
posted by hubie on Thursday September 22 2022, @11:04PM
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install' and `cargo add' do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks


  • (Score: 2) by Mojibake Tengu on Thursday September 22 2022, @11:52PM (7 children)

    by Mojibake Tengu (8598) on Thursday September 22 2022, @11:52PM (#1273065)

    Is there such a thing as a software supply chain?

    a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...

    b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...

    c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...

    d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...

    No more opinions generated, terminating.

    --
    Respect Authorities. Know your social status. Woke responsibly.
  • (Score: 1, Touché) by Anonymous Coward on Friday September 23 2022, @12:06AM

    by Anonymous Coward on Friday September 23 2022, @12:06AM (#1273066)

    I'm one bad day away from dumpster diving.

  • (Score: 3, Touché) by MostCynical on Friday September 23 2022, @02:17AM (1 child)

    by MostCynical (2589) on Friday September 23 2022, @02:17AM (#1273077)

    a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...

    >>> company 1 pays company 2 for some software. company 2 pays coders (often from company 3, and/or 'off shore') to actually code

    b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...

    >>> many of the coders mentioned above get code from stackexchange, so yes.

    c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...

    >>> no, you buy COTS ("Commercial Off The Shelf") systems, then do T+M CRs to customize, at the buyer's expense.

    d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...

    >>> no one who makes money from software actually writes any of the code. Cultivating coding skills is for hobbyists and exploitables (cf. 'off-shore'), and we appreciate your service. Here, have some pizza and a ping pong table.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 3, Interesting) by kazzie on Friday September 23 2022, @04:42AM

      by kazzie (5309) on Friday September 23 2022, @04:42AM (#1273095)

      I took a) to refer to supplying zero day exploits, malware, etc on the dark web.

  • (Score: 3, Insightful) by DannyB on Friday September 23 2022, @02:25PM (3 children)

    by DannyB (5839) on Friday September 23 2022, @02:25PM (#1273173)

    d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs

    This statement truly does not understand the true scale of large software projects, nor how many of them there are. That works fine for hobby or toy projects. Or for very small business projects -- where you still depend on a lot of software written by others.

    It is like saying everyone should develop their own personal heavy lift rocket launchers.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 2) by turgid on Sunday September 25 2022, @10:05AM (2 children)

      by turgid (4318) on Sunday September 25 2022, @10:05AM (#1273542)

      What everyone should do is be responsible for the quality of their software. If your software depends on third party code, whether it's FOSS or not (I've seen a lot of terrible very expensive "professional" code), you should and you must demonstrate that the system that you are releasing to your customers is fit for purpose. That means that for all the use cases that you have agreed with your customer, you have a very high degree of confidence that the entire system works as agreed and intended.

      PHB types don't like to hear this. They want to hear that software is just a bunch of typing, a compile and a release to the customer. Software must be integrated and tested, continuously and thoroughly. That is expensive in terms of time. It can be substantially automated, but this means that the developers have to create the automated tests alongside the production code and it has to be run early and often, ideally from day 1 of the project and at least once per day, and it should cover all of the code written (features implemented) to date.

      Contracts and agreements, guarantees and the ability to sue mean nothing in terms of real actual quality. They may mitigate the legal actions after a disaster, but the disaster should be avoided in the first place.

      Take responsibility for the quality of your product. Delight your customer.

      • (Score: 3, Insightful) by janrinok on Sunday September 25 2022, @11:44AM (1 child)

        by janrinok (52) on Sunday September 25 2022, @11:44AM (#1273546)

        I think I agree with you, but initially I thought that you were suggesting that the person (me!) who writes a piece of code is responsible for testing it for purposes I know nothing about.

        Contracts and agreements, guarantees

        Most of the open source code that I have seen comes with categorical disclaimers about any of these things. There is no contract or agreement between me and anybody else; in fact TFS actually states:

        There is no formal agreement between a maintainer and its downstream users.

        If I write a piece of code that I think might be useful to others I can release it. I am not obligated to support it or test it for use in circumstances other than that which I wrote it for. Businesses, if they want to use my code, are welcome to do so but they take on responsibility for testing and verifying that it works the way that they want it to in their product. It is their head on the chopping block if it doesn't do what they expect it to do.

        If they are suggesting that my contribution by writing it in the first place is insignificant they can get one of their own programmers to write their own version - and pay him for the time and effort he expends in doing so. I have no obligation to maintain it other than that which I assume for myself.