterns, and a jump start | for motivated engineers to figure out how to apply the pattern | themselves. You're contributing to the commons under a permissive | license for the cost of a conference road show and a "cleanup" of | the code to ensure you aren't leaking anything sensitive in your | SCM history. I feel a lot more software would make it into the | commons if we normalized this form of OSS. | | "Open source as a funnel" is probably the most sustainable OSS | model IMH(umble)O. "OSS funnel projects are associated with a | vendor that sells services and products in that ecosystem. The | services are particularly useful for companies building on top of | OSS. If you are a small-ish org, every dependency you're bringing | in is a pretty big risk. You have to have internal talent capable | of maintaining the entire software stack. "OSS as a line item" | and "OSS as a reference" do not give you any guarantees from the | project. The maintainers aren't your employees and they owe you | nothing. You often have no way to pay maintainers to solve your | problems. A show stopper bug in those projects can bury your | company. In contrast, "OSS as a funnel" has a vendor you can | reach out to for consulting/contracting services to elastically | scale out your engineering org for bugs in the stack. In the | Node.js ecosystem, NearForm is a great example IMHO. They are | maintainers on a pretty large catalogue of software (i.e. | fastify). You can bring that into your architecture knowing that, | if you end up blocked on a bug your team doesn't have the | expertise to solve, you have a vendor you can reach out to and | pay to solve your problem. | | Sometimes line item OSS projects foster an ecosystem of vendors | which in turn checks the OSS as a funnel box. For example, with | GraphQL and React, you can't pay Facebook but someone out there | will take your money to solve your problems. | | I do consulting/contracting in the Node.js space and, when I | bring modules into my client's architecture, having a vendor | associated with the module is front-of-mind for me. I know I'm | not leaving them with technical debt they have no way out of if | something goes sideways. They always have me and they have a 3rd | party vendor they can reach out to as well. | lesuorac wrote: | The could be a supply chain though. | | I had a running joke at a place I used to work that I should just | quit and start my own US based company that "sold" open-source | software so that it'd have a US-flagged company behind it. IMO | easy way to branch out to commercial instead of just government | contracts would be to audit the source code. Probably save a few | companies from a left-pad incident (or worse) since they'd have | to pull from my servers (or cache mine) and I'm smart enough to | recognize that updating leftpad to be nothing would not be | helpful to any client | yardie wrote: | > start my own US based company that "sold" open-source | software so that it'd have a US-flagged company | | That is the business model for Redhat, Ubuntu, SUSE, and other | GNU/Linux companies. You can download it for free or pay a | subscription to have emails and phonecalls answered. | lesuorac wrote: | The difference is really I wouldn't be developing any of the | software. I'm literally selling things you can get off of say | GitHub. | | Although I'd probably need to not be completely blunt about | it. It'd just be mostly an open secret where any of the dev | teams would know that's exactly what I'm doing (and any sort | of LICENSE file would make it dead obvious) but to | procurement and whatnot it just looks like you're funneling | money to me in exchange for some software. | danjoredd wrote: | You can download Red Hat for free, but you won't be able to | use it without registering. Rocky Linux has done a good job | of making a free Red Hat though. Been using it for my RHCSA | recently | gerikson wrote: | Frankly I'm surprised a company like this hasn't been created | yet. | zokier wrote: | Anaconda is pretty much selling a redistribution of popular | foss python packages. | badrabbit wrote: | I must disagree. Software supply chain is very different than | supply chain of physical goods, but, it is still a chain of | supplies in the form of software code. | | Looking at it strictly from an open source perspective is having | too narrow of a focus. If I purchase O365 licenses from a | reseller and they buy it from Microsoft, that's a supply chain. | If I have an embedded system that has a proprietary OS made by a | 3 person company who use a proprietary firmware from other | vendors, that is a supply chain. | | The npm example is a good example of a convoluted and unreliable | supply chain. OSS is an example of a supply chain that is by | design