SoylentNews is people
SoylentNews
from the for-what-they-crave-must-I-supply? dept.
There is no "software supply chain":
In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.
When you take on an additional dependency in a software project, often money does not change hands. `
npm install' and `cargo add' do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.
This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.
[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.
Is there such a thing as a software supply chain?
Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks
(Score: 1, Touché) by Anonymous Coward on Thursday September 22 2022, @11:12PM (1 child)
nope, just a bunch of greed driven corporations who want exploit-free code for free
fsck 'em all
(Score: 5, Insightful) by DannyB on Friday September 23 2022, @02:22PM
In the Java world this seems to work pretty well. There is and has for years been an absolute embarrassment of riches of open source libraries to do anything under the sun. All these are typically licensed under Apache 2 or some BSD/MIT style license. A few are LGPL but not many.
Some of these software projects are immense. Java itself. Eclipse. NetBeans. Tomcat. Spring. And many many others I could name. For some of these when you look at who sponsors them it is a who's who of giant corporations.
Some would say that Oracle develops Java. But Oracle is downstream from the open source version. Oracle may be the biggest contributor, but others contribute as well including (shocker): Microsoft, Red Hat, Amazon, IBM, and others.
Amazon provides builds of Java. Amazon also offers its own sweetly addictive version of Java with extras.
Microsoft optimizes Java for Windows. Microsoft sponsored the port of Java on Windows for ARM processors.
IBM develops its own Open J9 -- a completely different JVM runtime engine for Java bytecode, which has some impressive features.
The Eclipse foundation provides all of the build infrastructure and hosting for Java for all of the myriad of versions, processor architectures, operating systems. That's quite a matrix if you think about it. Need a Java runtime for Mac? Which version of Java? Which processor architecture for Mac?
Red Hat spent significant development effort on its open source Shenandoah garbage collector for Java. Max GC pause time of 1 ms on workloads with multiple Terabytes of RAM.
Oracle contributed is own ZGC garbage collector with similar claims for fast GC on gigantic heap sizes.
This ecosystem has been going on for a very long time and it seems to work. Those commercial interests are not making such huge contributions out of the goodness of their hearts. They are in it for the money. So obviously Java must be a big money maker for Microsoft, Red Hat, Amazon, IBM, and many others. Just look at the sponsors of the Eclipse foundation.
Maybe it is not a Supply Chain. But it is not what I could call exploitative either.
It's like the proverbial Stone Soup. It started out as a kettle of hot water with a large stone in it. Each animal in the story brought some ingredient that they thought would improve the flavor of the stone soup. Once they had all contributed there was an excellent soup for all to share.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by Mojibake Tengu on Thursday September 22 2022, @11:52PM (7 children)
a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...
b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...
c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...
d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...
No more opinions generated, terminating.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 1, Touché) by Anonymous Coward on Friday September 23 2022, @12:06AM
I'm one bad day away from dumpster diving.
(Score: 3, Touché) by MostCynical on Friday September 23 2022, @02:17AM (1 child)
a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...
>>> company 1 pay company for some software. company 2 pays coders (often from company 3, and/or 'off shore') to actually code
b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...
>>> many of the coders mentioned above get code from stackexchange, so yes.
c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...
>>> no, you COTS ("Commercial Off The Shelf") systems, then do T+M CRs to customize, at the buyer's expense.
d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...
>>> no one who makes money from software actually writes any of the code. Cultivating coding skills is for hobbyists and exploitables (cf. 'off-shore'), and we appreciate your service. Here, have some pizza and a ping pong table.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Interesting) by kazzie on Friday September 23 2022, @04:42AM
I took a) to refer to supplying zero day exploits, malware, etc on the dark web.
(Score: 3, Insightful) by DannyB on Friday September 23 2022, @02:25PM (3 children)
This statement truly does not understand the true scale of large software projects, nor how many of them there are. That works fine for hobby or toy projects. Or for very small business projects -- where you still depend on a lot of software written by others.
