
posted by hubie on Thursday September 22, @11:04PM
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install` and `cargo add` do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks


Related Stories

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks:

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.

[...] Beefing up open source components, especially third-party libraries that act as the building block of many a software, has emerged as a top priority in the wake of steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

[...] "Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.

[...] Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.


  • (Score: 1, Touché) by Anonymous Coward on Thursday September 22, @11:12PM (1 child)

    by Anonymous Coward on Thursday September 22, @11:12PM (#1273062)

    nope, just a bunch of greed driven corporations who want exploit-free code for free

    fsck 'em all

    • (Score: 5, Insightful) by DannyB on Friday September 23, @02:22PM

      by DannyB (5839) Subscriber Badge on Friday September 23, @02:22PM (#1273172) Journal

      In the Java world this seems to work pretty well. There is and has for years been an absolute embarrassment of riches of open source libraries to do anything under the sun. All these are typically licensed under Apache 2 or some BSD/MIT style license. A few are LGPL but not many.

      Some of these software projects are immense. Java itself. Eclipse. NetBeans. Tomcat. Spring. And many many others I could name. For some of these when you look at who sponsors them it is a who's who of giant corporations.

      Some would say that Oracle develops Java. But Oracle is downstream from the open source version. Oracle may be the biggest contributor, but others contribute as well including (shocker): Microsoft, Red Hat, Amazon, IBM, and others.

      Amazon provides builds of Java. Amazon also offers its own sweetly addictive version of Java with extras.

      Microsoft optimizes Java for Windows. Microsoft sponsored the port of Java on Windows for ARM processors.

      IBM develops its own Open J9 -- a completely different JVM runtime engine for Java bytecode, which has some impressive features.

      The Eclipse foundation provides all of the build infrastructure and hosting for Java for all of the myriad of versions, processor architectures, operating systems. That's quite a matrix if you think about it. Need a Java runtime for Mac? Which version of Java? Which processor architecture for Mac?

      Red Hat spent significant development effort on its open source Shenandoah garbage collector for Java. Max GC pause time of 1 ms on workloads with multiple Terabytes of RAM.

      Oracle contributed its own ZGC garbage collector with similar claims for fast GC on gigantic heap sizes.

      This ecosystem has been going on for a very long time and it seems to work. Those commercial interests are not making such huge contributions out of the goodness of their hearts. They are in it for the money. So obviously Java must be a big money maker for Microsoft, Red Hat, Amazon, IBM, and many others. Just look at the sponsors of the Eclipse foundation.

      Maybe it is not a Supply Chain. But it is not what I could call exploitative either.

      It's like the proverbial Stone Soup. It started out as a kettle of hot water with a large stone in it. Each animal in the story brought some ingredient that they thought would improve the flavor of the stone soup. Once they had all contributed there was an excellent soup for all to share.

      --
      You can not have fun on the weak days but you can on the weakened.
  • (Score: 2) by Mojibake Tengu on Thursday September 22, @11:52PM (7 children)

    by Mojibake Tengu (8598) Subscriber Badge on Thursday September 22, @11:52PM (#1273065) Journal

    Is there such a thing as a software supply chain?

    a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...

    b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...

    c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...

    d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...

    No more opinions generated, terminating.

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 1, Touché) by Anonymous Coward on Friday September 23, @12:06AM

      by Anonymous Coward on Friday September 23, @12:06AM (#1273066)

      I'm one bad day away from dumpster diving.

    • (Score: 3, Touché) by MostCynical on Friday September 23, @02:17AM (1 child)

      by MostCynical (2589) on Friday September 23, @02:17AM (#1273077) Journal

      a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...

      >>> company 1 pays company for some software. company 2 pays coders (often from company 3, and/or 'off shore') to actually code

      b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...

      >>> many of the coders mentioned above get code from stackexchange, so yes.

      c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...

      >>> no, you COTS ("Commercial Off The Shelf") systems, then do T+M CRs to customize, at the buyer's expense.

      d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...

      >>> no one who makes money from software actually writes any of the code. Cultivating coding skills is for hobbyists and exploitables (cf. 'off-shore'), and we appreciate your service. Here, have some pizza and a ping pong table.

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 3, Interesting) by kazzie on Friday September 23, @04:42AM

        by kazzie (5309) Subscriber Badge on Friday September 23, @04:42AM (#1273095)

        I took a) to refer to supplying zero day exploits, malware, etc on the dark web.

    • (Score: 3, Insightful) by DannyB on Friday September 23, @02:25PM (3 children)

      by DannyB (5839) Subscriber Badge on Friday September 23, @02:25PM (#1273173) Journal

      d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs

      This statement truly does not understand the true scale of large software projects, nor how many of them there are. That works fine for hobby or toy projects. Or for very small business projects -- where you still depend on a lot of software written by others.

      It is like saying everyone should develop their own personal heavy lift rocket launchers.