unreliable, the suppliers disavow all responsibility to | support or guarantee its features. OSS supply chain being | unreliable does not mean the supply chain does not exist, it just | means you have to compensate for the unreliability yourself. The | real life equivalent would be sourcing materials from guys | standing at a street corner selling stuff that "fell off a truck" | or "made in their garage". | hot_gril wrote: | Am I missing some background? Author gives out software "WITHOUT | WARRANTY" and can just ignore PRs etc. Why is the author | complaining? | q-big wrote: | > and can just ignore PRs | | This complaint is in my opinion rather specific to GitHub (and | could thus likely be solved by switching to a more repository | provider, or hosting the repository oneself), but not being | able to disable PRs at your own repositories is like having a | blog hosted by a provider that does not offer the option to | disable blog comments. | hot_gril wrote: | Eh, sounds like a really minor annoyance. It's clear that the | PRs aren't your own content, unlike comments which you're | sorta responsible for moderating or else you'll often end up | with vile stuff all over your family-friendly blog post. | q-big wrote: | > It's clear that the PRs aren't your own content, unlike | comments which you're sorta responsible for moderating. | | I see this differently: you have some own content | | * a blog post | | * a Git repository | | that is hosted by some provider. "Everybody" can add their | own "scribblings" next to it: | | * comments | | * PRs | | In _both_ cases it is clear that these "scribblings" are | not your own content. | | _Why do you thus make the difference that in one case one | is some kind of responsible for moderating, but not in the | other case?_ | hot_gril wrote: | Cause PRs aren't presented very upfront to visitors and | are far less frequently abused. A lot of the open source | world relies purely on goodwill, just like the author | says. | | Also, blogs are on your own domain name usually, which at | least gives the illusion that it's your own website | rather than just your little tenancy on a blog platform. | Some platforms don't give you a domain technically but a | / instead, like FB Pages and Reddit, and they explicitly | assign you the responsibility of moderating your own | page. If their own moderators have to step in, it often | leads to deletion. | falcolas wrote: | > "WITHOUT WARRANTY" | | Liability disclaimers are a legal grey area. Even the US pulls | aside some developers at customs because of their work on OSS | projects. Imagine what some of the least tolerant countries do. | hot_gril wrote: | Yeah, but that doesn't seem to be the complaint here. It's | more about GitHub's workings. | gumby wrote: | There's a business opportunity here for making a "slow copy" of | npm (or PyPI or whatever): start with a copy and then just only | upgrade packages after you've checked the changes. You could sign | and manage the BOM, perhaps even ensuring that $BIG_ENTERPRISE | only got the versions they had asked for no matter what request | they make (oh, sorry for the dev trying to get their job done -- | go ask IT). | ineedasername wrote: | This is just nitpicking over the fact that a specific metaphor | doesn't map 1-to-1 with the target domain. No metaphor does, | that's not the point of using one. | | The metaphor in this case is pretty straightforward as are its | limits, and it doesn't appear to be causing confusion with people | misidentifying attributes of the metaphor that don't map to the | software domain. | | (And to boot: there are _actual_ software supply chains with a | traditional supplier /vendor relationship...) | q-big wrote: | > The metaphor in this case is pretty straightforward as are | its limits, and it doesn't appear to be causing confusion with | people misidentifying attributes of the metaphor that don't map | to the software domain. | | One of the central points that the author makes is that this is | in his opinion not true, and he provides evidence for this. | mikewarot wrote: | The author of an open source project usually makes NO guarantees | and assumes no liability. They've tossed a blueprint into the | world. | | When you decided to use it, you took on all of its technical debt | and design decisions as your own. You can't fault the author if | you use it in an environment they didn't have, or didn't intend | it to be used in, or in a manner that wasn't intended. They left | an artifact, they did NOT make an agreement to support it. | | If someone makes a mistake in a book, there's no obligation for | the author to correct it. If someone misunderstands the ideas and | goes on to do some horrible deeds using it as justification, it's | not the author's fault. | | Open