[GTALUG] security threats of Open Source

Dave Collier-Brown davecb.42 at gmail.com
Sat Nov 21 19:55:36 EST 2020


I've seen better coverage but less depth from commercial entities. I 
just referred a Kobo bug to the in-house counsel, as the assigned 
support creature could neither understand the problem /nor/ the process.

I used to work with their lawyer at Lexis Nexis: that's *not* a common 
kind of situation (;-))

In the open source world, one arguably only needs to convince a peer 
that something is wrong, not a legal representative of the company that 
they're at risk.

--dave


On 2020-11-21 12:06 p.m., D. Hugh Redelmeier via talk wrote:
> | From: David Thornton via talk <talk at gtalug.org>
> | Date: Fri, 20 Nov 2020 15:25:42 -0500
>
> Thanks for reviving this thread 10 months later.  What prompted you to do
> that?  Note: this is not a complaint.  I continue to think that this is an
> important and unresolved topic.
>
> | As administrators we have a responsibility to vet. Even if it's to
> | "delegate" the vetting, we have to vet the delegate.
>
> "have to" means "responsibility to".  Unfortunately, responsibility without
> capability is a recipe for disaster.
>
> Clearly you've thought about this in a setting with customers.  How do you
> discharge this responsibility?
>
> The GPL says: you get what we offer but we accept no responsibility.
>
> Many commercial software contract and EULAs disclaim responsibility
> and forbid using the software in safety-critical settings.  They then
> often fall back on saying at most you can get back the purchase cost.
>
> So a responsible decision-maker cannot delegate the responsibility yet has
> no practical or even theoretical tools to discharge the
> responsibility.  Except bankruptcy law.
>
> - you can ask your customer / client / employer: "here are the risks
>    that I can imagine, are you willing to accept them?"
>
> - you can make sure that there are no assets available that can be lost
>    when and if problems arise
>
> - you can work to reduce risks.  This quickly hits the law of diminishing
>    returns, long before the risks are eliminated.  But I'm sure we can
>    do better than the industry norms, as long as customers
>    understand that they must and should pay for the up-front cost.
>
> Customers / clients often think that they are safer with large
> corporations.  In that role, I've found the help from large companies (eg.
> Microsoft, Sun Microsystems (back in the day), ...) to be inferior
> to help from small companies.  Both are eclipsed by support from FLOSS
> communities.  But support only deals with problems in the future, not
> damage that has happened.
>
> In the area of security, the worst breaches are the ones you never learn
> about.
>
> | Npm is a hot mess, and most people get that now.
> |
> | Galaxy / puppetforge / helm stuff ? Take a number.
> |
> | It sprouts faster than you can get on it sometimes.
> |
> | Pays the mortgage :)
>
> You can't live with them and you can't live without them?

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dave.collier-brown at indexexchange.com |              -- Mark Twain
