undefined | Better HN

0 pointsgiaour3y ago0 comments

I have seen this perspective a lot in government and adjacent entities. For them, commercial software and corporate open source has a clear financial motive. If they can't identify why a project exists and continues to receive support, they see a security risk, either via direct compromise or project abandonment and the associated supply chain rot.

0 comments

4 comments · 2 top-level

numbsafari3y ago· 1 in thread

and they aren’t wrong to do so.

Browser plug-in author gets bored and sells out customer base is a well tread story.

Takeovers of well known packages are another.

Most of these ecosystems do not offer proper sandboxing for the things we take from them, so it’s easy for things to grow an appendage that abuses our prior assumptions.

Apache’s Java ecosystem is full of consultant abandonware and tripwires.

kube-system3y ago

> Browser plug-in author gets bored and sells out customer base is a well tread story.

Not even just "get bored" but, just a plain matter of incentive. Salaries are a strong incentive against undermining your employer's work. Now, of course, there are people who are incentivized because they are altruistic and good at heart, but that's very difficult to measure. It's much easier to demonstrate aligned interests monetarily.

AnimalMuppet3y ago· 1 in thread

But that concern exists on the other side just as much! Companies get compromised, companies abandon projects. And companies, even though they make money from a project, decide that they could make more money by having it ship them data on the side.

giaourOP3y ago

True, but I wouldn't say "just as much." An ongoing financial relationship usually means that the purchaser can expect reasonable advance notice if a project is getting discontinued.

And in more sensitive agencies, if the government purchases software, they generally have the name and contact information of who they can arrest if the purchased item becomes or is found to be malware.

j / k navigate · click thread line to collapse