source software is, for the most part, an unsupported gift | economy. It isn't commercial, and it certainly isn't a chain... | there's no delivery to be had... something was tossed over the | wall, and it may never happen again. | | We Tims have been waiting for the next episode of Hello Internet | for a while now... it may never come. That is also the nature of | open source software. | hinkley wrote: | This is a historically narrow view of the situation. | | We are all living in a post-war era. That war was over whether | and how much of the software in the world should be locked up | behind proprietary licenses and paywalls. To win the war, Open | Source had to produce software that was less awful than the | proprietary software it was trying to unseat. It did. Companies | went out of business or adapted. | | Now everyone is trying to pretend that the choice all along was | between someone else's software and making your own. That | wasn't the choice, and it's revisionist history to claim | otherwise. A war was one, territory was occupied, and the | 'treaty' at the end of that war was "make stuff that isn't | awful", which is being peeled away layer by layer. | | The above is the opening to my thesis as to why SaaS is now | trying to eat Open Source: FOSS is abdicating responsibility | for quality, and so the only way to get quality is to harass | FOSS authors who think we are ungrateful whiners, or pay for | improvements on the backs of paying customers who just want | software that works, not to be told to put up or shut up. | | The only sane way to defend against the re-privatization of | FOSS software is to stop treating your users like they need to | grow up and realize that you're deflecting. Unless authors | accept that you have an ethical responsibility that comes with | occupying a corner of the collective consciousness, it's going | to be walled gardens everywhere you look. | | We aren't paying people to 'steal' your code. We're paying | people to act like professionals. | q-big wrote: | > and the 'treaty' at the end of that war was "make stuff | that isn't awful", which is being peeled away layer by layer. | | There never was a treaty (not even an informal one!). | | In businesses, the reason why open source software was | adopted was typically because it enabled cost savings (e.g. | saving/reducing license costs). | robocat wrote: | The metaphor "war" is invalid methinks. | | Ecological systems or economic competition are far better | metaphors, because they are emergent and decentralised, | rather than patriotic and authoritarian. "Nature red in tooth | and claw", or monopoly rent and marginal price - 0. | | Revisionist? The 1T$ Microsoft has not "lost the war". The | biggest FOSS wins have serious corporate sponsorship (OSes, | databases, browsers, dev tools, languages, etcetera). | gorjusborg wrote: | > This is a historically narrow view of the situation. | | > We aren't paying people to 'steal' your code. We're paying | people to act like professionals. | | I think you have a narrow view of the situation, or you are | trying to misrepresent the reality we are living in. | | We are signing up for OSS-derived SaaS mostly because of the | existence of cloud-computing network effects. There have been | many fights fought by companies 'acting like professionals' | that could accept payment. They are re-licensing their | software because developers and companies are utilizing a | forked cloud-vendor-specific clones of their work. Forking | software to provide it to a captive audience doesn't seem | professional, it seems anti-competitive. | | That said, most popular licenses allow it, so it is legal, | but I don't think it is ethical. | JohnFen wrote: | > FOSS is abdicating responsibility for quality, and so the | only way to get quality is to harass FOSS authors who think | we are ungrateful whiners, or pay for improvements on the | backs of paying customers who just want software that works, | not to be told to put up or shut up. | | I think you are assigning things broadly to "FOSS authors" | that were explicitly disclaimed by most such authors from | before companies started using FOSS. | OkayPhysicist wrote: | You can also get quality by... doing it yourself. That's the | Free Software core idea. Don't like what exists? You're free | to change it. In fact, you're encouraged to change it, and | publish your changes, so others can use your higher-quality | version. | | It's supposed to be a gift economy, not a plunder economy. | You're given something for free, with little to no strings | attached. All that is politely expected of you is to A) not | be a dick, and B) reciprocate in kind, if the situation | arises. | blooalien wrote: | Or you can get "quality" (or support) by paying the