[HN Gopher] There is no "software supply chain"
___________________________________________________________________
There is no "software supply chain"
Author : xena
Score : 162 points
Date : 2022-09-19 19:41 UTC (3 hours ago)
(HTM) web link (iliana.fyi)
(TXT) w3m dump (iliana.fyi)
| lrvick wrote:
| I do software supply chain security consulting for several high
| risk companies and largely agree with this post that we must stop
| expecting devs to have any responsibility for code they produce.
| The responsibility is on those that consume it.
|
| This will sound pretty harsh, but if your company chooses to use
| open source code that does not have capable, paid, full time
| professionals reviewing it for security and quality, then your
| company is signing up for that responsibility. If you make no
| reasonable attempt at vetting your supply chain and harm comes to
| users as a result, then IMO you should be liable for negligence
| just like a restaurant serving food with poisonous ingredients.
| Broadly normalized negligence is still negligence.
|
| This should not be controversial, but it is. Washing hands in
| hospitals was once controversial too but those advocating for it
| had irrefutable evidence on their side. The medical industry did
| not want to pay the labor cost of hygiene, and we are seeing the
| same in the software industry.
|
| https://www.nationalgeographic.com/history/article/handwashi...
|
| Ask yourself if it is cheaper to fully review, sign, compile, and
| maintain third party OSS code or to write something in-house
| focused on your needs on top of the standard library. Pick one.
| Both are real options. Some of my clients actually do (or pay
| others for) security review of every single NPM dependency they
| use in prod. If you can not afford to review 2000 dependencies
| then you can not afford 2000 dependencies. Find a leaner path.
|
| Companies must stop expecting others to do their software review
| job for them. OSS devs already wrote the code for free because,
| ostensibly, it was fun. You are an ass if you ask them to do
| anything that is not fun, for free, to make your company safer or
| more money. Such actions make it not fun anymore, and make them
| stop entirely.
|
| I do not know why companies have code review policies for code
| written by peers, but if the code is 2 million lines of NPM
| dependencies essentially copy/pasted from randos on the internet
| it is suddenly okay to ship straight to prod and give said randos
| full control of the data or property of millions of people.
|
| We need to start calling this out as the negligence that it is.
| lcw wrote:
| Why do you think this is controversial? Whether a company works
| with another software company that is bonded, and/or a person
| uses OSS, if something bad happens to the customer it still is
| reflective on the company using the software in a negative way.
| No company would refute that.
|
| I rarely have seen court cases in regard to customer damage try
| to quantify negligence, because the court system is missing a
| lot of nuance in our industry. Pragmatically speaking the
| courts are ruling on the severity of the customer impact. There
| can and will always be an argument that is subjective about
| negligence in regard to how much you protect yourself from a
| malicious event vs the severity of said event. This isn't
| specific to software engineering either like concert venues
| that are mishandled and result in accidental death.
|
| Your comments around npm dependencies not being reviewed, and
| that this shows an engineering team is negligent, seem contextually
| correct depending on the damage of said system the engineers
| are managing. If it's a bank system that leads to fraud then I
| agree. If it's a start up that runs a website; I hardly
| categorize this as negligent. Every company I have worked for
| has understood this trade off. If you are trying to be over
| zealous about the definition of negligence then I could
| understand how that would be controversial.
| nradov wrote:
| I agree that the responsibility for quality and security of
| open-source lies with the consumers of that code. But legal
| _liability_ for negligence is another thing altogether. If the
| ultimate customer or user wants their vendor to accept
| liability for failures or defects then they need to negotiate
| that up front in a binding contract. If customers don't want
| to pay for that then that's their problem, they can take
| whatever garbage their vendors shovel out and then deal with
| the consequences.
| zmmmmm wrote:
| > Companies must stop expecting others to do their job for
| them. OSS devs already wrote the code for free because,
| ostensibly, it was fun
|
| This is not really true. Open source is _much_ more than
| hobbyists doing things in their spare time for fun. A huge
| amount of open source is developed by and released by paid
| software professionals as part of their jobs. Some of those
| companies are directly doing it as part of their actual
| business offering. Others are doing it because they value
| owning the mind share in a space. Then, a huge amount of other
| OSS is developed by people who want to enhance their
| professional reputations.
|
| EDIT: I see the article actually confines itself to OSS
| software that was written as a hobby. In that case I think my
| words above are probably out of context. But by the same token,
| the whole article scope is diluted a lot. Yes, if you have
| pinned your project on something someone wrote on the weekend
| for fun with no intention to maintain it, you've got problems.
| But let's not brand all of open source with that problem.
| lrvick wrote:
| I generally advise my clients to mostly trust open source
| with lots of well known and documented professional eyes on
| it like reproducible builds of programming language
| compilers, standard libraries, and well maintained OS
| kernels.
|
| Where I normally have them focus their resources is on the
| often thousands of dependencies they depend on that are,
| mostly, written as hobby projects by randos.
| 616c wrote:
| How did you get into this type of consulting?
| lrvick wrote:
| My software engineering and sysadmin background overlapped a
| lot with security, and I found flaws and recommended security
| solutions at every company... so I pivoted my career to full
| time security engineering for multiple companies. I
| eventually saw enough massive oversights and targeted attacks
| to operate as though any person or system that lacks strong
| accountability for their every action is compromised.
|
| Most companies can not afford to meet this kind of zeroish-
| trust threat model, so I moved to roles in fintech companies
| where they -must- think this way as they are highly targeted.
|
| I realized though the highest value I provided to employers
| in addressing security problems happens in the first few
| weeks, then spot check pentests and advice a few hours a
| month after that while I build tooling. I also got tired of
| writing internal-only security tooling and practices I knew
| so many companies really need. I concluded the only assured
| way for me to be able to open source my tools and practices
| and get them refined by collaboration and exposure with a lot
| more organizations was to start a company with that mission.
|
| I founded Distrust and my full time employer at the time
| graciously agreed to be my first part time retainer client.
| Turns out, many companies want pentesting and full stack
| security consulting retainers where someone can integrate
| into their team and help architect practical solutions unique
| to each company. Even companies with their own security teams
| benefit from a part timer with a perspective on security
| problems and solutions at many other companies with similar
| threat models.
|
| Word of mouth has kept my schedule full enough to raise rates
| and justify building a small team last year. Best career
| choice I ever made.
| mholt wrote:
| Hey, it sounds like you'd like my essay on this: The Asymmetry
| of Open Source: https://matt.life/writing/the-asymmetry-of-open-source
| vngzs wrote:
| I frequently find myself advocating for better supply chain
| security. But if I asked developers (or their managers) to
| review/audit 2,000 NPM dependencies, I would almost certainly
| fail. No other company they know of is doing that, and asking
| them to _start_ is predicated on the entire industry being
| wrong. That tends to be a tough sell - even though I agree with
| you, convincing others is a whole 'nother ball game!
|
| What kind of arguments do the organizations you consult for
| find compelling? I find it extraordinarily difficult to
| convince others. There is a strong bias towards the status quo.
| ahtihn wrote:
| > Ask yourself if it cheaper to fully review, sign, compile,
| and maintain third party OSS code or to write something focused
| on your needs on top of the standard library yourself.
|
| Why stop at the standard library? What about the rest of the
| language toolchain? Compilers, interpreters. What about the OS?
| lrvick wrote:
| Those much more often have full time paid people whose actual
| job is to review them. E.g. the standard library of Go has
| security and quality review by Google. It is reasonable to
| assume they are investing more in supply chain security than
| you are in those portions.
|
| The random dep you grabbed from some rando student who
| hammered it out in a weekend... may not have 2FA on github, or
| maybe their email domain is about to expire, and it is very
| likely no one reviewed it.
|
| If you choose to use the latter because it does what you
| need, then you are now the first party accepting the
| additional responsibilities of reviewing and maintaining that
| code to the level of safety appropriate for your use case.
|
| If you are making a video game for personal use, then maybe
| the worst case scenario is tolerable for you to not care. If
| you are handling PII or money of other people... then
| suddenly you /must/ care.
| willcipriano wrote:
| He who cashes the check shall be the defendant in the
| lawsuit. If things went well the people behind the compiler,
| interpreter and OS wouldn't have received a dime from your
| successful enterprise, now that it's gone sideways you want
| to share?
| [deleted]
| ralph84 wrote:
| Well of course security consultants believe every company
| should hire security consultants to review every dependency in
| the stack all the way down.
|
| But for the people who sign the checks, do you have ROI numbers
| to support this approach?
|
| How many exploitable vulnerabilities in open source
| dependencies that could have led to financial loss have your
| reviews found that an off-the-shelf SCA tool didn't find?
| deathanatos wrote:
| I want to first say: I agree with your comment.
|
| I think the problem is that companies _would_ say "okay, let's
| take the leaner path"; they then proceed to implement their own
| (say) HTTP library, riddled with bugs which will never get
| fixed, because it will _never_ have the same person-hours sunk
| into it that a (major/respectable) FOSS HTTP library will.
|
| (And the number of times I've watched a dev attempt to
| implement some standard while steadfastly refusing to read the
| standard. Then I proceed to find bug after bug, trivially ...
| because I _am_ reading the standard...)
|
| But you're right with your hospital analogy: it's that the
| company does not want to put forth the resources to do the job
| _right_, either by doing it right themselves or by doing the
| verification work & upstreaming fixes; they'd rather put
| forward a bare minimum to do shoddy work.
|
| And in all my years of experience, I still am no closer to
| understanding how to fix that.
|
| > _We need to start calling this out as the negligence that it
| is._
|
| People absolutely hate this, IME.
| pid-1 wrote:
| This sort of term is made up by C-suites for C-suites; arguing
| about semantics is rarely productive and I'm inclined to believe
| that's the case here.
|
| I also think this battle is lost as GH and others will always
| yield to the needs of folks that actually bring money to their
| business.
|
| "Pure hobbyist FOSS" maintainers likely need to start a Wikipedia-
| ish non profit for software hosting or think about something
| else.
| jacques_chester wrote:
| Maybe Github and repository maintainers care about society at
| large.
|
| If the bet could be objectively settled I'd happily stake my
| entire savings on the question, because I've already talked to
| the folks making those decisions.
| msla wrote:
| > This sort of term is made up by c suites for c suites,
| arguing about semantics is rarely productive and I'm inclined
| to believe that's the case here.
|
| That's the point of the article, yes. It's about the mismatch
| of expectations and behaviors between C suite, which expects
| every business to do its duty on pains of lawsuit, and hobbyist
| FOSS programmers, who don't see themselves as in business and
| who have less than zero duty to FrobnitzWare/Invisible
| Corporation kabushiki gaisha LLC Limited AG despite the fact
| that August Corporate Personage decided to base Essential
| Business Processes on their work.
|
| I mean, fundamentally, the programmers are in the right, in
| that the company cannot, in point of fact, rely on a contract
| it never drew up or got anyone to sign, but the companies will
| do the legal equivalent of holding their breath and stamping
| their feet and this is something people will, every so often,
| write blog posts about. Heck, maybe, just this once, a blog
| post will inform some C suite suits about the power gradient
| here (corporations: none, rando programmers: quite a bit, in
| fact) and maybe nudge some of them to, maybe, not make software
| that collapses when left-pad's author has another Big Idea.
| jacques_chester wrote:
| Do you have an example of the C suites stamping their feet? I
| am in this space and I have seen no such foot stamping from
| anyone.
| msla wrote:
| Just one I found quickly:
|
| > If you are a multi billion dollar company and are
| concerned about log4j, why not just email OSS authors you
| never paid anything and demand a response for free within
| 24 hours with lots of info? (company name redacted for _my_
| peace of mind)
|
| https://twitter.com/bagder/status/1484672924036616195
|
| https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...
|
| Maybe "Stamping their feet" is a bit hyperbolic for this
| case, but it demonstrates the cultural mismatch very well:
| The email assumes the Log4J package comes from the "Log4J
| Company" such that a business requesting the results of an
| internal audit would be met with something other than an
| annoyed FOSS developer Tweeting about this clueless moo
| sending a form email to a random programmer they have no
| prior relationship with.
|
| As Daniel himself says in the follow-up Tweet:
|
| > I replied saying I'd be happy to answer all the questions
| as soon as we have a support contract.
|
| There was, deep inside the company, an internal process
| which blindly assumed a contract would be present, and
| acted accordingly.
| q-big wrote:
| Just for the sake of completeness:
| https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...
| has a link at the end to the following HN and Reddit discussions:
|
| > https://news.ycombinator.com/item?id=30059404
|
| > https://www.reddit.com/r/opensource/comments/sboj1l/entitled...
| Crontab wrote:
| > The author of an open source project usually makes NO
| guarantees and assumes no liability.
|
| That's pretty much true of commercial software as well.
| otikik wrote:
| I respectfully disagree with the author.
|
| Once you put stuff on someone else's servers, they can do
| whatever they want to the package as long as it doesn't break the
| license. That includes marking the package as critical or even
| making a fork the canonical repo. If you want that kind of
| control, you need to become your own package provider. Or
| distribute your code with a more restrictive license.
| Waterluvian wrote:
| If you want or need support or maintenance for my project in your
| business, offer me cash. If your first thought is, "hah, as if
| finance would ever green light that..." then I encourage you to
| fork it and tell your manager it will cost your company two to
| three times as much to do it yourself.
|
| I think both are perfectly valid options. Just make informed
| decisions and in doing so, demonstrate business competence.
| r3trohack3r wrote:
| There are several forms of OSS and it seems people often conflate
| them.
|
| There is:
|
| * "open source as a reference"
|
| * "open source as a line item"
|
| * "open source as a funnel"
|
| It seems like our industry favors line item OSS. Personally, I
| think the other two are far more useful.
|
| Line item OSS productizes a high-value project inside a company
| and releases it publicly for no charge. The goal of open sourcing
| is generally to steer the industry in a direction compatible with
| your company's architecture. Often times companies are trying to:
|
| * Cultivate engineering talent trained on their architecture that
| they can hire in the future
|
| * Increase maturity of their software stack by exposing it to
| environments outside their current architecture
|
| * Recruit maintainers to drive down the cost of maintaining an
| internal pattern
|
| * Cultivate an ecosystem of plugins and modules they can rely on
| for future engineering projects
|
| * Cultivate good will in the developer community as a
| recruiting/dev-rel tactic
|
| * etc.
|
| Line-item OSS projects typically carry a high cost, they don't
| just become successful when you push to a public repository.
| These projects require devrel presence to meet 3rd party
| engineers where they are (conferences, blogs, documentation,
| branding, logos, news aggregator sites, etc.). They require
| maintainers to mentor 3rd party engineers through pull requests
| and issues. You have to navigate community building with codes of
| conduct, boards, foundations, etc. This all requires salaried
| employees' time. This high cost raises the bar for contributing
| to the commons: the return has to cover the salaried time spent
| on open sourcing the project. If the return doesn't cover your
| investment, ROI is negative and you're expecting companies to
| contribute for charity. What's worse is that failing on a line
| item OSS project often results in the opposite of what you want:
| a perception that your company is bad at OSS or not a great
| community participant. Every line item OSS project is a high-cost
| bet carrying risk to your reputation.
|
| Open source as a reference, in contrast, is closer to publishing
| a conference paper. You describe how you are doing something,
| publish the source code as a reference, and call it a day. No
| community building. You don't commit to merging random PRs. You
| don't commit to fielding questions on issue trackers. It's a
| statement that what you are doing is working for you, that other
| engineers might benefit from similar patterns, and a jump start
| for motivated engineers to figure out how to apply the pattern
| themselves. You're contributing to the commons under a permissive
| license for the cost of a conference road show and a "cleanup" of
| the code to ensure you aren't leaking anything sensitive in your
| SCM history. I feel a lot more software would make it into the
| commons if we normalized this form of OSS.
|
| "Open source as a funnel" is probably the most sustainable OSS
| model IMH(umble)O. OSS funnel projects are associated with a
| vendor that sells services and products in that ecosystem. The
| services are particularly useful for companies building on top of
| OSS. If you are a small-ish org, every dependency you're bringing
| in is a pretty big risk. You have to have internal talent capable
| of maintaining the entire software stack. "OSS as a line item"
| and "OSS as a reference" do not give you any guarantees from the
| project. The maintainers aren't your employees and they owe you
| nothing. You often have no way to pay maintainers to solve your
| problems. A show stopper bug in those projects can bury your
| company. In contrast, "OSS as a funnel" has a vendor you can
| reach out to for consulting/contracting services to elastically
| scale out your engineering org for bugs in the stack. In the
| Node.js ecosystem, NearForm is a great example IMHO. They are
| maintainers on a pretty large catalogue of software (i.e.
| fastify). You can bring that into your architecture knowing that,
| if you end up blocked on a bug your team doesn't have the
| expertise to solve, you have a vendor you can reach out to and
| pay to solve your problem.
|
| Sometimes line item OSS projects foster an ecosystem of vendors
| which in turn checks the OSS as a funnel box. For example, with
| GraphQL and React, you can't pay Facebook but someone out there
| will take your money to solve your problems.
|
| I do consulting/contracting in the Node.js space and, when I
| bring modules into my client's architecture, having a vendor
| associated with the module is front-of-mind for me. I know I'm
| not leaving them with technical debt they have no way out of if
| something goes sideways. They always have me and they have a 3rd
| party vendor they can reach out to as well.
| lesuorac wrote:
| There could be a supply chain though.
|
| I had a running joke at a place I used to work that I should just
| quit and start my own US based company that "sold" open-source
| software so that it'd have a US-flagged company behind it. IMO
| easy way to branch out to commercial instead of just government
| contracts would be to audit the source code. Probably save a few
| companies from a left-pad incident (or worse) since they'd have
| to pull from my servers (or cache mine) and I'm smart enough to
| recognize that updating leftpad to be nothing would not be
| helpful to any client.
| yardie wrote:
| > start my own US based company that "sold" open-source
| software so that it'd have a US-flagged company
|
| That is the business model for Redhat, Ubuntu, SUSE, and other
| GNU/Linux companies. You can download it for free or pay a
| subscription to have emails and phone calls answered.
| lesuorac wrote:
| The difference is really I wouldn't be developing any of the
| software. I'm literally selling things you can get off of say
| GitHub.
|
| Although I'd probably need to not be completely blunt about
| it. It'd just be mostly an open secret where any of the dev
| teams would know that's exactly what I'm doing (and any sort
| of LICENSE file would make it dead obvious) but to
| procurement and whatnot it just looks like you're funneling
| money to me in exchange for some software.
| danjoredd wrote:
| You can download Red Hat for free, but you won't be able to
| use it without registering. Rocky Linux has done a good job
| of making a free Red Hat though. Been using it for my RHCSA
| recently.
| gerikson wrote:
| Frankly I'm surprised a company like this hasn't been created
| yet.
| zokier wrote:
| Anaconda is pretty much selling a redistribution of popular
| foss python packages.
| badrabbit wrote:
| I must disagree. Software supply chain is very different than
| supply chain of physical goods, but, it is still a chain of
| supplies in the form of software code.
|
| Looking at it strictly from an open source perspective is having
| too narrow of a focus. If I purchase O365 licenses from a
| reseller and they buy it from Microsoft, that's a supply chain.
| If I have an embedded system that has a proprietary OS made by a
| 3 person company who use a proprietary firmware from other
| vendors, that is a supply chain.
|
| The npm example is a good example of a convoluted and unreliable
| supply chain. OSS is an example of a supply chain that is by
| design unreliable, the suppliers disavow all responsibility to
| support or guarantee its features. OSS supply chain being
| unreliable does not mean the supply chain does not exist, it just
| means you have to compensate for the unreliability yourself. The
| real life equivalent would be sourcing materials from guys
| standing at a street corner selling stuff that "fell off a truck"
| or "made in their garage".
| hot_gril wrote:
| Am I missing some background? Author gives out software "WITHOUT
| WARRANTY" and can just ignore PRs etc. Why is the author
| complaining?
| q-big wrote:
| > and can just ignore PRs
|
| This complaint is in my opinion rather specific to GitHub (and
| could thus likely be solved by switching to a more repository
| provider, or hosting the repository oneself), but not being
| able to disable PRs at your own repositories is like having a
| blog hosted by a provider that does not offer the option to
| disable blog comments.
| hot_gril wrote:
| Eh, sounds like a really minor annoyance. It's clear that the
| PRs aren't your own content, unlike comments which you're
| sorta responsible for moderating or else you'll often end up
| with vile stuff all over your family-friendly blog post.
| q-big wrote:
| > It's clear that the PRs aren't your own content, unlike
| comments which you're sorta responsible for moderating.
|
| I see this differently: you have some own content
|
| * a blog post
|
| * a Git repository
|
| that is hosted by some provider. "Everybody" can add their
| own "scribblings" next to it:
|
| * comments
|
| * PRs
|
| In _both_ cases it is clear that these "scribblings" are
| not your own content.
|
| _Why do you thus make the difference that in one case one
| is some kind of responsible for moderating, but not in the
| other case?_
| hot_gril wrote:
| Cause PRs aren't presented very upfront to visitors and
| are far less frequently abused. A lot of the open source
| world relies purely on goodwill, just like the author
| says.
|
| Also, blogs are on your own domain name usually, which at
| least gives the illusion that it's your own website
| rather than just your little tenancy on a blog platform.
| Some platforms don't give you a domain technically but a
| / instead, like FB Pages and Reddit, and they explicitly
| assign you the responsibility of moderating your own
| page. If their own moderators have to step in, it often
| leads to deletion.
| falcolas wrote:
| > "WITHOUT WARRANTY"
|
| Liability disclaimers are a legal grey area. Even the US pulls
| aside some developers at customs because of their work on OSS
| projects. Imagine what some of the least tolerant countries do.
| hot_gril wrote:
| Yeah, but that doesn't seem to be the complaint here. It's
| more about GitHub's workings.
| gumby wrote:
| There's a business opportunity here for making a "slow copy" of
| npm (or PyPI or whatever): start with a copy and then just only
| upgrade packages after you've checked the changes. You could sign
| and manage the BOM, perhaps even ensuring that $BIG_ENTERPRISE
| only got the versions they had asked for no matter what request
| they make (oh, sorry for the dev trying to get their job done --
| go ask IT).
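As an added illustration of the "slow copy" gate gumby describes above (and of the per-dependency review lrvick's first comment insists on), the following Python is example code written for this page; it is not from the thread, from npm, or from any project mentioned here. It assumes a lockfile in the shape of npm's package-lock.json v3 ("packages" keyed by node_modules path, with "version" and "integrity"), an allowlist of reviewed name/version/integrity triples maintained by whoever does the review, and an HMAC key held by CI. All package names, versions, hashes and the key are constructed sample values.

```python
"""Gate an npm lockfile against the set of package versions a reviewer has approved.

Models the "slow copy" mirror idea: a dependency reaches production only when that
exact name, version and integrity hash has been reviewed. Every value below is
constructed sample data, not a real package or hash.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed allowlist: what the review team has signed off on.
# Real npm integrity fields look like "sha512-<base64>"; these are placeholders.
REVIEWED = {
    ("left-pad", "1.3.0"): "sha512-REVIEWED-LEFTPAD-130",
    ("fastify", "4.5.3"): "sha512-REVIEWED-FASTIFY-453",
}

# Constructed lockfile in the shape of package-lock.json v3 (only the fields used here).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-REVIEWED-LEFTPAD-130"},
        "node_modules/fastify": {"version": "4.6.0", "integrity": "sha512-UNREVIEWED-FASTIFY-460"},
        "node_modules/weekend-util": {"version": "0.0.1", "integrity": "sha512-NOBODY-LOOKED"},
    },
})


@dataclass
class GateResult:
    approved: list = field(default_factory=list)             # reviewed name, version and hash
    version_drift: list = field(default_factory=list)        # reviewed name, but a version nobody reviewed
    unreviewed: list = field(default_factory=list)           # name never reviewed at all
    integrity_mismatch: list = field(default_factory=list)   # right version, different hash than reviewed

    @property
    def ok(self) -> bool:
        """The gate passes only when every dependency is exactly what was reviewed."""
        return not (self.version_drift or self.unreviewed or self.integrity_mismatch)


def gate_lockfile(lockfile_text: str, reviewed=REVIEWED) -> GateResult:
    """Classify each package in the lockfile relative to the reviewed allowlist."""
    lock = json.loads(lockfile_text)
    result = GateResult()
    reviewed_names = {name for name, _ in reviewed}
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = path.rsplit("node_modules/", 1)[-1]
        key = (name, meta.get("version"))
        if key in reviewed:
            if meta.get("integrity") == reviewed[key]:
                result.approved.append(key)
            else:
                result.integrity_mismatch.append(key)
        elif name in reviewed_names:
            result.version_drift.append(key)
        else:
            result.unreviewed.append(key)
    return result


def signed_bom(result: GateResult, key: bytes) -> dict:
    """Emit a bill of materials of approved packages, HMAC-signed so CI can verify it came from the gate."""
    packages = sorted(f"{name}@{version}" for name, version in result.approved)
    payload = "\n".join(packages).encode()
    return {"packages": packages,
            "hmac_sha256": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_bom(bom: dict, key: bytes) -> bool:
    """Constant-time check that a BOM was signed with the gate's key and not edited since."""
    payload = "\n".join(bom["packages"]).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bom["hmac_sha256"])


if __name__ == "__main__":
    r = gate_lockfile(SAMPLE_LOCKFILE)
    print("approved:", r.approved)
    print("version drift (reviewed package, unreviewed version):", r.version_drift)
    print("never reviewed:", r.unreviewed)
    print("integrity mismatch:", r.integrity_mismatch)
    print("gate passes:", r.ok)
    print("signed BOM:", signed_bom(r, b"constructed-ci-key"))
```

The three failure buckets are deliberately separate: a never-reviewed package is a review backlog item, a reviewed package at a newer version is the "upgrade only after you've checked the changes" case, and a reviewed version whose integrity hash differs is the one worth an incident ticket rather than a review ticket, since the contents changed without the version moving. The HMAC stands in for whatever signing CI already trusts; it only proves the BOM came from the gate, not that the review was any good.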
| ineedasername wrote:
| This is just nitpicking over the fact that a specific metaphor
| doesn't map 1-to-1 with the target domain. No metaphor does,
| that's not the point of using one.
|
| The metaphor in this case is pretty straightforward as are its
| limits, and it doesn't appear to be causing confusion with people
| misidentifying attributes of the metaphor that don't map to the
| software domain.
|
| (And to boot: there are _actual_ software supply chains with a
| traditional supplier/vendor relationship...)
| q-big wrote:
| > The metaphor in this case is pretty straightforward as are
| its limits, and it doesn't appear to be causing confusion with
| people misidentifying attributes of the metaphor that don't map
| to the software domain.
|
| One of the central points that the author makes is that this is
| in his opinion not true, and he provides evidence for this.
| mikewarot wrote:
| The author of an open source project usually makes NO guarantees
| and assumes no liability. They've tossed a blueprint into the
| world.
|
| When you decided to use it, you took on all of its technical debt
| and design decisions as your own. You can't fault the author if
| you use it in an environment they didn't have, or didn't intend
| it to be used in, or in a manner that wasn't intended. They left
| an artifact, they did NOT make an agreement to support it.
|
| If someone makes a mistake in a book, there's no obligation for
| the author to correct it. If someone misunderstands the ideas and
| goes on to do some horrible deeds using it as justification, it's
| not the author's fault.
|
| Open source software is, for the most part, an unsupported gift
| economy. It isn't commercial, and it certainly isn't a chain...
| there's no delivery to be had... something was tossed over the
| wall, and it may never happen again.
|
| We Tims have been waiting for the next episode of Hello Internet
| for a while now... it may never come. That is also the nature of
| open source software.
| hinkley wrote:
| This is a historically narrow view of the situation.
|
| We are all living in a post-war era. That war was over whether
| and how much of the software in the world should be locked up
| behind proprietary licenses and paywalls. To win the war, Open
| Source had to produce software that was less awful than the
| proprietary software it was trying to unseat. It did. Companies
| went out of business or adapted.
|
| Now everyone is trying to pretend that the choice all along was
| between someone else's software and making your own. That
| wasn't the choice, and it's revisionist history to claim
| otherwise. A war was won, territory was occupied, and the
| 'treaty' at the end of that war was "make stuff that isn't
| awful", which is being peeled away layer by layer.
|
| The above is the opening to my thesis as to why SaaS is now
| trying to eat Open Source: FOSS is abdicating responsibility
| for quality, and so the only way to get quality is to harass
| FOSS authors who think we are ungrateful whiners, or pay for
| improvements on the backs of paying customers who just want
| software that works, not to be told to put up or shut up.
|
| The only sane way to defend against the re-privatization of
| FOSS software is to stop treating your users like they need to
| grow up and realize that you're deflecting. Unless authors
| accept that you have an ethical responsibility that comes with
| occupying a corner of the collective consciousness, it's going
| to be walled gardens everywhere you look.
|
| We aren't paying people to 'steal' your code. We're paying
| people to act like professionals.
| q-big wrote:
| > and the 'treaty' at the end of that war was "make stuff
| that isn't awful", which is being peeled away layer by layer.
|
| There never was a treaty (not even an informal one!).
|
| In businesses, the reason why open source software was
| adopted was typically because it enabled cost savings (e.g.
| saving/reducing license costs).
| robocat wrote:
| The metaphor "war" is invalid methinks.
|
| Ecological systems or economic competition are far better
| metaphors, because they are emergent and decentralised,
| rather than patriotic and authoritarian. "Nature red in tooth
| and claw", or monopoly rent and marginal price - 0.
|
| Revisionist? The 1T$ Microsoft has not "lost the war". The
| biggest FOSS wins have serious corporate sponsorship (OSes,
| databases, browsers, dev tools, languages, etcetera).
| gorjusborg wrote:
| > This is a historically narrow view of the situation.
|
| > We aren't paying people to 'steal' your code. We're paying
| people to act like professionals.
|
| I think you have a narrow view of the situation, or you are
| trying to misrepresent the reality we are living in.
|
| We are signing up for OSS-derived SaaS mostly because of the
| existence of cloud-computing network effects. There have been
| many fights fought by companies 'acting like professionals'
| that could accept payment. They are re-licensing their
| software because developers and companies are utilizing
| forked cloud-vendor-specific clones of their work. Forking
| software to provide it to a captive audience doesn't seem
| professional, it seems anti-competitive.
|
| That said, most popular licenses allow it, so it is legal,
| but I don't think it is ethical.
| JohnFen wrote:
| > FOSS is abdicating responsibility for quality, and so the
| only way to get quality is to harass FOSS authors who think
| we are ungrateful whiners, or pay for improvements on the
| backs of paying customers who just want software that works,
| not to be told to put up or shut up.
|
| I think you are assigning things broadly to "FOSS authors"
| that were explicitly disclaimed by most such authors from
| before companies started using FOSS.
| OkayPhysicist wrote:
| You can also get quality by... doing it yourself. That's the
| Free Software core idea. Don't like what exists? You're free
| to change it. In fact, you're encouraged to change it, and
| publish your changes, so others can use your higher-quality
| version.
|
| It's supposed to be a gift economy, not a plunder economy.
| You're given something for free, with little to no strings
| attached. All that is politely expected of you is to A) not
| be a dick, and B) reciprocate in kind, if the situation
| arises.
| blooalien wrote:
| Or you can get "quality" (or support) by paying the author
| (or some _other_ developer) to support / improve said
| software within the legal terms of whatever license that
| software is released under.
| jacques_chester wrote:
| Software repositories have every right to set terms and
| conditions for their use.
|
| Nothing about tossing a blueprint into the world entitles you
| to have blueprint hosting for free and without requirements.
|
| Folks who don't like that there are terms and conditions on
| hosting software in repositories are free to host it
| themselves.
| LtWorf wrote:
| I could easily self host my projects on a rpi and rate limit
| all the companies that download the same thing over and over
| every second. Companies can and should set up internal
| mirrors.
|
| The advantage of github is that people have accounts and it's
| easy for them to send patches or discover projects.
|
| But I'm fully capable of using git via email.
| senko wrote:
| Is there a software repository that requires the developers
| to assume the liabilities?
| vore wrote:
| I don't really understand this argument: if GitHub allows
| hosting things that completely disclaim warranty and people
| are using things from GitHub, don't you effectively have this
| "tossing a blueprint into the world" problem? Sure, you
| aren't entitled to it, but there are plenty of places that
| offer this kind of service and plenty of consumers who get
| software from these services.
| humanistbot wrote:
| That's nice in principle, but definitely not how it operates in
| practice.
| falcolas wrote:
| Practically speaking, I'm going to assert that there is no team
| of developers, let alone single developers, who are capable of
| taking on both the burden of their own software and the
| software that they import. I simply can not imagine even a
| whole fortune 500 company supporting their own business logic
| written on top of Spring, which includes log4j and a whole host
| of other open source dependencies.
|
| And what's the commercial alternative? I'm personally not aware
| of one.
|
| Also, the liability thing is a grey area - it works for the US
| (mostly, Tornado cash is currently testing these waters) -
| since there are open issues with developers of "questionable"
| software traveling to some countries. Heck, even the US has
| pulled some OSS developers aside at customs because of their
| work on OSS projects.
| 411111111111111 wrote:
| Wouldn't you have to start with the JVM? Or possibly with the
| Linux kernel?
| AceJohnny2 wrote:
| What about the hardware? Who will take on liability for Row
| Hammer[1] vulnerabilities? What about Meltdown [2] or
| Spectre?
|
| [1] https://en.wikipedia.org/wiki/Row_hammer
|
| [2] https://en.wikipedia.org/wiki/Meltdown_(security_vulner
| abili...
| l33t233372 wrote:
| Not necessarily. If you _purchase_ software that includes
| the guarantees that you desire (e.g. of correctness,
| fitness for purpose, and support), then you don't have to
| maintain the entire stack yourself.
| nradov wrote:
| Even if you purchase the software from a commercial
| vendor that doesn't mean that the vendor will indemnify
| you for damages caused by their failures, or that they
| have sufficient financial resources to pay for such
| damages (counterparty risk).
| conductr wrote:
| At that point, just buy insurance
| Qerub wrote:
| > I simply can not imagine even a whole fortune 500 company
| supporting their own business logic written on top of Spring,
| which includes log4j and a whole host of other open source
| dependencies.
|
| > And what's the commercial alternative? I'm personally not
| aware of one.
|
| There's commercial support for Spring:
|
| https://spring.io/support
| https://tanzu.vmware.com/support/oss
| throwaway894345 wrote:
| > You can't fault the author if you use it in an environment
| they didn't have, or didn't intend it to be used in, or in a
| manner that wasn't intended.
|
| It goes even farther than that: you can't fault the author even
| if you _did_ use it in the intended manner.
| numbsafari wrote:
| Funny thing, most commercial software also comes with T&Cs that
| say they make no guarantees and assume no liability. e.g.,
| Microsoft Windows 10 retail license:
|
| > Neither Microsoft, nor the device manufacturer or installer,
| gives any other express warranties, guarantees, or conditions.
|
| And their liability is limited to...
|
| > at its election, either: (i) repair or replace the software
| at no charge, or (ii) accept return of the software (or at its
| election the device on which the software was preinstalled) for
| a refund of the amount paid, if any.
|
| So, maybe they'll fix, or maybe they'll refund you your money
| and you discontinue your use of the software. Maybe they'll
| issue a fix that you incur the cost of installing and testing.
|
| [1] https://www.microsoft.com/en-
| us/Useterms/Retail/Windows/10/U...
| JohnFen wrote:
| I can be on board with that. If you don't like the software I
| provided for free, then I'll refund every dime that you paid
| me.
| [deleted]
| j-bos wrote:
| We the Tims accept this fact and stand waiting.
| danjoredd wrote:
| RIP Hello Internet. Cortex is great, but it just isn't the
| same. Grey always said he would probably take the Irish Exit on
| that show, and that's exactly what he ended up doing
| skybrian wrote:
| This isn't entirely true because many people don't just write
| software, they also promote it. For example, they create
| websites encouraging adoption, much in the same way companies
| do, with instructions on how to install it easily, implying
| that you _should_ install it. And maybe they'll give talks and
| make videos?
|
| But it gets worse. Often the people promoting the software
| aren't the people who wrote it, and they may make claims that
| the authors never intended.
|
| None of these things mean that the authors accept formal
| liability, but morally speaking, if you're encouraging people
| to use your software and you're participating in an ecosystem
| promoting its usage, and it turns out to have bad security
| flaws, then maybe you shouldn't be so encouraging? Be upfront
| that it's just something you threw together. Add a few
| speedbumps. Maybe don't publish it on npm? Disrupt the hype
| train.
|
| Disclaiming all responsibility should imply that you also don't
| hype it up and set people up for failure.
| enraged_camel wrote:
| It's kind of amazing that 95% of gripes about open source
| projects and who is supposed to support them to what extent
| can be solved by open source authors being upfront about
| those expectations.
|
| If you're releasing something and have no intention of
| supporting it, simply put "NOT INTENDED FOR USE IN
| PRODUCTION" at the very top of the readme file. It's that
| easy, imho.
| zokier wrote:
| I do feel it's indicative that most of the author's issues stem
| from GitHub, the facebook of foss, big social media for coders.
| If you don't want to engage with the social trends and aspects of
| the ecosystem (which is perfectly understandable) then GH seems
| particularly poor choice of platform to publish your software on.
| I feel the author would have far better chance of "to be left the
| hell alone" if they chose literally any other platform.
| nyanpasu64 wrote:
| Not the author, but I wouldn't say it's just (or even
| primarily) Github's pull requests or "critical security
| advisory" that's the problem here. PyPI requiring 2FA for
| maintainers of popular software has had more real-world impact
| (one maintainer took down and recreated their project, erasing
| old releases), and Google calling for deanonymizing (doxxing)
| maintainers of open-source software is more terrifying.
|
| I'd argue that the problem isn't that "software supply chains
| do not exist", but "you using a program or library without pay
| does not and should not mean the software's author is now
| responsible for fulfilling your use cases and paperwork
| requirements".
| yardie wrote:
| I've heard of software pipelines and software dependency but this
| is the first I've ever heard of software supply chain.
|
| I don't think the metaphor is apt. Dependencies are fungible: you
| can branch, tag, freeze, lock, etc. whatever your requirements are
| and continue trucking along. Physical Supply chains are not that
| at all. In some cases you literally cannot go back to the
| previous revision ever again.
| jacques_chester wrote:
| Physical supply chains are full of fungible products such as
| wheat, pork bellies or gold.
|
| Such products are what the word "fungible" was first used to
| describe.
| Tangurena2 wrote:
| After the Log4J vulnerability, people started using the term
| "software supply chain".
|
| I think this comic demonstrates the "problem":
| https://xkcd.com/2347/
| ChrisMarshallNY wrote:
| In my case, I basically never use anyone else's code, unless
| there's a real need for it, and if I'm quite confident in its
| veracity.
|
| I also take full Responsibility and Accountability for that code,
| when it is running in my execution thread.
|
| The result of this policy, is that I have written almost every
| single dependency that I use.
|
| It has garnered me a lot of sneers from the "in crowd."
|
| I don't particularly care.
|
| WFM. YMMV.
|
| _[EDIT]_ Also, I like this: "my name is always
| spelled lowercase and is pronounced /Ili'an@ e'ti:n/.
| please consider making the internet a weirder place today
| note: if you send me unsolicited email based on my github
| profile: i will screenshot it and share in my
| discord server we will make fun of you you will
| not receive a response"
| wbobeirne wrote:
| I'm not trying to be flippant, but where do you draw the line
| of "never use anyone else's code"? You're writing that software
| using an operating system and editor someone else wrote. You're
| compiling it with software someone else wrote. If you're
| deploying it to users, it's hosted on someone else's code and
| will be run by someone else's code in that runtime.
| tomjakubowski wrote:
| OP claims responsibility for code _when it is running in my
| execution thread._ That seems to be the boundary. So no need
| to write their OS, though maybe their own interface for
| making syscallz.
| wongarsu wrote:
| If you want a software supply chain that includes formal
| agreements, use Java or C#, or maybe C++. Those ecosystems have
| plenty of vendors who will sell you libraries, including phone
| support and liability.
|
| So far enterprises are the only ones willing to pay for their
| "software supply chain", if you want this kind of "solution" just
| use what they use.
| bob1029 wrote:
| The sensitive nature of our business forced the equation for
| us. We are basically a pure Microsoft shop because it makes
| survival of audits feasible. 100% of our B2B clients are
| already doing business with them, so the conversation is fairly
| simple.
| kazinator wrote:
| > _You still cannot disable pull requests on a GitHub repository.
| A package repository might deem your software "critical", adding
| requirements to publishing updates that you might not want to or
| be able to comply with. Google even wanted to disallow anonymous
| individuals from maintaining critical software and wanted to
| police the identities of others._
|
| That's just whining from people who host their stuff on other
| people's servers and sites.
|
| If other people package your software into a bigger system and
| then later improve their standards so that the bar is above your
| stuff now (e.g. you break it left and right with careless,
| untested changes, or whatever, whereas downstream is doing actual
| QA) that's downstream's prerogative. You don't have to do
| anything; they can fork your stuff and develop it themselves, or
| stick with the old version from you that worked, ignoring the
| newer releases.
| gjvc wrote:
| The word these thought leaders are looking for is "provenance",
| which is not marketing-friendly and they are too scared that this
| will have people reaching for the dictionary or worse, ignoring
| them, so they resort to existing terms.
| jacques_chester wrote:
| Provenance is fine. People use it, particularly in narrow
| settings around the literal provenance of software assets. I
| have been in this space for a while and I have come across zero
| arguments that "provenance" should be ditched due to dictionary
| obstacles.
| gjvc wrote:
| You won't come across those arguments. They are had by
| marketing types.
| __derek__ wrote:
| The post's definition of 'supply chain' is wrong, and it leads to
| confusion. If I forage for mushrooms and give them to a local
| chef, I'm part of the supply chain for that night's dinner, even
| without money changing hands or quality guarantees.
|
| That said, to opt out of companies' supply chains, stop
| publishing software with permissive licenses.
| JohnFen wrote:
| I'm certainly not going to stop publishing software with
| permissive licenses. I'll just adhere to the disclaimer I
| include with that software: I provide no warranty that it is
| fit for any particular use. Use it as you will, but don't
| expect any guarantee that I'll support whatever needs your
| supply chain has.
| __derek__ wrote:
| That's the current state that the author considers untenable,
| right?
| JohnFen wrote:
| My read of TFA is that author is complaining that companies
| are trying to push responsibilities onto FOSS authors that
| don't belong with the FOSS authors.
|
| He includes complaints about Github there, but those are
| easily resolved by not using Github.
|
| I believe that the author and I are on the same page here,
| generally. Have I misunderstood his essay?
| cbm-vic-20 wrote:
| Or license your work under GPL, which is kryptonite to most
| businesses. The mega-globo-corp I work for makes commercial
| license deals with some open source software vendors who dual
| license their software with GPL and a commercial license.
| __derek__ wrote:
| Right. GPL is an example of a non-permissive license.
| numbsafari wrote:
| When, for example, Google open sources their client libraries, it
| absolutely is a supply chain issue for their customers. The
| people working on those projects for Google aren't doing it as a
| hobby. Their customers might not be paying them directly for
| those client libs, but they sure as heck are being billed at some
| point.
| khana wrote:
| awinter-py wrote:
| interesting points xie is making: 1) it's not a supply chain bc
| no money is changing hands, 2) therefore no contracts or
| enforcement, 3) many market participants are hobbyists
|
| I think this speaks to the fundamental weirdness of the
| information economy -- it's highly deflationary, with some
| extreme cases where hobbyists outperform paid software companies
|
| Hobbyists + open groups beat companies in cases where IP concerns
| make the software worse, like if they're making something a saas
| that should be a 100-line library. And also in cases where
| everyone in industry needs a thing and they're happy to have a
| great standard free one rather than paying three shitty vendors.
|
| I don't know this, but I _think_ a chunk of major OSS projects
| are maintained by people at big companies or universities.
| (Postgres may have been associated with fujitsu for a while,
| guido van rossum + linus torvalds parked in various companies,
| some fraction of kube committers are at bigcos or corporate-
| backed CNCF). I have nadia eghbal's 'building in public' on my
| list to read, guessing she knows the answer to this question.
| 0xbadcafebee wrote:
| _" I just want to publish software that I think is neat so that
| other hobbyists can use and learn from it, and I otherwise want
| to be left the hell alone. I should be allowed to decide if
| something I wrote is "done". The focus on securing the "software
| supply chain" has made it even more likely that releasing
| software for others to use will just mean more work for me that I
| don't benefit from. I reject the idea that a concept so tenuous
| can be secured in the first place."_
|
| K. The rest of us are gonna keep using the phrase though.
| arberx wrote:
| The author is taking the term too literally.
|
| Try explaining software packaging and distribution to a non-
| technical person.
|
| Using analogies like "software supply chain" helps people better
| frame a problem/concept in their heads.
| worik wrote:
| Not just "too literally" but outright incorrectly.
|
| "A supply chain is a network of individuals and companies who
| are involved in creating a product and delivering it to the
| consumer. Links on the chain begin with the producers of the
| raw materials and end when the van delivers the finished
| product to the end user."
|
| https://www.investopedia.com/terms/s/supplychain.asp
|
| The exchange of money, guarantees, quality assurance... None of
| it is required.
| ectopod wrote:
| It's investopedia. The exchange of money is taken as read.
| You might as well say that a vendor of exotic fish not
| mentioning water is proof that the fish don't need it.
| nrmitchi wrote:
| Further, the apparent requirement for "money to change
| hands" falls flat on its face.
|
| The last node in the supply chain for virtually any real-
| world product is "human beings extract the material from the
| earth in some way/shape/form". No human being paid "the
| earth" money for this, yet it is a fundamental component of
| supply chains (and, recently, a fundamental component of many
| supply chain _issues_ ). "The earth" also doesn't offer any
| guarantees or quality assurance.
|
| Attempting to interpret these processes as requirements to be
| part of a "supply chain" excludes the core foundation of
| traditional supply chains.
| mind-blight wrote:
| Agreed. There are some interesting points made in the last
| third of the article, but the rigid interpretation in the
| beginning doesn't add anything to them.
|
| If the author scrapped the title and just focused on how there
| are large companies attempting to force their will on open
| source maintainers to protect their supply chain, they'd have a
| stronger piece.
| 3np wrote:
| I think the author is rather raising the issue that this
| analogy gives people false expectations since _they_ take it
| too literally. I don't think this post would have been made
| (and certainly not frontpaged) if this was just semantic
| pedantry.
| vngzs wrote:
| I mostly agree with the article, but the title is downright
| wrong.
|
| Even a relatively literal read of the words "supply chain" is
| reasonably appropriate, even for FOSS. Wikipedia's current
| definition for _supply chain_ is:
|
| > In commerce, a supply chain refers to the network of
| organizations, people, activities, information, and resources
| involved in delivering a product or service to a consumer.
|
| There's nothing in that definition that necessitates a formal
| agreement, support commitment, etc.
| marssaxman wrote:
| > A package repository might deem your software "critical",
| adding requirements to publishing updates that you might not want
| to or be able to comply with.
|
| I discovered last week that Github no longer allows you to push
| changes via https, and thus I have not yet published a minor fix
| for an insignificant piece of open source software I have been
| lackadaisically maintaining for the last eight years. Perhaps
| some day I will get around to jumping through their new security
| hoops... or perhaps I won't. In this case nobody is likely to
| care, but it makes me think these kinds of organizations ought to
| be extremely cautious about introducing extra friction to the
| workflows of people who are giving away their time for free.
| TheRealPomax wrote:
| Not sure I understand how having an ssh key is "jumping through
| hoops" though...? Presumably you already have one set up (even
| if you don't, it's literally just a few seconds of work to
| create a new one), so just add the public key to your account's
| SSH keys list, and done. Update your remote urls from https to
| the git@github.com:yourusername format and push whatever you
| want to push.
|
| Or, heck, if no build is required: why use git at all, just use
| github itself. You can edit, create PRs, on new branches, all
| without ever needing your own desktop. Perfect for small code
| changes (especially typo fixes).
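The remote-URL switch described in the comment above, as an added shell example that is not part of the thread: it rewrites a GitHub https remote to the git@github.com: form, leaves non-GitHub remotes untouched, and expects an SSH public key to already be registered on the account. The `alice/tool` repository names are constructed for illustration.

```shell
#!/bin/sh
# Convert a GitHub https clone URL to its SSH form.
# Anything that is not an https://github.com/<owner>/<repo> URL is
# returned unchanged, so the helper is safe to run over every remote.
github_https_to_ssh() {
  url="$1"
  case "$url" in
    https://github.com/*/*)
      path="${url#https://github.com/}"   # owner/repo[.git][/]
      path="${path%/}"                    # drop a trailing slash
      path="${path%.git}"                 # drop an existing .git suffix
      printf 'git@github.com:%s.git\n' "$path"
      ;;
    *)
      printf '%s\n' "$url"
      ;;
  esac
}

# Rewrite one remote (default "origin") of the current repository in place.
# Returns 1 without touching anything if the remote is not a GitHub https URL.
switch_remote_to_ssh() {
  remote="${1:-origin}"
  current="$(git remote get-url "$remote")" || return 1
  new="$(github_https_to_ssh "$current")"
  if [ "$new" = "$current" ]; then
    echo "remote '$remote' is not a GitHub https URL: $current" >&2
    return 1
  fi
  git remote set-url "$remote" "$new"
  echo "$remote: $current -> $new"
}

# Optional sanity check before pushing: GitHub answers an SSH handshake
# with a greeting that names the account the key belongs to.
check_github_ssh_key() {
  ssh -T git@github.com 2>&1 | grep -q "successfully authenticated"
}
```

Run `switch_remote_to_ssh` inside the checkout, then `check_github_ssh_key` to confirm the key is recognised before pushing.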
| rtsdumdftub wrote:
| so publish on your own platform then?
|
| don't expect to get to publish on someone else's platform then
| not play by their rules regarding how published material is
| handled.
| jacques_chester wrote:
| This article is hyperbole. Everyone involved knows that it's an
| imperfect metaphor, but that is in the nature of metaphors.
| Referring to the metaphor as "dehumanizing" is just silly.
| verisimilitudes wrote:
| >You still cannot disable pull requests on a GitHub repository.
|
| >I just want to publish software that I think is neat so that
| other hobbyists can use and learn from it, and I otherwise want
| to be left the hell alone.
|
| Don't use GitHub. I don't. Random dipshits aren't even aware of
| me.
|
| >To continue the inclusive nature of open source, we need to be
| able to trust a wide range of identities, but still with verified
| integrity. This implies a federated model for identities, perhaps
| similar to how we support federated SSL certificates today
|
| Oh yes, of course Google supports TLS-flavoured snake oil to
| match the TLS snake oil.
|
| I'm shocked MicroSoft is extending _open source_ after embracing
| it so well, shocked.
|
| I'm now recycling a previous comment of mine on this topic:
|
| Companies used to have employees write code, rather than stitch
| together random garbage written by random dipshits who could be
| tricked into using loose licenses. That's one cause for concern.
| The only reason _open source_ receives support is because it
| helps corporations defang Free Software and get gratis labor.
|
| All of this new security theatre is always about trust and
| reputation, and not trusting those disgusting lone programmers
| such as me or other silly things; it's always really about doing
| anything but truly auditing that yucky code.
| JohnFen wrote:
| > I just want to publish software that I think is neat so that
| other hobbyists can use and learn from it, and I otherwise want
| to be left the hell alone.
|
| Me, too. Which is why I pretty much abandoned the formal "OSS"
| world and don't use Github and the like. I still make software, I
| still provide a free license for anyone to use it, and I'll even
| maintain it for as long as it interests me.
|
| But it's a hobby, not a job. If someone uses my software
| commercially, it's on them to make sure that it's properly
| maintained. They have the source, they can do it.
| asimpletune wrote:
| So fwiw I think the whole concept of the "software supply chain"
| actually stems from "supply chain" attacks. It's kind of like
| once that turn of speech entered the fray, suddenly there was a
| software supply chain (for OSS).
| zokier wrote:
| > There is no formal agreement between a maintainer and its
| downstream users.
|
| But there usually is, that is what software licenses are for,
| with typical statements like
|
| > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
| EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
| OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
| NONINFRINGEMENT
| hot_gril wrote:
| Maybe the annoyance comes from releasing software with no
| license.md or a license that says "DO WHATEVER THE F--- YOU
| WANT WITH THIS S---" then getting a bunch of corporates saying
| it's not properly licensed while a bunch of "free as in
| freedom" people are complaining that the license isn't free as
| in freedom enough.
| hot_gril wrote:
| (In which case, I propose a new slogan, "don't tread on my
| crap.")
| peteradio wrote:
| "I dare you to use this."
___________________________________________________________________
(page generated 2022-09-19 23:00 UTC)