      --
      You can not have fun on the weak days but you can on the weakened.
      • (Score: 2) by turgid on Sunday September 25, @10:05AM (2 children)

        by turgid (4318) Subscriber Badge on Sunday September 25, @10:05AM (#1273542) Journal

        What everyone should do is be responsible for the quality of their software. If your software depends on third party code, whether it's FOSS or not (I've seen a lot of terrible very expensive "professional" code), you should and you must demonstrate that the system that you are releasing to your customers is fit for purpose. That means that for all the use cases that you have agreed with your customer, you have a very high degree of confidence that the entire system works as agreed and intended.

        PHB types don't like to hear this. They want to hear that software is just a bunch of typing, a compile and a release to the customer. Software must be integrated and tested, continuously and thoroughly. That is expensive in terms of time. It can be substantially automated, but this means that the developers have to create the automated tests alongside the production code and it has to be run early and often, ideally from day 1 of the project and at least once per day, and it should cover all of the code written (features implemented) to date.

        Contracts and agreements, guarantees and the ability to sue mean nothing in terms of real actual quality. They may mitigate the legal actions after a disaster, but the disaster should be avoided in the first place.

        Take responsibility for the quality of your product. Delight your customer.

        • (Score: 3, Insightful) by janrinok on Sunday September 25, @11:44AM (1 child)

          by janrinok (52) Subscriber Badge on Sunday September 25, @11:44AM (#1273546) Journal

          I think I agree with you, but initially I thought that you were suggesting that the person (me!) who writes a piece of code is responsible for testing it for purposes I know nothing about.

          Contracts and agreements, guarantees

          Most of the open source code that I have seen comes with categorical disclaimers about any of these things. There is no contract or agreement between me and anybody else; in fact TFS actually states:

          There is no formal agreement between a maintainer and its downstream users.

          If I write a piece of code that I think might be useful to others I can release it. I am not obligated to support it or test it for use in circumstances other than that which I wrote it for. Businesses, if they want to use my code, are welcome to do so but they take on responsibility for testing and verifying that it works the way that they want it to in their product. It is their head on the chopping block if it doesn't do what they expect it to do.

          If they are suggesting that my contribution by writing it in the first place is insignificant they can get one of their own programmers to write their own version - and pay him for the time and effort he expends in doing so. I have no obligation to maintain it other than that which I assume for myself.

  • (Score: 5, Insightful) by RamiK on Friday September 23, @02:57AM

    by RamiK (1813) on Friday September 23, @02:57AM (#1273079)

    Meanwhile, us dirty plebs depend on hundreds of different interconnected projects and sub-projects that are written and maintained by thousands of individuals and corporations just to be able to play mine-sweeper in the terminal.

    --
    compiling...
  • (Score: 2, Flamebait) by legont on Friday September 23, @03:04AM

    by legont (4179) on Friday September 23, @03:04AM (#1273080)

    I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone.

    We just want to make love to each other and otherwise want to be left alone. If kids come out because of this it's our business what to do about them. Nobody pays us to produce new workers for Google, do they? Why the hell do they force so many laws on us about children's welfare? Because Google wants a quality free resource. Yes, "resource" is the word they use when they talk about us.

    So, if you don't want to be punished, don't write software unless explicitly paid to do it. This simple idea is coming; fast. And while we are at it, don't fuck heterosexually either, but I think the latest generation got it already.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 2) by MIRV888 on Friday September 23, @03:53AM (4 children)

    by MIRV888 (11376) on Friday September 23, @03:53AM (#1273086)

    Unfortunately that is no longer an option.
    You need solidarity in order to form a union.
    Captain obvious told me that ain't gonna happen.
    So software folks are up sh1t creek without a paddle.
    It's happened before.

    • (Score: 0) by Anonymous Coward on Friday September 23, @04:23AM

      by Anonymous Coward on Friday September 23, @04:23AM (#1273091)

      He slept on a couch at MIT
      Who needs a real job?

    • (Score: 3, Insightful) by Thexalon on Friday September 23, @10:53AM (2 children)

      by Thexalon (636) on Friday September 23, @10:53AM (#1273137)

      A union or professional association or something like that would be a good idea for professional programmers: At the very least, it would make the "everybody always has to work 80+ hours per week" some shops operate in less common.

      But that's not what this is talking about. The problem this article is trying to highlight is that the people who write the stuff everybody uses don't necessarily get paid for it. Which is true, because when it comes to software, the cost of copying already-written software is nearly 0, which means that any scarcity is artificial. There are some ways to create artificial scarcity, but basically the only way people who write stuff that is going to make it to anything other than servers owned only by their employer are going to get paid is either begging or copyright enforcement. I don't see an easy answer so long as we live in a society where people who don't get paid don't eat and don't have a roof over their heads.

      --
      Alcohol makes the world go round ... and round and round.
      • (Score: 2) by bzipitidoo on Friday September 23, @01:54PM (1 child)

        by bzipitidoo (4388) on Friday September 23, @01:54PM (#1273163) Journal

        There is a solution: public patronage. It can be direct, as with crowdfunding, or indirect as with government funding. I see it as the least bad solution.