author | (or some _other_ developer) to support / improve said | software within the legal terms of whatever license that | software is released under. | jacques_chester wrote: | Software repositories have every right to set terms and | conditions for their use. | | Nothing about tossing a blueprint into the world entitles you | to have blueprint hosting for free and without requirements. | | Folks who don't like that there are terms and conditions on | hosting software in repositories are free to host it | themselves. | LtWorf wrote: | I could easily self host my projects on a rpi and rate limit | all the companies that download the same thing over and over | every second. Companies can and should set up internal | mirrors. | | The advantage of github is that people have accounts and it's | easy for them to send patches or discover projects. | | But I'm fully capable of using git via email. | senko wrote: | Is there a software repository that requires the developers | to assume the liabilities? | vore wrote: | I don't really understand this argument: if GitHub allows | hosting things that completely disclaim warranty and people | are using things from GitHub, don't you effectively have this | "tossing a blueprint into the world" problem? Sure, you | aren't entitled to it, but there are plenty of places that | offer this kind of service and plenty of consumers who get | software from these services. | humanistbot wrote: | That's nice in principle, but definitely not how it operates in | practice. | falcolas wrote: | Practically speaking, I'm going to assert that there is no team | of developers, let alone single developers, who are capable of | taking on both the burden of their own software and the | software that they import. I simply can not imagine even a | whole fortune 500 company supporting their own business logic | written on top of Spring, which includes log4j and a whole host | of other open source dependencies. | | And what's the commercial alternative? I'm personally not aware | of one. | | Also, the liability thing is a grey area - it works for the US | (mostly, Tornado cash is currently testing these waters) - | since there are open issues with developers of "questionable" | software traveling to some countries. Heck, even the US has | pulled some OSS developers aside at customs because of their | work on OSS projects. | 411111111111111 wrote: | Wouldn't you have to start with the JVM? Or possibly with the | Linux kernel? | AceJohnny2 wrote: | What about the hardware? Who will take on liability for Row | Hammer[1] vulnerabilities? What about Meltdown [2] or | Spectre? | | [1] https://en.wikipedia.org/wiki/Row_hammer | | [2] https://en.wikipedia.org/wiki/Meltdown_(security_vulner | abili... | l33t233372 wrote: | Not necessarily. If you _purchase_ software that includes | the guarantees that you desire. (e.g. of correctness, | fitness for purpose, and support), then you don't have to | maintain the entire stack yourself. | nradov wrote: | Even if you purchase the software from a commercial | vendor that doesn't mean that the vendor will indemnify | you for damages caused by their failures, or that they | have sufficient financial resources to pay for such | damages (counterparty risk). | conductr wrote: | At that point, just buy insurance | Qerub wrote: | > I simply can not imagine even a whole fortune 500 company | supporting their own business logic written on top of Spring, | which includes log4j and a whole host of other open source | dependencies. | | > And what's the commercial alternative? I'm personally not | aware of one. | | There's commercial support for Spring: | | https://spring.io/support | https://tanzu.vmware.com/support/oss | throwaway894345 wrote: | > You can't fault the author if you use it in an environment | they didn't have, or didn't intend it to be used in, or in a | manner that wasn't intended. | | It goes even farther than that: you can't fault the author even | if you _did_ use it in the intended manner. | numbsafari wrote: | Funny thing, most commercial software also comes with T&Cs that | say the make no guarantees and assume no liability. e.g., | Microsoft Windows 10 retail license: | | > Neither Microsoft, nor the device manufacturer or installer, | gives any other express warranties, guarantees, or conditions. | | And their liability is limited to... | | > at its election, either: (i) repair or replace the software | at no charge, or (ii) accept return of the software (or at its | election the device on which the software was preinstalled) for | a refund of the amount paid, if any. | | So, maybe they'll fix, or maybe they'll refund you your money | and you discontinue your use of the software. Maybe they'll | issue a fix that you incur the cost of installing and