by narinxas
942 days ago
It's the political principles I'm criticizing. The technical problem is really essentially a matter of trust; blockchains solved this problem in the technical sense. The operations of large organizations are typically private property... This is a touchy issue because technology corporations are essentially the government by this point. I guess I should be glad this isn't really my problem; I'm just worried about the public and political consequences of what I see as potentially dangerous mistakes being made on the ideological level.
The straw that broke the camel's back on this issue was CVE-2021-44228 -- which was a vulnerability in open source software. If you missed that debacle -- the problem wasn't that people distrust Apache or software that uses Log4j. The problem was that people didn't know where all it was installed.
This was because it isn't currently a standard for software developers to provide a list of all of their dependencies, regardless of whether they're open source or not. This isn't because they are untrustworthy. It just simply isn't standard practice. SBOMs are an attempt to standardize such a list.
A blockchain isn't necessary here -- nobody is trying to lie about what version of Log4j they're depending on in a piece of software they're selling.
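The kind of lookup the reply above describes, as an added example that is not part of this thread: a small Python script walks a constructed CycloneDX-style SBOM (the format and the sample data are assumed here, not taken from any real project) and reports every log4j-core component it finds, flagging versions older than 2.15.0, the first release that addressed CVE-2021-44228.

```python
import itertools
import json

# Constructed sample SBOM in CycloneDX JSON form (assumed shape, not from the thread).
# A nested "components" list models a library bundled inside an application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "billing-service", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
    ],
})


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def version_key(version):
    """Numeric key for comparing versions; pre-release suffixes like '-beta9' are dropped."""
    key = []
    for piece in version.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        key.append(int(digits) if digits else 0)
    return tuple(key)


def find_log4j_core(sbom_json, fixed="2.15.0"):
    """Return [(path, version, vulnerable)] for every log4j-core component in the SBOM."""
    bom = json.loads(sbom_json)
    hits = []
    for path, comp in walk_components(bom.get("components", [])):
        if comp.get("group") == "org.apache.logging.log4j" and comp.get("name") == "log4j-core":
            ver = comp.get("version", "0")
            hits.append(("/".join(path), ver, version_key(ver) < version_key(fixed)))
    return hits


if __name__ == "__main__":
    for path, ver, vuln in find_log4j_core(SAMPLE_SBOM):
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{path} (log4j-core {ver})")
```

Running this against the sample flags the copy bundled inside billing-service and clears the top-level 2.17.1 copy, which is exactly the inventory question the reply says nobody could answer in December 2021.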