posted by hubie on Thursday September 22 2022, @11:04PM
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. "npm install" and "cargo add" do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

  • (Score: 2) by MIRV888 (11376) on Friday September 23 2022, @03:53AM (#1273086) (4 children)

    Unfortunately that is no longer an option.
    You need solidarity in order to form a union.
    Captain obvious told me that ain't gonna happen.
    So software folks are up sh1t creek without a paddle.
    It's happened before.

  • (Score: 0) by Anonymous Coward on Friday September 23 2022, @04:23AM (#1273091)

    He slept on a couch at MIT
    Who needs a real job?

  • (Score: 3, Insightful) by Thexalon (636) on Friday September 23 2022, @10:53AM (#1273137) (2 children)

    A union or professional association or something like that would be a good idea for professional programmers: At the very least, it would make the "everybody always has to work 80+ hours per week" some shops operate in less common.

    But that's not what this is talking about. The problem this article is trying to highlight is that the people who write the stuff everybody uses don't necessarily get paid for it. Which is true, because when it comes to software, the cost of copying already-written software is nearly 0, which means that any scarcity is artificial. There are some ways to create artificial scarcity, but basically the only way people who write stuff that is going to make it to anything other than servers owned only by their employer are going to get paid is either begging or copyright enforcement. I don't see an easy answer so long as we live in a society where people who don't get paid don't eat and don't have a roof over their heads.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by bzipitidoo (4388) on Friday September 23 2022, @01:54PM (#1273163) Journal (1 child)

      There is a solution: public patronage. It can be direct, as with crowdfunding, or indirect as with government funding. I see it as the least bad solution.