
CVE-less vulnerabilities

CVE-less vulnerabilities

Posted Jun 26, 2019 17:04 UTC (Wed) by misc (subscriber, #73730)
In reply to: CVE-less vulnerabilities by roc
Parent article: CVE-less vulnerabilities

Wouldn't that have a side effect of giving less funding to a project with fewer security issues?


CVE-less vulnerabilities

Posted Jun 26, 2019 20:17 UTC (Wed) by roc (subscriber, #30627) [Link]

Yes, that is one of the poor incentives.

CVE-less vulnerabilities

Posted Jun 26, 2019 20:25 UTC (Wed) by roc (subscriber, #30627) [Link] (10 responses)

Unfortunately some other popular models for funding free software also create perverse incentives. E.g. the "pay for support" model creates an incentive to make your software difficult to operate so people will have to pay for support.

CVE-less vulnerabilities

Posted Jun 27, 2019 9:01 UTC (Thu) by HenrikH (subscriber, #31152) [Link] (9 responses)

That is an excuse that I've heard many times on e.g. Slashdot regarding why Red Hat introduced systemd, so does there exist any evidence whatsoever that "pay for support" has created unneeded complexity in the software?

CVE-less vulnerabilities

Posted Jun 27, 2019 9:24 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)

I don't think we need incentives to make overcomplex software, really. We do that all on our own, with no incentive needed. :)

CVE-less vulnerabilities

Posted Jun 27, 2019 14:25 UTC (Thu) by bfields (subscriber, #19510) [Link] (1 responses)

Yeah, I mean, documentation and user interface design can be hard, and on any sufficiently complicated project may require the equivalent of multiple full-time skilled people. I don't think projects will intentionally sabotage improvements in those areas, it's more a question of whether they can fund them.

CVE-less vulnerabilities

Posted Jun 27, 2019 19:13 UTC (Thu) by HenrikH (subscriber, #31152) [Link]

And where would they find users? It's not like people will stand in line for "hey, that software seems really hard to use vs. the competition, so let's also buy an expensive support package while we are at it!"

CVE-less vulnerabilities

Posted Jun 27, 2019 10:19 UTC (Thu) by roc (subscriber, #30627) [Link] (5 responses)

I can't point to any specific example, but the perverse incentive does exist. Hopefully most OSS developers take such pride in their work that the perverse incentive doesn't sway them!

CVE-less vulnerabilities

Posted Jun 27, 2019 19:12 UTC (Thu) by HenrikH (subscriber, #31152) [Link] (4 responses)

I have a hard time believing this, especially since no examples can be given. While such an incentive can exist in theory, it's in stark contrast to the incentive to create software that is usable and good enough so that people choose to use it in the first place.

CVE-less vulnerabilities

Posted Jun 30, 2019 10:08 UTC (Sun) by nix (subscriber, #2304) [Link] (3 responses)

The automatic assumption here that most free software developers are mostly incentivized by money stands in stark contrast to almost every free software developer I have ever met. As a group we are to a large extent paid enough for free software hacking to be privileged sorts who usually don't need to worry about money, and freed from that tether most of us are interested in other things now (doing interesting things, writing code people will find useful, or just enjoying creating the software system itself).

Certainly, in my case, even a really blatant financial incentive like telling me that you'd double my salary if I did $thing (where $thing is not something I'd have been happy to do already) would not have much effect, and the financial incentive there is pointless: you could probably get me to prioritize a $thing I'd be happy to do over other things I was planning just by asking me, acting as a prod that at least one person has an expressed preference so I might as well follow it.

I suspect that if you *are* mostly incentivized by money, you've long since switched to become a VC vampire rather than a free software developer: God knows you'd have had enough opportunity to do so.

CVE-less vulnerabilities

Posted Jul 4, 2019 17:23 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

> The automatic assumption here that most free software developers are mostly incentivized by money stands in stark contrast to almost every free software developer I have ever met. As a group we are to a large extent paid enough for free software hacking to be privileged sorts who usually don't need to worry about money,

While I agree with the first half of that (free software developers are not incentivized by money), I'm not sure about the second. There are probably a fair few wannabe free software developers (myself included) who lack the time and opportunity precisely because we are NOT paid enough to indulge ourselves in what we want to do (write free software).

Some people get lucky breaks - I'm not complaining - but some people don't.

Cheers,
Wol

CVE-less vulnerabilities

Posted Jul 17, 2019 18:22 UTC (Wed) by nix (subscriber, #2304) [Link] (1 responses)

Oh, I completely agree (I was in the same boat for fourteen years). But that's being incentivized by *something else*, and money is just something to let you eat while you do the something else. If you had enough money to do the something else, would you want more money for the sake of it? If not, you're not incentivized by money, I'd say. (An amazing number of people *are* incentivized by it: I don't understand what they get out of it, maybe they use it to keep score or something primate-status like that?)

CVE-less vulnerabilities

Posted Jul 20, 2019 11:05 UTC (Sat) by jospoortvliet (guest, #33164) [Link]

On top of that I want to challenge the perverse incentive a bit. Yes, it is there, but Red Hat also wants its software to be popular and used a lot, otherwise it would have no large user base to draw customers from. So it isn't a 100% bad incentive - it is 'complicated' and I'd argue it kind of balances out.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds