I've seen better coverage but less depth from commercial entities. I
just referred a Kobo bug to the in-house counsel, as the assigned
support creature could neither understand the problem /nor/ the process.
I used to work with their lawyer at Lexis Nexis: that's *not* a common
kind of situation (;-))
in the open source world, one arguably only needs to convince a peer
that something is wrong, not a legal representative of the company that
they're at risk.
--dave
On 2020-11-21 12:06 p.m., D. Hugh Redelmeier via talk wrote:
| From: David Thornton via talk <[email protected]>
| Date: Fri, 20 Nov 2020 15:25:42 -0500
Thanks for reviving this thread 10 months later. What prompted you to do
that? Note: this is not a complaint. I continue to think that this is an
important and unresolved topic.
| As administrators we have a responsibility to vet. Even if it's to
| "deligate" the vetting, we have to vet the deligate.
"have to" means "responsibility to". Unfortunately, responsibility without
capability is a recipe for disaster.
Clearly you've thought about this in a setting with customers. How do you
discharge this responsibility?
The GPL says: you get what we offer but we accept no responsibility.
Many commercial software contract and EULAs disclaim responsibility
and forbid using the software in safety-critical settings. They then
often fall back on saying at most you can get back the purchase cost.
So a responsible decision-maker cannot delegate the responsibility yet has
no practical or even theoretical tools to discharge the
responsibility. Except bankruptcy law.
- you can ask your customer / client / employer that "here are the risks
that I can imagine, are you willing to accept them?"
- you can make sure that there are no assets available that can be lost
when and if problems arise
- you can work to reduce risks. This quickly hits the law of diminishing
returns, long before the risks are eliminated. But I'm sure we can
do better than the industry norms, as long as customers
understand that they must and should pay for the up-front cost.
Customers / clients often think that they are safer with large
corporations. In that role, I've found the help from large companies (eg.
Microsoft, Sun Microsystems (back in the day), ...) to inferior
to help from small companies. Both are eclipsed by support from FLOSS
communities. But support only deals with problems in the future, not
damage that has happened.
In the area of security, the worst breaches are the ones you never learn
about.
| Npm is a hot mess, and most people get that now.
|
| Galaxy / puppetforge / helm stuff ? Take a number.
|
| It sprouts faster than you can get on it sometimes.
|
| Pays the mortgage :)
You can't live with them and you can't live without them?
---
Post to this mailing list [email protected]
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
[email protected] | -- Mark Twain
---
Post to this mailing list [email protected]
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
