Stories
Slash Boxes
Comments

SoylentNews is people

posted by hubie on Thursday September 22 2022, @11:04PM   Printer-friendly
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install' and `cargo add' do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks


Original Submission

 
This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Touché) by MostCynical on Friday September 23 2022, @02:17AM (1 child)

    by MostCynical (2589) on Friday September 23 2022, @02:17AM (#1273077) Journal

    a. There is, kind of some, but you are currently looking on the wrong side of the Internet for it...

    >>> company 1 pay company for some software. company 2 pays coders (often from company 3, and/or 'off shore') to actually code

    b. Running any software taken from net is similar to picking up food found dropped on the sidewalk and eating it...

    >>> many of the coders mentioned above get code from stackexchange, so yes.

    c. Any self-esteemed business man uses only custom software heavily paid with his bloody money, not some cheap handouts...

    >>> no, you COTS ("Commercial Off The Shelf") systems, then do T+M CRs to customize, at the buyer's expense.

    d. Everyone should cultivate his coding skills high enough to become capable to write his own software and use this solely for all his needs...

    >>> no one who makes money from software actually writes any of the code. Cultivating coding skills is for hobbyists and exploitables (cf. 'off-shore'), and we appreciate your service. Here, have some pizza and a ping pong table.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    Starting Score:    1  point
    Moderation   +1  
       Touché=1, Total=1
    Extra 'Touché' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 3, Interesting) by kazzie on Friday September 23 2022, @04:42AM

    by kazzie (5309) Subscriber Badge on Friday September 23 2022, @04:42AM (#1273095)

    I took a) to refer to supplying zero day exploits, malware, etc on the dark web.