  • (Score: 4, Insightful) by khallow on Friday September 23, @12:26PM (2 children)

    by khallow (3766) Subscriber Badge on Friday September 23, @12:26PM (#1273146) Journal

    This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

    I find this to be a non sequitur obscuring the story. "Supply chain" is just an abstraction phrase. Abstractions related to people dehumanize by definition. And I find it interesting that supply chain is actually pretty well defined here - it's the dependencies in your software on other products.

    And it's irrelevant to the real problem:

    You still cannot disable pull requests on a GitHub repository. A package repository might deem your software “critical”, adding requirements to publishing updates that you might not want to or be able to comply with. Google even wanted to disallow anonymous individuals from maintaining critical software and wanted to police the identities of others.[1]

    Or, perhaps a maintainer tells someone that they won’t maintain a project anymore, and GitHub notifies thousands of dependent repositories, calling it a “critical severity” advisory.[2] This was obviously a mistake, and GitHub withdrew and re-labeled it as low severity this morning, but it is far from the only time systems built to secure the “software supply chain” have failed to understand the nuances of open source software maintenance.

    High value software depends on hobby software which creates a problem for the former. So rather than fix that, they're trying to throw requirements on the hobby software, making it more of a burden to publish.

    Rather than trying to force an open source developer into higher efforts for someone else's software problem, the downstream users who are whining about these things should do some work. It's your problem. You need to solve it, not some hobbyist.

    • (Score: 2) by RedGreen on Friday September 23, @12:44PM

      by RedGreen (888) on Friday September 23, @12:44PM (#1273151)

      "Rather than trying to force an open source developer into higher efforts for someone else's software problem, the downstream users who are whining about these things should do some work. It's your problem. You need to solve it, not some hobbyist."

      What, do some actual work rather than be the parasite corporation? You must be joking; that is totally essential for their nature to be giving up. After all, how can you be the victim if you actually take some responsibility for the thing that makes you money and do the vetting required to safely use it? Instead you need to be thinking of the boss who needs it done cheaply for his bonus and who will have no one to blame when the shit hits the fan with that idea. How cruel...

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2) by istartedi on Friday September 23, @05:05PM

      by istartedi (123) on Friday September 23, @05:05PM (#1273211) Journal

      Is anybody seriously suggesting that a hobbyist doesn't have the right to tell corporations (or anybody for that matter) to fuck off about a bunch of bug reports?

      If I leave an old bicycle in front of my house with a sign that says FREE on it, you have no right to come bugging me about the chain slipping off the sprockets. Fix it yourself, or take it to a bike shop. Not my problem. I left it out there FREE for a reason.

  • (Score: 1, Insightful) by Anonymous Coward on Friday September 23, @01:15PM

    by Anonymous Coward on Friday September 23, @01:15PM (#1273156)

    Fundamentally, it comes down to the utter and childish sense of entitlement exhibited by corporations these days.
    They see "Open Source" and think "Free as in beer, and comes with a personal server". If I work on code, and I release the code (under some permissive license), then you sure can do with that code what the license permits. That does not mean that you get support. Heck, I might even produce 'releases', but still, you are not entitled to support.

    If you fail to do your own due diligence on your dependencies (either by doing your own or by paying someone who will do it for you) when you include them in your own products, then that's your problem as the ultimate provider of your product. You do not get to offload that responsibility on someone who published a work of code as a hobby project.

    If corporations, trying to secure their supply chain, want guarantees about the open source dependencies they utilize, how about they pony up the money for that too? It's not because the source is available that they are entitled to anything else as well.

    Build your house on sand and all that...

  • (Score: 2) by jb on Saturday September 24, @06:39AM

    by jb (338) on Saturday September 24, @06:39AM (#1273340)

    The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

    Yes, I'm sure they do care about that, but not in the way TFS implied. More likely they are (or at least should be) worried that even the "unpaid hobbyist maintainers ... with no maintenance plan" often tend to have a better track record for things like security & reliability than most big-name software vendors.

    That should indeed worry them.

    Not to mention that bugs found in some free software package or other are always fixable within a fairly short time frame, so long as you're willing to invest either the time in fixing it yourself or the money to pay someone else to fix it...

    ...whereas bugs found by customers in big-name vendors' software often go unfixed for months after the initial bug report ... and if the bug doesn't affect a significantly large proportion of their customer base, at the end of the day the answer is often EWONTFIX, no matter how much money we might be willing to pay them to fix it (surprised? go read the license terms -- in most cases non-free licenses contain the very same disclaimers of liability that free software licenses do ... and then some!).

    For that reason, from a maintainability perspective, deploying non-free software on any production system should be regarded as a fairly clear cut case of professional negligence.

    More end user organisations coming to that realisation is what those big-name vendors are really worried about ... which is of course why they're using every dirty trick in the book (including this very much pot-calling-kettle-black number) to try to discredit FOSS before too many more do.
