Re: [Discuss] CrowdStrike
> Kent Borg said on Wed, 24 Jul 2024 10:39:33 -0700
>
>> On 7/24/24 10:06, Daniel M Gessel wrote:
>>> The failure does seem incompetent to the point of negligence and I
>>> wouldn't be surprised to see it tested in court: big companies lost
>>> large amounts of money; lawsuits may start happening soon.
>>
>> That would be nice.
>
> Before you call lawsuits nice, contemplate that it might cause
> employment contracts to have indemnification clauses. For developers,
> this would be anything but nice.

A decade or two ago, I was a freelance contractor. I have some open source technologies I would customize and deploy for money. I got out of doing this because contracts started to get pretty onerous.

I had one customer who wanted me to indemnify them for any inadvertent copyright infringement. This was as the whole Caldera thing was going on and there was suspicion that Linux infringed on BSD and that Caldera/SCO claimed the copyrights to BSD. I had to respond with a document that stated that, to the best of my knowledge, I did not infringe on any copyright and that I abided by the terms and conditions of any and all third-party licenses.

They responded, "It's just a standard contract." I responded that "there is no such thing as a standard contract" and that I needed that clause removed because, seriously, I don't have the money to defend a copyright lawsuit from a corporation, not for what they were paying me for the contract.

Software isn't what it was 20 years ago. Today, more than ever, the world runs on software, and every bit of it, at some point, directly or indirectly, can threaten the lives and livelihood of people. A lowly GPL library intended to do something completely innocuous may knock out a piece of life-sustaining equipment or crash a plane or bring down computers in hospital operating rooms. The industry is no longer the "wild wild west."

Something is going to happen, I'm not sure what, but I bet it will be terrible.
___ Discuss mailing list Discuss@driftwood.blu.org https://driftwood.blu.org/mailman/listinfo/discuss
Re: [Discuss] CrowdStrike Fiasco
On Thu, 25 Jul 2024 15:37:27 -0400 Ian Kelling wrote:
> FSF wrote a blog about this which I really enjoyed
> https://www.fsf.org/news/lets-not-celebrate-crowdstrike-lets-point-to-a-better-way

Just two points about that, and I acknowledge my anti-FSF knee-jerk reaction here.

First, the aphorism that "with enough eyes, all bugs are shallow" is demonstrably wrong. Examples include Heartbleed, Bashdoor (aka Shellshock), Log4Shell, and the recent regreSSHion bug. Quantity is not a substitute for quality.

Second, where the article calls out those who accuse the FSF of being utopian, that's not an accusation. It's a description of the leadership. To them, a free-as-in-FSF program that does not work is superior to a proprietary program which is proven reliable. If the free-as-in-FSF software isn't at least as good[*] as the proprietary software it's trying to mimic or replace, then it's never going to gain significant traction.

[*] Where "good" subsumes many factors including functionality, suitability for purpose, and vendor support.

-- 
\m/ (--) \m/
Re: [Discuss] CrowdStrike Fiasco
On 7/25/24 14:13, Rich Pieri wrote:
> First, the aphorism that "with enough eyes, all bugs are shallow" is
> demonstrably wrong.

It might actually *be* true, were the precondition true, if there actually *were* a lot of eyes. But there aren't.

It turns out reading source code is not a major recreation on the internet; it is hard work. Even when programmers are paid to review code as part of their jobs, reviews tend to be about whether the favored "design patterns" and "best practices" are being followed. And of course, whether it is nicely formatted, and only a small code change.

Canonical xkcd cartoon 2347, "Dependency": https://imgs.xkcd.com/comics/dependency.png

Not only is "some random person in Nebraska" the only one maintaining that little block that holds up "all modern digital infrastructure", s/he is the only person looking at that code at all. Since 2003...

-kb
Re: [Discuss] CrowdStrike Fiasco
On Thu, 25 Jul 2024 14:25:34 -0700 Kent Borg wrote:
> It might actually *be* true, were the precondition true, if there
> actually *were* a lot of eyes. But there aren't.

Even if there were, they're only going to spot the low-hanging fruit because they either don't know what they are looking for or don't understand what they are looking at. It takes the right sets of eyes, knowledgeable eyes, experienced eyes, examining the code to identify these bugs. Quality, not quantity.

-- 
\m/ (--) \m/
Re: [Discuss] CrowdStrike Fiasco
I agree that a large number of superficial readings won't find issues that fewer, more careful investigations could - whether "free as in freedom" software is more reliable, efficient and capable than proprietary software (or vice versa) is an unanswered question.

And the FSF does seem to hold a worldview that classifies distributing non-free software as a human rights violation, so unreliable, slow and incomplete free software is better than any proprietary software. It's not a worldview I share (nor would I describe it as utopian), but it's consistent.

On the other hand, the world of computing would be vastly different without the FSF - I doubt Linux would exist (nor even the notion of open source software) without GNU. And I have to say I use GNU, Linux, and other open source software over "proprietary" software because it is technically superior - and I've been watching that gap grow and grow over the years.

On 2024-07-25 17:13, Rich Pieri wrote:
> On Thu, 25 Jul 2024 15:37:27 -0400 Ian Kelling wrote:
>> FSF wrote a blog about this which I really enjoyed
>> https://www.fsf.org/news/lets-not-celebrate-crowdstrike-lets-point-to-a-better-way
>
> Just two points about that, and I acknowledge my anti-FSF knee-jerk
> reaction here.
>
> First, the aphorism that "with enough eyes, all bugs are shallow" is
> demonstrably wrong. Examples include Heartbleed, Bashdoor (aka
> Shellshock), Log4Shell, and the recent regreSSHion bug. Quantity is not
> a substitute for quality.
>
> Second, where the article calls out those who accuse the FSF of being
> utopian, that's not an accusation. It's a description of the
> leadership. To them, a free-as-in-FSF program that does not work is
> superior to a proprietary program which is proven reliable. If the
> free-as-in-FSF software isn't at least as good[*] as the proprietary
> software it's trying to mimic or replace, then it's never going to gain
> significant traction.
>
> [*] Where "good" subsumes many factors including functionality,
> suitability for purpose, and vendor support.