testing. | | [1] https://www.microsoft.com/en- | us/Useterms/Retail/Windows/10/U... | JohnFen wrote: | I can be on board with that. If you don't like the software I | provided for free, then I'll refund every dime that you paid | me. | [deleted] | j-bos wrote: | We the Tims accept this fact and stand waiting. | danjoredd wrote: | RIP Hello Internet. Cortex is great, but it just isn't the | same. Grey always said he would probably take the Irish Exit on | that show, and that's exactly what he ended up doing | skybrian wrote: | This isn't entirely true because many people don't just write | software, they also promote it. For example, they create | websites encouraging adoption, much in the same way companies | do, with instructions on how to install it easily, implying | that you _should_ install it. And maybe they 'll give talks and | make videos? | | But it gets worse. Often the people promoting the software | aren't the people who wrote it, and they may make claims that | the authors never intended. | | None of these things mean that the authors accept formal | liability, but morally speaking, if you're encouraging people | to use your software and you're participating in an ecosystem | promoting its usage, and it turns out to have bad security | flaws, then maybe you shouldn't be so encouraging? Be upfront | that it's just something you threw together. Add a few | speedbumps. Maybe don't publish it on npm? Disrupt the hype | train. | | Disclaiming all responsibility should imply that you also don't | hype it up and set people up for failure. | enraged_camel wrote: | It's kind of amazing that 95% of gripes about open source | projects and who is supposed to support them to what extent | can be solved by open source authors being upfront about | those expectations. | | If you're releasing something and have no intention of | supporting it, simply put "NOT INTENTED FOR USE IN | PRODUCTION" at the very top of the readme file. It's that | easy, imho. | zokier wrote: | I do feel its indicative that most of the authors issues stem | from GitHub, the facebook of foss, big social media for coders. | If you don't want to engage with the social trends and aspects of | the ecosystem (which is perfectly understandable) then GH seems | particularly poor choice of platform to publish your software on. | I feel the author would have far better chance of "to be left the | hell alone" if they chose literally any other platform. | nyanpasu64 wrote: | Not the author, but I wouldn't say it's just (or even | primarily) Github's pull requests or "critical security | advisory" that's the problem here. PyPI requiring 2FA for | maintainers of popular software has had more real-world impact | (one maintainer took down and recreated their project, erasing | old releases), and Google calling for deanonymizing (doxxing) | maintainers of open-source software is more terrifying. | | I'd argue that the problem isn't that "software supply chains | do not exist", but "you using a program or library without pay | does not and should not mean the software's author is now | responsible for fulfilling your use cases and paperwork | requirements". | yardie wrote: | I've heard of software pipelines and software dependency but this | is the first I've ever heard of software supply chain. | | I don't think the metaphor is apt. Dependencies are fungible you | can branch, tag, freeze, lock, etc whatever your requirements are | and continue trucking along. Physical Supply chains are not that | at all. In some cases you literally cannot go back to the | previous revision ever again. | jacques_chester wrote: | Physical supply chains are full of fungible products such as | wheat, pork bellies or gold. | | Such products are what the word "fungible" was first used to | describe. | Tangurena2 wrote: | After the Log4J vulnerability, people started using the term | "software supply chain". | | I think this comic demonstrates the "problem": | https://xkcd.com/2347/ | ChrisMarshallNY wrote: | In my case, I basically never use anyone else's code, unless | there's a real need for it, and if I'm quite confident in its | veracity. | | I also take full Responsibility and Accountability for that code, | when it is running in my execution thread. | | The result of this policy, is that I have written almost every | single dependency that I use. | | It has garnered me a lot of sneers from the "in crowd." | | I don't particularly care. | | WFM. YMMV. | | _[EDIT]_ Also, I like this: my name is always | spelled lowercase and is pronounced /Ili'an@ e'ti:n/. | please consider making the internet a weirder place today | note: if you send me unsolicited email based on my github | profile: i will screenshot it and share in my | discord server we will make fun of you you will | not