undefined | Better HN

0 pointskube-system3y ago0 comments

This isn't about fixing anyone's code, it's about securing the software stack that the government is running. They already have well developed processes for addressing closed source software.

0 comments

4 comments · 2 top-level

Xelynega3y ago· 2 in thread

Why can't those same processes be used for open source code then? If we assume those processes can't(or don't) apply to open source software then am I to believe that OpenSSL has been running the internet without any scrutiny for the last decade?

kube-systemOP3y ago

This is about risk management process, not computer science process. The businesses processes are different.

For example, if your proprietary software has a bug, you call the developer and demand they come into your office and fix it under warranty.

Doesn’t work that way for some dependency downloaded from GitHub.

yencabulator3y ago

Practically all software is licensed/sold without any warranty. I challenge you to find even a single counterexample.

1 more reply

yakak3y ago

Can you provide a reference to the processes you are referring to? I'm only familiar with EAL and FIPS which require theories that there is maintenance where they apply in the lower part of the stack. They are applied to open source like OpenSSL and SeLinux, probably with better quality than a lot of niche closed source government procures.

j / k navigate · click thread line to collapse