[GTALUG] security threats of Open Source
Dave Collier-Brown
davecb.42 at gmail.com
Sat Nov 21 19:55:36 EST 2020
I've seen better coverage but less depth from commercial entities. I
just referred a Kobo bug to the in-house counsel, as the assigned
support creature could neither understand the problem /nor/ the process.
I used to work with their lawyer at Lexis Nexis: that's *not* a common
kind of situation (;-))
In the open source world, one arguably only needs to convince a peer
that something is wrong, not a legal representative of the company that
they're at risk.
--dave
On 2020-11-21 12:06 p.m., D. Hugh Redelmeier via talk wrote:
> | From: David Thornton via talk <talk at gtalug.org>
> | Date: Fri, 20 Nov 2020 15:25:42 -0500
>
> Thanks for reviving this thread 10 months later. What prompted you to do
> that? Note: this is not a complaint. I continue to think that this is an
> important and unresolved topic.
>
> | As administrators we have a responsibility to vet. Even if it's to
> | "delegate" the vetting, we have to vet the delegate.
>
> "have to" means "responsibility to". Unfortunately, responsibility without
> capability is a recipe for disaster.
>
> Clearly you've thought about this in a setting with customers. How do you
> discharge this responsibility?
>
> The GPL says: you get what we offer but we accept no responsibility.
>
> Many commercial software contracts and EULAs disclaim responsibility
> and forbid using the software in safety-critical settings. They then
> often fall back on saying at most you can get back the purchase cost.
>
> So a responsible decision-maker cannot delegate the responsibility yet has
> no practical or even theoretical tools to discharge the
> responsibility. Except bankruptcy law.
>
> - you can ask your customer / client / employer that "here are the risks
> that I can imagine, are you willing to accept them?"
>
> - you can make sure that there are no assets available that can be lost
> when and if problems arise
>
> - you can work to reduce risks. This quickly hits the law of diminishing
> returns, long before the risks are eliminated. But I'm sure we can
> do better than the industry norms, as long as customers
> understand that they must and should pay for the up-front cost.
>
> Customers / clients often think that they are safer with large
> corporations. In that role, I've found the help from large companies (e.g.
> Microsoft, Sun Microsystems (back in the day), ...) to be inferior
> to help from small companies. Both are eclipsed by support from FLOSS
> communities. But support only deals with problems in the future, not
> damage that has happened.
>
> In the area of security, the worst breaches are the ones you never learn
> about.
>
> | Npm is a hot mess, and most people get that now.
> |
> | Galaxy / puppetforge / helm stuff ? Take a number.
> |
> | It sprouts faster than you can get on it sometimes.
> |
> | Pays the mortgage :)
>
> You can't live with them and you can't live without them?
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dave.collier-brown at indexexchange.com | -- Mark Twain