receive a response* | wbobeirne wrote: | I'm not trying to be flippant, but where do you draw the line | of "never use anyone else's code"? You're writing that software | using an operating system and editor someone else wrote. You're | compiling it with software someone else wrote. If you're | deploying it to users, it's hosted on someone else's code and | will be run by someone else's code in that runtime. | tomjakubowski wrote: | OP claims responsibility for code _when it is running in my | execution thread._ That seems to be the boundary. So no need | to write their OS, though maybe their own interface for | making syscallz. | wongarsu wrote: | If you want a software supply chain that includes formal | agreements, use Java or C#, or maybe C++. Those ecosystems have | plenty of vendors who will sell you libraries, including phone | support and liability. | | So far enterprises are the only ones willing to pay for their | "software supply chain", if you want this kind of "solution" just | use what they use. | bob1029 wrote: | The sensitive nature of our business forced the equation for | us. We are basically a pure Microsoft shop because it makes | survival of audits feasible. 100% of our B2B clients are | already doing business with them, so the conversation is fairly | simple. | kazinator wrote: | > _You still cannot disable pull requests on a GitHub repository. | A package repository might deem your software "critical", adding | requirements to publishing updates that you might not want to or | be able to comply with. Google even wanted to disallow anonymous | individuals from maintaining critical software and wanted to | police the identities of others._ | | That's just whining from people who host their stuff on other | people's servers and sites. | | If other people package your software into a bigger system and | then later improve their standards so that the bar is above your | stuff now (e.g. you break it left and right with careless, | untested changes, or whatever, whereas downstream is doing actual | QA) that's downstream's prerogative. You don't have to do | anything; they can fork your stuff and develop it themselves, or | stick with the old version from you that worked, ignoring the | newer releases. | gjvc wrote: | The word these thought leaders are looking for is "provenance", | which is not marketing-friendly and they are too scared that this | will have people reaching for the dictionary or worse, ignoring | them, so they resort to existing terms. | jacques_chester wrote: | Provenance is fine. People use it, particularly in narrow | settings around the literal provenance of software assets. I | have been in this space for a while and I have come across zero | arguments that "provenance" should be ditched due to dictionary | obstacles. | gjvc wrote: | You won't come across those arguments. They are had by | marketing types. | __derek__ wrote: | The post's definition of 'supply chain' is wrong, and it leads to | confusion. If I forage for mushrooms and give them to a local | chef, I'm part of the supply chain for that night's dinner, even | without money changing hands or quality guarantees. | | That said, to opt out of companies' supply chains, stop | publishing software with permissive licenses. | JohnFen wrote: | I'm certainly not going to stop publishing software with | permissive licenses. I'll just adhere to the disclaimer I | include with that software: I provide no warranty that it is | fit for any particular use. Use it as you will, but don't | expect any guarantee that I'll support whatever needs your | supply chain has. | __derek__ wrote: | That's the current state that the author considers untenable, | right? | JohnFen wrote: | My read of TFA is that author is complaining that companies | are trying to push responsibilities onto FOSS authors that | don't belong with the FOSS authors. | | He includes complaints about Github there, but those are | easily resolved by not using Github. | | I believe that the author and I are on the same page here, | generally. Have I misunderstood his essay? | cbm-vic-20 wrote: | Or license your work under GPL, which is kryptonite to most | businesses. The mega-globo-corp I work for makes commercial | license deals with some open source software vendors who dual | license their software with GPL and a commercial license. | __derek__ wrote: | Right. GPL is an example of a non-permissive license. | numbsafari wrote: | When, for example, Google open sources their client libraries, it | absolutely is a supply chain issue for their customers. The | people working on those projects for Google aren't doing it as a | hobby. Their customers might not be paying them directly for | those client libs, but they sure as heck are being billed at some | point. | khana