[GTALUG] security threats of Open Source

D. Hugh Redelmeier hugh at mimosa.com
Sat Nov 21 12:06:21 EST 2020 

| From: David Thornton via talk <talk at gtalug.org>
| Date: Fri, 20 Nov 2020 15:25:42 -0500

Thanks for reviving this thread 10 months later.  What prompted you to do 
that?  Note: this is not a complaint.  I continue to think that this is an 
important and unresolved topic.

| As administrators we have a responsibility to vet. Even if it's to
| "deligate" the vetting, we have to vet the deligate.

"have to" means "responsibility to".  Unfortunately, responsibility without 
capability is a recipe for disaster.

Clearly you've thought about this in a setting with customers.  How do you 
discharge this responsibility?

The GPL says: you get what we offer but we accept no responsibility.

Many commercial software contract and EULAs disclaim responsibility
and forbid using the software in safety-critical settings.  They then
often fall back on saying at most you can get back the purchase cost.

So a responsible decision-maker cannot delegate the responsibility yet has 
no practical or even theoretical tools to discharge the
responsibility.  Except bankruptcy law.

- you can ask your customer / client / employer that "here are the risks 
  that I can imagine, are you willing to accept them?"

- you can make sure that there are no assets available that can be lost 
  when and if problems arise

- you can work to reduce risks.  This quickly hits the law of diminishing 
  returns, long before the risks are eliminated.  But I'm sure we can
  do better than the industry norms, as long as customers
  understand that they must and should pay for the up-front cost.

Customers / clients often think that they are safer with large 
corporations.  In that role, I've found the help from large companies (eg. 
Microsoft, Sun Microsystems (back in the day), ...) to inferior 
to help from small companies.  Both are eclipsed by support from FLOSS 
communities.  But support only deals with problems in the future, not 
damage that has happened.

In the area of security, the worst breaches are the ones you never learn 
about.

| Npm is a hot mess, and most people get that now.
| 
| Galaxy / puppetforge / helm stuff ? Take a number.
| 
| It sprouts faster than you can get on it sometimes.
| 
| Pays the mortgage :)

You can't live with them and you can't live without them?

More information about the talk mailing list