
posted by hubie on Thursday September 22 2022, @11:04PM
from the for-what-they-crave-must-I-supply? dept.

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install` and `cargo add` do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks



 
  • (Score: 2) by turgid on Sunday September 25 2022, @10:05AM (2 children)

    by turgid (4318) on Sunday September 25 2022, @10:05AM (#1273542)

    What everyone should do is be responsible for the quality of their software. If your software depends on third party code, whether it's FOSS or not (I've seen a lot of terrible very expensive "professional" code), you should and you must demonstrate that the system that you are releasing to your customers is fit for purpose. That means that for all the use cases that you have agreed with your customer, you have a very high degree of confidence that the entire system works as agreed and intended.

    PHB types don't like to hear this. They want to hear that software is just a bunch of typing, a compile and a release to the customer. Software must be integrated and tested, continuously and thoroughly. That is expensive in terms of time. It can be substantially automated, but this means that the developers have to create the automated tests alongside the production code, and it has to be run early and often, ideally from day 1 of the project and at least once per day, and it should cover all of the code written (features implemented) to date.

    Contracts and agreements, guarantees and the ability to sue mean nothing in terms of real actual quality. They may mitigate the legal actions after a disaster, but the disaster should be avoided in the first place.

    Take responsibility for the quality of your product. Delight your customer.

  • (Score: 3, Insightful) by janrinok on Sunday September 25 2022, @11:44AM (1 child)

    by janrinok (52) on Sunday September 25 2022, @11:44AM (#1273546)

    I think I agree with you, but initially I thought that you were suggesting that the person (me!) who writes a piece of code is responsible for testing it for purposes I know nothing about.

    Contracts and agreements, guarantees

    Most of the open source code that I have seen comes with categorical disclaimers about any of these things. There is no contract or agreement between me and anybody else; in fact TFS actually states:

    There is no formal agreement between a maintainer and its downstream users.

    If I write a piece of code that I think might be useful to others I can release it. I am not obligated to support it or test it for use in circumstances other than that which I wrote it for. Businesses, if they want to use my code, are welcome to do so but they take on responsibility for testing and verifying that it works the way that they want it to in their product. It is their head on the chopping block if it doesn't do what they expect it to do.

    If they are suggesting that my contribution by writing it in the first place is insignificant, they can get one of their own programmers to write their own version - and pay him for the time and effort he expends in doing so. I have no obligation to maintain it other than that which I assume for myself.