So we have it now. Rust solved a large number of the safety problems at the system language level. Not everything, of course, but still. A lot of them. And it is actually being adopted.
So I have a question for my cybersecurity/infosec crowd.
Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?
Where is the retrospective of what went wrong? Where are the learnings?
I am genuinely interested. It is a domain where I keep being surprised not to find discussions. And I feel like I must be missing something. I am probably not looking in the right place.
So I am asking the internet to do its magic and point me to these places please :)
@Di4na We should recognise the possibility that it may have simply been random factors that caused the adoption of Rust where other solutions didn't take off; that there wasn't something specific Rust did right or the others did wrong.
@Di4na I have read them. The Synopsys and Tidelift reports don't share your conclusion. You pulled numbers from each, smashed them together in a dodgy way and made a poor conclusion.
"So, nearly 60% of all code being actively shipped in an app or product in the wild is hobbyist-maintained open-source."
That's simply not supported by the reports you cited.
Look, I'm all for paying OSS maintainers. But in a piece where you tell people to sit down and shut up, maybe have more sound conclusions.
For everyone that calls for ways to make open source more secure, or for all their magical solutions that will provide money and resources to FOSS maintainers, please read this.
This is a rare account of the reality of maintainers, things that are hard, but also how much knowledge and niche expertise you need for anything in there.
That is why just giving money to experts will not help that much. It is too hard to train experts in this. But we may make it easier.
So I will not have time until the weekend, at best, to write a full blog post about it.
But fucking hell is this a ball of crap with nearly no ties to reality. I understand you all would love the real world to work like in this "manifesto" but... I am sorry, this is not reality.
@Di4na @joshbressers @kurtseifried I don't have words for how angry I am after reading this. As an open source software developer and contributor, I don't want any of this. Unless you're paying me big bucks for it, I won't do it.
It's actually really dangerous because it's also about blame-shifting. Organizations don't want to have risk, this would allow shifting the blame to unrelated parties that they have no relationship with.
@kurtseifried @Conan_Kudo @joshbressers While thinking about it, I think I got better terminology for open source use.
On one side you have "contributors" and on the other you have "scavengers". And scavengers that start asking from contributors are not scavengers anymore. They are now "beggars". And beggars can't be choosers.
I rarely agree with the conversation of "lack of reciprocity" for FOSS maintainers. Reciprocity itself does not make sense to talk about in this situation imho.
But I do think that there is a double standard. Here is my example for today. Do better, corp.
Just. Give your employees frigging security tokens.
@mdwyer Yeah, no, you probably want a different one, because you probably do not want to have to rotate your personal one if your work does a doofus... Or the opposite. More importantly, you really do not want to lose it if you lose your job, but your job wants to track the supply chain and serial number of the one you use for them.
I think I finally found a name to put on the work that needs to be done to bring all the fantastic ideas that come out of academia and esolang into the tooling for developers out there.
And I think this is the way out of the pit of pain and security vulnerabilities our digital infrastructure is in right now.
@joshbressers I think the reason it exists out there is because of Taylor. Because it is pretty easy to count the impact, and Taylor introduced it at the right time.
The reason we do not have it in software is because we have not yet had the understanding of the reality of its impact. A ton of software built out there is made for "nebulous" reasons.
Said otherwise: we have not been able to make the financial case for software tooling really well, only "disruptive" stuff.
@joshbressers it took quite some time. Like 50 years and WW2 actually. But mostly it was because Taylor got 10 to 100x results.
In software, I have anecdotal and relatively qualitative data showing that kind of results for the few real process engineering work in it. See Rust for the quite visible impact.
But the real question is not if the benefits are obvious and immense. It is if anyone wants them and sees value in them. Software does not care that much about making something that works.
Before writing a full blog post, I want to gather some reactions.
What if we made it legally obligated that if an employee can show (putting aside the validation mechanism here, lots of options with different tradeoffs) they contribute to open source a bit (and I really mean a low amount. Even an obscure package counts, even a few PRs to fix real bugs) on their non-work time.
Then the employer has to give them one more (paid) free day a week. An 80% job for the salary of a 100% one.
@thisalex This has not been my experience with government. Policy makers tend to prefer super targeted bills, because then no one outside of the domain hears about it. It really simplifies the policy making work.
The larger it gets, the harder it gets to do anything.
@maarten What I mean is that when I talked to a lot of the people in the room last weekend, nearly everyone was focused on "getting the users to know there is foss there" or "more use of FOSS apps", which is great!
But it also does not come close to helping on the Roads and Bridges problem. And when I talked of the Roads and Bridges problem, people thought I was talking of "Indie people need a voice too." Nearly no one realised "our infra is crumbling".
Who the fuck thought that passkeys and passwordless were a good idea?
One week into having moved to a YubiKey 5 (after years of my previous YubiKey), and every service on the planet wants me to use it as a passkey and not just a 2FA OTP.
Except it is crap. Like at this point, I just want to delete 2FA from everything due to how much worse the UX was.
It is time to unplug that experiment, this is going to make people stop doing the secure thing.
It wants a PIN on my key, making login a 3-step operation; the goal was to make it one step. That is why I use a security token. To make it seamless.
I cannot port them without a passkey manager, aka password.
I cannot delete them from the key, and have a limited number.
The UX of adding them to my accounts is atrociously bad. Like, it took me an hour to get them on my Google account.
On Windows, I keep getting Windows Hello pushing itself.
And it wants to use my biometrics. NO
Today has not been a particularly good day, but it was not a bad day either, and just...
I don't think it will resonate with anyone who does not have ADHD, and honestly I don't know if I need it to. But I need to yell about it and this is the best place.
I had no idea things could be this easy. The meds are not solving everything but like. Is it how it is for y'all? You can just... DO THINGS?!?!
And yes I am crying saying it.
Oh, also. Some things can actually make you feel better after doing them?!
@Di4na Showers, and polishing off mildly annoying things in less effort than I was worrying about at the time. I think a "fun hobby" is a kind of self-imposed string of the latter? maybe?
Has anyone tracked where Musk got the obsession with X as the killer app for everything?
The only real thing I can find as inspiration in my knowledge of the cultural material he drew from is The eXchange from SR. But IIRC it is from 3rd edition, aka 98, so it could be a reverse influence.
Or is this a SAC?
Maybe @cstross or @davidgerard or your own networks? This guy has to have it from somewhere.
@JonRowe @cstross @davidgerard I know and I love John (still need to sit down with my copy of the Brexit Tapes looking at me from the coffee table) but this is from after he chose the name and the goal of the app. Not where he got the idea.
As a maintainer of OpenSource libraries and packages, there is something that kept feeling off in the whole Software Supply Chain discourse. I think this comes down to something simple.
Analogies are by definition never a perfect fit; saying "stretched" is a statement, and without explaining how, it just sounds like you don't know the meaning or purpose of analogies.
Pandemic: who said we weren't? Why introduce that mate? Really odd of you to make a point of it as though it's correcting some claim I never made
I'm a contributor to open source, and started, and always, agreed. Why the hostility? Why attack me as the OSS sponger lowlife suddenly when I'm your supporter with a wider view? At the core of my view is agreeing with your entire article; I only extended that conversation to cover a missing element.
It's very, very likely that these attacks have come out of nowhere and are based on correcting things I never said. It's therefore likely you're "@"-ing me but thinking I'm someone else who said those things, someone who disagrees with you.
Do I have anyone with a tool that could query the full range of code bases for, I don't know... all the big FOSS tools? In my followers network? If yes, I would love to get data on the following questions.
"How many projects have a bin or scripts directory? What is the distribution of languages used in these?". Bonus point if you can count the "build tasks" too, things like npm assets.build or equivalent. Use of make as a task runner, and not as a build system, would probably be interesting too.
@Di4na the question is then “how often do projects have ad-hoc scripts” which wasn’t clear to me from your original post
I wonder if the new GitHub search could help answer this question. not sure if you could get it in a single query, but it can certainly look for paths and languages. like if there’s a bash script in an otherwise unremarkable JS project, that’s a good candidate. search for invocations of “node” in package.json scripts, etc. dunno if they have an API opened up yet?
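Added example, not part of any post in this thread: a small Python scanner that answers the question above over a local tree of repository checkouts (one subdirectory per project) instead of a remote code search. It counts projects with a bin/ or scripts/ directory, the language of the files in them (by extension, then by shebang line), the number of entries under "scripts" in package.json, and Makefiles whose rules are all declared .PHONY (an assumed heuristic for make used as a task runner rather than a build system). The three-repo corpus it builds in a temporary directory is constructed sample data, not real projects; point summarize() at a directory of real clones to get actual numbers.

```python
"""Count script directories, script languages, npm task entries and
make-as-task-runner use across a tree of repository checkouts.
Added example; the sample corpus below is constructed, not real data."""
import json
import os
import re
import tempfile
from collections import Counter

SCRIPT_DIRS = ("bin", "scripts")
# extension -> language (assumption: a small table is enough for a first pass)
EXT_LANG = {".sh": "shell", ".bash": "shell", ".py": "python", ".rb": "ruby",
            ".js": "javascript", ".pl": "perl", ".ps1": "powershell"}
INTERP_LANG = {"sh": "shell", "bash": "shell", "zsh": "shell", "dash": "shell",
               "python": "python", "perl": "perl", "ruby": "ruby", "node": "javascript"}
# Makefile rule header such as "lint:" or "app: main.c" (but not "CC := gcc")
RULE_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*:(?!=)")


def script_language(path):
    """Classify a file by extension, falling back to its shebang line."""
    ext = os.path.splitext(path)[1]
    if ext in EXT_LANG:
        return EXT_LANG[ext]
    with open(path, "rb") as f:
        first = f.readline()
    if not first.startswith(b"#!"):
        return "unknown"
    parts = first[2:].decode("utf-8", "replace").split()
    if not parts:
        return "unknown"
    interp = os.path.basename(parts[0])
    if interp == "env" and len(parts) > 1:  # "#!/usr/bin/env python3"
        interp = parts[1]
    interp = interp.rstrip("0123456789.")   # python3.11 -> python
    return INTERP_LANG.get(interp, interp)


def makefile_is_task_runner(path):
    """Heuristic (assumption): every rule is declared .PHONY, so make is
    being used as a task runner rather than as a build system."""
    phony, targets = set(), set()
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.startswith(".PHONY"):
                phony.update(line.split(":", 1)[1].split())
                continue
            m = RULE_RE.match(line)  # recipe lines start with a tab, so they never match
            if m:
                targets.add(m.group(1))
    return bool(targets) and targets <= phony


def scan_repo(repo):
    """Collect the per-project facts the question asks about."""
    info = {"script_dir": False, "langs": Counter(), "npm_scripts": 0,
            "make_task_runner": False}
    for d in SCRIPT_DIRS:
        p = os.path.join(repo, d)
        if os.path.isdir(p):
            info["script_dir"] = True
            for root, _, files in os.walk(p):
                for name in files:
                    info["langs"][script_language(os.path.join(root, name))] += 1
    pkg = os.path.join(repo, "package.json")
    if os.path.isfile(pkg):
        with open(pkg, encoding="utf-8") as f:
            info["npm_scripts"] = len(json.load(f).get("scripts", {}))
    mk = os.path.join(repo, "Makefile")
    if os.path.isfile(mk):
        info["make_task_runner"] = makefile_is_task_runner(mk)
    return info


def summarize(root):
    """Aggregate scan_repo over every immediate subdirectory of root."""
    total = {"projects": 0, "with_script_dir": 0, "langs": Counter(),
             "npm_script_entries": 0, "make_as_task_runner": 0}
    for name in sorted(os.listdir(root)):
        repo = os.path.join(root, name)
        if not os.path.isdir(repo):
            continue
        info = scan_repo(repo)
        total["projects"] += 1
        total["with_script_dir"] += int(info["script_dir"])
        total["langs"] += info["langs"]
        total["npm_script_entries"] += info["npm_scripts"]
        total["make_as_task_runner"] += int(info["make_task_runner"])
    return total


def build_sample_corpus():
    """Constructed three-repo corpus for a stand-alone run (not real projects)."""
    root = tempfile.mkdtemp(prefix="corpus-")
    files = {
        "repo_a/scripts/deploy.sh": "#!/bin/sh\necho deploy\n",
        "repo_a/scripts/gen": "#!/usr/bin/env python3\nprint('gen')\n",
        "repo_a/package.json": json.dumps({"scripts": {"build": "x", "test": "y"}}),
        "repo_b/bin/run.rb": "puts 1\n",
        "repo_b/Makefile": ".PHONY: lint test\nlint:\n\truff .\ntest:\n\tpytest\n",
        "repo_c/Makefile": "CC := gcc\napp: main.c\n\t$(CC) -o app main.c\n",
        "repo_c/src/main.c": "int main(void){return 0;}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    print(summarize(build_sample_corpus()))
```

On the constructed corpus this reports 3 projects, 2 with a script directory, one shell, one python and one ruby script, 2 npm script entries and 1 Makefile used as a task runner. The shebang fallback matters in practice because many bin/ files carry no extension; the .PHONY heuristic is deliberately strict and will miss task-runner Makefiles that declare nothing phony.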
Whoever wrote, reviewed, and approved this at the OpenSSF.
Consider leaving the organization. I am not joking. You have no idea what you are talking about; you know nothing about Open Source, and you seem to know nothing about Security, either.
Even less all these things combined. Just. Leave. Resign. It is ok to realize you are not the right person for that position. It happened to me before.
@Di4na @KingmaYpe The right tool has been invented, and it is available, but people decided to ignore it (that's an even worse variant of the phenomenon your post is about): sudo {zypper,apt-get,dnf} install rust.
@mcepl @KingmaYpe Nope, these tools do not work cross-platform, are usually broken, and do not let you pick the version well. They also require the maintainers to build a bunch of different tools. They are not adapted to the demands of the maintainers, distributors, or users.
Believing the opposite is refusing the reality of what the field tells us and exactly what I call upon us not to do and reflect upon instead.