This is a good, brief post on the software supply chain situation from the perspective of an open source maintainer:

For better or for worse, a supply chain has emerged. We can agree that “supply chain” isn’t the right wording, and that the problem shouldn’t exist. But here we are. And here we will be. I do expect some big changes in the open source ecosystem that companies and other critical software providers need to adhere to, which almost certainly won’t be a positive for small open source authors/maintainers

@jerry on the other hand, all that FLOSS software has licenses that explicitly say that it is provided *as is* and without any warranty, implied or otherwise.

So I am with Iliana here. If somebody doesn't like it, they are welcome to not use it. Nobody is entitled to FLOSS developers' time, work, attention, or whatever, unless they sign an actual contract and actual money changes hands. At which point it becomes an actual supply chain.

@jerry sidenote: I am actually revolted by Big Tech talking big about how secure their crap is and actually badmouthing FLOSS as "hobbyist projects at best" and such... and then falling flat on their faces on Log4shell.

Turns out they all use FLOSS components, and of course they don't pay the devs, and of course they don't even know where and how they use these FLOSS components.

The problem is not wording around "supply chains". The problem is the entitlement.

@rysiek I am in agreement, but I also don’t see it changing in a way that’s favorable for hobbyists. I am not sure what will happen, but I feel confident it’s not going to benefit the FLOSS developers.

@jerry I would not be so sure of that. Hobbyists gonna hobby, code will continue to be written and published with no warranty. Any silly requirements made by for-profit entities regarding their "supply chains" will end up making them pay for business support of FLOSS packages they use, or move to closed-source alternatives.

Hobbyists will shrug and continue to code away.

@rysiek @jerry having worked in many, many enterprises, I was always surprised at a) the eagerness to use FLOSS, because it costs nothing, and taken aback that they b) contribute nothing back, not even bug reports, because of the structures in place where people who execute have zero decision making power.

It's also fascinating to watch their skills deteriorate. They suck at opening issues and pull requests are so far outside their horizon it doesn't even almost come up on the radar.

so if you ever see entitlement shining thru from these people, that's often just clumsiness in navigating these vast worlds, of which they are usually just consumers.

@meena @rysiek @jerry (not to detract from the main point of the thread) I had the opposite experience. We used a FLOSS document management system. As I had budget, I paid in full for the system to be altered to be multi-lingual, necessary for our company. Afterwards the developing company pulled the "open core" trick and made multi-lingual capability one of their paid-for extras.
I thought that not in the spirit of FLOSS and eventually walked away.

@rysiek @meena @jerry It was quite a long time ago, and to be honest, I don't know if it still exists.

@rysiek @meena @jerry The developer was based in South Africa. I also thought it was the right thing to do to play a small role in getting international use of a South African project. Perhaps had I been able to have face-to-face meetings with them I would have either been able to understand their motivations better, or provide them with an overview of why their step was unfortunate. But I recall I did not want to be seen as a tail wagging the dog at the time.

@withaveeay @rysiek @jerry the main point was big companies vs individual FLOSS developers.

what companies do to each other i only care in how i care about sharks, and what they do to each other.

@meena @rysiek @jerry Fair enough, and as I said, I didn't want to hijack the thread.
For what it's worth, at the time, although I was head of IT, I thought of it as a much more personal decision based on my own FLOSS convictions, and I was dealing with a small group of perhaps 3 or 4 in the developer company. I do not recognise myself being a shark in that instance.

@withaveeay I try to stay away from corporateware as much as possible. If the company is the upstream, I’m assuming they’ll figure out some way to monetize the project.

@meena @rysiek @jerry

@meena @jerry sure, but I meant entitlement on the organizational level, not on particular human being level.

Google making outright *demands* (as mentioned in text linked in the toot that started this thread) towards FLOSS developers, or large corporations sending requests for SBOM to their "suppliers" (i.e. independent FLOSS developers) during the Log4shell shit storm — that's some serious organizational-level entitlement right there.

@rysiek @jerry i think what I'm trying to get at here is this:

a lot of organisational entitlement effectively stems from said organisations making it impossible for their own "individual contributors" to… well… contribute.

so the cost of running the organisational hierarchy like we've always done is then externalised to FLOSS developers outside the organisation.

@jerry Ha! The two footnoted actions expose two very real problems with corporations: 1) They don't trust their employees; and 2) They aren't in the habit of ever seeing software projects as completed. Both are driven by the capital nature of corporations. i.e., greed begets greed, and money is always spent well. They can't understand the quality equation inherent in FOSS development, because there is no capital in it.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.