wrote: | awinter-py wrote: | interesting points xie is making: 1) it's not a supply chain bc | no money is changing hands, 2) therefore no contracts or | enforcement, 3) many market participants are hobbyists | | I think this speaks to the fundamental weirdness of the | information economy -- it's highly deflationary, with some | extreme cases where hobbyists outperform paid software companies | | Hobbyists + open groups beat companies in cases where IP concerns | makes the software worse, like if they're making something a saas | that should be a 100-line library. And also in cases where | everyone in industry needs a thing and they're happy to have a | great standard free one rather than paying three shitty vendors. | | I don't know this, but I _think_ a chunk of major OSS projects | are maintained by people at big companies or universities. | (Postgres may have been associated with fujitsu for a while, | guido van rossum + linus torvalds parked in various companies, | some fraction of kube committers are at bigcos or corporate- | backed CNCF). I have nadia eghbal 's 'building in public' on my | list to read, guessing she knows the answer to this question. | 0xbadcafebee wrote: | _" I just want to publish software that I think is neat so that | other hobbyists can use and learn from it, and I otherwise want | to be left the hell alone. I should be allowed to decide if | something I wrote is "done". The focus on securing the "software | supply chain" has made it even more likely that releasing | software for others to use will just mean more work for me that I | don't benefit from. I reject the idea that a concept so tenuous | can be secured in the first place."_ | | K. The rest of us are gonna keep using the phrase though. | arberx wrote: | The author is taking the term too literally. | | Try explaining software packaging and distribution to a non- | technical person. | | Using analogies like "software supply chain" helps people better | frame a problem/concept in their heads. | worik wrote: | Not just "too literally" but outright incorrectly. | | "A supply chain is a network of individuals and companies who | are involved in creating a product and delivering it to the | consumer. Links on the chain begin with the producers of the | raw materials and end when the van delivers the finished | product to the end user. " | | https://www.investopedia.com/terms/s/supplychain.asp | | The exchange of money, guarantees, quality assurance... None of | it is required. | ectopod wrote: | It's investopedia. The exchange of money is taken as read. | You might as well say that a vendor of exotic fish not | mentioning water is proof that the fish don't need it. | nrmitchi wrote: | Further, the apparently requirement for "money to change | hands" falls flat on it's face. | | The last node in the supply chain for virtually any real- | world product is "human beings extract the material from the | earth in some way/shape/form". No human being paid "the | earth" money for this, yet it is a fundamental component of | supply chains (and, recently, a fundamental component of many | supply chain _issues_ ). "The earth" also doesn't offer any | guarantees or quality assurance. | | Attempting to interpret these processes as requirements to be | part of a "supply chain" excludes the core foundation of | traditional supply chains. | mind-blight wrote: | Agreed. There are some interesting points made in the last | third of the article, but the rigid interpretation in the | beginning doesn't add anything to them. | | If the author scraped the title and just focused on how they | are large companies attempting to force their will on open | source maintainers to protect their supply chain, they'd have a | stronger piece. | 3np wrote: | I think the author is rather raising the issue that this | analogy gives people false expectations since _they_ take it | too literally. I don 't think this post would have been made | (and certainly not frontpaged) if this was just semantic | pedantry. | vngzs wrote: | I mostly agree with the article, but the title is downright | wrong. | | Even a relatively literal read of the words "supply chain" is | reasonably appropriate, even for FOSS. Wikipedia's current | definition for _supply chain_ is: | | > In commerce, a supply chain refers to the network of | organizations, people, activities, information, and resources | involved in delivering a product or service to a consumer. | | There's nothing in that definition that necessitates a formal | agreement, support commitment, etc. | marssaxman wrote: | > A package repository might deem your software "critical", | adding requirements to publishing updates that you might not want | to or be able to comply with. | | I discovered last week that Github no