by pixl97 396 days ago
>What you’re describing is a scenario that would force developers to just stop making software, on top of putting significantly more people at risk.

Good. I work in code security/SBOM, the amount of shit software from entities that should otherwise be creating secure software should worry you.

Businesses care very little about security and far more about pushing the new feature fast. And why not, there is no real penalty for it.

1 comment

What is your position on open source projects? Should someone who writes software in their spare time who decides to share it publicly be forced to stop doing so?

I’m more open to harsher limits on commercial software, especially in certain categories. But underneath all of this we’re discussing an ecosystem and a culture which can’t be cleanly separated.

Some of the binary thinking I see in this thread would be deeply damaging to parts of that ecosystem, with potentially major unintended consequences. Open source software is critically important for human rights/freedom. Taken at face value, many of the comments here directly threaten that freedom.

I’m not assuming that’s your stance, but I’m curious how you see the open source aspect of this considering how significant its role is - especially in the security space.

I don't have the answer here. Open source is the base of a lot of secure software. And at the same time, open source software gets pulled into other functional software that has widespread and potentially dangerous outcomes.

OpenSSL, for example. Any security flaw in this package has worldwide effects, but we would be lesser without it.

Another example is the xz software that was attacked and then pulled into distributions. We were just lucky it was caught relatively early.

Therein lies the rub. Whatever the answer is, it will require careful and thoughtful solutions, not oversimplified conclusions that raking developers over the coals publicly with no warning is somehow “Good”.

To be clear, I have far less sympathy for big software shops that pump out negligently bad code and then have to be prodded to fix it, but they’re not the only players involved.