I'm certainly grateful of course, but I don't feel like there was any sort of contract/exchange between myself and the maintainers that creates an obligation on my part.

Everyone affected was to blame for their own vulnerability, to the extent they relied on OpenSSL. Similar to how I use linux/BSD and don't feel obligated to maintain the kernel. I'll continue to use open source projects 'AS IS' and I still won't feel morally obligated to maintain them. Interesting perspective even though I strongly disagree. It seems like being paid a kindness creates an obligation, which is not that nice. Paying forward kindness and being morally obligated to maintain an open source library just because you use it are different things in my mind. > I consider not paying forward kindnesses paid to you way, way more unfair and unreasonable. It was more a method of risk management than altruism. I have also worked at companies that funded open source projects through donations or maintenance, but there was never a moral obligation there. I have also entreated (and in two cases succeeded in convincing) maintainers to start up maintenance programs so we could pay them a yearly fee - because donations are way harder to push than support plans. A red line, I-will-quit condition is and always has been "I won't participate in the development of private forks of open-source software" and I have at multiple employers gotten checks straight-up cut to open-source software maintainers. Interesting - it may be a nice thing to do, but I don't agree that there is any sort of obligation to the project just for using the project. > Yes, and it always has and it can't be discharged. I consider not paying forward kindnesses paid to you way, way more unfair and unreasonable. You should do likewise, because it is the decent and human thing to do.
I have also entreated (and in two cases succeeded in convincing) maintainers to start up maintenance programs so we could pay them a yearly fee - because donations are way harder to push than support plans.

And, in turn, I open-source useful tools, including major parts of my consulting business, because it, too, is the right thing to do. > Do we say the same thing about any large company that uses openssl or any other open source libs that people use or depend on? Yes, and it always has and it can't be discharged. > Open source code now carries a moral maintenance obligation? On the other hand, when was the last time an even moderately well maintained SMB file server behind a LAN was compromised directly? Unique zero-day attacks are much more likely to be used on public services too due to the nature of their value. A quick search reveals that just last year 68 million dropbox accounts were compromised. The value there is well documented - look what happened when the world moved from exposed to behind NAT routers.

Big public breaches happen all the time - you mentioned dropbox, I've gotten several reset emails from dropbox due to compromise, I'm guessing the attackers didn't walk away empty-handed in such cases. Preventing you from being affected by public breaches like these. Not necessarily - but they are much better able to restrict things to only your employees by applying VPNs and HTTPS+LDAP auth only proxies. > Are we to think that our teams are better than Slack's when Slack's core competency is secure communication? They certainly couldn't have replaced their desktops with Dropbox. Nothing to do with local vs cloud storage. Not really, if I recall correctly Sony's whole Windows network was compromised via trojans in a PDF attachment exploit. Look at Sony - their data would have been safer stored on DropBox than their own internal servers.