Comments

  • I'm a strong proponent of Open Source and security through many "eyes".

    However it should be pretty obvious that "a few eyes" and "many mouths" doesn't work out so well.
  • Randrew: I'm a strong proponent of Open Source and security through many "eyes".  However it should be pretty obvious that "a few eyes" and "many mouths" doesn't work out so well.


    The part they forgot is that somebody has to pay for the eyes.
  • And as we all know, proprietary closed-source software goes through a thorough line-by-line review by Margaret Hamilton and Donald Knuth.
  • SomeAmerican: Randrew: I'm a strong proponent of Open Source and security through many "eyes".  However it should be pretty obvious that "a few eyes" and "many mouths" doesn't work out so well.

    The part they forgot is that somebody has to pay for the eyes.


    Big Corp probably figures "Bigger Corp is using it, so they're paying for it and we'll just leach!"

    Meanwhile Bigger Corp says, "Lookit all them peons paying for it!  Hawhaw, they're paying for US!"
  • But has anybody paid for WinRar yet?
  • This isn't an unexpected downside.  Open source software tends to be made to a much higher quality standard than proprietary software, and proprietary software is at least as prone to security vulnerabilities.
  • Ah, so the back door that the CIA has been using for years has been discovered and patched.  So, Urgent meeting to see how quickly a replacement back door can be deployed.
  • hej: This isn't an unexpected downside.  Open source software tends to be made to a much higher quality standard than proprietary software, and proprietary software is at least as prone to security vulnerabilities.



    I believe you make a logical fallacy here in this statement.

    That a specific proprietary solution is needed, is not an automatic on that it must be lower quality.
    The needs and the quality of meeting those needs are independent factors, you are confusing into one same thing.

    However, if we replace a single part in what you say, then I find it rings far more true.

    Open source software tends to be made to a much higher quality standard than proprietary for profit software, and for profit software is at least as prone to security vulnerabilities.


    See that?
    It addresses the reason behind the observation you make.

    You think of the software as "proprietary" but in truth the divide here is non-profit vs. for-profit.

    The goals define what we put our effort into and what we do not.
    When the goal was to produce a useful bit of code, then we do that, we produce useful code.
    When the goal is to make a profit then we do that. And as can be readily exampled anywhere, you don't have to make a good product to be profitable. In fact the higher quality your product, the lower your personal hourly input/return may be.


    So there we are, we can achieve our goals, but maybe we're just not very good at balancing things out, we prefer the simpler plan of just one goal.
  • SomeAmerican: Randrew: I'm a strong proponent of Open Source and security through many "eyes".  However it should be pretty obvious that "a few eyes" and "many mouths" doesn't work out so well.

    The part they forgot is that somebody has to pay for the eyes.


    Yeah, but those are only like $1500.
  • If this becomes a bill in Congress, can we get it named after Matt Wright?

    https://en.m.wikipedia.org/wiki/Matt's_Script_Archive

    /once saw an instance of wwwboard still running in 19105.
  • Oneiros: If this becomes a bill in Congress, can we get it named after Matt Wright?

    https://en.m.wikipedia.org/wiki/Matt's_Script_Archive

    /once saw an instance of wwwboard still running in 19105.


    Really dude? Out of all the things you return from 19105 - 17 thousand years in the future - and THAT'S what you decided on?
  • hej: This isn't an unexpected downside.  Open source software tends to be made to a much higher quality standard than proprietary software, and proprietary software is at least as prone to security vulnerabilities.


    Of the three pillars Good/Fast/Cheap, open source software gets rid of the "fast" part.

    Most of it is built by people working on it by themselves, mostly unsupervised, on their free time, a few hours here and there on evenings and weekends, without compensation. It is not their full time job and sometimes they might go months without working on it at all.

    While there is a little bit of project flow and structure that goes into it, for the most part open source software is all ad hoc. That bug could be fixed today, or it could persist in successive builds for years. It all depends how much free time they have, and when they feel like working on it.

    When there is no profit motive there is no deadline, no hard schedule, no crunch time, no grand product launch or target milestones to worry about. It's a less stressful work environment, but also moves a lot slower than the beancounters feel comfortable with.

    Because programmers are lazy, and "it will be done when it will be done" is the most honest assessment they can ever give you.
  • Promo Sapien: But has anybody paid for WinRar yet?


    Registering WinRAR in 2021: How Far Back Does It Work? (YouTube o7W6hv4kcvg)
  • lifeslammer: Oneiros: If this becomes a bill in Congress, can we get it named after Matt Wright?

    https://en.m.wikipedia.org/wiki/Matt's_Script_Archive

    /once saw an instance of wwwboard still running in 19105.

    Really dude? Out of all the things you return from 19105 - 17 thousand years in the future - and THAT'S what you decided on?


