
SoylentNews is people

posted by hubie on Thursday September 22 2022, @11:04PM
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install` and `cargo add` do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks


(Score: 5, Insightful) by DannyB (5839) on Friday September 23 2022, @02:22PM (#1273172)


    In the Java world this seems to work pretty well. There is and has for years been an absolute embarrassment of riches of open source libraries to do anything under the sun. All these are typically licensed under Apache 2 or some BSD/MIT style license. A few are LGPL but not many.

    Some of these software projects are immense. Java itself. Eclipse. NetBeans. Tomcat. Spring. And many many others I could name. For some of these when you look at who sponsors them it is a who's who of giant corporations.

    Some would say that Oracle develops Java. But Oracle is downstream from the open source version. Oracle may be the biggest contributor, but others contribute as well including (shocker): Microsoft, Red Hat, Amazon, IBM, and others.

    Amazon provides builds of Java. Amazon also offers its own sweetly addictive version of Java with extras.

    Microsoft optimizes Java for Windows. Microsoft sponsored the port of Java on Windows for ARM processors.

    IBM develops its own OpenJ9 -- a completely different JVM runtime engine for Java bytecode, which has some impressive features.

    The Eclipse foundation provides all of the build infrastructure and hosting for Java for all of the myriad of versions, processor architectures, operating systems. That's quite a matrix if you think about it. Need a Java runtime for Mac? Which version of Java? Which processor architecture for Mac?

    Red Hat spent significant development effort on its open source Shenandoah garbage collector for Java. Max GC pause time of 1 ms on workloads with multiple Terabytes of RAM.

    Oracle contributed its own ZGC garbage collector with similar claims for fast GC on gigantic heap sizes.

    This ecosystem has been going on for a very long time and it seems to work. Those commercial interests are not making such huge contributions out of the goodness of their hearts. They are in it for the money. So obviously Java must be a big money maker for Microsoft, Red Hat, Amazon, IBM, and many others. Just look at the sponsors of the Eclipse foundation.

    Maybe it is not a Supply Chain. But it is not what I could call exploitative either.

    It's like the proverbial Stone Soup. It started out as a kettle of hot water with a large stone in it. Each animal in the story brought some ingredient that they thought would improve the flavor of the stone soup. Once they had all contributed there was an excellent soup for all to share.

    --
    The lower I set my standards the more accomplishments I have.