longer allows you to push | changes via https, and thus I have not yet published a minor fix | for an insignificant piece of open source software I have been | lackadaisically maintaining for the last eight years. Perhaps | some day I will get around to jumping through their new security | hoops... or perhaps I won't. In this case nobody is likely to | care, but it makes me think these kinds of organizations ought to | be extremely cautious about introducing extra friction to the | workflows of people who are giving away their time for free. | TheRealPomax wrote: | Not sure I understand how having an ssh key is "jumping through | hoops" though...? Presumably you already have one set up (even | if you don't, it's literally just a few seconds of work to | create a new one), so just add the public key to your account's | SSH keys list, and done. Update your remote urls from https to | the git@github.com:yourusername format and push whatever you | want to push. | | Or, heck, if no build is required: why use git at all, just use | github itself. You can edit, create PRs, on new branches, all | without ever needing your own desktop. Perfect for small code | changes (especially typo fixes). | rtsdumdftub wrote: | so publish on your own platform then? | | don't expect to get to publish on someone else's platform then | not play by their rules regarding how published material is | handled. | jacques_chester wrote: | This article is hyperbole. Everyone involved knows that it's an | imperfect metaphor, but that is in the nature of metaphors. | Referring to the metaphor as "dehumanizing" is just silly. | verisimilitudes wrote: | >You still cannot disable pull requests on a GitHub repository. | | >I just want to publish software that I think is neat so that | other hobbyists can use and learn from it, and I otherwise want | to be left the hell alone. | | Don't use GitHub. I don't. Random dipshits aren't even aware of | me. | | >To continue the inclusive nature of open source, we need to be | able to trust a wide range of identities, but still with verified | integrity. This implies a federated model for identities, perhaps | similar to how we support federated SSL certificates today | | Oh yes, of course Google supports TLS-flavoured snake oil to | match the TLS snake oil. | | I'm shocked MicroSoft is extending _open source_ after embracing | it so well, shocked. | | I'm now recycling a previous comment of mine on this topic: | | Companies used to have employees write code, rather than stitch | together random garbage written by random dipshits who could be | tricked into using loose licenses. That's one cause for concern. | The only reason _open source_ receives support is because it | helps corporations defang Free Software and get gratis labor. | | All of this new security theatre is always about trust and | reputation, and not trusting those disgusting lone programmers | such as me or other silly things; it's always really about doing | anything but truly auditing that yucky code. | JohnFen wrote: | > I just want to publish software that I think is neat so that | other hobbyists can use and learn from it, and I otherwise want | to be left the hell alone. | | Me, too. Which is why I pretty much abandoned the formal "OSS" | world and don't use Github and the like. I still make software, I | still provide a free license for anyone to use it, and I'll even | maintain it for as long as it interests me. | | But it's a hobby, not a job. If someone uses my software | commercially, it's on them to make sure that it's properly | maintained. They have the source, they can do it. | asimpletune wrote: | So fwiw I think the whole concept of the "software supply chain" | actually stems from "supply chain" attacks. It's kind of like | once that turn of speech entered the fray, suddenly there was a | software supply chain (for OSS). | zokier wrote: | > There is no formal agreement between a maintainer and its | downstream users. | | But there usually is, that is what software licenses are for, | with typical statements like | | > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES | OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | NONINFRINGEMENT | hot_gril wrote: | Maybe the annoyance comes from releasing software with no | license.md or a license that says "DO WHATEVER THE F--- YOU | WANT WITH THIS S---" then getting a bunch of corporates saying | it's not properly licensed while a bunch of "free as in | freedom" people are complaining that the license isn't free as | in freedom enough. | hot_gril wrote: | (In which case, I propose a new slogan, "don't tread on my | crap.") | peteradio wrote: | "I dare you to use this." ___________________________________________________________________ (page generated 2022-09-19 23:00 UTC)