    19105 was 17 years ago

    The Perl community called Y2K '19100' as one of the day functions returned years since 1900, so people would print:

    "19$year"
  • I'm a software engineer, and I currently work for one of the tech giants that tends to occupy a lot of space in the STEM tab. I've said before, and I'll say again: my biggest surprise when I entered the industry was that very important (m/b)illion dollar software isn't actually worked on by huge teams of geniuses and tested painstakingly and thoroughly before release into the wild. Instead, it's often three or four guys including one new college grad, one guy barely hanging onto his job by an individual performance plan, and one old guy that shows up at 10:00 and leaves at 3:00 to "beat the traffic," all of whom spend half their time goofing off and the other half doing HR training and other big corporation administrative tasks. They finally get the last build done hours before it is committed to the customer and just cross their fingers that there are no catastrophic bugs left in.
  • Larry Ellison would be happy to take open source private.
  • Infinite respect for whoever it was last week that published up a deliberately broken build of his open source project.

    If you depend on something, pay for it.

    /or clone the version you depend on and keep it locally
    //this isn't hard people
  • Ishkur: hej: This isn't an unexpected downside.  Open source software tends to be made to a much higher quality standard than proprietary software, and proprietary software is at least as prone to security vulnerabilities.

    Of the three pillars Good/Fast/Cheap, open source software gets rid of the "fast" part.

    Most of it is built by people working on it by themselves, mostly unsupervised, on their free time, a few hours here and there on evenings and weekends, without compensation. It is not their full time job and sometimes they might go months without working on it at all.

    While there is a little bit of project flow and structure that goes into it, for the most part open source software is all ad hoc. That bug could be fixed today, or it could persist in successive builds for years. It all depends how much free time they have, and when they feel like working on it.

    When there is no profit motive there is no deadline, no hard schedule, no crunch time, no grand product launch or target milestones to worry about. It's a less stressful work environment, but also moves a lot slower than the beancounters feel comfortable with.

    Because programmers are lazy, and "it will be done when it will be done" is the most honest assessment they can ever give you.


    You're describing the majority of OSS projects, but not so much the high profile and well known ones which usually run on models that are exceptions, but may appear to be the rule because they're the ones people see.  But OSS projects are all over all of the maps.

    Linux kernel, Mozilla, Apache... these are high profile and "professionally" run projects.  Top tier.

    OpenWRT is a project somewhere in the middle.  It is used as a base in a lot of consumer and sub-datacenter routers, but AFAIK not well supported by those commercial users.  A few years back the bulk of the OpenWRT devs revolted against the maintainer and forked it... because he'd been acting the way you described OSS developers.  Not responding to push requests, dismissing outside input and ignoring things in general.  The fork kinda got his attention and was merged back into OpenWRT with new rules of engagement.

    Log4j and these .js things we've been hearing about lately I'm not personally familiar with, but feel to me kind of like OpenWRT in that "everybody" uses them but relatively few contribute to them in meaningful ways, for whatever reasons.

    FOSS is approached by about as many different ways as there are developers who start such projects.  And most founder for lack of interest.  FOSS advocates and individual projects probably need to push harder on the truth that if you're going to use FOSS for your own commercial good, then you need to (a) do diligence and (b) be prepared to give back.
  • Chemlight Battery: I'm a software engineer, and I currently work for one of the tech giants that tends to occupy a lot of space in the STEM tab. I've said before, and I'll say again: my biggest surprise when I entered the industry was that very important (m/b)illion dollar software isn't actually worked on by huge teams of geniuses and tested painstakingly and thoroughly before release into the wild. Instead, it's often three or four guys including one new college grad, one guy barely hanging onto his job by an individual performance plan, and one old guy that shows up at 10:00 and leaves at 3:00 to "beat the traffic," all of whom spend half their time goofing off and the other half doing HR training and other big corporation administrative tasks. They finally get the last build done hours before it is committed to the customer and just cross their fingers that there are no catastrophic bugs left in.


    The group that I dealt with at Lockheed Martin made great strides over two summers on their system for displaying their data.

    ... then their high school intern went to college
  • Considering how many companies try to get as much as possible for as little as possible I'm not surprised something like this is gnawing in to their backsides at this point.
  • Nimbull: Considering how many companies try to get as much as possible for as little as possible I'm not surprised something like this is gnawing in to their backsides at this point.


    I think any of same who try to blame FOSS for their problems aren't going to get far with that complaint.  It's not like they're going to stop using it and do their own development !
  • PvtStash: hej: This isn't an unexpected downside.  Open source software tends to be made to a much higher quality standard than proprietary software, and proprietary software is at least as prone to security vulnerabilities.


    I believe you make a logical fallacy here in this statement.

    That a specific proprietary solution is needed, is not an automatic on that it must be lower quality.
    The needs and the quality of meeting those needs are independent factors, you are confusing into one same thing.

