[GTALUG] security threats of Open Source
D. Hugh Redelmeier
hugh at mimosa.com
Sat Nov 21 12:06:21 EST 2020
| From: David Thornton via talk <talk at gtalug.org>
| Date: Fri, 20 Nov 2020 15:25:42 -0500
Thanks for reviving this thread 10 months later. What prompted you to do
that? Note: this is not a complaint. I continue to think that this is an
important and unresolved topic.
| As administrators we have a responsibility to vet. Even if it's to
| "deligate" the vetting, we have to vet the deligate.
"have to" means "responsibility to". Unfortunately, responsibility without
capability is a recipe for disaster.
Clearly you've thought about this in a setting with customers. How do you
discharge this responsibility?
The GPL says: you get what we offer but we accept no responsibility.
Many commercial software contract and EULAs disclaim responsibility
and forbid using the software in safety-critical settings. They then
often fall back on saying at most you can get back the purchase cost.
So a responsible decision-maker cannot delegate the responsibility yet has
no practical or even theoretical tools to discharge the
responsibility. Except bankruptcy law.
- you can ask your customer / client / employer that "here are the risks
that I can imagine, are you willing to accept them?"
- you can make sure that there are no assets available that can be lost
when and if problems arise
- you can work to reduce risks. This quickly hits the law of diminishing
returns, long before the risks are eliminated. But I'm sure we can
do better than the industry norms, as long as customers
understand that they must and should pay for the up-front cost.
Customers / clients often think that they are safer with large
corporations. In that role, I've found the help from large companies (eg.
Microsoft, Sun Microsystems (back in the day), ...) to inferior
to help from small companies. Both are eclipsed by support from FLOSS
communities. But support only deals with problems in the future, not
damage that has happened.
In the area of security, the worst breaches are the ones you never learn
about.
| Npm is a hot mess, and most people get that now.
|
| Galaxy / puppetforge / helm stuff ? Take a number.
|
| It sprouts faster than you can get on it sometimes.
|
| Pays the mortgage :)
You can't live with them and you can't live without them?
More information about the talk
mailing list