Hacker News new | ask | show | jobs
by fieldcny 653 days ago
Using your yardstick, we wouldn’t have any open source software, everything costs time to implement, that’s the point of open source, we donate time to the collective community. All those security features are not enterprise specific, they are rudimentary for any modern open source product
1 comments
cduzz 653 days ago
I'm saying that companies that opensource their products tend to distinguish "enterprise" and non-enterprise based on things like RBAC and audit mechanisms, neither of which is "security" as much as "compliance".

The original license owner, if a commercial enterprise trying to sell the product alongside the "open" version, has less incentive to accept those features from the community as it would reduce their sales of the enterprise version of the same thing, and may not align with their long-term product roadmap.

In open source, the team managing a codebase isn't under any obligation to accept contributions the community and you are welcome to fork the project, if you like.

link
ang_cire 652 days ago
RBAC is absolutely a practical security control, even for non-commercial users. Least necessary privilege is not a checkbox, it will 100% save your butt in a breach by limiting blast radius.
link
cduzz 649 days ago
I'm not really sure what you're talking about.

Let's say you work at a company that uses Elasticsearch. Let's say you're running a newspaper and you've got your logs in elasticsearch. Let's say one of your reporters ends up getting chopped up while they're visiting the Ostrich embassy to get a marriage license. Now let's say you're then asked "who looked at the logs of the CMS who searched for and found the IP address that was used by that reporter on October 1st 2018"

That example, purely hypothetical, is an example of "security" but not the typical security you'll see in some open source application -- it's an enterprise "compliance" feature that won't be trivial to implement and will be judged not just on completeness but on user interface, ease of use, ease of implementation, etc.

"security" means different things to different people

link
tstenner 651 days ago
Sure. But for smaller users it's easier to breathe the accounts by hand rather than manage an entire active directory installation.
link
paulddraper 650 days ago
RBAC and Active Directory are different things.
link