    However, if we replace a single part in what you say, then I find it rings far more true.

    Open source software tends to be made to a much higher quality standard than proprietary for profit software, and for profit software is at least as prone to security vulnerabilities.


    See that?
    It addresses the reason behind the observation you make.

    You think of the software as "proprietary" but in truth the divide here is non-profit vs. for-profit.

    The goals define what we put our effort into and what we do not.
    When the goal was to produce a useful bit of code, then we do that, we produce useful code.
    When the goal is to make a profit then we do that. And as can be readily exampled anywhere, you don't have to make a good product to be profitable. In fact the higher quality your product, the lower your personal hourly input/return may be.


    So there we are, we can achieve our goals, but maybe we're just not very good at balancing things out, we prefer the simpler plan of just one goal.


    The real gotcha here is that proprietary software is only going to be updated by people that are specifically tasked by a project engineer/manager to do said software.  And those updates will only happen if their time is specifically paid, that particular task has a charge number, and other corporate stumbling blocks.

    OSS will be updated if the programmer feels like it and has time, they receive an update and feel like merging it in and is still actively maintaining the project (otherwise the updater can fork the whole project, which typically isn't worth it).

    In practice, the OSS method has worked better.

    The real danger of OSS is that said "somebody submitted a patch" could well be a carefully crafted security flaw.  There was a huge flap in the Linux community recently about somebody from a school in Wisconsin sliding a flaw into Linux as an experiment.  Sometime before that (a few years?) there was an even more egregious insertion into one of the BSDs.

    It is almost always easier to find security holes in proprietary software.  But it isn't at all clear if it isn't easier to insert flaws into OSS than find them in proprietary systems.  It works even better if the OSS maintainer happens to be working for the hacker organization all along (of course at this level, subverting programmers for proprietary projects is likely easier).  And yes, the NSA has been contributing to OSS and Linux: Security Enhanced Linux has been a thing (originally provided by the NSA) since 2000.  Although this probably existed because securing Windows NT/XP/2000 was so impossible that they wanted something for US government use that didn't automatically obey everything it saw on the internet...
  • yet_another_wumpus:
    The real gotcha here is that proprietary software is only going to be updated by people that are specifically tasked by a project engineer/manager to do said software.  And those updates will only happen if their time is specifically paid, that particular task has a charge number, and other corporate stumbling blocks.

    OSS will be updated if the programmer feels like it and has time, they receive an update and feel like merging it in and is still actively maintaining the project (otherwise the updat ...



    Again I find the label "proprietary" to be irrelevant to the situation.

    That the proprietary software was needed, in a for profit business, to turn a profit, is why it exists.
    That it had to perform a proprietary function for them was arbitrary, to the situation that they are trying to make a profit.
    So every penny is either profit in my pocket, or money not in my pocket.
    If we spend more money on that software, then less goes into my pocket.

    Thus the reason they may not generate as good a code in the first place, or go back and correct errors with more frequent and accurate updates, does not have anything to do with that the software is priority to their business.
    It is that the process of being a business is to put as much of that money into your pocket as possible, not spend it on updating that software any more than is the absolute bare minimum required to keep the business going.


    profits, not proprietary function, are why the updates do come as frequently or with as much quality to them.
  • PvtStash: yet_another_wumpus:
    The real gotcha here is that proprietary software is only going to be updated by people that are specifically tasked by a project engineer/manager to do said software.  And those updates will only happen if their time is specifically paid, that particular task has a charge number, and other corporate stumbling blocks.

    OSS will be updated if the programmer feels like it and has time, they receive an update and feel like merging it in and is still actively maintaining the project (otherwise the updat ...


    Again I find the label "proprietary" to be irrelevant to the situation.

    That the proprietary software was needed, in a for profit business, to turn a profit, is why it exists.
    That it had to perform a proprietary function for them was arbitrary, to the situation that they are trying to make a profit.
    So every penny is either profit in my pocket, or money not in my pocket.
    If we spend more money on that software, then less goes into my pocket.

    Thus the reason they may not generate as good a code in the first place, or go back and correct errors with more frequent and accurate updates, does not have anything to do with that the software is priority to their business.
    It is that the process of being a business is to put as much of that money into your pocket as possible, not spend it on updating that software any more than is the absolute bare minimum required to keep the business going.


    profits, not proprietary function, are why the updates do come as frequently or with as much quality to them.


    This is exactly why proprietary software sucks for security.  Does it work?  Done.  Does it leave the customer open for any security issues?  Fark you, I got paid.  Functionality and security are nearly orthogonal in software, so if you want a profit you only pay for one...

    Just look at all those IoT devices out there.  There's a reason a sizeable group on fark insist it stands for "internet of things that shouldn't be on the internet".