It is like saying everyone should develop their own personal heavy lift rocket launchers.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by turgid on Sunday September 25 2022, @10:05AM (2 children)
What everyone should do is be responsible for the quality of their software. If your software depends on third party code, whether it's FOSS or not (I've seen a lot of terrible very expensive "professional" code), you should and you must demonstrate that the system that you are releasing to your customers is fit for purpose. That means that for all the use cases that you have agreed with your customer, you have a very high degree of confidence that they entire system works as agreed and intended.
PHB types don't like to hear this. They want to hear that software is just a bunch of typing, a compile and a release to the customer. Software must be integrated and tested, continuously and thoroughly. That is expensive in terms of time, It can be substantially automated, but this means that the developers have to create the automated tests along side the production code and it has to be run early and often, ideally from day 1 of the project and at least once per day, and it should cover all of the code written (features implemented) to date.
Contracts and agreements, guarantees and the ability to sue mean nothing in terms of real actual quality. They may mitigate the legal actions after a disaster, but the disaster should be avoided in the first place.
Take responsibility for the quality of your product. Delight your customer.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Insightful) by janrinok on Sunday September 25 2022, @11:44AM (1 child)
I think I agree with you, but initially I thought that you were suggesting that the person (me!) who writes a piece of code is responsible for testing it for purposes I know nothing about.
Most of the open source code that I have seen comes with categorical disclaimers about any of these things. There is no contract or agreement between me and anybody else; in fact TFS actually states:
If I write a piece of code that I think might be useful to others I can release it. I am not obligated to support it or test it for use in circumstances other than that which I wrote it for. Businesses, if they want to use my code, are welcome to do so but they take on responsibility for testing and verifying that it works the way that they want it to in their product. It is their head on the chopping block if it doesn't do what they expect it to do.
If they are suggesting that my contribution by writing it in the first place is insignificant they can get one of their own programmers to write their own version - and pay him for the time and effort he expends in doing so. I have no obligation to maintain it other than that which I assume for myself.
(Score: 2) by turgid on Sunday September 25 2022, @12:47PM
Yes, that's what I was trying to say.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 5, Insightful) by RamiK on Friday September 23 2022, @02:57AM
Meanwhile, us dirty plebs depend on hundreds of different interconnected projects and sub-projected that are written and maintained by thousands of individuals and corporations just to be able to play mine-sweeper in the terminal.
compiling...
(Score: 2, Flamebait) by legont on Friday September 23 2022, @03:04AM
We just want to make love to each other and otherwise want to be left alone. If kids come out because of this it's our business what to do about them. Nobody pays us to produce new workers for Google, don't they? Why the hell they force so many laws on us about children's welfare? Because Goggle wants quality free resource. Yes, resource word is what they use when they talk about us.
So, if you don't want to be punished, don't write software unless explicitly paid to do it. This simple idea is coming; fast. And while we are at it, don't fuck heterosexually either, but I think the latest generation got it already.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by MIRV888 on Friday September 23 2022, @03:53AM (4 children)
Unfortunately that is no longer an option.
You need solidarity in order to form a union.
Captain obvious told me that ain't gonna happen.
So software folks are up sh1t creek without a paddle.
It's happened before.
(Score: 0) by Anonymous Coward on Friday September 23 2022, @04:23AM
He slept on a couch at MIT
Who needs a real job?
(Score: 3, Insightful) by Thexalon on Friday September 23 2022, @10:53AM (2 children)
A union or professional association or something like that would be a good idea for professional programmers: At the very least, it would make the "everybody always has to work 80+ hours per week" some shops operate in less common.
But that's not what this is talking about. The problem this article is trying to highlight is that the people who write the stuff everybody uses don't necessarily get paid for it. Which is true, because when it comes to software, the cost of copying already-written software is nearly 0, which means that any scarcity is artificial. There are some ways to create artificial scarcity, but basically the only way people who write stuff that is going to make it to anything other than servers owned only by their employer are going to get paid is either begging or copyright enforcement. I don't see an easy answer so long as we live in a society where people who don't get paid don't eat and don't have a roof over their heads.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by bzipitidoo on Friday September 23 2022, @01:54PM (1 child)
There is a solution: public patronage. It can be direct, as with crowdfunding, or indirect as with government funding. I see it as the least bad solution.
