SlowBloke posted: Adversary in the middle.

I can't take people who try to use "adversary" in a security context seriously. It just makes me think of the IT guy at work who seems still mad that developers get sudo access, spends a ton of his time arbitrarily blocking specific commands from passing through sudo, while telling everyone who's trying to do work that it's to "protect from the adversary". Also, that going around his nonsense because you actually need docker/k8s to do your job (so yes, you're going to do a little sudo bash as a treat; and developers are supposed to have sudo access in the first place! we have a process for getting it!) is a "resume producing event".
# ¿ Nov 9, 2023 15:22

# ¿ May 14, 2024 12:28
Rescue Toaster posted: Hopefully OSS at large does some reflection on this and what to do going forward.

More concretely, it's not "OSS at large" but rather all of the companies doing an extraction on it. It's your employer (the general you, I don't know you specifically--it's definitely mine) who's either using Ubuntu Server off an FTP download or thinks paying for a RHEL contract absolves them of further duty--and while they contribute in some lanes as well, this absolutely includes Red Hat and even more so Canonical. The XKCD comic is right; distros aren't paying it forward to the random projects they package, and then oops!-all-vulns happens and everyone just looks shocked. Being freely downloadable doesn't absolve one of pay-it-back and pay-it-forward moral obligations, but that's a foreign concept today, I guess. I have a history of burning social capital to at least move the needle a tiny bit and put money in the hands of people whose stuff we rely on, but now that I'm at a megacorp I can't even do that. It sucks. I talked to Tidelift early on in their existence when they were hiring founding engineers, and they seemed to at least scope the problem, but they completely failed to do anything about it as they instead tried to capture a sub-RHEL market of OSS by contributing directly instead of enabling maintainers of critical infrastructure.

tracecomplete fucked around with this message at 20:01 on Mar 31, 2024
# ¿ Mar 31, 2024 19:49