Fair points. All of the service contracts I've worked behind say effectively: if we can't keep it from happening, then we can't be held responsible for it happening.

You paid for a managed Linux server, Linux has a bug and you crash, we are not responsible. We'll patch when it comes out, we'll add a firewall rule to mitigate. But we could not have kept it from happening.

It's pretty weak I know, but one thing I have learned is that there is a lot of conscious and unconscious, communicated and uncommunicated acceptance of risk in many industries. I advocate for professional, responsible management and communication of risk in my day-to-day activities. I feel like I've done my best work when I can talk to clients directly and honestly about risk, and how we can manage it. I can do what I can, but I can't worry about or fret about stuff I can't do anything about. (Which is, I think, basically what you are saying above.)

I can do a lot of reasonable things to protect against uncontrolled aspects of operation. We had only one hard drive and it failed, so we went to a pair of mirrored disks. We had only one web server and it failed, so we went to a cluster of 2 to a bagilion web servers. We used open source software and it was a hot mess, so we ..... um, hullo? anyone else? .... Canonical, Microsoft, Redhat, Oracle, Amazon, Google, what have you. They can do mitigation and management in ways I can't.

I lived and breathed Redhat for a long time, and we sold Linux under "Redhat is good, Redhat can make it go". They added safety and consistency. I mean it wasn't / isn't perfect, but it worked. It got a lot of stuff done in a short amount of time for us.

Risk management never gets old; it is as old as the first profession (Prostitution: "Will my primary mate catch me?"), which of course led to the second oldest profession: Lawyers.

P.S. I decided to give email another go, for old time's sake; that's why I revived the thread, I guess: I read my mail :)

David

On Sat, Nov 21, 2020 at 12:06 PM D. Hugh Redelmeier <[email protected]> wrote:

> | From: David Thornton via talk <[email protected]>
> | Date: Fri, 20 Nov 2020 15:25:42 -0500
>
> Thanks for reviving this thread 10 months later. What prompted you to do
> that? Note: this is not a complaint. I continue to think that this is an
> important and unresolved topic.
>
> | As administrators we have a responsibility to vet. Even if it's to
> | "delegate" the vetting, we have to vet the delegate.
>
> "have to" means "responsibility to". Unfortunately, responsibility
> without capability is a recipe for disaster.
>
> Clearly you've thought about this in a setting with customers. How do you
> discharge this responsibility?
>
> The GPL says: you get what we offer but we accept no responsibility.
>
> Many commercial software contracts and EULAs disclaim responsibility
> and forbid using the software in safety-critical settings. They then
> often fall back on saying at most you can get back the purchase cost.
>
> So a responsible decision-maker cannot delegate the responsibility yet has
> no practical or even theoretical tools to discharge the
> responsibility. Except bankruptcy law.
>
> - you can ask your customer / client / employer: "here are the risks
>   that I can imagine, are you willing to accept them?"
>
> - you can make sure that there are no assets available that can be lost
>   when and if problems arise
>
> - you can work to reduce risks. This quickly hits the law of diminishing
>   returns, long before the risks are eliminated. But I'm sure we can
>   do better than the industry norms, as long as customers
>   understand that they must and should pay for the up-front cost.
>
> Customers / clients often think that they are safer with large
> corporations. In that role, I've found the help from large companies (eg.
> Microsoft, Sun Microsystems (back in the day), ...) to be inferior
> to help from small companies. Both are eclipsed by support from FLOSS
> communities. But support only deals with problems in the future, not
> damage that has happened.
>
> In the area of security, the worst breaches are the ones you never learn
> about.
>
> | Npm is a hot mess, and most people get that now.
> |
> | Galaxy / puppetforge / helm stuff ? Take a number.
> |
> | It sprouts faster than you can get on it sometimes.
> |
> | Pays the mortgage :)
>
> You can't live with them and you can't live without them?

--
David Thornton
https://wiki.quadratic.net
https://github.com/drthornt/
https://twitter.com/northdot9/
---
Post to this mailing list [email protected]
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