(Score: 2) by hendrikboom on Friday September 23 2022, @07:46PM
Leaving the question of who should be paid how much.
(Score: 4, Insightful) by khallow on Friday September 23 2022, @12:26PM (2 children)
I find this to be a non sequitur obscuring the story. "Supply chain" is just an abstraction phrase. Abstractions related to people dehumanize by definition. And I find it interesting that supply chain is actually pretty well defined here - it's the dependencies in your software on other products.
And it's irrelevant to the real problem:
High value software depends on hobby software which creates a problem for the former. So rather than fix that, they're trying to throw requirements on the hobby software, making it more of a burden to publish.
Rather than trying to force a open source developer into higher efforts for someone else's software problem, the downstream users who are whining about these things should do some work. It's your problem. You need to solve it, not some hobbyist.
(Score: 2) by RedGreen on Friday September 23 2022, @12:44PM
"Rather than trying to force a open source developer into higher efforts for someone else's software problem, the downstream users who are whining about these things should do some work. It's your problem. You need to solve it, not some hobbyist."
What do some actual work rather than be the parasite corporation, you must be joking that is totally essential for their nature to be giving up. After all how can you be the victim if you actually take some responsibility for the thing that makes you money and do the vetting required to safely use it. Instead you need to be thinking of the boss who needs it done cheaply for his bonus and who will have no one to blame when the shit hits the fan with that idea, how cruel...
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by istartedi on Friday September 23 2022, @05:05PM
Is anybody seriously suggesting that a hobbyist doesn't have the right to tell corporations (or anybody for that matter) to fuck off about a bunch of bug reports?
If I leave an old bicycle in front of my house with a sign that says FREE on it, you have no right to come bugging me about the chain slipping off the sprockets. Fix it yourself, or take it to a bike shop. Not my problem. I left it out there FREE for a reason.
Appended to the end of comments you post. Max: 120 chars.
(Score: 1, Insightful) by Anonymous Coward on Friday September 23 2022, @01:15PM
Fundamentally, it comes down to the utter and childish sense of entitlement exhibited by corporations these days.
They see "Open Source" and think "Free as in beer, and comes with a personal server". If I work on code, and I release the code (under some permissive license), then you sure can do with that code what the license permits. That does not mean that you get support. Heck, I might even produce 'releases', but still, you are not entitled to support.
If you fail to do your own due diligence on your dependencies (either by doing your own or by paying someone who will do it for you) when you include them in your own products, then that's your problem as the ultimate provider of your product. You do not get to offload that responsibility on someone who published a work of code as a hobby project.
If corporations, trying to secure their supply chain, want guarantees about the open source dependencies they utilize, how about they pony up the money for that too? It's not because the source is available that they are entitled to anything else as well.
Build your house on sand and all that...
(Score: 2) by jb on Saturday September 24 2022, @06:39AM
Yes, I'm sure they do care about that, but not in the way TFS implied. More likely they are (or at least should be) worried that even the "unpaid hobbyist maintainers ... with no maintenance plan" often tend to have a better track record for things like security & reliability than most big-name software vendors.
That should indeed worry them.
Not to mention that bugs found in some free software package or other are always fixable within a fairly short time frame, so long as you're willing to invest either the time in fixing it yourself or the money to pay someone else to fix it...
...whereas bugs found by customers in big-name vendors' software often go unfixed for months after the initial bug report ... and if the bug doesn't affect a significantly large proportion of their customer base, at the end of the day the answer is often EWONTFIX, no matter how much money we might be willing to pay them to fix it (surprised? go read the license terms -- in most cases non-free licenses contain the very same disclaimers of liability that free software licenses do ... and then some!).
For that reason, from a maintainability perspective, deploying non-free software on any production system should be regarded as a fairly clear cut case of professional negligence.
More end user organisations coming to that realisation is what those big-name vendors are really worried about ... which is of course why they're using every dirty trick in the book (including this very much pot-calling-kettle-black number) to try to discredit FOSS before too many more do.